Analysis Overview
SHA256
5b003e112ab22c2689cdf5379d7fc64da81f9fa7b0945632c9f489ca1a39192f
Threat Level: Known bad
The file 5b003e112ab22c2689cdf5379d7fc64da81f9fa7b0945632c9f489ca1a39192f was found to be: Known bad.
Malicious Activity Summary
Ammyyadmin family
Ammyy Admin
AmmyyAdmin Payload
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-09-16 13:32
Signatures
AmmyyAdmin Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Ammyyadmin family
Analysis: behavioral1
Detonation Overview
Submitted
2021-09-07 06:09
Reported
2021-09-07 06:12
Platform
win7-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Ammyy Admin
AmmyyAdmin Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\budha.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5b003e112ab22c2689cdf5379d7fc64da81f9fa7b0945632c9f489ca1a39192f.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1996 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\5b003e112ab22c2689cdf5379d7fc64da81f9fa7b0945632c9f489ca1a39192f.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
| PID 1996 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\5b003e112ab22c2689cdf5379d7fc64da81f9fa7b0945632c9f489ca1a39192f.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
| PID 1996 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\5b003e112ab22c2689cdf5379d7fc64da81f9fa7b0945632c9f489ca1a39192f.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
| PID 1996 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\5b003e112ab22c2689cdf5379d7fc64da81f9fa7b0945632c9f489ca1a39192f.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5b003e112ab22c2689cdf5379d7fc64da81f9fa7b0945632c9f489ca1a39192f.exe
"C:\Users\Admin\AppData\Local\Temp\5b003e112ab22c2689cdf5379d7fc64da81f9fa7b0945632c9f489ca1a39192f.exe"
C:\Users\Admin\AppData\Local\Temp\budha.exe
"C:\Users\Admin\AppData\Local\Temp\budha.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | maitikio.com | udp |
| BE | 35.205.61.67:443 | maitikio.com | tcp |
| BE | 35.205.61.67:443 | maitikio.com | tcp |
| US | 8.8.8.8:53 | cry-havok.org | udp |
| BE | 35.205.61.67:443 | maitikio.com | tcp |
| BE | 35.205.61.67:443 | maitikio.com | tcp |
| BE | 35.205.61.67:443 | maitikio.com | tcp |
| BE | 35.205.61.67:443 | maitikio.com | tcp |
Files
memory/1996-53-0x00000000761B1000-0x00000000761B3000-memory.dmp
\Users\Admin\AppData\Local\Temp\budha.exe
| Hash | Value |
|---|---|
| MD5 | 7ca303ce7f976c70716e42115cec4958 |
| SHA1 | 1e2baa5394c6be10c33e9f9cff2e957335e03bf0 |
| SHA256 | 0ce080f5d391ead74906eda686117e19374d9cb696ae67d12d1792fa923938c3 |
| SHA512 | 5f40451c78d2d770deacc07d2491cab8bcd6985910d693b14eaa0467893df00ca5e31aa0ade497c267922acb8cc2b80d3a1a479c734ad5d795ad652bff56e2da |
memory/1732-55-0x0000000000000000-mapping.dmp
memory/1996-57-0x0000000000550000-0x0000000000551000-memory.dmp
memory/1996-58-0x0000000002700000-0x0000000002B00000-memory.dmp
memory/1732-61-0x0000000000280000-0x0000000000281000-memory.dmp
memory/1732-62-0x0000000002780000-0x0000000002B80000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-09-07 06:09
Reported
2021-09-07 06:12
Platform
win10v20210408
Max time kernel
139s
Max time network
157s
Command Line
Signatures
Ammyy Admin
AmmyyAdmin Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\budha.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 632 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\5b003e112ab22c2689cdf5379d7fc64da81f9fa7b0945632c9f489ca1a39192f.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
| PID 632 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\5b003e112ab22c2689cdf5379d7fc64da81f9fa7b0945632c9f489ca1a39192f.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
| PID 632 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\5b003e112ab22c2689cdf5379d7fc64da81f9fa7b0945632c9f489ca1a39192f.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\5b003e112ab22c2689cdf5379d7fc64da81f9fa7b0945632c9f489ca1a39192f.exe
"C:\Users\Admin\AppData\Local\Temp\5b003e112ab22c2689cdf5379d7fc64da81f9fa7b0945632c9f489ca1a39192f.exe"
C:\Users\Admin\AppData\Local\Temp\budha.exe
"C:\Users\Admin\AppData\Local\Temp\budha.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | maitikio.com | udp |
| BE | 35.205.61.67:443 | maitikio.com | tcp |
| BE | 35.205.61.67:443 | maitikio.com | tcp |
| US | 8.8.8.8:53 | cry-havok.org | udp |
| BE | 35.205.61.67:443 | maitikio.com | tcp |
| BE | 35.205.61.67:443 | maitikio.com | tcp |
| US | 8.8.8.8:53 | cry-havok.org | udp |
| BE | 35.205.61.67:443 | maitikio.com | tcp |
| BE | 35.205.61.67:443 | maitikio.com | tcp |
| US | 8.8.8.8:53 | cry-havok.org | udp |
| BE | 35.205.61.67:443 | maitikio.com | tcp |
Files
memory/632-115-0x0000000002630000-0x0000000002A30000-memory.dmp
memory/632-114-0x0000000002140000-0x0000000002141000-memory.dmp
memory/2604-116-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\budha.exe
| Hash | Value |
|---|---|
| MD5 | 7ca303ce7f976c70716e42115cec4958 |
| SHA1 | 1e2baa5394c6be10c33e9f9cff2e957335e03bf0 |
| SHA256 | 0ce080f5d391ead74906eda686117e19374d9cb696ae67d12d1792fa923938c3 |
| SHA512 | 5f40451c78d2d770deacc07d2491cab8bcd6985910d693b14eaa0467893df00ca5e31aa0ade497c267922acb8cc2b80d3a1a479c734ad5d795ad652bff56e2da |
memory/2604-119-0x00000000021C0000-0x00000000021C1000-memory.dmp
memory/2604-120-0x0000000002510000-0x0000000002910000-memory.dmp