Analysis
max time kernel: 149s
max time network: 152s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 01-06-2023 03:49
Behavioral task behavioral1
Sample: 013ca1f42abe336c718924ec563d4940.exe
Resource: win7-20230220-en
Behavioral task behavioral2
Sample: 013ca1f42abe336c718924ec563d4940.exe
Resource: win10v2004-20230220-en
General
Target: 013ca1f42abe336c718924ec563d4940.exe
Size: 1.2MB
MD5: 013ca1f42abe336c718924ec563d4940
SHA1: 84e668a7c73f0c635b24700324501c159763e31e
SHA256: 54d3ec484dcfbddbd483a9ffb4f661a0d895860485e450cbb70f63bb92742321
SHA512: fea01cbc2336386f22c96c69baaeed6bb5f573d959da4a1ecd8ebca2cdebf3a8b6a3b53d73f08436e27095badf6db80e436295305d968acd1805e6d55d888ba0
SSDEEP: 24576:KMjPJ5g9KVGrdNikfu2hBfK8ilRty5olGJsxkkSTYuwzEcXUjhDr39X:XJ5gEKNikf3hBfUiWxkkSbwzEcEhDj9X
Malware Config
Signatures
Ammyy Admin
Remote admin tool with various capabilities.
AmmyyAdmin payload (3 IoCs)
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\budha.exe | family_ammyyadmin
C:\Users\Admin\AppData\Local\Temp\budha.exe | family_ammyyadmin
C:\Users\Admin\AppData\Local\Temp\budha.exe | family_ammyyadmin
Executes dropped EXE (1 IoCs)
Processes:
pid | process
1892 | budha.exe
Loads dropped DLL (1 IoCs)
Processes:
pid | process
1580 | 013ca1f42abe336c718924ec563d4940.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
description | pid | process | target process
PID 1580 wrote to memory of 1892 | 1580 | 013ca1f42abe336c718924ec563d4940.exe | budha.exe
PID 1580 wrote to memory of 1892 | 1580 | 013ca1f42abe336c718924ec563d4940.exe | budha.exe
PID 1580 wrote to memory of 1892 | 1580 | 013ca1f42abe336c718924ec563d4940.exe | budha.exe
PID 1580 wrote to memory of 1892 | 1580 | 013ca1f42abe336c718924ec563d4940.exe | budha.exe
Processes
C:\Users\Admin\AppData\Local\Temp\013ca1f42abe336c718924ec563d4940.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\013ca1f42abe336c718924ec563d4940.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1580
  C:\Users\Admin\AppData\Local\Temp\budha.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\budha.exe"
    - Executes dropped EXE
    PID: 1892
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1.2MB
MD5: fe1ce0164b6070e52c13334031f37e94
SHA1: b80cf887577a4ea7adf08dd1c9211c87eac3cb33
SHA256: 5d14ff09c158093085e79d4ce63c9cd6a7fee061db94142a92535264c5a2f547
SHA512: 1959363e5473a7ba2baf868b89228749add6c0e1e82414291a32eea97d0490f6fd2adfcbd9be02f5763f874de6d273d75821471065b86e35ed49ad4749a0a3a5