Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-06-2023 03:49

General

  • Target

    013ca1f42abe336c718924ec563d4940.exe

  • Size

    1.2MB

  • MD5

    013ca1f42abe336c718924ec563d4940

  • SHA1

    84e668a7c73f0c635b24700324501c159763e31e

  • SHA256

    54d3ec484dcfbddbd483a9ffb4f661a0d895860485e450cbb70f63bb92742321

  • SHA512

    fea01cbc2336386f22c96c69baaeed6bb5f573d959da4a1ecd8ebca2cdebf3a8b6a3b53d73f08436e27095badf6db80e436295305d968acd1805e6d55d888ba0

  • SSDEEP

    24576:KMjPJ5g9KVGrdNikfu2hBfK8ilRty5olGJsxkkSTYuwzEcXUjhDr39X:XJ5gEKNikf3hBfUiWxkkSbwzEcEhDj9X

Score
10/10

Malware Config

Signatures

  • Ammyy Admin

    Remote administration tool; legitimate software that is frequently abused as a remote-access payload.

  • AmmyyAdmin payload (3 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely for geofencing (refusing to run in certain locales).

  • Executes dropped EXE (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\013ca1f42abe336c718924ec563d4940.exe
    "C:\Users\Admin\AppData\Local\Temp\013ca1f42abe336c718924ec563d4940.exe"
    (depth 1)
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3148
    • C:\Users\Admin\AppData\Local\Temp\budha.exe
      "C:\Users\Admin\AppData\Local\Temp\budha.exe"
      (depth 2, child of PID 3148)
      • Executes dropped EXE
      PID:2140
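
The process tree above is the classic drop-and-execute chain: the submitted sample (PID 3148) writes budha.exe into the user's Temp directory and then launches it (PID 2140). The following is an added detection example, not part of the Triage report; it runs over constructed Sysmon-style events (Event ID 11 FileCreate, Event ID 1 ProcessCreate) shaped after this tree, and the PIDs, the msiexec.exe noise entry and the setup.exe path are all made up for the example.

```python
"""Drop-and-execute detection over constructed Sysmon-style events.

Mirrors the chain in the process tree: the sample (PID 3148) writes budha.exe
into the user's Temp directory and then launches it as PID 2140.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample telemetry shaped like Sysmon Event ID 11 (FileCreate) and
# Event ID 1 (ProcessCreate). These are not real logs from the sandbox run.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 3148, "ParentProcessId": None,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\013ca1f42abe336c718924ec563d4940.exe"},
    {"EventID": 11, "ProcessId": 3148,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\013ca1f42abe336c718924ec563d4940.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Local\Temp\budha.exe"},
    {"EventID": 1, "ProcessId": 2140, "ParentProcessId": 3148,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\budha.exe"},
    # Constructed noise: an installer writes an .exe to Temp, some other
    # process launches it later. Suspicious, but not the same-parent pattern.
    {"EventID": 11, "ProcessId": 4000, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Local\Temp\setup.exe"},
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 900,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\setup.exe"},
]

# %TEMP% of any user profile; case-insensitive because NTFS paths are.
USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class DropAndExecute:
    writer_pid: int
    writer_image: str
    dropped_file: str
    child_pid: int
    parent_pid: Optional[int]


def find_drop_and_execute(events, strict=True):
    """Return chains where an .exe written to a user's Temp is later launched.

    strict=True additionally requires the launching parent to be the process
    that wrote the file, which is exactly the 3148 -> 2140 pattern above.
    Events must be in chronological order: the write has to precede the launch.
    """
    written = {}  # lowercase path -> (writer pid, writer image)
    hits = []
    for ev in events:
        if ev["EventID"] == 11:
            target = ev["TargetFilename"]
            if USER_TEMP_RE.match(target) and target.lower().endswith(".exe"):
                written[target.lower()] = (ev["ProcessId"], ev["Image"])
        elif ev["EventID"] == 1:
            key = ev["Image"].lower()
            if key not in written:
                continue
            writer_pid, writer_image = written[key]
            parent = ev.get("ParentProcessId")
            if strict and parent != writer_pid:
                continue
            hits.append(DropAndExecute(writer_pid, writer_image, ev["Image"],
                                       ev["ProcessId"], parent))
    return hits


if __name__ == "__main__":
    for hit in find_drop_and_execute(SAMPLE_EVENTS):
        print(f"PID {hit.writer_pid} wrote {hit.dropped_file} and spawned it as PID {hit.child_pid}")
```

In real Sysmon data, correlate on ProcessGuid rather than ProcessId (PIDs are reused), and treat the non-strict result as a lower-confidence alert. Note that the "Checks computer location settings" behaviour in the Signatures section is a registry read, which Sysmon does not record, so this telemetry cannot confirm that part of the chain.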

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\budha.exe

    Filesize

    1.2MB

    MD5

    fe1ce0164b6070e52c13334031f37e94

    SHA1

    b80cf887577a4ea7adf08dd1c9211c87eac3cb33

    SHA256

    5d14ff09c158093085e79d4ce63c9cd6a7fee061db94142a92535264c5a2f547

    SHA512

    1959363e5473a7ba2baf868b89228749add6c0e1e82414291a32eea97d0490f6fd2adfcbd9be02f5763f874de6d273d75821471065b86e35ed49ad4749a0a3a5

  • memory/2140-145-0x0000000000430000-0x0000000000431000-memory.dmp

    Filesize

    4KB

  • memory/2140-146-0x0000000002580000-0x0000000002980000-memory.dmp

    Filesize

    4.0MB

  • memory/2140-147-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/3148-133-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/3148-135-0x0000000002400000-0x0000000002401000-memory.dmp

    Filesize

    4KB

  • memory/3148-136-0x0000000002750000-0x0000000002B50000-memory.dmp

    Filesize

    4.0MB

  • memory/3148-144-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB
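
The memory dumps above are named `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` (a convention inferred from the names on this page, not documented here), so the Filesize labels can be recomputed from the addresses. Doing that shows both PIDs dumping the same 44KB region at 0x400000, the usual image base, and one 4MB region each at different addresses, while the files on disk are 1.2MB; that gap suggests most of each file is overlay or resource data rather than mapped code, though the report does not say so. The following is an added example, not Triage's own tooling; the only data it uses is copied from the Downloads section above.

```python
"""Parse the memory-dump and download artifacts listed under Downloads.

Naming convention assumed from the names on the page:
    memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
"""
import re
from collections import defaultdict

MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-f]+)-0x(?P<end>[0-9a-f]+)-memory\.dmp$",
    re.IGNORECASE,
)

# Artifact names copied from the report above.
REPORT_MEMORY = [
    "memory/2140-145-0x0000000000430000-0x0000000000431000-memory.dmp",
    "memory/2140-146-0x0000000002580000-0x0000000002980000-memory.dmp",
    "memory/2140-147-0x0000000000400000-0x000000000040B000-memory.dmp",
    "memory/3148-133-0x0000000000400000-0x000000000040B000-memory.dmp",
    "memory/3148-135-0x0000000002400000-0x0000000002401000-memory.dmp",
    "memory/3148-136-0x0000000002750000-0x0000000002B50000-memory.dmp",
    "memory/3148-144-0x0000000000400000-0x000000000040B000-memory.dmp",
]

# The report lists the dropped file three times with identical hashes.
REPORT_DOWNLOADS = [
    (r"C:\Users\Admin\AppData\Local\Temp\budha.exe",
     "5d14ff09c158093085e79d4ce63c9cd6a7fee061db94142a92535264c5a2f547"),
] * 3


def parse_memory_artifact(name):
    """Return dict(pid, seq, start, end, size), or None if the name does not match."""
    m = MEM_RE.match(name)
    if m is None:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"end address not after start in {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human_size(nbytes):
    """Reproduce the report's Filesize labels: whole KB below 1 MiB, else MB to one decimal."""
    if nbytes < 1024 * 1024:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


def regions_by_pid(names):
    """Map pid -> list of (start, end) ranges, in the order they appear."""
    out = defaultdict(list)
    for name in names:
        r = parse_memory_artifact(name)
        if r:
            out[r["pid"]].append((r["start"], r["end"]))
    return dict(out)


def shared_regions(names):
    """Address ranges dumped from more than one PID: same layout in parent and child."""
    owners = defaultdict(set)
    for pid, ranges in regions_by_pid(names).items():
        for rng in ranges:
            owners[rng].add(pid)
    return {rng: pids for rng, pids in owners.items() if len(pids) > 1}


def unique_iocs(downloads):
    """Collapse repeated download entries to one path per SHA256."""
    seen = {}
    for path, sha256 in downloads:
        seen.setdefault(sha256, path)
    return seen


if __name__ == "__main__":
    for name in REPORT_MEMORY:
        r = parse_memory_artifact(name)
        print(f"pid {r['pid']} seq {r['seq']} {r['start']:#x}-{r['end']:#x} {human_size(r['size'])}")
    for (start, end), pids in shared_regions(REPORT_MEMORY).items():
        print(f"shared {start:#x}-{end:#x} in PIDs {sorted(pids)}")
    print(unique_iocs(REPORT_DOWNLOADS))
```

The shared 0x400000-0x40B000 range is the region to diff first between the two dumps; if the bytes match, the parent and the dropped child are the same stub and the interesting payload lives in the 4MB regions.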