Malware Analysis Report

2024-10-16 05:10

Sample ID 231226-tyd3xsbabm
Target 7ca5b68585b14145e79b800d7d1c6e57
SHA256 42b1ae153366264dc556bcf909ade649caeb796151458e1096a3087b1c956c7e
Tags
evasion trojan ammyyadmin flawedammyy
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

42b1ae153366264dc556bcf909ade649caeb796151458e1096a3087b1c956c7e

Threat Level: Known bad

The file 7ca5b68585b14145e79b800d7d1c6e57 was found to be: Known bad.

Malicious Activity Summary

evasion trojan ammyyadmin flawedammyy

FlawedAmmyy RAT

Ammyyadmin family

AmmyyAdmin payload

Checks computer location settings

Checks whether UAC is enabled

Drops file in System32 directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-26 16:27

Signatures

AmmyyAdmin payload

Description Indicator Process Target
N/A N/A N/A N/A

Ammyyadmin family

ammyyadmin

Analysis: behavioral3

Detonation Overview

Submitted

2023-12-26 16:27

Reported

2023-12-28 05:08

Platform

win7-20231215-en

Max time kernel

142s

Max time network

140s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\sainetco.ir.url

Signatures

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\System32\rundll32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d80bef292bee784c8e3c940d61fdfeb8000000000200000000001066000000010000200000006b7c39539fe8fa133c663d6ed151411f65bb7e8c4de6b5c94980b08b16908e2f000000000e8000000002000020000000625c6128130ab3008aa1427f0d39daef26d1690a484e2c3084d125c562a148762000000083191c4af3ebdb17c9268d28699d9849bcf5f3a2134b881781ec34a34b01eece4000000054d792440a09daf3d5861838bccf45f23863ed90a04abcb86555b115e13fdc6f74989ed23224657d3573a3b2cb204f028e2104d6609dee483ec47c85c377c3d3 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50dd99b94b39da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d80bef292bee784c8e3c940d61fdfeb80000000002000000000010660000000100002000000073a6d29f7ba37171d81d52c81e2aa02cda01c0b55de3499cd02fabc3bb7415f3000000000e8000000002000020000000073ff6c9b3f5fa338dd1047ce0f03113282c5262ed6f00ffad3258cac1b5a1ad90000000dcb0ac3b4e00f222126778ad5807c1b9482284bb182543efddd5d33ae31eecc313fd1471e9a75ab25b32acb9682fa84b04c311a6a3100aebd17432a0440365d81e45255fa110ec5df377dc3035b6900159a2c5508a4f631e71348bc872511ad433235a6664cb14795330a6a4d381b217b658af1a83fa801a8e202762a06935f5edfd67d4e769b44d0bb08b5dd594589340000000f99c2f513597bef0fe6cfbaca075658d66b3b2eaac01bca4fe0851b8c96dfd4df59ebc34dc0cbed6f05757c7fc1e2ee28ed90e4c228f8c61445479938f351e08 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CB3D0FA1-A53E-11EE-B517-EED0D7A1BF98} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "409901836" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\sainetco.ir.url

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1300 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.sainetco.ir udp
DE 46.4.96.88:80 www.sainetco.ir tcp
DE 46.4.96.88:80 www.sainetco.ir tcp
DE 46.4.96.88:80 www.sainetco.ir tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2444-0-0x00000000001C0000-0x00000000001D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab3F06.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar416A.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f0a685620bace071d5cef95a199b567f
SHA1 e698ac23ba2e53512fc2857de9245918ef9fcac3
SHA256 c5b923cc6c7d79665d200aa1726137f17a5ce0ba9f1b8414ef35337894017e53
SHA512 2a60837ae099e9f6b76ca5ee1d7c6f54d14d8048160633779535ce70e2b9354f25fc6a32ca8da3780bb31a93cbe2b85a171e364ef87cf0b9eec4ab885fc5b5cc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8b91e37fdb76b0bafe8b232424ab5142
SHA1 036d0b29c8e77225bfc45416da4ec358dc5be0a1
SHA256 c6670735ce44635145c8554b8924a692ec992ef047f0f2272a7a3f87f19bfc88
SHA512 121c3ce17327495c019e9832b3e346fa53ae08c8e5223f54959e2a6119bacbeb2ebc3749f2927f6e87ec4ecbc9bdb22e3be48c7fb24e062509250d0aa1167280

