Malware Analysis Report

2024-10-24 20:53

Sample ID 241016-xmgw8aweqa
Target SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe
SHA256 0498fcaffbcc80f86c8a6cb1ef655b9713bd96e2d08af2468570d087caa53ff7
Tags
flawedammyy bootkit discovery persistence trojan ammyyadmin
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0498fcaffbcc80f86c8a6cb1ef655b9713bd96e2d08af2468570d087caa53ff7

Threat Level: Known bad

The file SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe was found to be: Known bad.

Malicious Activity Summary

flawedammyy bootkit discovery persistence trojan ammyyadmin

FlawedAmmyy RAT

AmmyyAdmin payload

Ammyyadmin family

Checks computer location settings

Writes to the Master Boot Record (MBR)

System Location Discovery: System Language Discovery

Unsigned PE

Modifies data under HKEY_USERS

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 18:58

Signatures

AmmyyAdmin payload

Description Indicator Process Target
N/A N/A N/A N/A

Ammyyadmin family

ammyyadmin

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 18:58

Reported

2024-10-16 19:00

Platform

win7-20240729-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 14195028560b88921c5a73b7fdb1b746a71aa22580b56457d4a4021c3c0cc3ea72c5930f1569906678d3eafea8b40d22865da228418efd31c71772fedeeecb5a892a701c4087bf13075fcf97 C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 rl.a4on.tv udp
RU 95.213.191.237:80 rl.a4on.tv tcp
RU 95.213.191.237:88 rl.a4on.tv tcp

Files

C:\Users\Admin\AppData\Local\Temp\settings3.bin

MD5 fa108fd2579e967db8eded26a0426ba5
SHA1 1716f9668de7374188dacdd88a1381e056fc4ff2
SHA256 7e3046ca68b8b9491a5c359b4f05e201feb41f7a1a215ec06213fde09547a150
SHA512 d30664abca10fb84301358d3422f3cd6ab9549394032d8809902f72114cb42575713b75c2e23128203a5260d47a3027ca15d6ea5d17467696d9b52f60d736ba3

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 18:58

Reported

2024-10-16 19:00

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Ammyy C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 81c06a5a5ae039e9b697abf3c2eec799d73ed17065fcc8d28ec8fdb9c7abdc0ad1854ea60bee69c6c976c6a9527eb73f782061ee4f4f5fee9cfc9f8cc1d5574f766631824ba0298365963ba3 C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 rl.a4on.tv udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
RU 95.213.191.237:80 rl.a4on.tv tcp
RU 95.213.191.237:88 rl.a4on.tv tcp
US 8.8.8.8:53 237.191.213.95.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\settings3.bin

MD5 f9a05c208da9a8962cd529669006a57f
SHA1 36f4dd24036f29a1e53b731632b2ff229e8df59c
SHA256 72ab96fe49415438e1eebc523c2f99b912681768eb18a992efe8dfcc99e7d6fe
SHA512 9b8c34a05c8ec03b82fc432656ec44d5b472135d4f4dabdf151b0e860d3ddfb62fb7b3d30ebf841ce1349af201f7ba34edcf6574805da8433b9d7a9346214fd7