Analysis Overview
SHA256
847a62b88f8e17d9face6fac84037a125f66c4db0f1cdbf464305f053578d37b
Threat Level: Known bad
The file 18966a28fba7a616962f90694009a466 was found to be: Known bad.
Malicious Activity Summary
AmmyyAdmin payload
FlawedAmmyy RAT
Ammyyadmin family
Checks computer location settings
Unsigned PE
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-25 10:52
Signatures
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Ammyyadmin family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-25 10:52
Reported
2023-12-26 01:29
Platform
win7-20231215-en
Max time kernel
202s
Max time network
194s
Command Line
Signatures
FlawedAmmyy RAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c105953f7f3329ed268b26b | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 98759ccc60c6cc06fcfc29a10cb8a6dbd45313635e473691bc69e310158a5d89b13bfc3059ad71ffff80888f37e73d04f3b73ee66b8644f05851b1388d8e3a1ebc3668a4 | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2836 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe |
| PID 2836 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe |
| PID 2836 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe |
| PID 2836 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe
"C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe"
C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe
"C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe
"C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.242:443 | N/A | tcp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 0ab37e79601368085b4631f7a9c5597f |
| SHA1 | 7144ec339f1a518775a4719f3c1b5b2572775c1f |
| SHA256 | 142eee7e8791e4bd6f1e6bddacab55563c33069db8a977ea4416479ea5c1b565 |
| SHA512 | 7cec54972600f22f4024a90b145114fb5b6f2f1e20882495d36b0dd1a4f4174a11eacb4dda66d457b7193bdc328f8bf909b6e73cd9e0c3bfd46cb8018b926a55 |
C:\ProgramData\AMMYY\hr
| MD5 | ae06f6f2545b1c4d548a37e36b5ccb0c |
| SHA1 | d5195097cdaf1ff224ec5584f97d0657ab391269 |
| SHA256 | b3a38a0c13ff1d52e7414b3ffa50895af546f19b525c120a197bad0bef91c09e |
| SHA512 | b3158d219e76a5e0395560b2e66da13485c320024fb14268ca7bafe40e3134a2d20f3c03e75f95cbfa58433c558015585d3d803e91dbfa2a4a26f93a7922ab5b |
C:\ProgramData\AMMYY\hr3
| MD5 | bba80532b1280b56fcfe8ca650fd425f |
| SHA1 | 3a11351cfc56f596cf9ff24f18014013057d5df4 |
| SHA256 | 0479d7e8c2de5741c1c8cc6634c43946c2ccf6cb8b36a1cc4c4dc60edef8dd39 |
| SHA512 | 80c6293520c5023d5fec7e74152cb37992e31b67772a1d4df96b1f51fcfc904f8ac88d7c15f53daf48b01c844a044202216278f2e389876ef0173691b9b5da27 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-25 10:52
Reported
2023-12-26 01:28
Platform
win10v2004-20231215-en
Max time kernel
185s
Max time network
198s
Command Line
Signatures
FlawedAmmyy RAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e1552537021ffb8d268b26b | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = b3c23cc51b421695674ac80a960415f2e42febdc3cd30d2b196fef60b391126eb5750a677864ce8f6fea7a6849bc0a22faa60d43db5d897428269ca67c36f4695445c5dc | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 716 wrote to memory of 4516 | N/A | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe |
| PID 716 wrote to memory of 4516 | N/A | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe |
| PID 716 wrote to memory of 4516 | N/A | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe | C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe
"C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe"
C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe
"C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe
"C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.235:443 | N/A | tcp |
| US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 0ab37e79601368085b4631f7a9c5597f |
| SHA1 | 7144ec339f1a518775a4719f3c1b5b2572775c1f |
| SHA256 | 142eee7e8791e4bd6f1e6bddacab55563c33069db8a977ea4416479ea5c1b565 |
| SHA512 | 7cec54972600f22f4024a90b145114fb5b6f2f1e20882495d36b0dd1a4f4174a11eacb4dda66d457b7193bdc328f8bf909b6e73cd9e0c3bfd46cb8018b926a55 |
C:\ProgramData\AMMYY\hr
| MD5 | ff481a88f7d2b1517ada54ed48103c2a |
| SHA1 | 8b0c8efac9b299952b1ea734a2de5a9780b1e932 |
| SHA256 | 8e208f0b4fa3e33e568cca185f9aa37435beb188400ded747d32a21fc2e29b5c |
| SHA512 | a339f1ac4d6fa6bc6bb9b8198b4a2b6336452be83d2c79edd2d9bbd01717a25b14882f7084e857b08c6229f7ce298c318d3630a5e690226ca4dd1babc3a455ef |
C:\ProgramData\AMMYY\hr3
| MD5 | 30a3c0cfccca6d7f3b81811d7bcbdeb8 |
| SHA1 | 3eb32684624b111eb08e57c4bae0614ec1614f75 |
| SHA256 | 942a815d457c8fd527c9138f7e80c8844f0711f1d09a645391c208f23efaa2e6 |
| SHA512 | 494a398283527391339a82485cb6d63bcc17a391fd43b78472a7dfd6fb288c5f716498d0d76541352111f8f852f56dfcc2b91693600835db8f5d5209ead0edce |