Malware Analysis Report

2024-10-16 05:08

Sample ID 240913-r38rzsthjl
Target AA_v3.exe
SHA256 ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
Tags
flawedammyy bootkit discovery persistence trojan ammyyadmin
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

Threat Level: Known bad

The file AA_v3.exe was found to be: Known bad.

Malicious Activity Summary

flawedammyy bootkit discovery persistence trojan ammyyadmin

AmmyyAdmin payload

Ammyyadmin family

FlawedAmmyy RAT

Loads dropped DLL

Checks computer location settings

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-13 14:44

Signatures

AmmyyAdmin payload

Description Indicator Process Target
N/A N/A N/A N/A

Ammyyadmin family

ammyyadmin

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-13 14:44

Reported

2024-09-13 14:44

Platform

win7-20240903-en

Max time kernel

13s

Max time network

9s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A82946818BB0433A7DC1AFD2189B16AF C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A82946818BB0433A7DC1AFD2189B16AF C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DAC19DB6-26F7-4B6F-AFA3-F62EBEE73BC8}\ca-f9-26-7f-9d-2f C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 07048d4c5aa6c743033abd473880ab32c1347572250285fa86bc646eeeb589946a0a53550aed4456baebf248dedf1bf370a73e69da7d46449ef9670c8db9e1dade90c2bea5f57a17efc285 C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0169000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DAC19DB6-26F7-4B6F-AFA3-F62EBEE73BC8} C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DAC19DB6-26F7-4B6F-AFA3-F62EBEE73BC8}\WpadDecisionReason = "1" C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-f9-26-7f-9d-2f\WpadDecision = "0" C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-f9-26-7f-9d-2f\WpadDecisionReason = "1" C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DAC19DB6-26F7-4B6F-AFA3-F62EBEE73BC8}\WpadDecisionTime = 603cc773eb05db01 C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DAC19DB6-26F7-4B6F-AFA3-F62EBEE73BC8}\WpadDecision = "0" C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-f9-26-7f-9d-2f\WpadDecisionTime = 603cc773eb05db01 C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DAC19DB6-26F7-4B6F-AFA3-F62EBEE73BC8}\WpadNetworkName = "Network 3" C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-f9-26-7f-9d-2f C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AA_v3.exe

"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"

C:\Users\Admin\AppData\Local\Temp\AA_v3.exe

"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\AA_v3.exe

"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\ProgramData\AMMYY\aa_nts.dll",run

Network

Country Destination Domain Proto
US 8.8.8.8:53 rl.ammyy.com udp
NL 188.42.129.148:80 rl.ammyy.com tcp
DE 136.243.104.235:443 tcp
US 8.8.8.8:53 www.ammyy.com udp
DE 136.243.18.118:80 www.ammyy.com tcp
DE 136.243.18.118:443 www.ammyy.com tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 173.222.211.9:80 r11.o.lencr.org tcp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 307b8fa94d4e05bcefb9eaf530052d86
SHA1 1b35b3598b1f8ed7148893d2eb6a3ba416b113dc
SHA256 685190b35d6bf2b364732ed77191b0ac0a8d440ee7d9afdda20c48d6423cacb1
SHA512 d19c516d745634b72132264d4924473292b0ea75c67dd77d0079e1eb7a41ff2bf567c5c69787cc5b3d55e2059319748edf56393b989105aba24dbaa9c2ecb81d

C:\ProgramData\AMMYY\aa_nts.dll

MD5 480a66902e6e7cdafaa6711e8697ff8c
SHA1 6ac730962e7c1dba9e2ecc5733a506544f3c8d11
SHA256 7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5
SHA512 7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

C:\ProgramData\AMMYY\aa_nts.msg

MD5 76038623e270f399769df67a3ed15c16
SHA1 ebf7d7537f45738be48e6f64d59c846b13fb4334
SHA256 4dbdf4f709d50f9521e92ce5f7d4f305e2384bcda387fb2b325ff17d205bb687
SHA512 a5316694d844e5b10c589f58fdf65645568b3909b2914f85c99195f9625e4124f787bc0980cff98f1e8289ff84824620a03f32cdab18e5bbcb2e59b33f397aec

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-13 14:44

Reported

2024-09-13 14:47

Platform

win10v2004-20240802-en

Max time kernel

94s

Max time network

98s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3428 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\AA_v3.exe C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
PID 3428 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\AA_v3.exe C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
PID 3428 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\AA_v3.exe C:\Users\Admin\AppData\Local\Temp\AA_v3.exe

Processes

C:\Users\Admin\AppData\Local\Temp\AA_v3.exe

"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"

C:\Users\Admin\AppData\Local\Temp\AA_v3.exe

"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\AA_v3.exe

"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 20.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 466a14a6611a0b9563804e51ff64ed2a
SHA1 eb70ba77053cfe295c43831a57dd4cc8f6bbea61
SHA256 a0fb74d438d661be8d1ab0d53d2184fad196e46602754c6791137e78e7757d69
SHA512 c53d3aded350a4f39f4d12bb549e31f679c46e102d2e12dbcda0c99a8c4b3e423ee33a00106318a5837861d553f5779a564e64c3105ff6c131c2cfb05cf65f0d