ammyyadmin | 3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Size

651KB
MD5

e59083fc9d80ed5b698c01ddfea8fcc1
SHA1

f1db45a790994aae4f96c3a1b98ddd5d1257f893
SHA256

3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576
SHA512

e6f3a1f1ef8956423e9d07aa57d251a3cc6de661d1c467f832e14822504df330f6099b1c5cbe79914c7cac63be2a2a7c3542f9b0ba92a0d26841ca8764346c34
SSDEEP

12288:2aA9OKLSwaIN5U8xvFoRQMEoO2rx8ikfRtjIe9rtv8zl6mi/gQ:KkK+waI8JRQMEJ2rufRtse9rtv8zlBi3

Score

10^/10

ammyyadmin flawedammyy discovery rat trojan

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 5 IoCs

resource	yara_rule
behavioral1/memory/2124-0-0x0000000000400000-0x00000000004B2000-memory.dmp	family_ammyyadmin
behavioral1/memory/2348-2-0x0000000000400000-0x00000000004B2000-memory.dmp	family_ammyyadmin
behavioral1/memory/2348-4-0x0000000000400000-0x00000000004B2000-memory.dmp	family_ammyyadmin
behavioral1/memory/2124-5-0x0000000000400000-0x00000000004B2000-memory.dmp	family_ammyyadmin
behavioral1/memory/2212-17-0x0000000000400000-0x00000000004B2000-memory.dmp	family_ammyyadmin

Ammyyadmin family
ammyyadmin
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Flawedammyy family
flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\Geo\Nation	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\34B6AF881B9D738561FC099B83DF3A01	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\34B6AF881B9D738561FC099B83DF3A01	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fa-b3-09-d6-34-e2\WpadDecision = "0"	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BC977695-0DCD-4DE5-A62C-D2CCFA9E2BD8}\WpadDecisionReason = "1"	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fa-b3-09-d6-34-e2	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BC977695-0DCD-4DE5-A62C-D2CCFA9E2BD8}\WpadDecisionTime = 509a715b2b5edb01	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BC977695-0DCD-4DE5-A62C-D2CCFA9E2BD8}\WpadDecision = "0"	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0089000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BC977695-0DCD-4DE5-A62C-D2CCFA9E2BD8}\fa-b3-09-d6-34-e2	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BC977695-0DCD-4DE5-A62C-D2CCFA9E2BD8}\WpadNetworkName = "Network 3"	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fa-b3-09-d6-34-e2\WpadDecisionTime = 509a715b2b5edb01	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BC977695-0DCD-4DE5-A62C-D2CCFA9E2BD8}	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2212	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeBackupPrivilege	2212	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Token: SeRestorePrivilege	2212	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Token: SeBackupPrivilege	2212	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
Token: SeRestorePrivilege	2212	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2212	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2212	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2212	2348	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe	31
PID 2348 wrote to memory of 2212	2348	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe	31
PID 2348 wrote to memory of 2212	2348	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe	31
PID 2348 wrote to memory of 2212	2348	3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe	31

C:\Users\Admin\AppData\Local\Temp\3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
"C:\Users\Admin\AppData\Local\Temp\3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2124

C:\Users\Admin\AppData\Local\Temp\3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
"C:\Users\Admin\AppData\Local\Temp\3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Users\Admin\AppData\Local\Temp\3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe
  "C:\Users\Admin\AppData\Local\Temp\3be888aaea64006a812de63d81597596777e3b4b03f12437ed720e23f4e66576.exe"
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Modifies system certificate store
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\settings.bin

Filesize
76B

MD5
090bba5cbe9cd62189310f633f14d686

SHA1
0ce1d78aace04650b0c592665686a89412c1771c

SHA256
7bc48188bbd0ad1b7ac10257e6a8fc5327f2ccfd56402a4353f6d8ef26eb0ff8

SHA512
846781bdb4d8902963f1859077c8db4c763fdd4ca28f0be83b95c20d324b5db030f312fc3d4f959dc05ca4f41ef872a49d123195494b16440e16ebcc5edb31a7

Download Submit
memory/2124-0-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2124-5-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2212-17-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2348-2-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2348-4-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download