ammyyadmin | b77f695ff45d0ae0eeafef3dd41ae7c89bc56036a3ef0f4168509bae54c8db9c

Analysis

Target

b77f695ff45d0ae0eeafef3dd41ae7c89bc56036a3ef0f4168509bae54c8db9c.exe
Size

942KB
MD5

33889f086935081da3fd8331871d4984
SHA1

31648aa325742695ce8e9c23115235f2d2816248
SHA256

b77f695ff45d0ae0eeafef3dd41ae7c89bc56036a3ef0f4168509bae54c8db9c
SHA512

7fb2b6aec4a9134e88a1adc4247f3dab2841a70637cda87a8f2e2470b61a105d361bc749fc93178bc60627860b1f618eef9817ce3e1c03895bdd96e6e6a381ce

Score

10^/10

ammyyadmin rat

AmmyyAdmin Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000400000001aafe-116.dat	family_ammyyadmin
behavioral2/files/0x000400000001aafe-117.dat	family_ammyyadmin

Executes dropped EXE 1 IoCs

Processes:

budha.exe

pid	Process
2672	budha.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

b77f695ff45d0ae0eeafef3dd41ae7c89bc56036a3ef0f4168509bae54c8db9c.exe

description	pid	Process	procid_target
PID 3992 wrote to memory of 2672	3992	b77f695ff45d0ae0eeafef3dd41ae7c89bc56036a3ef0f4168509bae54c8db9c.exe	76
PID 3992 wrote to memory of 2672	3992	b77f695ff45d0ae0eeafef3dd41ae7c89bc56036a3ef0f4168509bae54c8db9c.exe	76
PID 3992 wrote to memory of 2672	3992	b77f695ff45d0ae0eeafef3dd41ae7c89bc56036a3ef0f4168509bae54c8db9c.exe	76

C:\Users\Admin\AppData\Local\Temp\b77f695ff45d0ae0eeafef3dd41ae7c89bc56036a3ef0f4168509bae54c8db9c.exe
"C:\Users\Admin\AppData\Local\Temp\b77f695ff45d0ae0eeafef3dd41ae7c89bc56036a3ef0f4168509bae54c8db9c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  PID:2672

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\budha.exe

MD5
8136552415eb9ab52d1f88fc08c7db30

SHA1
fbe237761b472fe73636d7324d1c61a06e56d401

SHA256
21080b21270a803f132267a20cf8293c9468d87b860eba8d16bbd04bbc08328e

SHA512
84c9bc1a61f63d279434d2a0d2ef66e9d5a57017f350e92ffc6f96622bcb3e63087fda80490007b7a996724b6d695c71b3b8e2bdba4dbc02f85befa83b811fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\budha.exe

MD5
8136552415eb9ab52d1f88fc08c7db30

SHA1
fbe237761b472fe73636d7324d1c61a06e56d401

SHA256
21080b21270a803f132267a20cf8293c9468d87b860eba8d16bbd04bbc08328e

SHA512
84c9bc1a61f63d279434d2a0d2ef66e9d5a57017f350e92ffc6f96622bcb3e63087fda80490007b7a996724b6d695c71b3b8e2bdba4dbc02f85befa83b811fe0

Download Submit
memory/2672-115-0x0000000000000000-mapping.dmp

Download
memory/2672-119-0x0000000002530000-0x0000000002930000-memory.dmp

Filesize
4.0MB

Download
memory/2672-121-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/3992-118-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/3992-120-0x0000000002670000-0x0000000002A70000-memory.dmp

Filesize
4.0MB

Download