Overview

overview

10

Static

static

10

5b003e112a...2f.exe

windows7_x64

10

5b003e112a...2f.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-en
  • submitted
    07-09-2021 06:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5b003e112ab22c2689cdf5379d7fc64da81f9fa7b0945632c9f489ca1a39192f.exe

  • Size

    1002KB

  • MD5

    93661162a502c88690f9f39c15dcfcce

  • SHA1

    757ecaf8610a7b7c45694ce4db2ec9b3ea1f7f94

  • SHA256

    5b003e112ab22c2689cdf5379d7fc64da81f9fa7b0945632c9f489ca1a39192f

  • SHA512

    e22c1de5eeef3eed65500316d6001613fad758098316ea683235e4637bd0e95e851e2e3ab0afcaa24a4b6adcf089989e0201b7b0ca63051ccb56a0a4b4efbba2

Score
10/10
ammyyadminrat

Malware Config

Signatures

  • Ammyy Admin

    Remote admin tool with various capabilities.

    ratammyyadmin
  • AmmyyAdmin Payload 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5b003e112ab22c2689cdf5379d7fc64da81f9fa7b0945632c9f489ca1a39192f.exe
    "C:\Users\Admin\AppData\Local\Temp\5b003e112ab22c2689cdf5379d7fc64da81f9fa7b0945632c9f489ca1a39192f.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Users\Admin\AppData\Local\Temp\budha.exe
      "C:\Users\Admin\AppData\Local\Temp\budha.exe"
      2⤵
      • Executes dropped EXE
      PID:1732

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\budha.exe
    MD5

    7ca303ce7f976c70716e42115cec4958

    SHA1

    1e2baa5394c6be10c33e9f9cff2e957335e03bf0

    SHA256

    0ce080f5d391ead74906eda686117e19374d9cb696ae67d12d1792fa923938c3

    SHA512

    5f40451c78d2d770deacc07d2491cab8bcd6985910d693b14eaa0467893df00ca5e31aa0ade497c267922acb8cc2b80d3a1a479c734ad5d795ad652bff56e2da

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\budha.exe
    MD5

    7ca303ce7f976c70716e42115cec4958

    SHA1

    1e2baa5394c6be10c33e9f9cff2e957335e03bf0

    SHA256

    0ce080f5d391ead74906eda686117e19374d9cb696ae67d12d1792fa923938c3

    SHA512

    5f40451c78d2d770deacc07d2491cab8bcd6985910d693b14eaa0467893df00ca5e31aa0ade497c267922acb8cc2b80d3a1a479c734ad5d795ad652bff56e2da

    Download Submit

  • \Users\Admin\AppData\Local\Temp\budha.exe
    MD5

    7ca303ce7f976c70716e42115cec4958

    SHA1

    1e2baa5394c6be10c33e9f9cff2e957335e03bf0

    SHA256

    0ce080f5d391ead74906eda686117e19374d9cb696ae67d12d1792fa923938c3

    SHA512

    5f40451c78d2d770deacc07d2491cab8bcd6985910d693b14eaa0467893df00ca5e31aa0ade497c267922acb8cc2b80d3a1a479c734ad5d795ad652bff56e2da

    Download Submit

  • memory/1732-55-0x0000000000000000-mapping.dmp

    Download

  • memory/1732-61-0x0000000000280000-0x0000000000281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1732-62-0x0000000002780000-0x0000000002B80000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1996-53-0x00000000761B1000-0x00000000761B3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1996-57-0x0000000000550000-0x0000000000551000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1996-58-0x0000000002700000-0x0000000002B00000-memory.dmp

    Filesize

    4.0MB

    Download