Analysis Overview
SHA256
fc88110016788b8ee65c2c29c6e9fe77132719c0c4d5e0a9a4e2f97bc5f2c0f2
Threat Level: Known bad
The file f4d11e1d59d067e850a910d0100fa0f0N.exe was found to be: Known bad.
Malicious Activity Summary
AmmyyAdmin payload
Ammyyadmin family
FlawedAmmyy RAT
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-04 17:05
Signatures
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Ammyyadmin family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-04 17:05
Reported
2024-08-04 17:07
Platform
win7-20240729-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
FlawedAmmyy RAT
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 756 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe | C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe |
| PID 756 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe | C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe |
| PID 756 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe | C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe |
| PID 756 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe | C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe |
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe | "C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe" |
| C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe | "C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe" -service -lunch |
| C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe | "C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe" |
Network
Files
C:\ProgramData\AMMYY\settings3.bin
| Hash | Value |
| --- | --- |
| MD5 | 1aac7af5fbaf2605446a73cdd2b760f3 |
| SHA1 | e6951d61057eaeafb6a45ee4d0f12671da429669 |
| SHA256 | ffa108caefd070fd6a4afc9a30eeb754a671df5a2e7b0285fc511a2ce824ba1e |
| SHA512 | f83414633a3032dc6929f0c5dee1cd7c2f5a9c32f5669eaed8788cc7cee5ab25aeb18d366d21f09544beaedcb8ab26690dc6dd2904a42ec15608c79401c77e19 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-04 17:05
Reported
2024-08-04 17:07
Platform
win10v2004-20240802-en
Max time kernel
94s
Max time network
95s
Command Line
Signatures
FlawedAmmyy RAT
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2052 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe | C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe |
| PID 2052 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe | C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe |
| PID 2052 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe | C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe |
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe | "C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe" |
| C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe | "C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe" -service -lunch |
| C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe | "C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe" |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 39.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\ProgramData\AMMYY\settings3.bin
| Hash | Value |
| --- | --- |
| MD5 | 1aac7af5fbaf2605446a73cdd2b760f3 |
| SHA1 | e6951d61057eaeafb6a45ee4d0f12671da429669 |
| SHA256 | ffa108caefd070fd6a4afc9a30eeb754a671df5a2e7b0285fc511a2ce824ba1e |
| SHA512 | f83414633a3032dc6929f0c5dee1cd7c2f5a9c32f5669eaed8788cc7cee5ab25aeb18d366d21f09544beaedcb8ab26690dc6dd2904a42ec15608c79401c77e19 |