Analysis
-
max time kernel
157s -
max time network
162s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
06-09-2021 06:40
Static task
static1
Behavioral task
behavioral1
Sample
bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe
Resource
win10-en
General
-
Target
bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe
-
Size
942KB
-
MD5
40ee484d60e2189ec5bb129321b5ff81
-
SHA1
23d2bb8b0a6d4848d7d3385a813506f7e3e12322
-
SHA256
bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0
-
SHA512
03a134df5183e46e701347000bb480126000e2f402bd88c4d4a0b469bb5b4629f10b580bf2ae157cb524b8468244b86af0fdb6923c9902cc1ad31cde678c0c3c
Malware Config
Signatures
-
Ammyy Admin
Remote admin tool with various capabilities.
-
AmmyyAdmin Payload 3 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\budha.exe family_ammyyadmin C:\Users\Admin\AppData\Local\Temp\budha.exe family_ammyyadmin C:\Users\Admin\AppData\Local\Temp\budha.exe family_ammyyadmin -
Executes dropped EXE 1 IoCs
Processes:
budha.exepid process 1948 budha.exe -
Loads dropped DLL 1 IoCs
Processes:
bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exepid process 1016 bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exedescription pid process target process PID 1016 wrote to memory of 1948 1016 bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe budha.exe PID 1016 wrote to memory of 1948 1016 bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe budha.exe PID 1016 wrote to memory of 1948 1016 bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe budha.exe PID 1016 wrote to memory of 1948 1016 bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe budha.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe"C:\Users\Admin\AppData\Local\Temp\bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\budha.exe"C:\Users\Admin\AppData\Local\Temp\budha.exe"2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\budha.exeMD5
b9df85b5a69f386a029bc10d94957622
SHA1249f18d4d7969e4a1bfe4daf674bb7725c7a9327
SHA256720e6f731aefda05db0bd9862361b098e6ee6c8eabc82e98061098d76eebf5ed
SHA512e41c01ce8457d82514f076445bb41912fa52612b9aa8fe5c312cca07e24f0c167e3b9feacc4f1f641a39347fef3c87dec91915906c9e05c4bbd6992560cd163a
-
C:\Users\Admin\AppData\Local\Temp\budha.exeMD5
b9df85b5a69f386a029bc10d94957622
SHA1249f18d4d7969e4a1bfe4daf674bb7725c7a9327
SHA256720e6f731aefda05db0bd9862361b098e6ee6c8eabc82e98061098d76eebf5ed
SHA512e41c01ce8457d82514f076445bb41912fa52612b9aa8fe5c312cca07e24f0c167e3b9feacc4f1f641a39347fef3c87dec91915906c9e05c4bbd6992560cd163a
-
\Users\Admin\AppData\Local\Temp\budha.exeMD5
b9df85b5a69f386a029bc10d94957622
SHA1249f18d4d7969e4a1bfe4daf674bb7725c7a9327
SHA256720e6f731aefda05db0bd9862361b098e6ee6c8eabc82e98061098d76eebf5ed
SHA512e41c01ce8457d82514f076445bb41912fa52612b9aa8fe5c312cca07e24f0c167e3b9feacc4f1f641a39347fef3c87dec91915906c9e05c4bbd6992560cd163a
-
memory/1016-60-0x00000000769B1000-0x00000000769B3000-memory.dmpFilesize
8KB
-
memory/1016-61-0x0000000001EE0000-0x0000000001EE1000-memory.dmpFilesize
4KB
-
memory/1016-62-0x00000000027D0000-0x0000000002BD0000-memory.dmpFilesize
4.0MB
-
memory/1948-64-0x0000000000000000-mapping.dmp
-
memory/1948-68-0x00000000001B0000-0x00000000001B1000-memory.dmpFilesize
4KB
-
memory/1948-69-0x0000000002710000-0x0000000002B10000-memory.dmpFilesize
4.0MB