Analysis Overview
SHA256
847a62b88f8e17d9face6fac84037a125f66c4db0f1cdbf464305f053578d37b
Threat Level: Known bad
The file 18966a28fba7a616962f90694009a466 was found to be: Known bad.
Malicious Activity Summary
AmmyyAdmin payload
Ammyyadmin family
FlawedAmmyy RAT
Checks computer location settings
Unsigned PE
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-24 23:13
Signatures
AmmyyAdmin payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Ammyyadmin family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-24 23:13
Reported
2023-12-26 03:21
Platform
win7-20231215-en
Max time kernel
150s
Max time network
146s
Command Line
Signatures
FlawedAmmyy RAT
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c105953c79e850fe268b26b | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 0708e9edba844bcfdb446a39a122f52cba8169043a817ac60a3bd4b1f7a685f0f4cbb80f885231b268503a37150313c30b66dcb47971cbc783fd9954774ee28ce779cf68 | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2144 wrote to memory of 2156 | N/A | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe |
| PID 2144 wrote to memory of 2156 | N/A | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe |
| PID 2144 wrote to memory of 2156 | N/A | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe |
| PID 2144 wrote to memory of 2156 | N/A | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe
"C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe"
C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe
"C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe
"C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.242:443 | | tcp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 0ab37e79601368085b4631f7a9c5597f |
| SHA1 | 7144ec339f1a518775a4719f3c1b5b2572775c1f |
| SHA256 | 142eee7e8791e4bd6f1e6bddacab55563c33069db8a977ea4416479ea5c1b565 |
| SHA512 | 7cec54972600f22f4024a90b145114fb5b6f2f1e20882495d36b0dd1a4f4174a11eacb4dda66d457b7193bdc328f8bf909b6e73cd9e0c3bfd46cb8018b926a55 |
C:\ProgramData\AMMYY\hr
| MD5 | a1bbe8de5b26474bae5b00bc35ebfead |
| SHA1 | e7ded2486fbfbc7825b25b7f1e3f6fc5f5d7525b |
| SHA256 | aa5580d4fad6ccc7902f4ed6f71f41468f11d9c798de6ba4f31796cc23646f72 |
| SHA512 | ab71c8216cd7f410a91e1c76a5e91640f658639f13deb703099804f8aaa661c40dd22be3cb413a533d9934d405590cf6dd3ff127fb85e6f10cc4e06aead5c21c |
C:\ProgramData\AMMYY\hr3
| MD5 | 383fd9d7b9f1cd08006889911228040b |
| SHA1 | dc2bbded0248d8965316d8141cac3495c2d84268 |
| SHA256 | 1d614a88e7df62cb9b37c0c359a372fecbae500f1296f5af4fb80f5730635d0d |
| SHA512 | dda4f53226eb34a8c0a6184983aec18df333e26c99235807d3762a047755312d0d5cff23cae3471940c4975641df0adc3bf37e8351295a3bc3c251c3efc77ab5 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-24 23:13
Reported
2023-12-26 03:21
Platform
win10v2004-20231215-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
FlawedAmmyy RAT
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e1552532bd9a10be268b26b | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = c2da8fc5fcc2c9166331042e917aeeac8b6bab19551b51d4cd11b7bd85277818671584d8cb572c360db3bbe896dded56e5dc03169642f765b6bcb6b045410744a648afcc | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2280 wrote to memory of 1336 | N/A | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe |
| PID 2280 wrote to memory of 1336 | N/A | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe |
| PID 2280 wrote to memory of 1336 | N/A | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe
"C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe"
C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe
"C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe
"C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.235:443 | | tcp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.1.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 0ab37e79601368085b4631f7a9c5597f |
| SHA1 | 7144ec339f1a518775a4719f3c1b5b2572775c1f |
| SHA256 | 142eee7e8791e4bd6f1e6bddacab55563c33069db8a977ea4416479ea5c1b565 |
| SHA512 | 7cec54972600f22f4024a90b145114fb5b6f2f1e20882495d36b0dd1a4f4174a11eacb4dda66d457b7193bdc328f8bf909b6e73cd9e0c3bfd46cb8018b926a55 |
C:\ProgramData\AMMYY\hr
| MD5 | 74815f2583a01dd553c3069e2c9ca16b |
| SHA1 | efe5917d4beae084419d0af0e2c92c82ac20b13b |
| SHA256 | 9af3723ecc9e7a954c973201a0f056029d62b8318f27ed4eaa10966da354603b |
| SHA512 | 40d56c7fcd9c1eaf3c228df9b79a83fb6a5a8e066f48a3c3c11e71f496d32b6f8fc08f9c25e36439c93d891b17911d9cba67e52d1d4d81da0533aa0260fa235d |
C:\ProgramData\AMMYY\hr3
| MD5 | 93c105c12c965d01a26c9e0cbd3b2727 |
| SHA1 | 42f714404d61e52eed232f510efa4474bb13961a |
| SHA256 | 87da020507295b9fa549be759a57d911ba56385451452cdf62b42f2e8635a836 |
| SHA512 | c686ed128171069460890b7f28a4e26ea2f63a62c1e4f6cde054a4e24dbdaa1c67145ef9606f0eb6484e377d47911f3ba14381ea2377edfc374c0d6663161d26 |