Malware Analysis Report

2025-01-23 12:18

Sample ID 241127-nj5dns1pgt
Target 6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20
SHA256 6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20
Tags
ammyyadmin flawedammyy discovery trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20

Threat Level: Known bad

The file 6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20 was found to be: Known bad.

Malicious Activity Summary

ammyyadmin flawedammyy discovery trojan

FlawedAmmyy RAT

Flawedammyy family

AmmyyAdmin payload

Ammyyadmin family

Checks computer location settings

Drops file in System32 directory

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-27 11:26

Signatures

AmmyyAdmin payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Ammyyadmin family

ammyyadmin

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-27 11:26

Reported

2024-11-27 11:29

Platform

win7-20240903-en

Max time kernel

150s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Flawedammyy family

flawedammyy

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d567366087c6658524c1752536724ed09f71fb36b | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 340b4de3b348c3034c90cc06956b44fdb7119895a75d7f134a82f569c155d8016d8f9873c23fb78f130f2c274471ec007c0667e871b9f8d70ad16859577fa729682d82f528816788080eee | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe

"C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe"

C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe

"C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe

"C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | rl.ammyy.com | udp
NL | 188.42.129.148:80 | rl.ammyy.com | tcp
DE | 136.243.104.235:443 | | tcp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 714f2508d4227f74b6adacfef73815d8
SHA1 a35c8a796e4453c0c09d011284b806d25bdad04c
SHA256 a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480
SHA512 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

C:\ProgramData\AMMYY\hr

MD5 192a3c7bba65d245e8fea0cfb81bcaad
SHA1 1693465ee4965b376dc43234ff269a740ddd16a9
SHA256 f1284392c076d7190fc67b0bca65d563a2f307f0c7ee7b233091765d86f6068e
SHA512 22a2f2d1bcd950e43a46d993215792d0c422e42ddbd7d43ca13ed5b9499442a06a7a015be401e9105ad411591e9f81fc5ecf0c8647d5730bf06ed2c0d728e4e2

C:\ProgramData\AMMYY\hr3

MD5 74b9c8554fd0926b7c4db1440aec74f1
SHA1 6ca3dc9293d2fb5e9258ed1daba5516cd9f59433
SHA256 09a6a0e00772a7b08faaf7f60c86b4efcf7513c02da7aa1bf4f86a45d34685e9
SHA512 3c5231b7ce46f235e8ae1ac3751e264a0defd0b58d3aad78d0ccf4f448bdb51f0f76d11ef2c3cf66980492de190b0d00669a92cebc228e847d521a8ba1385553

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-27 11:26

Reported

2024-11-27 11:29

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Flawedammyy family

flawedammyy

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c1752530be1b109f71fb36b | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = de870587090b88921cc6d109315a218f2632657ace360027a179d18824ed1df67250b97ce75d654abb4b46ca55d945c0931debff7e30955132993778c9fe61974c45f62dbeb7b6040175a8 | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe

"C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe"

C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe

"C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe

"C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | rl.ammyy.com | udp
NL | 188.42.129.148:80 | rl.ammyy.com | tcp
DE | 136.243.104.235:443 | | tcp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp
US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 714f2508d4227f74b6adacfef73815d8
SHA1 a35c8a796e4453c0c09d011284b806d25bdad04c
SHA256 a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480
SHA512 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

C:\ProgramData\AMMYY\hr

MD5 bca0c13ea65f53ab73787f5de968e77a
SHA1 76fecb28688bae3812b9237ed1138ad8e2cd79bf
SHA256 fd5b901fd3523ffc83337e5833a2eb5773f2f49334421163228b95c8c9a8681b
SHA512 ffee71e85a014596f10d3fed3e90f82be91ec3da7497d903153cab5d3b58ea08dbb49a60a3d2ad0729c0df2ed22f34631ef3725080f205f1a5a18801bbf500a4

C:\ProgramData\AMMYY\hr3

MD5 bef713c86fa26b471927b07ca52ae079
SHA1 78ab1671e2c7d6b152269503d085afdae16a8d64
SHA256 ee839d5f6201a750a87bdf212e567d58e7d1022a32f8caaec8c2be7afe8abd4b
SHA512 b483858ddb7f13387800b13c850fc0c92bb9a851b18df13a38ef365a78ffea9d249a08619ca60706a38eb213f7a5daf6cbd253fadaa4b9d612bfec9850b51daa