Analysis

  • max time kernel
    157s
  • max time network
    162s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    06-09-2021 06:40

General

  • Target

    bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe

  • Size

    942KB

  • MD5

    40ee484d60e2189ec5bb129321b5ff81

  • SHA1

    23d2bb8b0a6d4848d7d3385a813506f7e3e12322

  • SHA256

    bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0

  • SHA512

    03a134df5183e46e701347000bb480126000e2f402bd88c4d4a0b469bb5b4629f10b580bf2ae157cb524b8468244b86af0fdb6923c9902cc1ad31cde678c0c3c

Score
10/10

Malware Config

Signatures

  • Ammyy Admin

    Remote admin tool with various capabilities.

  • AmmyyAdmin Payload 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe
    "C:\Users\Admin\AppData\Local\Temp\bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1016
    • C:\Users\Admin\AppData\Local\Temp\budha.exe
      "C:\Users\Admin\AppData\Local\Temp\budha.exe"
      2⤵
      • Executes dropped EXE
      PID:1948

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\budha.exe

    MD5

    b9df85b5a69f386a029bc10d94957622

    SHA1

    249f18d4d7969e4a1bfe4daf674bb7725c7a9327

    SHA256

    720e6f731aefda05db0bd9862361b098e6ee6c8eabc82e98061098d76eebf5ed

    SHA512

    e41c01ce8457d82514f076445bb41912fa52612b9aa8fe5c312cca07e24f0c167e3b9feacc4f1f641a39347fef3c87dec91915906c9e05c4bbd6992560cd163a

  • C:\Users\Admin\AppData\Local\Temp\budha.exe

    MD5

    b9df85b5a69f386a029bc10d94957622

    SHA1

    249f18d4d7969e4a1bfe4daf674bb7725c7a9327

    SHA256

    720e6f731aefda05db0bd9862361b098e6ee6c8eabc82e98061098d76eebf5ed

    SHA512

    e41c01ce8457d82514f076445bb41912fa52612b9aa8fe5c312cca07e24f0c167e3b9feacc4f1f641a39347fef3c87dec91915906c9e05c4bbd6992560cd163a

  • \Users\Admin\AppData\Local\Temp\budha.exe

    MD5

    b9df85b5a69f386a029bc10d94957622

    SHA1

    249f18d4d7969e4a1bfe4daf674bb7725c7a9327

    SHA256

    720e6f731aefda05db0bd9862361b098e6ee6c8eabc82e98061098d76eebf5ed

    SHA512

    e41c01ce8457d82514f076445bb41912fa52612b9aa8fe5c312cca07e24f0c167e3b9feacc4f1f641a39347fef3c87dec91915906c9e05c4bbd6992560cd163a

  • memory/1016-60-0x00000000769B1000-0x00000000769B3000-memory.dmp

    Filesize

    8KB

  • memory/1016-61-0x0000000001EE0000-0x0000000001EE1000-memory.dmp

    Filesize

    4KB

  • memory/1016-62-0x00000000027D0000-0x0000000002BD0000-memory.dmp

    Filesize

    4.0MB

  • memory/1948-64-0x0000000000000000-mapping.dmp

  • memory/1948-68-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB

  • memory/1948-69-0x0000000002710000-0x0000000002B10000-memory.dmp

    Filesize

    4.0MB