ammyyadmin | bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0

General

Target

bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe
Size

942KB
MD5

40ee484d60e2189ec5bb129321b5ff81
SHA1

23d2bb8b0a6d4848d7d3385a813506f7e3e12322
SHA256

bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0
SHA512

03a134df5183e46e701347000bb480126000e2f402bd88c4d4a0b469bb5b4629f10b580bf2ae157cb524b8468244b86af0fdb6923c9902cc1ad31cde678c0c3c

Score

10^/10

ammyyadmin rat

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin Payload 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\budha.exe	family_ammyyadmin
C:\Users\Admin\AppData\Local\Temp\budha.exe	family_ammyyadmin
C:\Users\Admin\AppData\Local\Temp\budha.exe	family_ammyyadmin

Executes dropped EXE 1 IoCs

Processes:

budha.exe

pid process

1948 budha.exe
Loads dropped DLL 1 IoCs

Processes:

bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe

pid process

1016 bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1948	budha.exe

pid	process
1016	bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe

description	pid	process	target process
PID 1016 wrote to memory of 1948	1016	bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe	budha.exe
PID 1016 wrote to memory of 1948	1016	bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe	budha.exe
PID 1016 wrote to memory of 1948	1016	bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe	budha.exe
PID 1016 wrote to memory of 1948	1016	bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe	budha.exe

C:\Users\Admin\AppData\Local\Temp\bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe
"C:\Users\Admin\AppData\Local\Temp\bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1016

C:\Users\Admin\AppData\Local\Temp\budha.exe
"C:\Users\Admin\AppData\Local\Temp\budha.exe"
2⤵
- Executes dropped EXE
PID:1948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\budha.exe
MD5
b9df85b5a69f386a029bc10d94957622

SHA1
249f18d4d7969e4a1bfe4daf674bb7725c7a9327

SHA256
720e6f731aefda05db0bd9862361b098e6ee6c8eabc82e98061098d76eebf5ed

SHA512
e41c01ce8457d82514f076445bb41912fa52612b9aa8fe5c312cca07e24f0c167e3b9feacc4f1f641a39347fef3c87dec91915906c9e05c4bbd6992560cd163a

Download Submit
C:\Users\Admin\AppData\Local\Temp\budha.exe
MD5
b9df85b5a69f386a029bc10d94957622

SHA1
249f18d4d7969e4a1bfe4daf674bb7725c7a9327

SHA256
720e6f731aefda05db0bd9862361b098e6ee6c8eabc82e98061098d76eebf5ed

SHA512
e41c01ce8457d82514f076445bb41912fa52612b9aa8fe5c312cca07e24f0c167e3b9feacc4f1f641a39347fef3c87dec91915906c9e05c4bbd6992560cd163a

Download Submit
\Users\Admin\AppData\Local\Temp\budha.exe
MD5
b9df85b5a69f386a029bc10d94957622

SHA1
249f18d4d7969e4a1bfe4daf674bb7725c7a9327

SHA256
720e6f731aefda05db0bd9862361b098e6ee6c8eabc82e98061098d76eebf5ed

SHA512
e41c01ce8457d82514f076445bb41912fa52612b9aa8fe5c312cca07e24f0c167e3b9feacc4f1f641a39347fef3c87dec91915906c9e05c4bbd6992560cd163a

Download Submit
memory/1016-60-0x00000000769B1000-0x00000000769B3000-memory.dmp

Filesize
8KB

Download
memory/1016-61-0x0000000001EE0000-0x0000000001EE1000-memory.dmp

Filesize
4KB

Download
memory/1016-62-0x00000000027D0000-0x0000000002BD0000-memory.dmp

Filesize
4.0MB

Download
memory/1948-64-0x0000000000000000-mapping.dmp

Download
memory/1948-68-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1948-69-0x0000000002710000-0x0000000002B10000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing