Analysis Overview
SHA256
0498fcaffbcc80f86c8a6cb1ef655b9713bd96e2d08af2468570d087caa53ff7
Threat Level: Known bad
The file SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe was found to be: Known bad.
Malicious Activity Summary
FlawedAmmyy RAT
AmmyyAdmin payload
Ammyyadmin family
Checks computer location settings
Writes to the Master Boot Record (MBR)
System Location Discovery: System Language Discovery
Unsigned PE
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-16 18:58
Signatures
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Ammyyadmin family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-16 18:58
Reported
2024-10-16 19:00
Platform
win7-20240729-en
Max time kernel
150s
Max time network
121s
Command Line
Signatures
FlawedAmmyy RAT
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 14195028560b88921c5a73b7fdb1b746a71aa22580b56457d4a4021c3c0cc3ea72c5930f1569906678d3eafea8b40d22865da228418efd31c71772fedeeecb5a892a701c4087bf13075fcf97 | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1908 wrote to memory of 2952 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe |
| PID 1908 wrote to memory of 2952 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe |
| PID 1908 wrote to memory of 2952 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe |
| PID 1908 wrote to memory of 2952 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe"
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | rl.a4on.tv | udp |
| RU | 95.213.191.237:80 | rl.a4on.tv | tcp |
| RU | 95.213.191.237:88 | rl.a4on.tv | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\settings3.bin
| Hash | Value |
| --- | --- |
| MD5 | fa108fd2579e967db8eded26a0426ba5 |
| SHA1 | 1716f9668de7374188dacdd88a1381e056fc4ff2 |
| SHA256 | 7e3046ca68b8b9491a5c359b4f05e201feb41f7a1a215ec06213fde09547a150 |
| SHA512 | d30664abca10fb84301358d3422f3cd6ab9549394032d8809902f72114cb42575713b75c2e23128203a5260d47a3027ca15d6ea5d17467696d9b52f60d736ba3 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-16 18:58
Reported
2024-10-16 19:00
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
146s
Command Line
Signatures
FlawedAmmyy RAT
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 81c06a5a5ae039e9b697abf3c2eec799d73ed17065fcc8d28ec8fdb9c7abdc0ad1854ea60bee69c6c976c6a9527eb73f782061ee4f4f5fee9cfc9f8cc1d5574f766631824ba0298365963ba3 | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1888 wrote to memory of 4376 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe |
| PID 1888 wrote to memory of 4376 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe |
| PID 1888 wrote to memory of 4376 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe"
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.RemoteAdmin.904.16436.20637.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rl.a4on.tv | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| RU | 95.213.191.237:80 | rl.a4on.tv | tcp |
| RU | 95.213.191.237:88 | rl.a4on.tv | tcp |
| US | 8.8.8.8:53 | 237.191.213.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\settings3.bin
| Hash | Value |
| --- | --- |
| MD5 | f9a05c208da9a8962cd529669006a57f |
| SHA1 | 36f4dd24036f29a1e53b731632b2ff229e8df59c |
| SHA256 | 72ab96fe49415438e1eebc523c2f99b912681768eb18a992efe8dfcc99e7d6fe |
| SHA512 | 9b8c34a05c8ec03b82fc432656ec44d5b472135d4f4dabdf151b0e860d3ddfb62fb7b3d30ebf841ce1349af201f7ba34edcf6574805da8433b9d7a9346214fd7 |