ammyyadmin | a7259b65a4acac8f1ef4a5cfdced39a996e97450944ac90a306b5ea71b727cc8

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-en
submitted
03-09-2021 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7259b65a4acac8f1ef4a5cfdced39a996e97450944ac90a306b5ea71b727cc8.exe
Size

1001KB
MD5

a0063f8960f976b6a56ce2831b34ae19
SHA1

bafde121d67f8359ddebaf5c13ab86eceb6dccc7
SHA256

a7259b65a4acac8f1ef4a5cfdced39a996e97450944ac90a306b5ea71b727cc8
SHA512

f79fd079ce9a43e3e36e3e1ee12ca06d17ad00e6624d2d22a67bee0d615cdb447b1e12aa074d57bbc4ba9558558c670c3d0421b1aa0cd468686616861717ef6b

Score

10^/10

ammyyadmin rat

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0002000000012f22-58.dat	family_ammyyadmin
behavioral1/files/0x0002000000012f22-56.dat	family_ammyyadmin
behavioral1/files/0x0002000000012f22-60.dat	family_ammyyadmin

Executes dropped EXE 1 IoCs

pid	Process
1256	budha.exe

Loads dropped DLL 1 IoCs

pid	Process
1816	a7259b65a4acac8f1ef4a5cfdced39a996e97450944ac90a306b5ea71b727cc8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 1256	1816	a7259b65a4acac8f1ef4a5cfdced39a996e97450944ac90a306b5ea71b727cc8.exe	27
PID 1816 wrote to memory of 1256	1816	a7259b65a4acac8f1ef4a5cfdced39a996e97450944ac90a306b5ea71b727cc8.exe	27
PID 1816 wrote to memory of 1256	1816	a7259b65a4acac8f1ef4a5cfdced39a996e97450944ac90a306b5ea71b727cc8.exe	27
PID 1816 wrote to memory of 1256	1816	a7259b65a4acac8f1ef4a5cfdced39a996e97450944ac90a306b5ea71b727cc8.exe	27

C:\Users\Admin\AppData\Local\Temp\a7259b65a4acac8f1ef4a5cfdced39a996e97450944ac90a306b5ea71b727cc8.exe
"C:\Users\Admin\AppData\Local\Temp\a7259b65a4acac8f1ef4a5cfdced39a996e97450944ac90a306b5ea71b727cc8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  PID:1256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1256-61-0x0000000001E00000-0x0000000001E01000-memory.dmp

Filesize
4KB

Download
memory/1256-62-0x00000000027F0000-0x0000000002BF0000-memory.dmp

Filesize
4.0MB

Download
memory/1816-53-0x0000000075AA1000-0x0000000075AA3000-memory.dmp

Filesize
8KB

Download
memory/1816-54-0x0000000001EC0000-0x0000000001EC1000-memory.dmp

Filesize
4KB

Download
memory/1816-55-0x00000000026D0000-0x0000000002AD0000-memory.dmp

Filesize
4.0MB

Download