Analysis Overview
SHA256
1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed
Threat Level: Known bad
The file file.exe was found to be: Known bad.
Malicious Activity Summary
FlawedAmmyy RAT
Flawedammyy family
Ammyyadmin family
AmmyyAdmin payload
Checks computer location settings
Drops file in System32 directory
System Location Discovery: System Language Discovery
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-04 16:23
Signatures
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Ammyyadmin family
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-04 16:23
Reported
2024-12-04 16:25
Platform
win7-20240903-en
Max time kernel
150s
Max time network
141s
Command Line
Signatures
FlawedAmmyy RAT
Flawedammyy family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d567366087c6658524c175253d7fb6bfc2019b36b | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 1cd8d6dc2480b43e597f346efbb189da7741ca5d271affd9ea9c013a581f09ce0344e59d6f06abaa4de5f11f6a0ab52bfaab79336886f0753999e498febf6f780bd90f57cd271b4ababb35 | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2804 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Users\Admin\AppData\Local\Temp\file.exe |
| PID 2804 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Users\Admin\AppData\Local\Temp\file.exe |
| PID 2804 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Users\Admin\AppData\Local\Temp\file.exe |
| PID 2804 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Users\Admin\AppData\Local\Temp\file.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.235:443 | | tcp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 714f2508d4227f74b6adacfef73815d8 |
| SHA1 | a35c8a796e4453c0c09d011284b806d25bdad04c |
| SHA256 | a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480 |
| SHA512 | 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8 |
C:\ProgramData\AMMYY\hr
| MD5 | 38a0a7a62b19d13314fe91d420c3a553 |
| SHA1 | 44298839c4ba1c4032827e97572645df8b8d7c41 |
| SHA256 | 64cfc585c01dfe19f0278255080925fecae251745f0f9efbf67ccac25cbb4c3c |
| SHA512 | 83b253b7945c8f4924f1b84ae0948340dd0741e204d02325ae61d5124cd2295c643afde8979edbf56624e76bdf2e34b5ea77166439e1a62858d28d3dd43c1a93 |
C:\ProgramData\AMMYY\hr3
| MD5 | aeb8ff6008953703ca4b7f18a06f0be7 |
| SHA1 | 500b06af2dc5e61762b05116ddba317e89fe2116 |
| SHA256 | bbc7de84655bf233f72b08c57e8319710a89040a485391c1c200cae50a683a01 |
| SHA512 | 17156543eeaec39c41138e3cd55a0505ee38cf27a7a21520ea0798d34044acf9e919a8ce4d2d36d153097232e0cd9930c581a7564577f5ee403e30d495aaa742 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-04 16:23
Reported
2024-12-04 16:25
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
144s
Command Line
Signatures
FlawedAmmyy RAT
Flawedammyy family
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c175253d7c434fc2019b36b | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 1cd570030593315c8ef5996aa681cf290f0b99759b2861b679e005706997d414313da91bfc1218e0ec4670772388e738bf4b4617ec5113d9a459476a9e72de9ec48d9c0135772c79da23a9 | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1240 wrote to memory of 3976 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Users\Admin\AppData\Local\Temp\file.exe |
| PID 1240 wrote to memory of 3976 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Users\Admin\AppData\Local\Temp\file.exe |
| PID 1240 wrote to memory of 3976 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Users\Admin\AppData\Local\Temp\file.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.235:443 | | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 714f2508d4227f74b6adacfef73815d8 |
| SHA1 | a35c8a796e4453c0c09d011284b806d25bdad04c |
| SHA256 | a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480 |
| SHA512 | 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8 |
C:\ProgramData\AMMYY\hr
| MD5 | 6e91f8e00d2450332b7c094c2445706a |
| SHA1 | 429cf8372434b3a4c1a09b58a6b9597a3f60a74c |
| SHA256 | 74ee99bd914cc0f998cac9c2c712503db17f030e7cd54619fff4d92f6a860898 |
| SHA512 | b3aa39a8e8f9fcc33ec28dca612dcb11afd6361143a0103d3f557b0c43524ce89ed3fbd4123765ab5a1ef3e89eaf1cfc7cb6e518af99311d76ee61181a1a94ab |
C:\ProgramData\AMMYY\hr3
| MD5 | fc9a0e9a6bd1fa10ecf97c77d6fb58ce |
| SHA1 | f3f2e4f2105239262c96e59519ce38ff3c370353 |
| SHA256 | 21bf400a325c8a2f963a77e1764123675ee58e7055cfbcb4411105b0fa9eac96 |
| SHA512 | 74e7de17cbf2a3da55690272572b760c963010a589e9b80f66176c36a6ab2253208d2419938a98ec0acaedfe8fd29f22dbeb0a5b44e23c4d2723604036033690 |