Malware Analysis Report

2024-10-16 05:14

Sample ID 231222-s8amtadfc2
Target e06e64a7cc93a7372554f4fa74c3b54c
SHA256 b34545c6faf06eab1ca4db9d5378a0ca775d4d45e5b2fb6ee88e07180d240c70
Tags
ammyyadmin flawedammyy trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

b34545c6faf06eab1ca4db9d5378a0ca775d4d45e5b2fb6ee88e07180d240c70

Threat Level: Known bad

The file e06e64a7cc93a7372554f4fa74c3b54c was found to be: Known bad.

Malicious Activity Summary

ammyyadmin flawedammyy trojan

AmmyyAdmin payload

Ammyyadmin family

FlawedAmmyy RAT

Checks computer location settings

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-22 15:47

Signatures

AmmyyAdmin payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Ammyyadmin family

ammyyadmin

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-22 15:47

Reported

2023-12-24 04:42

Platform

win7-20231215-en

Max time kernel

54s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c10595327e8ca0b6b69b26b | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 330f5167e22384b15c4e3d68284df99f4aa12ffd84da45ccc3cd941a8f0716b260c3fb9731c84ccc87a2f05344a3eaf6d4772ae897276f92faaa54bbee60f65d8b3a7d82 | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe

"C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe"

C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe

"C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe"

C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe

"C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe" -service -lunch

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | rl.ammyy.com | udp
NL | 188.42.129.148:80 | rl.ammyy.com | tcp
DE | 136.243.104.242:443 | (none) | tcp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 097a18ed7b31114c7ef39ef06eff02f0
SHA1 276bb5fc8ab72ed3a447dd57be668ace8f75a7c1
SHA256 985b458559939244b777d09d71d6192a13f693b88b046ca904012603a5582812
SHA512 168ef05ddb434dd4003748c7cd6ea9ed5c8280506de4473c3b193fffc314b469e85e2474f919f189c9b7ffb16aa741d75900341a9802dae175ad185e1fea3e96

C:\ProgramData\AMMYY\hr3

MD5 7d0bc0f42b0c1407e78ed285c5224a58
SHA1 e0ed0070c6c651853c7e494e9060ed49eec0b872
SHA256 5c77d0b633d9526d1de705a513fc646d922c26bb7c9b30831bc8991cfb35b4f0
SHA512 9385c0b177c40418a8a13cdd32ba3aeeec5640072e1c4ae7f844e360899562bb5322e2481606e0e2361b70f70247c7eb64f42a734c07d2e90b03d1e5cba73d6d

C:\ProgramData\AMMYY\hr

MD5 231f00983dd712c247e780357a93433c
SHA1 03f56695c42d485857214aa6f3cdafc78a1f1d98
SHA256 afdb4bdd11cae1f6a6c30e3530c1f3c029ef1a330a54546134563f8b2a7d031a
SHA512 ce71a8b529c7d89ec395359233ef24a55b6af747256e462b8a1868a7776c50ac459e86377741dcbb2e7d4c6c92b534146f83373904bf567018f90e81b6bb6a50

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-22 15:47

Reported

2023-12-24 04:42

Platform

win10v2004-20231215-en

Max time kernel

17s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e155253d39e600d6b69b26b | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 95134326047501267ce156cb224673bf8d0419c8af55a2fd9c2fccf836ee9b47ab42adbb9a564acfdddc17b061532586a1295e2d291b680e0752736c0b5b79de4bf1643f | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe

"C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe"

C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe

"C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe

"C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | rl.ammyy.com | udp
NL | 188.42.129.148:80 | rl.ammyy.com | tcp
US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.177.190.20.in-addr.arpa | udp
DE | 136.243.104.235:443 | (none) | tcp
US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp

Files

C:\ProgramData\AMMYY\hr3

MD5 07b07bdd9dc68cb2bd6a98238c80d041
SHA1 a58a8d71c55898f3f1dac7a121f953d4eb0b4445
SHA256 cbb9d0b5f9cbe7ba23946dec1287622bcc241d2cdfb2e677fd926c5446041779
SHA512 ce1281414551b659bcf2bdb5f23261d3bfb01a00d1e6e9d4a358dd0157dcd5e7c8b489a735a129fd79f4a0c5deb52a25e003b304f9f7e450a3349957b058f77c

C:\ProgramData\AMMYY\hr

MD5 4ef1b181641e1cc03ad6066c08f87387
SHA1 81ec33e66223bde297bf3f092fe5ec5d96f6b69b
SHA256 35ca50a2d46f0229caf5d11ea6dae8bea80131f5cf0b4057271c23c06bf26bed
SHA512 eca848a737d1a007e39e9cf5af11cb5c6200c15c24286980201c43b274aa0f15bc6ce03b780aaa5a87a77e3bbe8283c779d3648a7a47e1e7dd41f38f5d9f42f0