ammyyadmin | 34ee9da62967a53c3bf97f9301aa9353a3b42e5bd40c3122b929e50e08d146c5

General

Target

fcc84b2913606db9ed575affe65591ae.exe
Size

322KB
MD5

fcc84b2913606db9ed575affe65591ae
SHA1

a6b6c3e28d245df70c307c354eab877e5fb8efd2
SHA256

34ee9da62967a53c3bf97f9301aa9353a3b42e5bd40c3122b929e50e08d146c5
SHA512

5e6f9b0040acea1dce8463bd30eb7905de215fd378d112a4d50dd80303539c38e1f516b7512297c215ae77050445785f994a96b7c8ea94a075ea340229b7e0c7
SSDEEP

6144:MtU6T/wE1MFGonDrJU2kY1b94hsmjVTPdgBGE7YpqTFIVo+AxU36WDbl3:aU+/wEKAonDrFyhtTR+YQTL+Axg

Score

10^/10

ammyyadmin flawedammyy rat trojan upx

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 4 IoCs

resource	yara_rule
behavioral1/memory/2988-4-0x0000000000400000-0x00000000004BE000-memory.dmp	family_ammyyadmin
behavioral1/memory/2988-9-0x0000000000400000-0x00000000004BE000-memory.dmp	family_ammyyadmin
behavioral1/memory/2040-8-0x0000000000400000-0x00000000004BE000-memory.dmp	family_ammyyadmin
behavioral1/memory/1068-15-0x0000000000400000-0x00000000004BE000-memory.dmp	family_ammyyadmin

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Control Panel\International\Geo\Nation	fcc84b2913606db9ed575affe65591ae.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2988-0-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral1/memory/2988-4-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral1/memory/2988-9-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral1/memory/2040-8-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral1/memory/1068-6-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral1/memory/2040-5-0x0000000000400000-0x00000000004BE000-memory.dmp	upx
behavioral1/memory/1068-15-0x0000000000400000-0x00000000004BE000-memory.dmp	upx

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	fcc84b2913606db9ed575affe65591ae.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c105953e7cb80811361b26b	fcc84b2913606db9ed575affe65591ae.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 902565f38cc887739c71fe0165d7670e35cb5817610574df099ff4d56f33f44f6103597d9c1e7051648ef959f31957fc82072ef201bf8a57a03c78bf605ceee0be791d7d	fcc84b2913606db9ed575affe65591ae.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	fcc84b2913606db9ed575affe65591ae.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	fcc84b2913606db9ed575affe65591ae.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	fcc84b2913606db9ed575affe65591ae.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1068	fcc84b2913606db9ed575affe65591ae.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1068	fcc84b2913606db9ed575affe65591ae.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1068	2040	fcc84b2913606db9ed575affe65591ae.exe	28
PID 2040 wrote to memory of 1068	2040	fcc84b2913606db9ed575affe65591ae.exe	28
PID 2040 wrote to memory of 1068	2040	fcc84b2913606db9ed575affe65591ae.exe	28
PID 2040 wrote to memory of 1068	2040	fcc84b2913606db9ed575affe65591ae.exe	28

C:\Users\Admin\AppData\Local\Temp\fcc84b2913606db9ed575affe65591ae.exe
"C:\Users\Admin\AppData\Local\Temp\fcc84b2913606db9ed575affe65591ae.exe"
1⤵
PID:2988

C:\Users\Admin\AppData\Local\Temp\fcc84b2913606db9ed575affe65591ae.exe
"C:\Users\Admin\AppData\Local\Temp\fcc84b2913606db9ed575affe65591ae.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\fcc84b2913606db9ed575affe65591ae.exe
  "C:\Users\Admin\AppData\Local\Temp\fcc84b2913606db9ed575affe65591ae.exe"
  2⤵
  - Checks computer location settings
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
1c96a8fc7e0fcb60d5bd5dd426fbb51d

SHA1
94b6ef2dc0e1d56801ab061232cf20f4dd7af33a

SHA256
1b45ce3da9a920935c991e7a78054c43193a4a589840f8c011c0ce012e8eb9dc

SHA512
783844df8ad71eb0b7d81e911ca7d7f7d08ef7c6d1e738211edf8c817b242ec8e39b20b0aa91e64543eb00262b1af5b5c8e81edb9b854f7d1df5609319f7bc3a

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
7f6f3c24e2d8b01e8edb0d88b2d9f757

SHA1
13da47891ae10550bb871fe6216c0235dc14b379

SHA256
b9f5b0501baeb82fae4aab8d9ff6a404196540902ed28fd80b605108738be7f7

SHA512
f88ff355766ad8a5eddaa60a8419ecf333d6b608c0ccfb1dbf5b6e937ca0c2b3daf38744cc18292885a2766a6f924ec726f033a8587929d6833374b84e1dc877

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
269B

MD5
097a18ed7b31114c7ef39ef06eff02f0

SHA1
276bb5fc8ab72ed3a447dd57be668ace8f75a7c1

SHA256
985b458559939244b777d09d71d6192a13f693b88b046ca904012603a5582812

SHA512
168ef05ddb434dd4003748c7cd6ea9ed5c8280506de4473c3b193fffc314b469e85e2474f919f189c9b7ffb16aa741d75900341a9802dae175ad185e1fea3e96

Download Submit
memory/1068-6-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1068-15-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2040-8-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2040-5-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2988-0-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2988-4-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2988-9-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download

Analysis

Sharing