Analysis Overview
SHA256
af5450d6ec23249783f1119c8716059194be2e40f4574f697dab72eac0223092
Threat Level: Known bad
The file af5450d6ec23249783f1119c8716059194be2e40f4574f697dab72eac0223092 was found to be: Known bad.
Malicious Activity Summary
AmmyyAdmin Payload
Ammyyadmin family
Ammyy Admin
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-09-16 13:32
Signatures
AmmyyAdmin Payload
Ammyyadmin family
Analysis: behavioral1
Detonation Overview
Submitted
2021-08-31 10:25
Reported
2021-08-31 10:29
Platform
win7v20210410
Max time kernel
151s
Max time network
192s
Command Line
Signatures
Ammyy Admin
AmmyyAdmin Payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\budha.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\af5450d6ec23249783f1119c8716059194be2e40f4574f697dab72eac0223092.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1304 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\af5450d6ec23249783f1119c8716059194be2e40f4574f697dab72eac0223092.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
| PID 1304 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\af5450d6ec23249783f1119c8716059194be2e40f4574f697dab72eac0223092.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
| PID 1304 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\af5450d6ec23249783f1119c8716059194be2e40f4574f697dab72eac0223092.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
| PID 1304 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\af5450d6ec23249783f1119c8716059194be2e40f4574f697dab72eac0223092.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\af5450d6ec23249783f1119c8716059194be2e40f4574f697dab72eac0223092.exe
"C:\Users\Admin\AppData\Local\Temp\af5450d6ec23249783f1119c8716059194be2e40f4574f697dab72eac0223092.exe"
C:\Users\Admin\AppData\Local\Temp\budha.exe
"C:\Users\Admin\AppData\Local\Temp\budha.exe"
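Detection note (added example, not part of the Triage output). Ammyy Admin is a legitimate remote-administration tool that is often abused, so the behaviour chain above is the better detection hook than the tool itself: an executable in the user's Temp directory (PID 1304) starts a second executable it dropped there (budha.exe, PID 1160) and then writes into that child's memory. The script below flags exactly that pattern. The events are constructed and use a simplified Sysmon-like schema (EventID 1 = process create, EventID 10 = process access, integer GrantedAccess); the field names are assumptions to adapt to your own telemetry.

```python
"""Flag a Temp-resident parent that spawns a Temp-resident child and then opens
it with write access ('Executes dropped EXE' + 'Suspicious use of
WriteProcessMemory'). Added example; event schema and values are constructed."""
import re

TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)
PROCESS_VM_WRITE = 0x0020        # access right WriteProcessMemory needs
PROCESS_ALL_ACCESS = 0x1F0FFF    # includes PROCESS_VM_WRITE

SAMPLE = "af5450d6ec23249783f1119c8716059194be2e40f4574f697dab72eac0223092.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"


def temp_path(name):
    return TEMP + "\\" + name


# Constructed events modelled on behavioral1 (parent PID 1304, child PID 1160).
# Parent PID of the sample and the benign installer rows are made up.
EVENTS = [
    {"EventID": 1, "ProcessId": 1304, "ParentProcessId": 612,
     "Image": temp_path(SAMPLE), "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 1160, "ParentProcessId": 1304,
     "Image": temp_path("budha.exe"), "ParentImage": temp_path(SAMPLE)},
    # The report lists four writes from 1304 into 1160; two are enough to show dedup.
    {"EventID": 10, "SourceProcessId": 1304, "TargetProcessId": 1160,
     "GrantedAccess": PROCESS_ALL_ACCESS},
    {"EventID": 10, "SourceProcessId": 1304, "TargetProcessId": 1160,
     "GrantedAccess": PROCESS_ALL_ACCESS},
    # Benign noise: an installer launching a helper from Temp is common on its own,
    # and a 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) open is not a write.
    {"EventID": 1, "ProcessId": 2000, "ParentProcessId": 1500,
     "Image": temp_path("setup_helper.exe"),
     "ParentImage": r"C:\Users\Admin\Downloads\installer.exe"},
    {"EventID": 10, "SourceProcessId": 1500, "TargetProcessId": 2000,
     "GrantedAccess": 0x1000},
]


def find_temp_drop_and_write(events):
    """Return (parent_pid, child_pid, child_image) for each Temp-resident parent
    that spawned a Temp-resident child and then opened it with PROCESS_VM_WRITE."""
    temp_children = {}   # child pid -> (parent pid, child image)
    for ev in events:
        if (ev["EventID"] == 1 and TEMP_EXE.search(ev["Image"])
                and TEMP_EXE.search(ev["ParentImage"])):
            temp_children[ev["ProcessId"]] = (ev["ParentProcessId"], ev["Image"])

    hits, seen = [], set()
    for ev in events:
        if ev["EventID"] != 10 or not ev["GrantedAccess"] & PROCESS_VM_WRITE:
            continue
        child = temp_children.get(ev["TargetProcessId"])
        if child is None or child[0] != ev["SourceProcessId"]:
            continue                     # write came from something other than the parent
        key = (ev["SourceProcessId"], ev["TargetProcessId"])
        if key not in seen:              # one alert per parent->child pair, not per write
            seen.add(key)
            hits.append((key[0], key[1], child[1]))
    return hits


if __name__ == "__main__":
    for parent, child, image in find_temp_drop_and_write(EVENTS):
        print(f"PID {parent} spawned and wrote into PID {child} ({image})")
```

The parent-must-match check matters: a debugger or AV engine opening a Temp process with write access would otherwise trip the rule. Deduplicating on the (parent, child) pair keeps the four WriteProcessMemory rows in the report from becoming four alerts.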
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | maitikio.com | udp |
| BE | 35.205.61.67:443 | maitikio.com | tcp |
| BE | 35.205.61.67:443 | maitikio.com | tcp |
| US | 8.8.8.8:53 | cry-havok.org | udp |
| BE | 35.205.61.67:443 | maitikio.com | tcp |
| BE | 35.205.61.67:443 | maitikio.com | tcp |
| BE | 35.205.61.67:443 | maitikio.com | tcp |
| BE | 35.205.61.67:443 | maitikio.com | tcp |
| BE | 35.205.61.67:443 | N/A | tcp |
Files
memory/1304-60-0x0000000075551000-0x0000000075553000-memory.dmp
\Users\Admin\AppData\Local\Temp\budha.exe
| MD5 | 72fadc18bf5a4c479a31c329a6abf9bb |
| SHA1 | 75d2f13681b9f7cbefbd3ac65753c1cd697ebfe4 |
| SHA256 | 48323d9c1861e8535a5c68c2f3700c1bceb259b04c750153242f8821facf6ea7 |
| SHA512 | d0971571ec1151ddce055b30515cdf709b3e04afb093f4322589e5ed86ece2fb4e4acaff37e6d0c73d6aff681d3798cc60ddfbed002652e57a7c7492d5fd1d33 |
memory/1160-62-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\budha.exe
| MD5 | 72fadc18bf5a4c479a31c329a6abf9bb |
| SHA1 | 75d2f13681b9f7cbefbd3ac65753c1cd697ebfe4 |
| SHA256 | 48323d9c1861e8535a5c68c2f3700c1bceb259b04c750153242f8821facf6ea7 |
| SHA512 | d0971571ec1151ddce055b30515cdf709b3e04afb093f4322589e5ed86ece2fb4e4acaff37e6d0c73d6aff681d3798cc60ddfbed002652e57a7c7492d5fd1d33 |
memory/1304-66-0x0000000001E30000-0x0000000001E31000-memory.dmp
memory/1304-67-0x0000000002720000-0x0000000002B20000-memory.dmp
memory/1160-68-0x0000000001DF0000-0x0000000001DF1000-memory.dmp
memory/1160-69-0x00000000026E0000-0x0000000002AE0000-memory.dmp
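IOC sweep (added example, not part of the Triage output). The Network and Files sections above give a usable indicator set: the submitted sample's SHA256, the dropped budha.exe hashes, the domains maitikio.com and cry-havok.org, and TCP connections to 35.205.61.67:443. The script below applies them to DNS, connection and file-inventory telemetry. The log lines and inventory rows are constructed, and their formats (Zeek-style dns/conn fields, a CSV export of host,path,sha256,md5 from an EDR) are assumptions. 8.8.8.8:53 is the sandbox resolver, not an indicator, so it is left out of the set.

```python
"""Match this report's IOCs against DNS, connection and file-inventory data.
Added example; all telemetry below is constructed."""
import csv
import io

SAMPLE_SHA256 = "af5450d6ec23249783f1119c8716059194be2e40f4574f697dab72eac0223092"
DROPPED_SHA256 = "48323d9c1861e8535a5c68c2f3700c1bceb259b04c750153242f8821facf6ea7"
DROPPED_MD5 = "72fadc18bf5a4c479a31c329a6abf9bb"

IOC_HASHES = {SAMPLE_SHA256: "submitted sample", DROPPED_SHA256: "dropped budha.exe",
              DROPPED_MD5: "dropped budha.exe"}
IOC_DOMAINS = {"maitikio.com", "cry-havok.org"}
IOC_ENDPOINTS = {("35.205.61.67", 443)}   # IP IOCs age quickly; pair them with the domains
DROPPED_NAME = r"\appdata\local\temp\budha.exe"


def domain_matches(query):
    """True for the IOC domain itself or any subdomain; trailing dots are tolerated."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in IOC_DOMAINS)


def sweep_dns(lines):
    """lines: 'ts<TAB>src_ip<TAB>query' (constructed format)."""
    hits = []
    for line in lines:
        ts, src, query = line.split("\t")
        if domain_matches(query):
            hits.append({"kind": "dns", "ts": ts, "host": src,
                         "ioc": query.lower().rstrip(".")})
    return hits


def sweep_conn(lines):
    """lines: 'ts<TAB>src_ip<TAB>dst_ip<TAB>dst_port<TAB>proto' (constructed format)."""
    hits = []
    for line in lines:
        ts, src, dst, dport, proto = line.split("\t")
        if proto == "tcp" and (dst, int(dport)) in IOC_ENDPOINTS:
            hits.append({"kind": "conn", "ts": ts, "host": src, "ioc": f"{dst}:{dport}"})
    return hits


def sweep_inventory(csv_text):
    """csv_text: 'host,path,sha256,md5' rows (constructed EDR export).
    A hash match is high confidence; a bare budha.exe in Temp is reported
    separately because any file can carry that name."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        label = IOC_HASHES.get(row["sha256"].lower()) or IOC_HASHES.get(row["md5"].lower())
        if label:
            hits.append({"kind": "hash:" + label, "host": row["host"], "ioc": row["path"]})
        elif row["path"].lower().endswith(DROPPED_NAME):
            hits.append({"kind": "filename-only", "host": row["host"], "ioc": row["path"]})
    return hits


def hosts_with_hits(*hit_lists):
    """Distinct hosts touched by any indicator, for scoping the response."""
    return sorted({h["host"] for hits in hit_lists for h in hits})


# --- constructed sample telemetry -------------------------------------------
DNS_LOG = [
    "1630405500.1\t10.0.0.15\tmaitikio.com",
    "1630405501.4\t10.0.0.15\tcry-havok.org",
    "1630405502.0\t10.0.0.22\twww.example.com",
    "1630405503.7\t10.0.0.31\tupdate.maitikio.com.",   # subdomain with trailing dot
]
CONN_LOG = [
    "1630405500.9\t10.0.0.15\t35.205.61.67\t443\ttcp",
    "1630405505.2\t10.0.0.22\t93.184.216.34\t443\ttcp",
    "1630405506.0\t10.0.0.15\t35.205.61.67\t443\ttcp",
]
INVENTORY = "host,path,sha256,md5\n" + "\n".join([
    r"WS-015,C:\Users\Admin\AppData\Local\Temp\budha.exe," + DROPPED_SHA256 + "," + DROPPED_MD5,
    r"WS-022,C:\Program Files\Vendor\app.exe," + "11" * 32 + "," + "22" * 16,
    r"WS-031,C:\Users\Bob\AppData\Local\Temp\budha.exe," + "33" * 32 + "," + "44" * 16,
])

if __name__ == "__main__":
    dns, conn, files = sweep_dns(DNS_LOG), sweep_conn(CONN_LOG), sweep_inventory(INVENTORY)
    for hit in dns + conn + files:
        print(hit)
    print("hosts to triage:", hosts_with_hits(dns, conn, files))
```

The subdomain match is deliberate: the report only shows the apex domains, but a host resolving update.maitikio.com is just as interesting. Keep the filename-only hits in a lower tier; they are for pivoting, not for blocking.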
Analysis: behavioral2
Detonation Overview
Submitted
2021-08-31 10:25
Reported
2021-08-31 10:30
Platform
win10v20210408
Max time kernel
140s
Max time network
168s
Command Line
Signatures
Ammyy Admin
AmmyyAdmin Payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\budha.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 640 wrote to memory of 3864 | N/A | C:\Users\Admin\AppData\Local\Temp\af5450d6ec23249783f1119c8716059194be2e40f4574f697dab72eac0223092.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
| PID 640 wrote to memory of 3864 | N/A | C:\Users\Admin\AppData\Local\Temp\af5450d6ec23249783f1119c8716059194be2e40f4574f697dab72eac0223092.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
| PID 640 wrote to memory of 3864 | N/A | C:\Users\Admin\AppData\Local\Temp\af5450d6ec23249783f1119c8716059194be2e40f4574f697dab72eac0223092.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\af5450d6ec23249783f1119c8716059194be2e40f4574f697dab72eac0223092.exe
"C:\Users\Admin\AppData\Local\Temp\af5450d6ec23249783f1119c8716059194be2e40f4574f697dab72eac0223092.exe"
C:\Users\Admin\AppData\Local\Temp\budha.exe
"C:\Users\Admin\AppData\Local\Temp\budha.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | maitikio.com | udp |
| BE | 35.205.61.67:443 | maitikio.com | tcp |
| BE | 35.205.61.67:443 | maitikio.com | tcp |
| US | 8.8.8.8:53 | cry-havok.org | udp |
| BE | 35.205.61.67:443 | maitikio.com | tcp |
| BE | 35.205.61.67:443 | maitikio.com | tcp |
| US | 8.8.8.8:53 | cry-havok.org | udp |
| BE | 35.205.61.67:443 | maitikio.com | tcp |
| BE | 35.205.61.67:443 | maitikio.com | tcp |
| US | 8.8.8.8:53 | cry-havok.org | udp |
| BE | 35.205.61.67:443 | maitikio.com | tcp |
Files
memory/640-114-0x0000000002300000-0x0000000002301000-memory.dmp
memory/640-115-0x0000000002650000-0x0000000002A50000-memory.dmp
memory/3864-116-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\budha.exe
| MD5 | 72fadc18bf5a4c479a31c329a6abf9bb |
| SHA1 | 75d2f13681b9f7cbefbd3ac65753c1cd697ebfe4 |
| SHA256 | 48323d9c1861e8535a5c68c2f3700c1bceb259b04c750153242f8821facf6ea7 |
| SHA512 | d0971571ec1151ddce055b30515cdf709b3e04afb093f4322589e5ed86ece2fb4e4acaff37e6d0c73d6aff681d3798cc60ddfbed002652e57a7c7492d5fd1d33 |
memory/3864-119-0x0000000000160000-0x0000000000161000-memory.dmp
memory/3864-120-0x0000000002570000-0x0000000002970000-memory.dmp