Overview

overview

10

Static

static

10

a7259b65a4...c8.exe

windows7_x64

10

a7259b65a4...c8.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-en
  • submitted
    03-09-2021 09:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a7259b65a4acac8f1ef4a5cfdced39a996e97450944ac90a306b5ea71b727cc8.exe

  • Size

    1001KB

  • MD5

    a0063f8960f976b6a56ce2831b34ae19

  • SHA1

    bafde121d67f8359ddebaf5c13ab86eceb6dccc7

  • SHA256

    a7259b65a4acac8f1ef4a5cfdced39a996e97450944ac90a306b5ea71b727cc8

  • SHA512

    f79fd079ce9a43e3e36e3e1ee12ca06d17ad00e6624d2d22a67bee0d615cdb447b1e12aa074d57bbc4ba9558558c670c3d0421b1aa0cd468686616861717ef6b

Score
10/10
ammyyadminrat

Malware Config

Signatures

  • Ammyy Admin

    Remote admin tool with various capabilities.

    ratammyyadmin
  • AmmyyAdmin Payload 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a7259b65a4acac8f1ef4a5cfdced39a996e97450944ac90a306b5ea71b727cc8.exe
    "C:\Users\Admin\AppData\Local\Temp\a7259b65a4acac8f1ef4a5cfdced39a996e97450944ac90a306b5ea71b727cc8.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1816
    • C:\Users\Admin\AppData\Local\Temp\budha.exe
      "C:\Users\Admin\AppData\Local\Temp\budha.exe"
      2⤵
      • Executes dropped EXE
      PID:1256

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\budha.exe
    MD5

    ae9bf34c3d5342386729bdef459a271b

    SHA1

    0663c60b0ab1149dc79517917cda8f26803f289d

    SHA256

    074e47886359301c80d6e73ade27a14fa65f58dde03825bc70cc8a3a3dcdca4a

    SHA512

    bf3ba85927c343c313acd1cba28ffb6ee8d99a6e445ebd23a9f1984453d0d70e69b262c06ebc42c422389612ef262b76d3a62688a03553af34364863085da1bb

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\budha.exe
    MD5

    ae9bf34c3d5342386729bdef459a271b

    SHA1

    0663c60b0ab1149dc79517917cda8f26803f289d

    SHA256

    074e47886359301c80d6e73ade27a14fa65f58dde03825bc70cc8a3a3dcdca4a

    SHA512

    bf3ba85927c343c313acd1cba28ffb6ee8d99a6e445ebd23a9f1984453d0d70e69b262c06ebc42c422389612ef262b76d3a62688a03553af34364863085da1bb

    Download Submit
  • \Users\Admin\AppData\Local\Temp\budha.exe
    MD5

    ae9bf34c3d5342386729bdef459a271b

    SHA1

    0663c60b0ab1149dc79517917cda8f26803f289d

    SHA256

    074e47886359301c80d6e73ade27a14fa65f58dde03825bc70cc8a3a3dcdca4a

    SHA512

    bf3ba85927c343c313acd1cba28ffb6ee8d99a6e445ebd23a9f1984453d0d70e69b262c06ebc42c422389612ef262b76d3a62688a03553af34364863085da1bb

    Download Submit
  • memory/1256-57-0x0000000000000000-mapping.dmp
    Download
  • memory/1256-61-0x0000000001E00000-0x0000000001E01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1256-62-0x00000000027F0000-0x0000000002BF0000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/1816-53-0x0000000075AA1000-0x0000000075AA3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1816-54-0x0000000001EC0000-0x0000000001EC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1816-55-0x00000000026D0000-0x0000000002AD0000-memory.dmp
    Filesize

    4.0MB

    Download