Analysis Overview
SHA256
f13d4d73c46aaeddaf78558835095db8f034cc1361c0cbcf23980e108387126b
Threat Level: Known bad
The file f13d4d73c46aaeddaf78558835095db8f034cc1361c0cbcf23980e108387126b was found to be: Known bad.
Malicious Activity Summary
AmmyyAdmin Payload
Ammyyadmin family
Ammyy Admin
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-09-16 13:32
Signatures
AmmyyAdmin Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Ammyyadmin family
Analysis: behavioral1
Detonation Overview
Submitted
2021-08-30 06:12
Reported
2021-08-30 06:16
Platform
win7v20210408
Max time kernel
161s
Max time network
210s
Command Line
Signatures
Ammyy Admin
AmmyyAdmin Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\budha.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f13d4d73c46aaeddaf78558835095db8f034cc1361c0cbcf23980e108387126b.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2004 wrote to memory of 784 (4 writes recorded) | N/A | C:\Users\Admin\AppData\Local\Temp\f13d4d73c46aaeddaf78558835095db8f034cc1361c0cbcf23980e108387126b.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
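The signature above records the submitted sample (PID 2004) opening the child it had just dropped and started from the same Temp directory (budha.exe, PID 784) and writing into its memory. Whether that is hollowing or just a loader handing off cannot be told from these rows alone, but the shape is worth a detection on its own. The following is an added example, not sandbox output and not code from the sample: it runs over constructed records shaped like Sysmon Event ID 1 (ProcessCreate) and Event ID 10 (ProcessAccess). The paths and PIDs are the ones from the behavioral1 run; the GrantedAccess values and the explorer.exe launcher are assumed for the example and do not appear in the report.

```python
"""Detect a parent in a user Temp directory writing into a child it created
from the same Temp directory (the PID 2004 -> PID 784 pattern above).

Added example, not sandbox output and not code from the sample. Records are
constructed in the shape of Sysmon Event ID 1 and Event ID 10; paths and PIDs
are from the behavioral1 run, GrantedAccess values and explorer.exe are assumed.
"""
from typing import Dict, List, Tuple, Union

# Rights WriteProcessMemory needs on the target handle (winnt.h constants).
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f13d4d73c46aaeddaf78558835095db8f034cc1361c0cbcf23980e108387126b.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\budha.exe"
EXPLORER = r"C:\Windows\explorer.exe"  # assumed launcher, not in the report


def in_user_temp(image: str) -> bool:
    """True for images under any user's %LOCALAPPDATA%\\Temp."""
    return "\\appdata\\local\\temp\\" in image.lower()


def _access_bits(value: Union[int, str]) -> int:
    # Real Sysmon logs carry GrantedAccess as a hex string such as "0x1FFFFF".
    return value if isinstance(value, int) else int(value, 16)


def find_temp_injection(events: List[Dict]) -> List[Tuple[int, int, str]]:
    """Return (source_pid, target_pid, target_image) for each ProcessAccess
    where the source created the target, both images live in a user Temp
    directory, and the handle carries PROCESS_VM_OPERATION|PROCESS_VM_WRITE."""
    parent_of: Dict[int, int] = {}
    hits: List[Tuple[int, int, str]] = []
    for ev in events:
        if ev["EventID"] == 1:
            parent_of[ev["ProcessId"]] = ev["ParentProcessId"]
        elif ev["EventID"] == 10:
            src, tgt = ev["SourceProcessId"], ev["TargetProcessId"]
            if parent_of.get(tgt) != src:
                continue  # not the creator of the target; out of scope for this rule
            if not (in_user_temp(ev["SourceImage"]) and in_user_temp(ev["TargetImage"])):
                continue
            # parenthesised: in Python '!=' binds tighter than '&'
            if (_access_bits(ev["GrantedAccess"]) & WRITE_MASK) != WRITE_MASK:
                continue
            hits.append((src, tgt, ev["TargetImage"]))
    return hits


# Constructed events for the example (Sysmon field names; values assumed).
EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessId": 2004, "ParentProcessId": 1700,
     "Image": SAMPLE, "ParentImage": EXPLORER},
    # explorer querying its child: not Temp-to-Temp and no write rights, must not fire
    {"EventID": 10, "SourceProcessId": 1700, "TargetProcessId": 2004,
     "SourceImage": EXPLORER, "TargetImage": SAMPLE, "GrantedAccess": "0x1000"},
    {"EventID": 1, "ProcessId": 784, "ParentProcessId": 2004,
     "Image": DROPPED, "ParentImage": SAMPLE},
    # the flagged behaviour: the sample opens its freshly created child with full access
    {"EventID": 10, "SourceProcessId": 2004, "TargetProcessId": 784,
     "SourceImage": SAMPLE, "TargetImage": DROPPED, "GrantedAccess": "0x1FFFFF"},
    # a query-only handle to the same child must not fire
    {"EventID": 10, "SourceProcessId": 2004, "TargetProcessId": 784,
     "SourceImage": SAMPLE, "TargetImage": DROPPED, "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for src, tgt, image in find_temp_injection(EVENTS):
        print(f"PID {src} wrote to memory of {tgt} ({image})")
```

The rule keys on three things together (parent/child relationship, both images in Temp, and a handle with write rights) because any one of them alone is common in legitimate installers; 0x1FFFFF is the PROCESS_ALL_ACCESS handle a parent gets back from CreateProcess, so the access mask by itself says little.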
Processes
C:\Users\Admin\AppData\Local\Temp\f13d4d73c46aaeddaf78558835095db8f034cc1361c0cbcf23980e108387126b.exe
"C:\Users\Admin\AppData\Local\Temp\f13d4d73c46aaeddaf78558835095db8f034cc1361c0cbcf23980e108387126b.exe"
C:\Users\Admin\AppData\Local\Temp\budha.exe
"C:\Users\Admin\AppData\Local\Temp\budha.exe"
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | maitikio.com | udp | 1 |
| BE | 35.205.61.67:443 | maitikio.com | tcp | 2 |
| US | 8.8.8.8:53 | cry-havok.org | udp | 1 |
| BE | 35.205.61.67:443 | maitikio.com | tcp | 4 |
Files
memory/2004-60-0x0000000075AF1000-0x0000000075AF3000-memory.dmp
memory/2004-61-0x0000000001EE0000-0x0000000001EE1000-memory.dmp
memory/2004-62-0x00000000027D0000-0x0000000002BD0000-memory.dmp
\Users\Admin\AppData\Local\Temp\budha.exe (also recorded as C:\Users\Admin\AppData\Local\Temp\budha.exe)
| MD5 | 3a9616f44df6aea92068ce47aa2c3142 |
| SHA1 | 0022db2dd41b59e1aa57a9eeea5efa585aa7b554 |
| SHA256 | 4d8f460dc3dc8486606dab2d6128f1e4344322b6eeaf2780f4ca50f40f28d601 |
| SHA512 | 50585591d9115ae7cc479044f8ccb7313598b8ff2ea386cf5bfc358750d3c6617e7865e7e948d579c453f559ec0dfbbcac264a50718c275184c55480e9a4bf12 |
memory/784-64-0x0000000000000000-mapping.dmp
memory/784-68-0x0000000001E40000-0x0000000001E41000-memory.dmp
memory/784-69-0x0000000002830000-0x0000000002C30000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-08-30 06:12
Reported
2021-08-30 06:15
Platform
win10v20210408
Max time kernel
156s
Max time network
173s
Command Line
Signatures
Ammyy Admin
AmmyyAdmin Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\budha.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 656 wrote to memory of 3176 (3 writes recorded) | N/A | C:\Users\Admin\AppData\Local\Temp\f13d4d73c46aaeddaf78558835095db8f034cc1361c0cbcf23980e108387126b.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\f13d4d73c46aaeddaf78558835095db8f034cc1361c0cbcf23980e108387126b.exe
"C:\Users\Admin\AppData\Local\Temp\f13d4d73c46aaeddaf78558835095db8f034cc1361c0cbcf23980e108387126b.exe"
C:\Users\Admin\AppData\Local\Temp\budha.exe
"C:\Users\Admin\AppData\Local\Temp\budha.exe"
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | maitikio.com | udp | 1 |
| BE | 35.205.61.67:443 | maitikio.com | tcp | 2 |
| US | 8.8.8.8:53 | cry-havok.org | udp | 1 |
| BE | 35.205.61.67:443 | maitikio.com | tcp | 2 |
| US | 8.8.8.8:53 | cry-havok.org | udp | 1 |
| BE | 35.205.61.67:443 | maitikio.com | tcp | 2 |
| US | 8.8.8.8:53 | cry-havok.org | udp | 1 |
| BE | 35.205.61.67:443 | maitikio.com | tcp | 1 |
Files
memory/656-114-0x0000000000A30000-0x0000000000A31000-memory.dmp
memory/656-115-0x0000000002720000-0x0000000002B20000-memory.dmp
memory/3176-116-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\budha.exe
| MD5 | 3a9616f44df6aea92068ce47aa2c3142 |
| SHA1 | 0022db2dd41b59e1aa57a9eeea5efa585aa7b554 |
| SHA256 | 4d8f460dc3dc8486606dab2d6128f1e4344322b6eeaf2780f4ca50f40f28d601 |
| SHA512 | 50585591d9115ae7cc479044f8ccb7313598b8ff2ea386cf5bfc358750d3c6617e7865e7e948d579c453f559ec0dfbbcac264a50718c275184c55480e9a4bf12 |
memory/3176-120-0x00000000025B0000-0x00000000029B0000-memory.dmp
memory/3176-119-0x0000000002260000-0x0000000002261000-memory.dmp
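Both detonations produce the same small indicator set: the domains maitikio.com and cry-havok.org, the endpoint 35.205.61.67:443, and the hashes of the submitted sample and the dropped budha.exe. cry-havok.org is resolved in both runs but no connection to it is recorded, so it only ever shows up as a DNS indicator. The 8.8.8.8:53 rows are the sandbox's resolver, not an indicator, and matching on them would flag every host. The following is an added example, not part of the sandbox report: a hunt over constructed DNS and proxy log lines and a constructed file listing, using the indicators recorded above. The log line formats are assumed for the example.

```python
"""Hunt for the indicators recorded in the two behavioral runs above.

Added example; not part of the sandbox report. Indicators are the domains,
the 35.205.61.67 endpoint and the file hashes the report lists. The log lines
and the file listing are constructed for the example, and their formats are
assumed. 8.8.8.8:53 is deliberately not an indicator (sandbox resolver only).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

DOMAINS = {"maitikio.com", "cry-havok.org"}
IPS = {"35.205.61.67"}
SHA256S = {
    "f13d4d73c46aaeddaf78558835095db8f034cc1361c0cbcf23980e108387126b",  # submitted sample
    "4d8f460dc3dc8486606dab2d6128f1e4344322b6eeaf2780f4ca50f40f28d601",  # dropped budha.exe
}
MD5S = {"3a9616f44df6aea92068ce47aa2c3142"}  # dropped budha.exe


@dataclass
class Hit:
    source: str     # "dns", "proxy" or "file"
    indicator: str  # which indicator matched
    context: str    # the log line or file path that matched


def match_domain(name: str) -> Optional[str]:
    """Exact or subdomain match: cdn.maitikio.com hits, notmaitikio.com does not."""
    name = name.lower().rstrip(".")
    for d in DOMAINS:
        if name == d or name.endswith("." + d):
            return d
    return None


# Constructed log formats (assumed for the example):
#   <ts> <host> dns query=<name>
#   <ts> <host> proxy dst=<ip>:<port> [host=<name>]
DNS_RE = re.compile(r"\bdns\s+query=(\S+)")
PROXY_RE = re.compile(r"\bproxy\s+dst=([\d.]+):(\d+)(?:\s+host=(\S+))?")


def scan_logs(lines: List[str]) -> List[Hit]:
    hits: List[Hit] = []
    for line in lines:
        m = DNS_RE.search(line)
        if m:
            d = match_domain(m.group(1))
            if d:
                hits.append(Hit("dns", d, line))
            continue
        m = PROXY_RE.search(line)
        if m:
            ip, _port, host = m.groups()
            if ip in IPS:
                hits.append(Hit("proxy", ip, line))
            elif host and match_domain(host):
                hits.append(Hit("proxy", match_domain(host), line))
    return hits


def scan_hashes(files: Dict[str, str]) -> List[Hit]:
    """files maps path -> hex digest; MD5 (32 hex chars) and SHA-256 (64) are told apart by length."""
    hits: List[Hit] = []
    for path, digest in files.items():
        h = digest.lower()
        if (len(h) == 64 and h in SHA256S) or (len(h) == 32 and h in MD5S):
            hits.append(Hit("file", h, path))
    return hits


# Constructed sample data (not from the report).
LOG_LINES = [
    "2021-08-30T06:13:01Z ws01 dns query=maitikio.com",
    "2021-08-30T06:13:02Z ws01 proxy dst=35.205.61.67:443 host=maitikio.com",
    "2021-08-30T06:13:05Z ws01 dns query=cry-havok.org",
    "2021-08-30T06:13:09Z ws02 dns query=www.example.com",
    "2021-08-30T06:13:10Z ws02 proxy dst=8.8.8.8:53",
    "2021-08-30T06:14:00Z ws03 dns query=notmaitikio.com",
]
FILES = {
    r"C:\Users\bob\AppData\Local\Temp\budha.exe": "4d8f460dc3dc8486606dab2d6128f1e4344322b6eeaf2780f4ca50f40f28d601",
    r"C:\Windows\System32\notepad.exe": "0" * 64,
    r"C:\Users\bob\Downloads\update.exe": "3A9616F44DF6AEA92068CE47AA2C3142",
}

if __name__ == "__main__":
    for hit in scan_logs(LOG_LINES) + scan_hashes(FILES):
        print(f"{hit.source:5} {hit.indicator}  <- {hit.context}")
```

Domain matching is suffix-aware so that a subdomain of maitikio.com is caught while an unrelated name that merely ends in the same characters is not; hash matching normalises case, since the report prints digests in lowercase but tooling does not always.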