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7de538efe3d6dcf83c8645a5255395d5
SHA1 670a774909a12482b28579bf6ad9460a0ddf6d40
SHA256 e1f500e957d5e113942cc5f8be2457625f9478dc2e6ab525051310cb23d6f645
SHA512 26ada39658a59d1bb08bcbac9e82fefcbd29a8312c74b66776ed74ce0272fd4919a604ca1746e21e69aed7d9e536c3d2d2dee9d45ea65853f93edf2376df804e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 86d5a053bbd6b01123e5a5eceaa78c34
SHA1 6326c6cd5918adedd385b5cab9ab305b4afd7772
SHA256 0c5944c2cc3caaccc59835248c7b5ad80602d89c1cee5b8632ec0c6db661f9f1
SHA512 0e97dc7b769cca3c6d3c9ae6a863a86c3fc979fb97d774791746e38459320bc91e120fa34de8869c0dcb136fe604664982d0b91180f7f34207b79eaec165016b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 09543eedb3448fcc66853b5aeebffba1
SHA1 2d69a6647e6538e3a57ac08f874c90f1b5f2c40a
SHA256 bd275015a9ef38087a86b16192a1ba8d1315650ea6fd390875c7d4f52ed1b2e8
SHA512 d027ffed13da19cff6e43e1167762ccb8b8596c949d4f27d13f07ac8eeef1d7a32f733517d6f431709fa83b7546e02e01011789ff0044bcf8ceea1d652625d9d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a0ebdf39ac49060ffb4b8a268210be1d
SHA1 6034f1b14541cecf7a3a565677d0bf891cccc613
SHA256 456ee641aa420aa3cd13fb013ad6a7b24b3c976a9fefd2b84055922bb159a1ae
SHA512 9086fcb2a21056a5bd8bc01e3244614a7a62fb5278dccb420d72016e28781320d6b2feb395145d26377337a25d9813e5b2d85aa58e48a35d4aafbc2cd2f06fe1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5a0b04073f4f5bdd5c8d2c1c28d5eecf
SHA1 157ea5e34a63312431f9ee2b2c1c6fb20f3ec852
SHA256 bfda557e8b6d27bbbba1bad0e0129d10d6ff2ef4a5d8d60e1a45700fb29cf16c
SHA512 5f5a6464931eb3dd6a994d1258f87318a94660443e2fbb884e34ca5d8b15e728cad412555398ae5b58f884895253f2202ee041605a274c11429433db1b8bb14a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 55e82d25b3ac324a88c67bcda0a7dfa3
SHA1 1320fa58bc2da2b560e8419e69f5f8e9d02cbfba
SHA256 f7c2d0e988fcde12895f5793961eb42f7658767504bd145e6a98259eb3653d7d
SHA512 05992c5cd85016406f73873323c882367913bd0a588fd3c0955c45e10038dbdb73b6d009056916609656e1a4939d8b0e00c9c3b921012d6676318b098b9d4711

