Analysis
-
max time kernel
157s -
max time network
162s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
06-09-2021 06:40
Static task
static1
Behavioral task
behavioral1
Sample
bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe
Resource
win10-en
General
-
Target
bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe
-
Size
942KB
-
MD5
40ee484d60e2189ec5bb129321b5ff81
-
SHA1
23d2bb8b0a6d4848d7d3385a813506f7e3e12322
-
SHA256
bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0
-
SHA512
03a134df5183e46e701347000bb480126000e2f402bd88c4d4a0b469bb5b4629f10b580bf2ae157cb524b8468244b86af0fdb6923c9902cc1ad31cde678c0c3c
Malware Config
Signatures
-
Ammyy Admin
Remote admin tool with various capabilities.
-
AmmyyAdmin Payload 3 IoCs
Processes:
resource yara_rule behavioral1/files/0x00040000000130b1-63.dat family_ammyyadmin behavioral1/files/0x00040000000130b1-65.dat family_ammyyadmin behavioral1/files/0x00040000000130b1-67.dat family_ammyyadmin -
Executes dropped EXE 1 IoCs
Processes:
budha.exepid Process 1948 budha.exe -
Loads dropped DLL 1 IoCs
Processes:
bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exepid Process 1016 bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exedescription pid Process procid_target PID 1016 wrote to memory of 1948 1016 bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe 26 PID 1016 wrote to memory of 1948 1016 bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe 26 PID 1016 wrote to memory of 1948 1016 bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe 26 PID 1016 wrote to memory of 1948 1016 bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe 26
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe"C:\Users\Admin\AppData\Local\Temp\bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Users\Admin\AppData\Local\Temp\budha.exe"C:\Users\Admin\AppData\Local\Temp\budha.exe"2⤵
- Executes dropped EXE
PID:1948
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
b9df85b5a69f386a029bc10d94957622
SHA1249f18d4d7969e4a1bfe4daf674bb7725c7a9327
SHA256720e6f731aefda05db0bd9862361b098e6ee6c8eabc82e98061098d76eebf5ed
SHA512e41c01ce8457d82514f076445bb41912fa52612b9aa8fe5c312cca07e24f0c167e3b9feacc4f1f641a39347fef3c87dec91915906c9e05c4bbd6992560cd163a
-
MD5
b9df85b5a69f386a029bc10d94957622
SHA1249f18d4d7969e4a1bfe4daf674bb7725c7a9327
SHA256720e6f731aefda05db0bd9862361b098e6ee6c8eabc82e98061098d76eebf5ed
SHA512e41c01ce8457d82514f076445bb41912fa52612b9aa8fe5c312cca07e24f0c167e3b9feacc4f1f641a39347fef3c87dec91915906c9e05c4bbd6992560cd163a
-
MD5
b9df85b5a69f386a029bc10d94957622
SHA1249f18d4d7969e4a1bfe4daf674bb7725c7a9327
SHA256720e6f731aefda05db0bd9862361b098e6ee6c8eabc82e98061098d76eebf5ed
SHA512e41c01ce8457d82514f076445bb41912fa52612b9aa8fe5c312cca07e24f0c167e3b9feacc4f1f641a39347fef3c87dec91915906c9e05c4bbd6992560cd163a