ammyyadmin | 56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0

General

Target

56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
Size

755KB
MD5

206a9c8f94cc386e8828a667e1b57950
SHA1

3c9731cd31ec8b75962502aaa042bb1f8e51ed2e
SHA256

56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0
SHA512

5172219a65f6e8dbbadf9c833e3aebe498c6b2ed3b90f419b051f6ad47f0ab40a4b67681759caa531669cb774f34cfee993a660e65576233f1db01f3b11b4766
SSDEEP

12288:XVFUEuNmwvGrw9i0aTGRGicBckyyFRtWY1i3FTsvOVV0gz:3UEUUw9RaTNicBrPFRtJ1iVTsC5z

Score

10^/10

ammyyadmin flawedammyy discovery rat trojan

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4520-0-0x0000000000400000-0x00000000004D3000-memory.dmp	family_ammyyadmin
behavioral2/memory/4816-5-0x0000000000400000-0x00000000004D3000-memory.dmp	family_ammyyadmin
behavioral2/memory/4520-6-0x0000000000400000-0x00000000004D3000-memory.dmp	family_ammyyadmin
behavioral2/memory/4224-11-0x0000000000400000-0x00000000004D3000-memory.dmp	family_ammyyadmin

Ammyyadmin family
ammyyadmin
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Flawedammyy family
flawedammyy

Drops file in System32 directory 4 IoCs

Processes:

56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe

Modifies data under HKEY_USERS 9 IoCs

Processes:

56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 9a70a0f3d48e2e524f2986fc048987b68dc2e7b630aaa79449b04fd707c4b4a3baec3a19b11cb00a14bee202b13b4df44df4bd4e8c6587b54418e85e7465812e1e33ccba7f98249055c769	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c175253f0b38c440b72b36b	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe

pid process

4224 56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe

pid process

4224 56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe

pid	process
4224	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe

pid	process
4224	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe

description	pid	process	target process
PID 4816 wrote to memory of 4224	4816	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
PID 4816 wrote to memory of 4224	4816	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
PID 4816 wrote to memory of 4224	4816	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe

C:\Users\Admin\AppData\Local\Temp\56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
"C:\Users\Admin\AppData\Local\Temp\56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4520

C:\Users\Admin\AppData\Local\Temp\56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
"C:\Users\Admin\AppData\Local\Temp\56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Users\Admin\AppData\Local\Temp\56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
  "C:\Users\Admin\AppData\Local\Temp\56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe"
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
e046982e83dd140e1f7669cfb59ed2fe

SHA1
7935fc3baafb78b39895b32feb70ba0cf78ce774

SHA256
1cb432fed4972dd838cea08143490afe5fae16bc734ce1d89cca214b2351afec

SHA512
81ae73a5b16f3dc2e52102f99c96a4b0e499fa395f41acb295633c7925a62e38fa586b90017dc936186244efefa4e5667f7996572ea002bb0ebd6dab9bd0c94e

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
75B

MD5
962fccbdcd77662d0aa4b8209704ccf4

SHA1
abc4ee26cf29b29c9f66c7ab28db731ba24a7ab0

SHA256
4ba18f60ac8dbc21f56d981f50bb0c7bca38185352443a0980eb6c042f716220

SHA512
32ef4dfc979d07dce9fec381f2fd06a5699d7388686d2657d26ea9744dbf997eb5fbceab028cb13b8e2c5a82f7f951033f36970ca2b3d05cd2d4b06aeb21cc57

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
271B

MD5
714f2508d4227f74b6adacfef73815d8

SHA1
a35c8a796e4453c0c09d011284b806d25bdad04c

SHA256
a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

SHA512
1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

Download Submit
memory/4224-11-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/4520-0-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/4520-6-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/4816-5-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads