Analysis Overview
SHA256
b34545c6faf06eab1ca4db9d5378a0ca775d4d45e5b2fb6ee88e07180d240c70
Threat Level: Known bad
The file e06e64a7cc93a7372554f4fa74c3b54c was found to be: Known bad.
Malicious Activity Summary
AmmyyAdmin payload
Ammyyadmin family
FlawedAmmyy RAT
Checks computer location settings
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-22 15:47
Signatures
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Ammyyadmin family
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-22 15:47
Reported
2023-12-24 04:42
Platform
win7-20231215-en
Max time kernel
54s
Max time network
140s
Command Line
Signatures
FlawedAmmyy RAT
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c10595327e8ca0b6b69b26b | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 330f5167e22384b15c4e3d68284df99f4aa12ffd84da45ccc3cd941a8f0716b260c3fb9731c84ccc87a2f05344a3eaf6d4772ae897276f92faaa54bbee60f65d8b3a7d82 | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1988 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe |
| PID 1988 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe |
| PID 1988 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe |
| PID 1988 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe
"C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe"
C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe
"C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe"
C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe
"C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe" -service -lunch
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.242:443 | N/A | tcp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 097a18ed7b31114c7ef39ef06eff02f0 |
| SHA1 | 276bb5fc8ab72ed3a447dd57be668ace8f75a7c1 |
| SHA256 | 985b458559939244b777d09d71d6192a13f693b88b046ca904012603a5582812 |
| SHA512 | 168ef05ddb434dd4003748c7cd6ea9ed5c8280506de4473c3b193fffc314b469e85e2474f919f189c9b7ffb16aa741d75900341a9802dae175ad185e1fea3e96 |
C:\ProgramData\AMMYY\hr3
| MD5 | 7d0bc0f42b0c1407e78ed285c5224a58 |
| SHA1 | e0ed0070c6c651853c7e494e9060ed49eec0b872 |
| SHA256 | 5c77d0b633d9526d1de705a513fc646d922c26bb7c9b30831bc8991cfb35b4f0 |
| SHA512 | 9385c0b177c40418a8a13cdd32ba3aeeec5640072e1c4ae7f844e360899562bb5322e2481606e0e2361b70f70247c7eb64f42a734c07d2e90b03d1e5cba73d6d |
C:\ProgramData\AMMYY\hr
| MD5 | 231f00983dd712c247e780357a93433c |
| SHA1 | 03f56695c42d485857214aa6f3cdafc78a1f1d98 |
| SHA256 | afdb4bdd11cae1f6a6c30e3530c1f3c029ef1a330a54546134563f8b2a7d031a |
| SHA512 | ce71a8b529c7d89ec395359233ef24a55b6af747256e462b8a1868a7776c50ac459e86377741dcbb2e7d4c6c92b534146f83373904bf567018f90e81b6bb6a50 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-22 15:47
Reported
2023-12-24 04:42
Platform
win10v2004-20231215-en
Max time kernel
17s
Max time network
149s
Command Line
Signatures
FlawedAmmyy RAT
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e155253d39e600d6b69b26b | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 95134326047501267ce156cb224673bf8d0419c8af55a2fd9c2fccf836ee9b47ab42adbb9a564acfdddc17b061532586a1295e2d291b680e0752736c0b5b79de4bf1643f | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 348 wrote to memory of 452 | N/A | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe |
| PID 348 wrote to memory of 452 | N/A | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe |
| PID 348 wrote to memory of 452 | N/A | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe
"C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe"
C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe
"C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe
"C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.177.190.20.in-addr.arpa | udp |
| DE | 136.243.104.235:443 | N/A | tcp |
| US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
C:\ProgramData\AMMYY\hr3
| MD5 | 07b07bdd9dc68cb2bd6a98238c80d041 |
| SHA1 | a58a8d71c55898f3f1dac7a121f953d4eb0b4445 |
| SHA256 | cbb9d0b5f9cbe7ba23946dec1287622bcc241d2cdfb2e677fd926c5446041779 |
| SHA512 | ce1281414551b659bcf2bdb5f23261d3bfb01a00d1e6e9d4a358dd0157dcd5e7c8b489a735a129fd79f4a0c5deb52a25e003b304f9f7e450a3349957b058f77c |
C:\ProgramData\AMMYY\hr
| MD5 | 4ef1b181641e1cc03ad6066c08f87387 |
| SHA1 | 81ec33e66223bde297bf3f092fe5ec5d96f6b69b |
| SHA256 | 35ca50a2d46f0229caf5d11ea6dae8bea80131f5cf0b4057271c23c06bf26bed |
| SHA512 | eca848a737d1a007e39e9cf5af11cb5c6200c15c24286980201c43b274aa0f15bc6ce03b780aaa5a87a77e3bbe8283c779d3648a7a47e1e7dd41f38f5d9f42f0 |