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4a66554ed0a98a83d50fab35a6839830
SHA1 8cfc83370575fe9793578b6e317463df65534c9d
SHA256 930530b3c5b03de2df6fcf60ee2169088ffafeabf74541c1b88bdc91fb41297f
SHA512 247bf4bf0d4fc17be6dc4de2b08372195ecdb7c4ee1a3f80a8a9dfd10de738a36680bc748ba3166327df76cefca3447da96e6e2a245d2e2ee53d4357e8e667f8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ed3228a7ed96208b1c356b1525d93be0
SHA1 ee74f5dfbaed1e0305aae7e3b05e1bc92a8dcba9
SHA256 4907b96fde551d6c2f9c6fba96c4b0fc3794740f5df7fd9712e5d0246c0b5c99
SHA512 0274c042384f542db14612c69a43ed39b40b0f4a3390b134dee3219ada04cd0d9e5860211f5ee919524f75c9b39661a84a21b38348843149459aa94df33012ba

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 28bab68f877634de26d08fd80ad6ae2a
SHA1 f4e7f8fa32a015952beadf57c20bcf97217a1b0f
SHA256 f1033a4b5b6860111a5f9f99db5a85fdec13ef27779d5aa3990e96ba7a4afebc
SHA512 8fe0500c4d60793fe8e2e061c8d5715daf07941e9a0161a968c1ef9fe6dd4ab0636c4a03369193af9216b738a11d30638feaf5bd267aefefce5641a9d8516b4a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2a504248d1b5fb9556c32c3d92227c89
SHA1 f430a6838c53ae3fcb9148acdde95a4c87fe5c5b
SHA256 b5411c937e1af1d6da299510141db3452058ab2162e4a14925ff6167d569f1ac
SHA512 578b1f9a454c780b96e08fadd62fe052b18d6e9fb4920f7c03e762ee0b2ac76d273daadd6986e009a063f2dc4c756d90c4475a4a414737cc753713c8a3c076d0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ea4764fa758c915b7eedc842d09e506b
SHA1 8a62580fd82b0ec973c6ad43435330bde239db41
SHA256 134d83af32366e102205af1239ff5d7b854a2fcc723121b2d06781bd2f74b668
SHA512 a82e0b0299597faaae303404434f0e66bc1cd630429817be1a55b1cc1b0e446149f51f50fb592e14cf675ee70c13a0c191bcc288fe72e2cb138ffb93ca266993

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9ba17be9fd0b22d73aba3cb512bd9d45
SHA1 a8f829c4e479d0396e8a296658df776e8a46b9fa
SHA256 bea767db53e4d0bdcb9a07e91d2655c9668fb23c80c275925a69155f37dd2809
SHA512 fc53f0c4dbb39d0855262e4e064fd589c2240148ca53931440b694c3d7907c02d4c3b4a796dcdd01a850bd1fdf80c631c5ad71040cc301764ac429d21c255a8b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 02e57e1d7e19b7cd45da7669654d25e2
SHA1 81557ee5018d522942141a2e7fbbc6b6b0336cee
SHA256 b0dab8e99419ad5c87cc7d6d434c5c350da206c3c16a79592c2ef86c4b2ad007
SHA512 1dc41d219e877a18d07d100bf159666978a94616894bb72f2579fd3e86ba2c35883504ca4a888d8a0ac2aa717c92284956440a2ffe16acef024482654ddf9b09

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 df4fdad3e19b2c34e5902ff419339537
SHA1 be90c876132ef8963ce14b6cec2a9998d591acaa
SHA256 73b9b2f39b37b0f48ceb990f3e70870ef4392a991132d88b979c8f17309e7b5d
SHA512 bce481ae0ac38456ece10742ea2d6f4bebf2bb8df196d12936efe8703ea9401d9fc9095574c91de3a2728c3a21639247757109f9eb15dd558e8513f52a0eab70

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f54ab4defc0dbd5cbb4695ce55ac2c9b
SHA1 eb968cf84d3a0daa62ef50fb9822981d2a526d53
SHA256 e74e76c7b8008bba2fc25e58ffe0be95ce25a6c823e6db28b0f9585c502cd7fc
SHA512 613d12a8b3e94c1c02d6b1b3753210c1e60cc281c296d2aec7f1e71e21885f1c6e5d00920804bd3e168b8ac970e6ef02543c5c4129bfa435bf185e954606b0f1

