Analysis Overview
SHA256
bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0
Threat Level: Known bad
The file bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0 was found to be: Known bad.
Malicious Activity Summary
AmmyyAdmin Payload
Ammyyadmin family
Ammyy Admin
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-09-16 13:32
Signatures
AmmyyAdmin Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Ammyyadmin family
Analysis: behavioral1
Detonation Overview
Submitted
2021-09-06 06:40
Reported
2021-09-06 06:42
Platform
win7v20210408
Max time kernel
157s
Max time network
162s
Command Line
Signatures
Ammyy Admin
AmmyyAdmin Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\budha.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1016 wrote to memory of 1948 | N/A | C:\Users\Admin\AppData\Local\Temp\bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
| PID 1016 wrote to memory of 1948 | N/A | C:\Users\Admin\AppData\Local\Temp\bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
| PID 1016 wrote to memory of 1948 | N/A | C:\Users\Admin\AppData\Local\Temp\bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
| PID 1016 wrote to memory of 1948 | N/A | C:\Users\Admin\AppData\Local\Temp\bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe
"C:\Users\Admin\AppData\Local\Temp\bc23e863023b8d708341aa5fddf8aaa2b3c2b778edd9309b80304a980bba9ee0.exe"
C:\Users\Admin\AppData\Local\Temp\budha.exe
"C:\Users\Admin\AppData\Local\Temp\budha.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | maitikio.com | udp |
| BE | 35.205.61.67:443 | maitikio.com | tcp |
| BE | 35.205.61.67:443 | maitikio.com | tcp |
| US | 8.8.8.8:53 | cry-havok.org | udp |
| BE | 35.205.61.67:443 | maitikio.com | tcp |
| BE | 35.205.61.67:443 | maitikio.com | tcp |
| BE | 35.205.61.67:443 | maitikio.com | tcp |
| BE | 35.205.61.67:443 | maitikio.com | tcp |
Files
memory/1016-60-0x00000000769B1000-0x00000000769B3000-memory.dmp
memory/1016-61-0x0000000001EE0000-0x0000000001EE1000-memory.dmp
memory/1016-62-0x00000000027D0000-0x0000000002BD0000-memory.dmp
\Users\Admin\AppData\Local\Temp\budha.exe
| MD5 | b9df85b5a69f386a029bc10d94957622 |
| SHA1 | 249f18d4d7969e4a1bfe4daf674bb7725c7a9327 |
| SHA256 | 720e6f731aefda05db0bd9862361b098e6ee6c8eabc82e98061098d76eebf5ed |
| SHA512 | e41c01ce8457d82514f076445bb41912fa52612b9aa8fe5c312cca07e24f0c167e3b9feacc4f1f641a39347fef3c87dec91915906c9e05c4bbd6992560cd163a |
memory/1948-64-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\budha.exe
| MD5 | b9df85b5a69f386a029bc10d94957622 |
| SHA1 | 249f18d4d7969e4a1bfe4daf674bb7725c7a9327 |
| SHA256 | 720e6f731aefda05db0bd9862361b098e6ee6c8eabc82e98061098d76eebf5ed |
| SHA512 | e41c01ce8457d82514f076445bb41912fa52612b9aa8fe5c312cca07e24f0c167e3b9feacc4f1f641a39347fef3c87dec91915906c9e05c4bbd6992560cd163a |
C:\Users\Admin\AppData\Local\Temp\budha.exe
| MD5 | b9df85b5a69f386a029bc10d94957622 |
| SHA1 | 249f18d4d7969e4a1bfe4daf674bb7725c7a9327 |
| SHA256 | 720e6f731aefda05db0bd9862361b098e6ee6c8eabc82e98061098d76eebf5ed |
| SHA512 | e41c01ce8457d82514f076445bb41912fa52612b9aa8fe5c312cca07e24f0c167e3b9feacc4f1f641a39347fef3c87dec91915906c9e05c4bbd6992560cd163a |
memory/1948-68-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/1948-69-0x0000000002710000-0x0000000002B10000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-09-06 06:40
Reported
2021-09-06 06:40
Platform
win10-en
Max time network
3s