Analysis Overview
SHA256
e1b9d77cb265711831aca195fb1ca299b9e6b2df18b8c086c26876151f57e837
Threat Level: Known bad
The file 5767921da620f5755d8ebb63c78fa3c2806003eede39253806813724e62f632a.exe.zip was found to be: Known bad.
Malicious Activity Summary
FlawedAmmyy RAT
AmmyyAdmin payload
Ammyyadmin family
Checks computer location settings
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-01 15:13
Signatures
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Ammyyadmin family
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-01 15:13
Reported
2023-12-01 16:41
Platform
win7-20231023-en
Max time kernel
152s
Max time network
149s
Command Line
Signatures
FlawedAmmyy RAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5767921da620f5755d8ebb63c78fa3c2806003eede39253806813724e62f632a.exe | N/A |
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5767921da620f5755d8ebb63c78fa3c2806003eede39253806813724e62f632a.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5767921da620f5755d8ebb63c78fa3c2806003eede39253806813724e62f632a.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5767921da620f5755d8ebb63c78fa3c2806003eede39253806813724e62f632a.exe
"C:\Users\Admin\AppData\Local\Temp\5767921da620f5755d8ebb63c78fa3c2806003eede39253806813724e62f632a.exe"
C:\Users\Admin\AppData\Local\Temp\5767921da620f5755d8ebb63c78fa3c2806003eede39253806813724e62f632a.exe
"C:\Users\Admin\AppData\Local\Temp\5767921da620f5755d8ebb63c78fa3c2806003eede39253806813724e62f632a.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\5767921da620f5755d8ebb63c78fa3c2806003eede39253806813724e62f632a.exe
"C:\Users\Admin\AppData\Local\Temp\5767921da620f5755d8ebb63c78fa3c2806003eede39253806813724e62f632a.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.242:443 | | tcp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 097a18ed7b31114c7ef39ef06eff02f0 |
| SHA1 | 276bb5fc8ab72ed3a447dd57be668ace8f75a7c1 |
| SHA256 | 985b458559939244b777d09d71d6192a13f693b88b046ca904012603a5582812 |
| SHA512 | 168ef05ddb434dd4003748c7cd6ea9ed5c8280506de4473c3b193fffc314b469e85e2474f919f189c9b7ffb16aa741d75900341a9802dae175ad185e1fea3e96 |
C:\ProgramData\AMMYY\hr
| MD5 | 7f16043508f54f257672e167a6e8000c |
| SHA1 | 7f62bab059fa0dd921f778bd6c56c7292d495ec4 |
| SHA256 | 528571f1010011c659d884c1dd1c08c836a19d99db6ccaad16b5b52ebfa3a5df |
| SHA512 | 4e49850697edd38fe44d382587afbf94075a6d2a113addecc3ec416631c916a3eab2507bed2f51a1e204921b4fbacc856e2a8ac2abf9b857efc1ae26626344fe |
C:\ProgramData\AMMYY\hr3
| MD5 | 8684abe446d56e9ffbc97ed90461e902 |
| SHA1 | 3cf893aeedcd98309fac54b64e2445a87924e3d6 |
| SHA256 | 22958043672957d1d9fb25d103998b5636836caa0a8e105b7568579535e09f15 |
| SHA512 | 9e9eff6ba60a02864318c0e6c4bdb569e73e9aa43e609e8b69fbd393ced19cf347b9751a068d6c171034c7602f687ca945f58f945894139d5bebdba93e01702a |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-01 15:13
Reported
2023-12-01 16:42
Platform
win10v2004-20231127-en
Max time kernel
177s
Max time network
192s
Command Line
Signatures
FlawedAmmyy RAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5767921da620f5755d8ebb63c78fa3c2806003eede39253806813724e62f632a.exe | N/A |
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5767921da620f5755d8ebb63c78fa3c2806003eede39253806813724e62f632a.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5767921da620f5755d8ebb63c78fa3c2806003eede39253806813724e62f632a.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3768 wrote to memory of 4424 | N/A | C:\Users\Admin\AppData\Local\Temp\5767921da620f5755d8ebb63c78fa3c2806003eede39253806813724e62f632a.exe | C:\Users\Admin\AppData\Local\Temp\5767921da620f5755d8ebb63c78fa3c2806003eede39253806813724e62f632a.exe |
| PID 3768 wrote to memory of 4424 | N/A | C:\Users\Admin\AppData\Local\Temp\5767921da620f5755d8ebb63c78fa3c2806003eede39253806813724e62f632a.exe | C:\Users\Admin\AppData\Local\Temp\5767921da620f5755d8ebb63c78fa3c2806003eede39253806813724e62f632a.exe |
| PID 3768 wrote to memory of 4424 | N/A | C:\Users\Admin\AppData\Local\Temp\5767921da620f5755d8ebb63c78fa3c2806003eede39253806813724e62f632a.exe | C:\Users\Admin\AppData\Local\Temp\5767921da620f5755d8ebb63c78fa3c2806003eede39253806813724e62f632a.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5767921da620f5755d8ebb63c78fa3c2806003eede39253806813724e62f632a.exe
"C:\Users\Admin\AppData\Local\Temp\5767921da620f5755d8ebb63c78fa3c2806003eede39253806813724e62f632a.exe"
C:\Users\Admin\AppData\Local\Temp\5767921da620f5755d8ebb63c78fa3c2806003eede39253806813724e62f632a.exe
"C:\Users\Admin\AppData\Local\Temp\5767921da620f5755d8ebb63c78fa3c2806003eede39253806813724e62f632a.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\5767921da620f5755d8ebb63c78fa3c2806003eede39253806813724e62f632a.exe
"C:\Users\Admin\AppData\Local\Temp\5767921da620f5755d8ebb63c78fa3c2806003eede39253806813724e62f632a.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 152.78.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp |
| DE | 136.243.104.235:443 | | tcp |
| US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.78.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 097a18ed7b31114c7ef39ef06eff02f0 |
| SHA1 | 276bb5fc8ab72ed3a447dd57be668ace8f75a7c1 |
| SHA256 | 985b458559939244b777d09d71d6192a13f693b88b046ca904012603a5582812 |
| SHA512 | 168ef05ddb434dd4003748c7cd6ea9ed5c8280506de4473c3b193fffc314b469e85e2474f919f189c9b7ffb16aa741d75900341a9802dae175ad185e1fea3e96 |
C:\ProgramData\AMMYY\hr
| MD5 | ef49c4e52a158492dafdc8bc32b3d9f9 |
| SHA1 | d00905acfd74e3f1690c0dce056c642bc93eb2ea |
| SHA256 | 1f5f6723edf7d345b336c7aa18f624ff6d14ed4af28a0d5cd6db531bb00cf9de |
| SHA512 | e016d3b586858ef50c8e8d1a2de7ca5f693cf4c0b255f5935f7f54fbde775bd36ad99023698b8e3f3bf4dd69f48186fa080dc02487ad27afebf1a7f6df3ebde6 |
C:\ProgramData\AMMYY\hr3
| MD5 | 65004bc7e97cdefcb0b5136d49a3190b |
| SHA1 | 401a12c244b16b49869a792eceb7415b0ebbb653 |
| SHA256 | 4e35a5ebcfbd651f4d37e05db52df93b58e22d007b03a608dfe6b41f432dad17 |
| SHA512 | 7074f878deef41e72a6212c8e651eedb014e39cf2c76dd35dec88647fa1b1a7bc5e9422214d0b111854d3eecf56b88229783c3355bb196c27fa270ee748bc881 |