Analysis: behavioral4

Detonation Overview

Submitted

2023-12-26 16:27

Reported

2023-12-28 05:06

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

159s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\sainetco.ir.url

Signatures

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1032 wrote to memory of 4640 N/A C:\Windows\System32\rundll32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1032 wrote to memory of 4640 N/A C:\Windows\System32\rundll32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 3552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 3552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 4900 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 1404 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 3368 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 3368 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 3368 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 3368 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 3368 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 3368 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 3368 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 3368 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 3368 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 3368 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 3368 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 3368 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 3368 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 3368 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 3368 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 3368 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 3368 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4640 wrote to memory of 3368 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL C:\Users\Admin\AppData\Local\Temp\sainetco.ir.url

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.sainetco.ir/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbe7d546f8,0x7ffbe7d54708,0x7ffbe7d54718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,8141186699014929545,6312232356152559886,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,8141186699014929545,6312232356152559886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,8141186699014929545,6312232356152559886,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8141186699014929545,6312232356152559886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8141186699014929545,6312232356152559886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,8141186699014929545,6312232356152559886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,8141186699014929545,6312232356152559886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8141186699014929545,6312232356152559886,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8141186699014929545,6312232356152559886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8141186699014929545,6312232356152559886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8141186699014929545,6312232356152559886,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8141186699014929545,6312232356152559886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8141186699014929545,6312232356152559886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8141186699014929545,6312232356152559886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8141186699014929545,6312232356152559886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,8141186699014929545,6312232356152559886,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1288 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 19.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 www.sainetco.ir udp
US 8.8.8.8:53 23.242.123.52.in-addr.arpa udp
DE 46.4.96.88:80 www.sainetco.ir tcp
DE 46.4.96.88:80 www.sainetco.ir tcp
DE 46.4.96.88:80 www.sainetco.ir tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
DE 46.4.96.88:80 www.sainetco.ir tcp
DE 46.4.96.88:80 www.sainetco.ir tcp
DE 46.4.96.88:80 www.sainetco.ir tcp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
DE 46.4.96.88:80 www.sainetco.ir tcp
DE 46.4.96.88:80 www.sainetco.ir tcp
DE 46.4.96.88:80 www.sainetco.ir tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 www.sainetco.ir udp
DE 46.4.96.88:80 www.sainetco.ir tcp
DE 46.4.96.88:80 www.sainetco.ir tcp
DE 46.4.96.88:80 www.sainetco.ir tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 efc9c7501d0a6db520763baad1e05ce8
SHA1 60b5e190124b54ff7234bb2e36071d9c8db8545f
SHA256 7af7b56e2f0a84ae008785726f3404eb9001baa4b5531d0d618c6bdcb05a3a7a
SHA512 bda611ddba56513a30295ea5ca8bc59e552154f860d13fed97201cdb81814dd6d1bca7deca6f8f58c9ae585d91e450f4383a365f80560f4b8e59a4c8b53c327d

\??\pipe\LOCAL\crashpad_4640_MAQEGLZAXOZYXQLM

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c66512a147b69a6c02e9754bc6e3eccd
SHA1 66dd032547f4c2ff6a089f4c0e9dd4164a34e630
SHA256 2f542e382aa1a99f2210954bbe28a6d5a79e0422c73df786846a9246bd37a493
SHA512 adc60309cf640d71fa2a19e17a8cc698a7a2ee75e25ae39ab46209c13cc87d1002dc2bbe833fb29ab5c0ae664c23720f7feb946b1ae582595da7d19636357116

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 7c977ed2b7f8ebe945ff4531208707de
SHA1 858a46436e9f343525c21f116653d6527ba6c194
SHA256 3a66aa23a1376722a4e52338ffc7ca1599d13ce0e01e2c32894c2bcee73c2a88
SHA512 448bfba170a6521bd7edbe672eaf5d47bf583bb5b81d0213b2a6f94be20580a1c09ee5dbd3ab092754db15e2cef22ecf42d2ce1f03fd4102dcf9d6753f992705

