Analysis Overview
SHA256
6b4e0bacccb182794d94fdf6fe5389046d10e1b31c1b7309c17c997e0265cd05
Threat Level: Known bad
The file 6b4e0bacccb182794d94fdf6fe5389046d10e1b31c1b7309c17c997e0265cd05 was found to be: Known bad.
Malicious Activity Summary
AmmyyAdmin Payload
Ammyyadmin family
Ammyy Admin
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-09-16 13:32
Signatures
AmmyyAdmin Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Ammyyadmin family
Analysis: behavioral1
Detonation Overview
Submitted
2021-08-30 06:12
Reported
2021-08-30 06:22
Platform
win7v20210408
Max time kernel
153s
Max time network
198s
Command Line
Signatures
Ammyy Admin
AmmyyAdmin Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\budha.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6b4e0bacccb182794d94fdf6fe5389046d10e1b31c1b7309c17c997e0265cd05.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1100 wrote to memory of 1728 | N/A | C:\Users\Admin\AppData\Local\Temp\6b4e0bacccb182794d94fdf6fe5389046d10e1b31c1b7309c17c997e0265cd05.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\6b4e0bacccb182794d94fdf6fe5389046d10e1b31c1b7309c17c997e0265cd05.exe
"C:\Users\Admin\AppData\Local\Temp\6b4e0bacccb182794d94fdf6fe5389046d10e1b31c1b7309c17c997e0265cd05.exe"
C:\Users\Admin\AppData\Local\Temp\budha.exe
"C:\Users\Admin\AppData\Local\Temp\budha.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | maitikio.com | udp |
| BE | 35.205.61.67:443 | maitikio.com | tcp |
| US | 8.8.8.8:53 | cry-havok.org | udp |
Files
memory/1100-60-0x0000000075B31000-0x0000000075B33000-memory.dmp
memory/1100-61-0x0000000001D00000-0x0000000001D01000-memory.dmp
memory/1100-62-0x00000000026F0000-0x0000000002AF0000-memory.dmp
\Users\Admin\AppData\Local\Temp\budha.exe
| Hash | Value |
| --- | --- |
| MD5 | cc762f9f1da8f5f8add9095b7cd615fb |
| SHA1 | a9a6bbb2f991e3a9b2efd9c58e4bc1cc4aa6b8b2 |
| SHA256 | 3f25bd47d85e2778aa5b10ad291e27c66f3a1e01cf8c26a161f64fe4bb5aa7f6 |
| SHA512 | 24dc55f7500a0aeb088e9dd9ce8769a3ad6e27d402e5cc4a577f8101cc2de43b46735e3f9c3de4239c8606dd4531972306305c16051ae059aef8aa2e228fa907 |
memory/1728-64-0x0000000000000000-mapping.dmp
memory/1728-68-0x0000000000290000-0x0000000000291000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-08-30 06:12
Reported
2021-08-30 06:22
Platform
win10v20210408
Max time kernel
136s
Max time network
154s
Command Line
Signatures
Ammyy Admin
AmmyyAdmin Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\budha.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 808 wrote to memory of 3424 | N/A | C:\Users\Admin\AppData\Local\Temp\6b4e0bacccb182794d94fdf6fe5389046d10e1b31c1b7309c17c997e0265cd05.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\6b4e0bacccb182794d94fdf6fe5389046d10e1b31c1b7309c17c997e0265cd05.exe
"C:\Users\Admin\AppData\Local\Temp\6b4e0bacccb182794d94fdf6fe5389046d10e1b31c1b7309c17c997e0265cd05.exe"
C:\Users\Admin\AppData\Local\Temp\budha.exe
"C:\Users\Admin\AppData\Local\Temp\budha.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 34.104.35.123:80 | | tcp |
| US | 8.8.8.8:53 | maitikio.com | udp |
| BE | 35.205.61.67:443 | maitikio.com | tcp |
| US | 8.8.8.8:53 | cry-havok.org | udp |
| US | 172.217.168.226:80 | | tcp |
| NL | 142.250.179.163:443 | | tcp |
| US | 142.251.36.46:443 | | tcp |
| NL | 142.250.179.141:443 | | tcp |
| US | 8.8.4.4:443 | | tcp |
| NL | 142.250.179.193:443 | | tcp |
| NL | 142.250.179.162:443 | | tcp |
| US | 172.217.168.195:443 | | tcp |
| US | 142.251.36.42:443 | | tcp |
| US | 142.251.36.35:443 | | tcp |
Files
memory/808-114-0x0000000002400000-0x0000000002401000-memory.dmp
memory/808-115-0x0000000002750000-0x0000000002B50000-memory.dmp
memory/3424-116-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\budha.exe
| Hash | Value |
| --- | --- |
| MD5 | cc762f9f1da8f5f8add9095b7cd615fb |
| SHA1 | a9a6bbb2f991e3a9b2efd9c58e4bc1cc4aa6b8b2 |
| SHA256 | 3f25bd47d85e2778aa5b10ad291e27c66f3a1e01cf8c26a161f64fe4bb5aa7f6 |
| SHA512 | 24dc55f7500a0aeb088e9dd9ce8769a3ad6e27d402e5cc4a577f8101cc2de43b46735e3f9c3de4239c8606dd4531972306305c16051ae059aef8aa2e228fa907 |
memory/3424-119-0x0000000000410000-0x000000000055A000-memory.dmp
memory/3424-120-0x0000000002530000-0x0000000002930000-memory.dmp