Analysis

  • max time kernel
    7s
  • max time network
    21s
  • platform
    windows7_x64
  • resource
    win7-20230621-en
  • resource tags

    arch:x64 arch:x86 image:win7-20230621-en locale:en-us os:windows7-x64 system
  • submitted
    04-07-2023 15:00

General

  • Target

    easy_Malicious_05915c359b714cea29f4b19b394391cedf1132935c27f1cfbace657e16823233.exe

  • Size

    1014KB

  • MD5

    b67d8ed6b48fcbd31781007252982551

  • SHA1

    a02e384bd0287bb57048c14f7ca214b6a39e8b46

  • SHA256

    de17dc323729d9181c740ead7e5fdce10afd5afbf58d991353d02d6b268f001a

  • SHA512

    e6fbf9a82827424459523da9e82876a8ed251404222e8da5de5f577e8ab71270131c55c39f674e465a0c7e927144c93619097a6ef9682366a23cf3df9de2a590

  • SSDEEP

    24576:+MjPJ5g9KVGrdNikfu2hBfK8ilRty5olGJsxo:7J5gEKNikf3hBfUiWxo

Score
10/10

Malware Config

Signatures

  • Ammyy Admin

    Remote admin tool with various capabilities.

  • AmmyyAdmin payload 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\easy_Malicious_05915c359b714cea29f4b19b394391cedf1132935c27f1cfbace657e16823233.exe
    "C:\Users\Admin\AppData\Local\Temp\easy_Malicious_05915c359b714cea29f4b19b394391cedf1132935c27f1cfbace657e16823233.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1312
    • C:\Users\Admin\AppData\Local\Temp\budha.exe
      "C:\Users\Admin\AppData\Local\Temp\budha.exe"
      2⤵
      • Executes dropped EXE
      PID:268

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\budha.exe

    Filesize

    1014KB

    MD5

    1d2f98a26661957ac01dc3b18765de41

    SHA1

    d70402987866f320c9546ecbcb8b9486b0cbecfd

    SHA256

    ca66868a37d3e45858857a5d9324e1da53061e798745e8edc1aab97b7944b4e1

    SHA512

    aa91885afb7123d51e77d0fa48d992d657afdcfa1c13e7d55be321d46062692fff054e917fdf401a2a20c2304e0b6375ca2085ca4de014c68e9c67ae4d6f0597

  • \Users\Admin\AppData\Local\Temp\budha.exe

    Filesize

    1014KB

    MD5

    1d2f98a26661957ac01dc3b18765de41

    SHA1

    d70402987866f320c9546ecbcb8b9486b0cbecfd

    SHA256

    ca66868a37d3e45858857a5d9324e1da53061e798745e8edc1aab97b7944b4e1

    SHA512

    aa91885afb7123d51e77d0fa48d992d657afdcfa1c13e7d55be321d46062692fff054e917fdf401a2a20c2304e0b6375ca2085ca4de014c68e9c67ae4d6f0597

  • memory/268-65-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

    Filesize

    4KB

  • memory/268-66-0x00000000027E0000-0x0000000002BE0000-memory.dmp

    Filesize

    4.0MB

  • memory/268-67-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

  • memory/1312-54-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

  • memory/1312-56-0x0000000001DA0000-0x0000000001DA1000-memory.dmp

    Filesize

    4KB

  • memory/1312-57-0x00000000028B0000-0x0000000002CB0000-memory.dmp

    Filesize

    4.0MB

  • memory/1312-63-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB