Malware Analysis Report

2024-10-16 05:10

Sample ID: 231225-mycrjahael
Target: 18966a28fba7a616962f90694009a466
SHA256: 847a62b88f8e17d9face6fac84037a125f66c4db0f1cdbf464305f053578d37b
Tags: ammyyadmin flawedammyy trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 847a62b88f8e17d9face6fac84037a125f66c4db0f1cdbf464305f053578d37b

Threat Level: Known bad

The file 18966a28fba7a616962f90694009a466 was found to be: Known bad.

Malicious Activity Summary

Tags: ammyyadmin flawedammyy trojan

AmmyyAdmin payload

FlawedAmmyy RAT

Ammyyadmin family

Checks computer location settings

Unsigned PE

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-12-25 10:52

Signatures

AmmyyAdmin payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Ammyyadmin family

Tags: ammyyadmin

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-25 10:52
Reported: 2023-12-26 01:29
Platform: win7-20231215-en
Max time kernel: 202s
Max time network: 194s

Command Line

"C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe"

Signatures

FlawedAmmyy RAT

Tags: trojan flawedammyy

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c105953f7f3329ed268b26b | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 98759ccc60c6cc06fcfc29a10cb8a6dbd45313635e473691bc69e310158a5d89b13bfc3059ad71ffff80888f37e73d04f3b73ee66b8644f05851b1388d8e3a1ebc3668a4 | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe

"C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe"

C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe

"C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe

"C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | rl.ammyy.com | udp
NL | 188.42.129.148:80 | rl.ammyy.com | tcp
DE | 136.243.104.242:443 | | tcp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 0ab37e79601368085b4631f7a9c5597f
SHA1 7144ec339f1a518775a4719f3c1b5b2572775c1f
SHA256 142eee7e8791e4bd6f1e6bddacab55563c33069db8a977ea4416479ea5c1b565
SHA512 7cec54972600f22f4024a90b145114fb5b6f2f1e20882495d36b0dd1a4f4174a11eacb4dda66d457b7193bdc328f8bf909b6e73cd9e0c3bfd46cb8018b926a55

C:\ProgramData\AMMYY\hr

MD5 ae06f6f2545b1c4d548a37e36b5ccb0c
SHA1 d5195097cdaf1ff224ec5584f97d0657ab391269
SHA256 b3a38a0c13ff1d52e7414b3ffa50895af546f19b525c120a197bad0bef91c09e
SHA512 b3158d219e76a5e0395560b2e66da13485c320024fb14268ca7bafe40e3134a2d20f3c03e75f95cbfa58433c558015585d3d803e91dbfa2a4a26f93a7922ab5b

C:\ProgramData\AMMYY\hr3

MD5 bba80532b1280b56fcfe8ca650fd425f
SHA1 3a11351cfc56f596cf9ff24f18014013057d5df4
SHA256 0479d7e8c2de5741c1c8cc6634c43946c2ccf6cb8b36a1cc4c4dc60edef8dd39
SHA512 80c6293520c5023d5fec7e74152cb37992e31b67772a1d4df96b1f51fcfc904f8ac88d7c15f53daf48b01c844a044202216278f2e389876ef0173691b9b5da27

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-25 10:52
Reported: 2023-12-26 01:28
Platform: win10v2004-20231215-en
Max time kernel: 185s
Max time network: 198s

Command Line

"C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe"

Signatures

FlawedAmmyy RAT

Tags: trojan flawedammyy

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e1552537021ffb8d268b26b | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = b3c23cc51b421695674ac80a960415f2e42febdc3cd30d2b196fef60b391126eb5750a677864ce8f6fea7a6849bc0a22faa60d43db5d897428269ca67c36f4695445c5dc | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe

"C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe"

C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe

"C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe

"C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 66.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 82.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | rl.ammyy.com | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
NL | 188.42.129.148:80 | rl.ammyy.com | tcp
DE | 136.243.104.235:443 | | tcp
US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp
US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 40.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 0ab37e79601368085b4631f7a9c5597f
SHA1 7144ec339f1a518775a4719f3c1b5b2572775c1f
SHA256 142eee7e8791e4bd6f1e6bddacab55563c33069db8a977ea4416479ea5c1b565
SHA512 7cec54972600f22f4024a90b145114fb5b6f2f1e20882495d36b0dd1a4f4174a11eacb4dda66d457b7193bdc328f8bf909b6e73cd9e0c3bfd46cb8018b926a55

C:\ProgramData\AMMYY\hr

MD5 ff481a88f7d2b1517ada54ed48103c2a
SHA1 8b0c8efac9b299952b1ea734a2de5a9780b1e932
SHA256 8e208f0b4fa3e33e568cca185f9aa37435beb188400ded747d32a21fc2e29b5c
SHA512 a339f1ac4d6fa6bc6bb9b8198b4a2b6336452be83d2c79edd2d9bbd01717a25b14882f7084e857b08c6229f7ce298c318d3630a5e690226ca4dd1babc3a455ef

C:\ProgramData\AMMYY\hr3

MD5 30a3c0cfccca6d7f3b81811d7bcbdeb8
SHA1 3eb32684624b111eb08e57c4bae0614ec1614f75
SHA256 942a815d457c8fd527c9138f7e80c8844f0711f1d09a645391c208f23efaa2e6
SHA512 494a398283527391339a82485cb6d63bcc17a391fd43b78472a7dfd6fb288c5f716498d0d76541352111f8f852f56dfcc2b91693600835db8f5d5209ead0edce