Malware Analysis Report

2024-10-16 05:10

Sample ID: 231201-smrdfaca33
Target: 6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe.zip
SHA256: 1bac901d570725c59941c9164ca32fde855608e99f6d1819bc40bcd7ae9183cc
Tags: flawedammyy trojan ammyyadmin
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 1bac901d570725c59941c9164ca32fde855608e99f6d1819bc40bcd7ae9183cc

Threat Level: Known bad

The file 6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe.zip was found to be: Known bad.

Malicious Activity Summary

flawedammyy trojan ammyyadmin

AmmyyAdmin payload

Ammyyadmin family

FlawedAmmyy RAT

Checks computer location settings

Drops file in System32 directory

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-12-01 15:14

Signatures

AmmyyAdmin payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Ammyyadmin family

ammyyadmin

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-01 15:14
Reported: 2023-12-01 16:53
Platform: win7-20231020-en
Max time kernel: 151s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796e5f5e4c105953977284813e7bb26b | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 4d8753afb210d883acc3aebafd730c08c40f8beb5920abf001ec0e18a4a1744ddd5478da770961e07406d640bb571d06ed577744a0a22f0a675af9d7eaee69dc6cd91075 | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe

"C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe"

C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe

"C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe

"C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | rl.ammyy.com | udp
NL | 188.42.129.148:80 | rl.ammyy.com | tcp
DE | 136.243.104.242:443 | | tcp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 714f2508d4227f74b6adacfef73815d8
SHA1 a35c8a796e4453c0c09d011284b806d25bdad04c
SHA256 a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480
SHA512 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

C:\ProgramData\AMMYY\hr3

MD5 c406ccab2cb70d086e24454b7a5fb83c
SHA1 db1acc08b9767518bbf7de2ab3ab4750be094097
SHA256 801724a6639045a4cf12a2cca17db4008284a5b9d45963c38cf307c4babbd69d
SHA512 c7f29f1ab313bab9b4b617cfea5d15c1be5651ae5ad718b91cc4cab58727fb8b950c0a1d7748287b6ee81f7bcf6b5b4406e5ff278d9eef8c8a9f6a32222b3ca2

C:\ProgramData\AMMYY\hr

MD5 2cbb8be561d9c16a3ed0c912d65f2a1a
SHA1 6e42d690cedf002197263a9ca32064d97eb9127b
SHA256 d1f696145c72a0ba3d12302210e73215df6f77918e06e7b8d85675301648c190
SHA512 488b6f006253c0c246979c72bfce0b00fb6a622dfeaf4aa3ec43c0ceefaa4119558953f473109153324f7f2994239ecbd85298dcf810d47db8e5029a69f69eea

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-01 15:14
Reported: 2023-12-01 16:53
Platform: win10v2004-20231127-en
Max time kernel: 170s
Max time network: 190s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = cdbfe6aca5d518ec0bdc264e18cae3eb0b39eccabc12289b6ce4fcfe8be1cee67a83910ea94b6f76e52419186b47a52a2f9466fe1466ddf69d3e7af8f2f0f97700452216 | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e1552531f2fe3aa3e7bb26b | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe

"C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe"

C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe

"C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe

"C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 152.78.101.95.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | rl.ammyy.com | udp
NL | 188.42.129.148:80 | rl.ammyy.com | tcp
DE | 136.243.104.235:443 | | tcp
US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp
US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 25.14.97.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 80.14.97.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 714f2508d4227f74b6adacfef73815d8
SHA1 a35c8a796e4453c0c09d011284b806d25bdad04c
SHA256 a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480
SHA512 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

C:\ProgramData\AMMYY\hr

MD5 22f784067541187933d35a5b96eaa760
SHA1 27ea88394a07f26c754000e9bd978accc8c6535d
SHA256 753573f0c0e67d536f0021860914586c0b29ad744e65ca4afb8daf7bd3494329
SHA512 ea16bbb8a11753e14244146f7760a32ff571a7542cc19af23f5eaa0cf63e22ccce0915c11e68f867f48eae3cfc59075eb8eb7b0d4cd38e617cb733118274f7a0

C:\ProgramData\AMMYY\hr3

MD5 32ab3de2e311a5c20a07af98d185f029
SHA1 342b41b34d23fd68bd8deca6c578ce6071dfd3f5
SHA256 7a8febc62f95972bb71cb4557c111dec4f5293f7cd7a1b8997017f71c340d413
SHA512 b4cb02f5e67798aeffbde0f109f81adbd71523e19488a7799a24d25dc35414259b1ed16c626eda738db2fb74420a210e04467392915fa7b2deae5251dbcc706f