Analysis Overview
SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
Threat Level: Known bad
The file rh111.exe was found to be: Known bad.
Malicious Activity Summary
AmmyyAdmin payload
Ammyyadmin family
FlawedAmmyy RAT
Loads dropped DLL
Writes to the Master Boot Record (MBR)
Drops file in System32 directory
System Location Discovery: System Language Discovery
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-05 16:28
Signatures
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Ammyyadmin family
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-05 16:28
Reported
2024-08-05 16:29
Platform
win11-20240802-en
Max time kernel
39s
Max time network
40s
Signatures
FlawedAmmyy RAT
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\rh111.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\rh111.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Users\Admin\AppData\Local\Temp\rh111.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | C:\Users\Admin\AppData\Local\Temp\rh111.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Users\Admin\AppData\Local\Temp\rh111.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | C:\Users\Admin\AppData\Local\Temp\rh111.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A82946818BB0433A7DC1AFD2189B16AF | C:\Users\Admin\AppData\Local\Temp\rh111.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | C:\Users\Admin\AppData\Local\Temp\rh111.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | C:\Users\Admin\AppData\Local\Temp\rh111.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Users\Admin\AppData\Local\Temp\rh111.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | C:\Users\Admin\AppData\Local\Temp\rh111.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | C:\Users\Admin\AppData\Local\Temp\rh111.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A82946818BB0433A7DC1AFD2189B16AF | C:\Users\Admin\AppData\Local\Temp\rh111.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Users\Admin\AppData\Local\Temp\rh111.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Users\Admin\AppData\Local\Temp\rh111.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\rh111.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\rh111.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\rh111.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\rh111.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\rh111.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\rh111.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 8e60660579eedc8eeb0d50b0bed2ec073c125c4f96e40ee1588cc2a3b89a773a7f17fd33ba3137db1ded0119bcae439c1ebaedb81b73cbc783a3dbef226164332581ad8f07b81fcd21e0d1 | C:\Users\Admin\AppData\Local\Temp\rh111.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\rh111.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\rh111.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\rh111.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\rh111.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\rh111.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\rh111.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Users\Admin\AppData\Local\Temp\rh111.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rh111.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rh111.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rh111.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rh111.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 468 wrote to memory of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\rh111.exe | C:\Users\Admin\AppData\Local\Temp\rh111.exe |
| PID 468 wrote to memory of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\rh111.exe | C:\Users\Admin\AppData\Local\Temp\rh111.exe |
| PID 468 wrote to memory of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\rh111.exe | C:\Users\Admin\AppData\Local\Temp\rh111.exe |
| PID 4664 wrote to memory of 8 | N/A | C:\Users\Admin\AppData\Local\Temp\rh111.exe | C:\Windows\SYSTEM32\rundll32.exe |
| PID 4664 wrote to memory of 8 | N/A | C:\Users\Admin\AppData\Local\Temp\rh111.exe | C:\Windows\SYSTEM32\rundll32.exe |
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\rh111.exe | "C:\Users\Admin\AppData\Local\Temp\rh111.exe" |
| C:\Users\Admin\AppData\Local\Temp\rh111.exe | "C:\Users\Admin\AppData\Local\Temp\rh111.exe" -service -lunch |
| C:\Users\Admin\AppData\Local\Temp\rh111.exe | "C:\Users\Admin\AppData\Local\Temp\rh111.exe" |
| C:\Windows\SYSTEM32\rundll32.exe | rundll32.exe "C:\ProgramData\AMMYY\aa_nts.dll",run |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.235:443 | | tcp |
| US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.ammyy.com | udp |
| DE | 136.243.18.118:80 | www.ammyy.com | tcp |
| DE | 136.243.18.118:443 | www.ammyy.com | tcp |
| US | 8.8.8.8:53 | 118.18.243.136.in-addr.arpa | udp |
| GB | 95.101.129.26:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | 26.129.101.95.in-addr.arpa | udp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 73f300a1043571094942afc17c77ccda |
| SHA1 | 3427fc48722a4988f507362d57bab34370601e73 |
| SHA256 | c3c97f5385931bf71ff6aa460b4a618acd60aa398922374fa94898951a66e6a7 |
| SHA512 | 7d0d440866e6b9a5d4deabe9b62be1cad9b4cc43380483a1875c5d57da201efe47ce437fff369ed6903325d702c8a3ec7feca9b18f4b1aea7ba1a51ecbab2a46 |
C:\ProgramData\AMMYY\aa_nts.dll
| MD5 | 480a66902e6e7cdafaa6711e8697ff8c |
| SHA1 | 6ac730962e7c1dba9e2ecc5733a506544f3c8d11 |
| SHA256 | 7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5 |
| SHA512 | 7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5 |
C:\ProgramData\AMMYY\aa_nts.msg
| MD5 | 76038623e270f399769df67a3ed15c16 |
| SHA1 | ebf7d7537f45738be48e6f64d59c846b13fb4334 |
| SHA256 | 4dbdf4f709d50f9521e92ce5f7d4f305e2384bcda387fb2b325ff17d205bb687 |
| SHA512 | a5316694d844e5b10c589f58fdf65645568b3909b2914f85c99195f9625e4124f787bc0980cff98f1e8289ff84824620a03f32cdab18e5bbcb2e59b33f397aec |
memory/8-19-0x0000000064200000-0x00000000642EE000-memory.dmp