Malware Analysis Report

2024-10-16 05:09

Sample ID 240805-ty322s1hjr
Target rh111.exe
SHA256 ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
Tags
ammyyadmin flawedammyy bootkit discovery persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

Threat Level: Known bad

The file rh111.exe was found to be: Known bad.

Malicious Activity Summary

ammyyadmin flawedammyy bootkit discovery persistence trojan

AmmyyAdmin payload

Ammyyadmin family

FlawedAmmyy RAT

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-05 16:28

Signatures

AmmyyAdmin payload

Description Indicator Process Target
N/A N/A N/A N/A

Ammyyadmin family

ammyyadmin

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-05 16:28

Reported

2024-08-05 16:29

Platform

win11-20240802-en

Max time kernel

39s

Max time network

40s

Command Line

"C:\Users\Admin\AppData\Local\Temp\rh111.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A82946818BB0433A7DC1AFD2189B16AF C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A82946818BB0433A7DC1AFD2189B16AF C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Ammyy C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 8e60660579eedc8eeb0d50b0bed2ec073c125c4f96e40ee1588cc2a3b89a773a7f17fd33ba3137db1ded0119bcae439c1ebaedb81b73cbc783a3dbef226164332581ad8f07b81fcd21e0d1 C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rh111.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\rh111.exe

"C:\Users\Admin\AppData\Local\Temp\rh111.exe"

C:\Users\Admin\AppData\Local\Temp\rh111.exe

"C:\Users\Admin\AppData\Local\Temp\rh111.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\rh111.exe

"C:\Users\Admin\AppData\Local\Temp\rh111.exe"

C:\Windows\SYSTEM32\rundll32.exe

rundll32.exe "C:\ProgramData\AMMYY\aa_nts.dll",run

Network

Country Destination Domain Proto
US 8.8.8.8:53 rl.ammyy.com udp
NL 188.42.129.148:80 rl.ammyy.com tcp
DE 136.243.104.235:443 tcp
US 8.8.8.8:53 235.104.243.136.in-addr.arpa udp
US 8.8.8.8:53 www.ammyy.com udp
DE 136.243.18.118:80 www.ammyy.com tcp
DE 136.243.18.118:443 www.ammyy.com tcp
US 8.8.8.8:53 118.18.243.136.in-addr.arpa udp
GB 95.101.129.26:80 r11.o.lencr.org tcp
US 8.8.8.8:53 26.129.101.95.in-addr.arpa udp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 73f300a1043571094942afc17c77ccda
SHA1 3427fc48722a4988f507362d57bab34370601e73
SHA256 c3c97f5385931bf71ff6aa460b4a618acd60aa398922374fa94898951a66e6a7
SHA512 7d0d440866e6b9a5d4deabe9b62be1cad9b4cc43380483a1875c5d57da201efe47ce437fff369ed6903325d702c8a3ec7feca9b18f4b1aea7ba1a51ecbab2a46

C:\ProgramData\AMMYY\aa_nts.dll

MD5 480a66902e6e7cdafaa6711e8697ff8c
SHA1 6ac730962e7c1dba9e2ecc5733a506544f3c8d11
SHA256 7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5
SHA512 7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

C:\ProgramData\AMMYY\aa_nts.msg

MD5 76038623e270f399769df67a3ed15c16
SHA1 ebf7d7537f45738be48e6f64d59c846b13fb4334
SHA256 4dbdf4f709d50f9521e92ce5f7d4f305e2384bcda387fb2b325ff17d205bb687
SHA512 a5316694d844e5b10c589f58fdf65645568b3909b2914f85c99195f9625e4124f787bc0980cff98f1e8289ff84824620a03f32cdab18e5bbcb2e59b33f397aec

memory/8-19-0x0000000064200000-0x00000000642EE000-memory.dmp