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 dd3f72a7b86adf3698ccb461a132d5f0
SHA1 2c16f8da12e8be95cf91d0b7a957906c303ad2cd
SHA256 2a4e6efecc666e31b06b41a7b3a644714e0c3c04b66d37b4a06d25a19e8280ba
SHA512 f5e4638b7161508f0b11000ec5f3a7f2a2d5629938a0d908c62a4eed7593cd22aac197cc93b9a07a20d5b152ed2440803a02b99ac0b1110efeb1d82d9292c26c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 121510c1483c9de9fdb590c20526ec0a
SHA1 96443a812fe4d3c522cfdbc9c95155e11939f4e2
SHA256 cf5d26bc399d0200a32080741e12f77d784a3117e6d58e07106e913f257aa46c
SHA512 b367741da9ab4e9a621ad663762bd9c459676e0fb1412e60f7068834cbd5c83b050608e33d5320e1b191be1d809fef48831e0f42b3ecabd38b24ec222576fa81

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 826105815b5f4d9715f75b75d9b63a88
SHA1 8eed6846a09cbc4a2fa4e5b2c830b9b62674d21e
SHA256 acf31d56c8387948b179eb4d7f38d8045941802cf79eefb96201c5475abfb808
SHA512 fad3ef56d4ba426462c158f56aabbb32fd98b7b7d96a64a9e07d9b7cdb911562aaa6088f3c5b6184f4eca4727c5c822af61b792f16c8b65133cc10d211efb12e

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-26 16:27

Reported

2023-12-28 05:08

Platform

win7-20231215-en

Max time kernel

25s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c105953e7de0ab60366b26b C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 90984e5323a2a1441a2ad981401e8eda461968b904bdea336851a5c0676b69db486b48381b476d0bb14287a7707c27f1188a3c6bda3267a91b98cc7b8983e06f81d78c2c C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe

"C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe"

C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe

"C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe"

C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe

"C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe" -service -lunch

Network

Country Destination Domain Proto
US 8.8.8.8:53 rl.ammyy.com udp
NL 188.42.129.148:80 rl.ammyy.com tcp
DE 136.243.104.242:443 tcp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 714f2508d4227f74b6adacfef73815d8
SHA1 a35c8a796e4453c0c09d011284b806d25bdad04c
SHA256 a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480
SHA512 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-26 16:27

Reported

2023-12-28 05:08

Platform

win10v2004-20231215-en

Max time kernel

1s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe

"C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe"

C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe

"C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe

"C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 rl.ammyy.com udp
NL 188.42.129.148:80 rl.ammyy.com tcp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
DE 136.243.104.235:443 tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 235.104.243.136.in-addr.arpa udp
US 8.8.8.8:53 148.129.42.188.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 204.79.197.200:443 tcp
NL 52.142.223.178:80 tcp
GB 96.17.178.174:80 tcp
US 20.242.39.171:443 tcp
GB 96.16.110.41:443 tcp
GB 88.221.135.217:80 tcp
GB 96.16.110.114:80 tcp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 714f2508d4227f74b6adacfef73815d8
SHA1 a35c8a796e4453c0c09d011284b806d25bdad04c
SHA256 a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480
SHA512 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

C:\ProgramData\AMMYY\hr3

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\ProgramData\AMMYY\hr

MD5 21de687dec42b1fb541bddcb4bb766ed
SHA1 6d5609b483e263ce0181b621d6c89589727069c2
SHA256 57a2cf35bdec6b76d52ed9e62498789a7c824cfe8edfdb3cff960996e09c91d5
SHA512 7ce0ce78bcecbb8a793917d18ac52269ba56f015b05aaa4ed9643a74d5c7ab488b8671e75279f185ff5b7427a48087261e339257352bc93cda393f2429e72e16