Analysis Overview
SHA256
6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20
Threat Level: Known bad
The file 6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20 was found to be: Known bad.
Malicious Activity Summary
FlawedAmmyy RAT
Flawedammyy family
AmmyyAdmin payload
Ammyyadmin family
Checks computer location settings
Drops file in System32 directory
System Location Discovery: System Language Discovery
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-27 11:26
Signatures
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Ammyyadmin family
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-27 11:26
Reported
2024-11-27 11:29
Platform
win7-20240903-en
Max time kernel
150s
Max time network
141s
Command Line
Signatures
FlawedAmmyy RAT
Flawedammyy family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d567366087c6658524c1752536724ed09f71fb36b | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 340b4de3b348c3034c90cc06956b44fdb7119895a75d7f134a82f569c155d8016d8f9873c23fb78f130f2c274471ec007c0667e871b9f8d70ad16859577fa729682d82f528816788080eee | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe
"C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe"
C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe
"C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe
"C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.235:443 | tcp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 714f2508d4227f74b6adacfef73815d8 |
| SHA1 | a35c8a796e4453c0c09d011284b806d25bdad04c |
| SHA256 | a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480 |
| SHA512 | 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8 |
C:\ProgramData\AMMYY\hr
| MD5 | 192a3c7bba65d245e8fea0cfb81bcaad |
| SHA1 | 1693465ee4965b376dc43234ff269a740ddd16a9 |
| SHA256 | f1284392c076d7190fc67b0bca65d563a2f307f0c7ee7b233091765d86f6068e |
| SHA512 | 22a2f2d1bcd950e43a46d993215792d0c422e42ddbd7d43ca13ed5b9499442a06a7a015be401e9105ad411591e9f81fc5ecf0c8647d5730bf06ed2c0d728e4e2 |
C:\ProgramData\AMMYY\hr3
| MD5 | 74b9c8554fd0926b7c4db1440aec74f1 |
| SHA1 | 6ca3dc9293d2fb5e9258ed1daba5516cd9f59433 |
| SHA256 | 09a6a0e00772a7b08faaf7f60c86b4efcf7513c02da7aa1bf4f86a45d34685e9 |
| SHA512 | 3c5231b7ce46f235e8ae1ac3751e264a0defd0b58d3aad78d0ccf4f448bdb51f0f76d11ef2c3cf66980492de190b0d00669a92cebc228e847d521a8ba1385553 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-27 11:26
Reported
2024-11-27 11:29
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
FlawedAmmyy RAT
Flawedammyy family
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c1752530be1b109f71fb36b | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = de870587090b88921cc6d109315a218f2632657ace360027a179d18824ed1df67250b97ce75d654abb4b46ca55d945c0931debff7e30955132993778c9fe61974c45f62dbeb7b6040175a8 | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1100 wrote to memory of 4768 | N/A | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe |
| PID 1100 wrote to memory of 4768 | N/A | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe |
| PID 1100 wrote to memory of 4768 | N/A | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe
"C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe"
C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe
"C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe
"C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.235:443 | tcp | |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 714f2508d4227f74b6adacfef73815d8 |
| SHA1 | a35c8a796e4453c0c09d011284b806d25bdad04c |
| SHA256 | a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480 |
| SHA512 | 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8 |
C:\ProgramData\AMMYY\hr
| MD5 | bca0c13ea65f53ab73787f5de968e77a |
| SHA1 | 76fecb28688bae3812b9237ed1138ad8e2cd79bf |
| SHA256 | fd5b901fd3523ffc83337e5833a2eb5773f2f49334421163228b95c8c9a8681b |
| SHA512 | ffee71e85a014596f10d3fed3e90f82be91ec3da7497d903153cab5d3b58ea08dbb49a60a3d2ad0729c0df2ed22f34631ef3725080f205f1a5a18801bbf500a4 |
C:\ProgramData\AMMYY\hr3
| MD5 | bef713c86fa26b471927b07ca52ae079 |
| SHA1 | 78ab1671e2c7d6b152269503d085afdae16a8d64 |
| SHA256 | ee839d5f6201a750a87bdf212e567d58e7d1022a32f8caaec8c2be7afe8abd4b |
| SHA512 | b483858ddb7f13387800b13c850fc0c92bb9a851b18df13a38ef365a78ffea9d249a08619ca60706a38eb213f7a5daf6cbd253fadaa4b9d612bfec9850b51daa |