Malware Analysis Report

2024-10-16 05:10

Sample ID 231224-27ve9scea5
Target 18966a28fba7a616962f90694009a466
SHA256 847a62b88f8e17d9face6fac84037a125f66c4db0f1cdbf464305f053578d37b
Tags
ammyyadmin flawedammyy trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK - Enterprise Matrix V15
Analysis: static1 - Detonation Overview, Signatures
Analysis: behavioral1 - Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral2 - Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

score
10/10

SHA256

847a62b88f8e17d9face6fac84037a125f66c4db0f1cdbf464305f053578d37b

Threat Level: Known bad

The file 18966a28fba7a616962f90694009a466 was found to be: Known bad.

Malicious Activity Summary

ammyyadmin flawedammyy trojan

AmmyyAdmin payload

Ammyyadmin family

FlawedAmmyy RAT

Checks computer location settings

Unsigned PE

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-24 23:13

Signatures

AmmyyAdmin payload

Description, Indicator, Process, Target: none recorded (all N/A)

Ammyyadmin family

ammyyadmin

Unsigned PE

Description, Indicator, Process, Target: none recorded (all N/A)

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-24 23:13

Reported

2023-12-26 03:21

Platform

win7-20231215-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Checks computer location settings

Key value queried: \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe (target N/A)

Modifies data under HKEY_USERS

Process for all rows: C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe (target N/A)

Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c105953c79e850fe268b26b
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 0708e9edba844bcfdb446a39a122f52cba8169043a817ac60a3bd4b1f7a685f0f4cbb80f885231b268503a37150313c30b66dcb47971cbc783fd9954774ee28ce779cf68
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

Suspicious use of FindShellTrayWindow

Process: C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe (description, indicator and target not recorded)

Suspicious use of SendNotifyMessage

Process: C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe (description, indicator and target not recorded)

Processes

C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe

"C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe"

C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe

"C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe

"C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe"

Network

Country  Destination          Domain        Proto
US       8.8.8.8:53           rl.ammyy.com  udp
NL       188.42.129.148:80    rl.ammyy.com  tcp
DE       136.243.104.242:443  -             tcp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 0ab37e79601368085b4631f7a9c5597f
SHA1 7144ec339f1a518775a4719f3c1b5b2572775c1f
SHA256 142eee7e8791e4bd6f1e6bddacab55563c33069db8a977ea4416479ea5c1b565
SHA512 7cec54972600f22f4024a90b145114fb5b6f2f1e20882495d36b0dd1a4f4174a11eacb4dda66d457b7193bdc328f8bf909b6e73cd9e0c3bfd46cb8018b926a55

C:\ProgramData\AMMYY\hr

MD5 a1bbe8de5b26474bae5b00bc35ebfead
SHA1 e7ded2486fbfbc7825b25b7f1e3f6fc5f5d7525b
SHA256 aa5580d4fad6ccc7902f4ed6f71f41468f11d9c798de6ba4f31796cc23646f72
SHA512 ab71c8216cd7f410a91e1c76a5e91640f658639f13deb703099804f8aaa661c40dd22be3cb413a533d9934d405590cf6dd3ff127fb85e6f10cc4e06aead5c21c

C:\ProgramData\AMMYY\hr3

MD5 383fd9d7b9f1cd08006889911228040b
SHA1 dc2bbded0248d8965316d8141cac3495c2d84268
SHA256 1d614a88e7df62cb9b37c0c359a372fecbae500f1296f5af4fb80f5730635d0d
SHA512 dda4f53226eb34a8c0a6184983aec18df333e26c99235807d3762a047755312d0d5cff23cae3471940c4975641df0adc3bf37e8351295a3bc3c251c3efc77ab5
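The behavioral1 run above yields a complete host-and-network chain: the second process instance is started with "-service -lunch" (the service-launch switch of the Ammyy Admin code base, spelled that way in the binary), configuration is written under HKEY_USERS\.DEFAULT (the LocalSystem profile hive, consistent with the service instance), three files land in C:\ProgramData\AMMYY, and the sample resolves rl.ammyy.com before connecting to 188.42.129.148:80 and 136.243.104.242:443. The block below turns those rows into detection logic run over a stream of Sysmon-style events. It is an added example for this page, not code from the sandbox or from any vendor; the events in SAMPLE_EVENTS are constructed to mirror the report, and the use of Sysmon field names (EventID 1, 3, 11, 13, 22) is an assumption about the reader's telemetry. Because the same artifacts are produced by the legitimate Ammyy Admin tool that FlawedAmmyy was derived from, the verdict function only fires when the full host chain plus a network indicator are present, and a match should still be read together with the report's "Unsigned PE" signature rather than as proof of malice on its own.

```python
"""Match the behaviour recorded in behavioral1 against Sysmon-style events.

Added example for this page, not code from the sandbox or from any vendor.
SAMPLE_EVENTS is constructed to mirror the report; field names follow
Sysmon's schema (EventID 1 process create, 3 network connect, 11 file
create, 13 registry value set, 22 DNS query), which is an assumption
about the telemetry the reader has.
"""
import re

# Indicators taken from the behavioral1 section of the report.
AMMYY_CMDLINE = re.compile(r"\s-service\s+-lunch\b", re.IGNORECASE)  # Ammyy's own spelling
AMMYY_REG_ROOTS = (
    "\\REGISTRY\\USER\\.DEFAULT\\SOFTWARE\\Ammyy",   # native path, as the sandbox logs it
    "HKU\\.DEFAULT\\SOFTWARE\\Ammyy",                 # the same key as Sysmon renders it
)
AMMYY_FILE_DIR = "C:\\ProgramData\\AMMYY"
AMMYY_FILES = {"SETTINGS3.BIN", "HR", "HR3"}
AMMYY_DOMAINS = {"rl.ammyy.com"}
AMMYY_ROUTER_IPS = {"188.42.129.148", "136.243.104.242"}   # behavioral1 peers only

HOST_RULES = {"ammyy_service_launch_cmdline", "ammyy_hku_default_settings",
              "ammyy_programdata_artifact"}
NET_RULES = {"ammyy_router_list_dns", "ammyy_router_ip"}


def _under(path, root):
    """True if path equals root or lies below it; Windows paths are case-insensitive."""
    p, r = path.upper(), root.upper()
    return p == r or p.startswith(r + "\\")


def classify_event(ev):
    """Return the names of every rule the event matches (empty list if none)."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1 and AMMYY_CMDLINE.search(ev.get("CommandLine", "")):
        hits.append("ammyy_service_launch_cmdline")
    elif eid == 13 and any(_under(ev.get("TargetObject", ""), r) for r in AMMYY_REG_ROOTS):
        hits.append("ammyy_hku_default_settings")
    elif eid == 11:
        path = ev.get("TargetFilename", "")
        if _under(path, AMMYY_FILE_DIR) and path.rsplit("\\", 1)[-1].upper() in AMMYY_FILES:
            hits.append("ammyy_programdata_artifact")
    elif eid == 22 and ev.get("QueryName", "").lower() in AMMYY_DOMAINS:
        hits.append("ammyy_router_list_dns")
    elif eid == 3 and ev.get("DestinationIp") in AMMYY_ROUTER_IPS:
        hits.append("ammyy_router_ip")
    return hits


def scan(events):
    """Count rule hits over an event stream."""
    counts = {}
    for ev in events:
        for rule in classify_event(ev):
            counts[rule] = counts.get(rule, 0) + 1
    return counts


def verdict(counts):
    """Require the whole host-side chain plus a network indicator before calling it."""
    seen = set(counts)
    if HOST_RULES <= seen and seen & NET_RULES:
        return "ammyy-admin-behaviour"
    if seen & (HOST_RULES | NET_RULES):
        return "partial-match"
    return "clean"


# Constructed events mirroring behavioral1, plus two benign records that must not fire.
EXE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\18966a28fba7a616962f90694009a466.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": EXE, "CommandLine": f'"{EXE}"'},
    {"EventID": 1, "Image": EXE, "CommandLine": f'"{EXE}" -service -lunch'},
    {"EventID": 13, "Image": EXE,
     "TargetObject": "\\REGISTRY\\USER\\.DEFAULT\\SOFTWARE\\Ammyy\\Admin\\hr",
     "Details": "537d56736608796e5f5e4c105953c79e850fe268b26b"},
    {"EventID": 11, "Image": EXE, "TargetFilename": "C:\\ProgramData\\AMMYY\\settings3.bin"},
    {"EventID": 22, "Image": EXE, "QueryName": "rl.ammyy.com"},
    {"EventID": 3, "Image": EXE, "DestinationIp": "136.243.104.242", "DestinationPort": 443},
    {"EventID": 22, "Image": "C:\\Windows\\System32\\svchost.exe", "QueryName": "g.bing.com"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    counts = scan(SAMPLE_EVENTS)
    for rule, n in sorted(counts.items()):
        print(f"{n:2d}  {rule}")
    print("verdict:", verdict(counts))
```

Run stand-alone, the block reports one hit per rule and the verdict "ammyy-admin-behaviour"; the first process-creation record (no switches) and the two svchost records match nothing. To reuse the logic on real telemetry, feed classify_event the parsed Sysmon records and keep the rule names as the alert fields.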

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-24 23:13

Reported

2023-12-26 03:21

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Checks computer location settings

Key value queried: \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe (target N/A)

Modifies data under HKEY_USERS

Process for all rows: C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe (target N/A)

Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE
Key created       \REGISTRY\USER\.DEFAULT\Software\Ammyy
Key created       \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e1552532bd9a10be268b26b
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = c2da8fc5fcc2c9166331042e917aeeac8b6bab19551b51d4cd11b7bd85277818671584d8cb572c360db3bbe896dded56e5dc03169642f765b6bcb6b045410744a648afcc

Suspicious use of FindShellTrayWindow

Process: C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe (description, indicator and target not recorded)

Suspicious use of SendNotifyMessage

Process: C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe (description, indicator and target not recorded)

Processes

C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe

"C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe"

C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe

"C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe

"C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe"

Network

Country  Destination          Domain                         Proto
US       8.8.8.8:53           rl.ammyy.com                   udp
NL       188.42.129.148:80    rl.ammyy.com                   tcp
DE       136.243.104.235:443  -                              tcp
US       8.8.8.8:53           158.240.127.40.in-addr.arpa    udp
US       8.8.8.8:53           148.129.42.188.in-addr.arpa    udp
US       8.8.8.8:53           g.bing.com                     udp
US       204.79.197.200:443   g.bing.com                     tcp
US       8.8.8.8:53           200.197.79.204.in-addr.arpa    udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53           83.177.190.20.in-addr.arpa     udp
US       8.8.8.8:53           175.178.17.96.in-addr.arpa     udp
US       8.8.8.8:53           9.228.82.20.in-addr.arpa       udp
US       8.8.8.8:53           55.36.223.20.in-addr.arpa      udp
US       8.8.8.8:53           235.104.243.136.in-addr.arpa   udp
US       8.8.8.8:53           157.123.68.40.in-addr.arpa     udp
US       8.8.8.8:53           41.110.16.96.in-addr.arpa      udp
US       8.8.8.8:53           208.194.73.20.in-addr.arpa     udp
US       8.8.8.8:53           59.128.231.4.in-addr.arpa      udp
US       8.8.8.8:53           15.164.165.52.in-addr.arpa     udp
US       8.8.8.8:53           18.134.221.88.in-addr.arpa     udp
US       8.8.8.8:53           183.1.37.23.in-addr.arpa       udp
US       8.8.8.8:53           119.110.54.20.in-addr.arpa     udp
US       8.8.8.8:53           174.178.17.96.in-addr.arpa     udp
US       8.8.8.8:53           0.204.248.87.in-addr.arpa      udp
US       8.8.8.8:53           57.169.31.20.in-addr.arpa      udp
US       8.8.8.8:53           0.205.248.87.in-addr.arpa      udp
US       8.8.8.8:53           173.178.17.96.in-addr.arpa     udp
US       8.8.8.8:53           178.223.142.52.in-addr.arpa    udp
US       8.8.8.8:53           13.227.111.52.in-addr.arpa     udp
US       8.8.8.8:53           26.35.223.20.in-addr.arpa      udp
US       8.8.8.8:53           tse1.mm.bing.net               udp
US       204.79.197.200:443   tse1.mm.bing.net               tcp (5 connections)
US       8.8.8.8:53           217.135.221.88.in-addr.arpa    udp

Only the first three rows are the sample's own traffic: the rl.ammyy.com lookup, the 188.42.129.148:80 session and the direct 136.243.104.235:443 connection (a different peer from behavioral1's 136.243.104.242, in the same /24). The g.bing.com and tse1.mm.bing.net rows are Windows 10 background traffic from the sandbox image, and the in-addr.arpa rows are PTR lookups of connection peers (148.129.42.188 and 235.104.243.136 reverse to the two Ammyy endpoints above; the rest are mostly Microsoft address space). None of those should be taken as indicators for this sample.
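The Windows 10 table mixes the sample's three connections with reverse lookups and search/telemetry traffic from the image, and the direct-IP row has no domain column at all, so a script that exports this table to a blocklist has to parse rows of varying width and then decide which rows belong to the sample. The block below does that for a verbatim subset of the table. It is an added example for this page, not part of the sandbox's output: NETWORK_ROWS is copied from the table above, and the NOISE_DOMAINS tuple encodes the assumption that bing.com and bing.net hosts are platform background traffic rather than sample activity. The in-addr.arpa names are turned back into IP addresses so that PTR lookups of the sample's own peers can be separated from the rest.

```python
"""Triage the behavioral2 network table: sample traffic vs sandbox noise.

Added example for this page, not code from the sandbox. NETWORK_ROWS is a
verbatim subset of the report's table; NOISE_DOMAINS is this example's
assumption about what the Windows 10 image generates on its own.
"""

NETWORK_ROWS = """\
US 8.8.8.8:53 rl.ammyy.com udp
NL 188.42.129.148:80 rl.ammyy.com tcp
DE 136.243.104.235:443 tcp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 148.129.42.188.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 235.104.243.136.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""

NOISE_DOMAINS = (".bing.com", ".bing.net")   # assumption: Windows 10 image background traffic
RESOLVER = "8.8.8.8:53"                        # the sandbox's DNS resolver, from the table


def parse_rows(text):
    """Rows carry 3 or 4 whitespace-separated fields; the domain column is optional."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue  # blank or malformed line
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'235.104.243.136.in-addr.arpa' -> '136.243.104.235'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name or not name.endswith(suffix):
        return None
    return ".".join(reversed(name[: -len(suffix)].split(".")))


def classify(row):
    """Label a row; order matters because noise domains are also queried via the resolver."""
    d = row["domain"]
    if d and d.endswith(".in-addr.arpa"):
        return "reverse-lookup"
    if d and d.endswith(NOISE_DOMAINS):
        return "platform-noise"
    if row["dest"] == RESOLVER:
        return "sample-dns"
    if d is None:
        return "sample-direct-ip"
    return "sample-connection"


def triage(text):
    """Reduce the table to blocklist candidates plus an account of what was dropped."""
    out = {"domains": set(), "endpoints": set(), "ptr_lookups": set(), "noise": 0}
    for row in parse_rows(text):
        kind = classify(row)
        if kind == "reverse-lookup":
            out["ptr_lookups"].add(ptr_to_ip(row["domain"]))
        elif kind == "platform-noise":
            out["noise"] += 1
        elif kind == "sample-dns":
            out["domains"].add(row["domain"])
        else:
            out["endpoints"].add(row["dest"])
    # PTR lookups of the sample's own peers are the OS naming those connections;
    # anything left over is unexplained by the table and worth a second look.
    endpoint_ips = {ep.rsplit(":", 1)[0] for ep in out["endpoints"]}
    out["ptr_of_sample_endpoints"] = out["ptr_lookups"] & endpoint_ips
    out["ptr_unexplained"] = out["ptr_lookups"] - endpoint_ips
    return out


if __name__ == "__main__":
    result = triage(NETWORK_ROWS)
    print("block domains :", sorted(result["domains"]))
    print("block endpoints:", sorted(result["endpoints"]))
    print("PTR of sample peers:", sorted(result["ptr_of_sample_endpoints"]))
    print("PTR unexplained    :", sorted(result["ptr_unexplained"]))
    print("noise rows dropped :", result["noise"])
```

On the subset above the blocklist reduces to rl.ammyy.com, 188.42.129.148:80 and 136.243.104.235:443; the two PTR lookups for those peers are accounted for, the lookup of 40.127.240.158 is left as unexplained, and the four bing rows are dropped. Feeding the whole table through the same functions only lengthens the unexplained PTR list.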

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 0ab37e79601368085b4631f7a9c5597f
SHA1 7144ec339f1a518775a4719f3c1b5b2572775c1f
SHA256 142eee7e8791e4bd6f1e6bddacab55563c33069db8a977ea4416479ea5c1b565
SHA512 7cec54972600f22f4024a90b145114fb5b6f2f1e20882495d36b0dd1a4f4174a11eacb4dda66d457b7193bdc328f8bf909b6e73cd9e0c3bfd46cb8018b926a55

C:\ProgramData\AMMYY\hr

MD5 74815f2583a01dd553c3069e2c9ca16b
SHA1 efe5917d4beae084419d0af0e2c92c82ac20b13b
SHA256 9af3723ecc9e7a954c973201a0f056029d62b8318f27ed4eaa10966da354603b
SHA512 40d56c7fcd9c1eaf3c228df9b79a83fb6a5a8e066f48a3c3c11e71f496d32b6f8fc08f9c25e36439c93d891b17911d9cba67e52d1d4d81da0533aa0260fa235d

C:\ProgramData\AMMYY\hr3

MD5 93c105c12c965d01a26c9e0cbd3b2727
SHA1 42f714404d61e52eed232f510efa4474bb13961a
SHA256 87da020507295b9fa549be759a57d911ba56385451452cdf62b42f2e8635a836
SHA512 c686ed128171069460890b7f28a4e26ea2f63a62c1e4f6cde054a4e24dbdaa1c67145ef9606f0eb6484e377d47911f3ba14381ea2377edfc374c0d6663161d26
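Comparing the two detonations is what tells a practitioner which of these values are worth hashing on. settings3.bin has the same SHA256 on Windows 7 and Windows 10, while hr and hr3 (both the files and the registry values) differ on every run, and the 443 peer changes within one /24. The block below makes that comparison explicit and turns it into hunt guidance. It is an added example, not part of the report: the values in RUN_WIN7 and RUN_WIN10 are copied from the behavioral1 and behavioral2 sections above, and the "file:", "reg:" and "net:" labels are this example's own naming. The report does not document the format of hr or hr3, so the shared-prefix measurement is only a hint for further reversing, not a claim about what the bytes mean.

```python
"""Which of the report's indicators are stable across the two detonations?

Added example for this page, not code from the sandbox. RUN_WIN7 and
RUN_WIN10 are copied from the behavioral1 and behavioral2 sections; the
label scheme ("file:", "reg:", "net:") is this example's own.
"""

RUN_WIN7 = {
    "file:C:\\ProgramData\\AMMYY\\settings3.bin": "142eee7e8791e4bd6f1e6bddacab55563c33069db8a977ea4416479ea5c1b565",
    "file:C:\\ProgramData\\AMMYY\\hr": "aa5580d4fad6ccc7902f4ed6f71f41468f11d9c798de6ba4f31796cc23646f72",
    "file:C:\\ProgramData\\AMMYY\\hr3": "1d614a88e7df62cb9b37c0c359a372fecbae500f1296f5af4fb80f5730635d0d",
    "reg:HKU\\.DEFAULT\\Software\\Ammyy\\Admin\\hr": "537d56736608796e5f5e4c105953c79e850fe268b26b",
    "reg:HKU\\.DEFAULT\\Software\\Ammyy\\Admin\\hr3": "0708e9edba844bcfdb446a39a122f52cba8169043a817ac60a3bd4b1f7a685f0f4cbb80f885231b268503a37150313c30b66dcb47971cbc783fd9954774ee28ce779cf68",
    "net:rl.ammyy.com": "188.42.129.148:80",
    "net:direct-443": "136.243.104.242:443",
}
RUN_WIN10 = {
    "file:C:\\ProgramData\\AMMYY\\settings3.bin": "142eee7e8791e4bd6f1e6bddacab55563c33069db8a977ea4416479ea5c1b565",
    "file:C:\\ProgramData\\AMMYY\\hr": "9af3723ecc9e7a954c973201a0f056029d62b8318f27ed4eaa10966da354603b",
    "file:C:\\ProgramData\\AMMYY\\hr3": "87da020507295b9fa549be759a57d911ba56385451452cdf62b42f2e8635a836",
    "reg:HKU\\.DEFAULT\\Software\\Ammyy\\Admin\\hr": "537d56736608796d5b5b4e1552532bd9a10be268b26b",
    "reg:HKU\\.DEFAULT\\Software\\Ammyy\\Admin\\hr3": "c2da8fc5fcc2c9166331042e917aeeac8b6bab19551b51d4cd11b7bd85277818671584d8cb572c360db3bbe896dded56e5dc03169642f765b6bcb6b045410744a648afcc",
    "net:rl.ammyy.com": "188.42.129.148:80",
    "net:direct-443": "136.243.104.235:443",
}


def compare_runs(*runs):
    """Split indicators into those with one value in every run and those that vary."""
    stable, volatile = {}, {}
    for key in sorted(set().union(*runs)):
        values = [run.get(key) for run in runs]
        if None in values:
            continue  # not observed in every run; nothing to say about stability
        (stable if len(set(values)) == 1 else volatile)[key] = values
    return stable, volatile


def common_prefix_len(values):
    """Number of leading hex characters shared by all values (hint at fixed header fields)."""
    n = 0
    for chars in zip(*values):
        if len(set(chars)) != 1:
            break
        n += 1
    return n


def same_slash24(endpoints):
    """True if every ip:port endpoint lies in a single /24."""
    nets = {ep.rsplit(":", 1)[0].rsplit(".", 1)[0] for ep in endpoints}
    return len(nets) == 1


def hunting_plan(stable, volatile):
    """Stable values can be matched directly; volatile ones are hunted by name or range."""
    plan = {}
    for key, values in stable.items():
        plan[key] = "match on value " + values[0]
    for key, values in volatile.items():
        if key.startswith("net:") and same_slash24(values):
            net = values[0].rsplit(".", 1)[0]
            plan[key] = "per-run IP within " + net + ".0/24; hunt on the range, confirm before blocking"
        else:
            plan[key] = "per-run value; hunt on the name " + key.split(":", 1)[1]
    return plan


if __name__ == "__main__":
    stable, volatile = compare_runs(RUN_WIN7, RUN_WIN10)
    for key, advice in hunting_plan(stable, volatile).items():
        print(f"{key}\n    {advice}")
    hr = volatile["reg:HKU\\.DEFAULT\\Software\\Ammyy\\Admin\\hr"]
    print("shared hr prefix (hex chars):", common_prefix_len(hr))
```

The output marks settings3.bin and the rl.ammyy.com endpoint as value-matchable, everything named hr or hr3 as path- or key-name hunts, and the 443 peer as a 136.243.104.0/24 range to watch. The two registry hr values share their first 15 hex characters and the hr3 values share none, which is the kind of detail a reverser would check against the binary before reading anything into it.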