ammyyadmin | 5b003e112ab22c2689cdf5379d7fc64da81f9fa7b0945632c9f489ca1a39192f

Analysis

Target

5b003e112ab22c2689cdf5379d7fc64da81f9fa7b0945632c9f489ca1a39192f.exe
Size

1002KB
MD5

93661162a502c88690f9f39c15dcfcce
SHA1

757ecaf8610a7b7c45694ce4db2ec9b3ea1f7f94
SHA256

5b003e112ab22c2689cdf5379d7fc64da81f9fa7b0945632c9f489ca1a39192f
SHA512

e22c1de5eeef3eed65500316d6001613fad758098316ea683235e4637bd0e95e851e2e3ab0afcaa24a4b6adcf089989e0201b7b0ca63051ccb56a0a4b4efbba2

Score

10^/10

ammyyadmin rat

AmmyyAdmin Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\budha.exe	family_ammyyadmin
C:\Users\Admin\AppData\Local\Temp\budha.exe	family_ammyyadmin

Executes dropped EXE 1 IoCs

Processes:

budha.exe

pid process

2604 budha.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2604	budha.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

5b003e112ab22c2689cdf5379d7fc64da81f9fa7b0945632c9f489ca1a39192f.exe

description	pid	process	target process
PID 632 wrote to memory of 2604	632	5b003e112ab22c2689cdf5379d7fc64da81f9fa7b0945632c9f489ca1a39192f.exe	budha.exe
PID 632 wrote to memory of 2604	632	5b003e112ab22c2689cdf5379d7fc64da81f9fa7b0945632c9f489ca1a39192f.exe	budha.exe
PID 632 wrote to memory of 2604	632	5b003e112ab22c2689cdf5379d7fc64da81f9fa7b0945632c9f489ca1a39192f.exe	budha.exe

C:\Users\Admin\AppData\Local\Temp\5b003e112ab22c2689cdf5379d7fc64da81f9fa7b0945632c9f489ca1a39192f.exe
"C:\Users\Admin\AppData\Local\Temp\5b003e112ab22c2689cdf5379d7fc64da81f9fa7b0945632c9f489ca1a39192f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:632
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  PID:2604

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\budha.exe

MD5
7ca303ce7f976c70716e42115cec4958

SHA1
1e2baa5394c6be10c33e9f9cff2e957335e03bf0

SHA256
0ce080f5d391ead74906eda686117e19374d9cb696ae67d12d1792fa923938c3

SHA512
5f40451c78d2d770deacc07d2491cab8bcd6985910d693b14eaa0467893df00ca5e31aa0ade497c267922acb8cc2b80d3a1a479c734ad5d795ad652bff56e2da

Download Submit
C:\Users\Admin\AppData\Local\Temp\budha.exe

MD5
7ca303ce7f976c70716e42115cec4958

SHA1
1e2baa5394c6be10c33e9f9cff2e957335e03bf0

SHA256
0ce080f5d391ead74906eda686117e19374d9cb696ae67d12d1792fa923938c3

SHA512
5f40451c78d2d770deacc07d2491cab8bcd6985910d693b14eaa0467893df00ca5e31aa0ade497c267922acb8cc2b80d3a1a479c734ad5d795ad652bff56e2da

Download Submit
memory/632-115-0x0000000002630000-0x0000000002A30000-memory.dmp

Filesize
4.0MB

Download
memory/632-114-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/2604-116-0x0000000000000000-mapping.dmp

Download
memory/2604-119-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/2604-120-0x0000000002510000-0x0000000002910000-memory.dmp

Filesize
4.0MB

Download