Analysis
- max time kernel: 7s
- max time network: 21s
- platform: windows7_x64
- resource: win7-20230621-en
- resource tags: arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
- submitted: 04-07-2023 15:00
Behavioral task behavioral1
- Sample: easy_Malicious_05915c359b714cea29f4b19b394391cedf1132935c27f1cfbace657e16823233.exe
- Resource: win7-20230621-en
Behavioral task behavioral2
- Sample: easy_Malicious_05915c359b714cea29f4b19b394391cedf1132935c27f1cfbace657e16823233.exe
- Resource: win10v2004-20230621-en
General
- Target: easy_Malicious_05915c359b714cea29f4b19b394391cedf1132935c27f1cfbace657e16823233.exe
- Size: 1014KB
- MD5: b67d8ed6b48fcbd31781007252982551
- SHA1: a02e384bd0287bb57048c14f7ca214b6a39e8b46
- SHA256: de17dc323729d9181c740ead7e5fdce10afd5afbf58d991353d02d6b268f001a
- SHA512: e6fbf9a82827424459523da9e82876a8ed251404222e8da5de5f577e8ab71270131c55c39f674e465a0c7e927144c93619097a6ef9682366a23cf3df9de2a590
- SSDEEP: 24576:+MjPJ5g9KVGrdNikfu2hBfK8ilRty5olGJsxo:7J5gEKNikf3hBfUiWxo
Malware Config
Signatures
- Ammyy Admin
  Remote admin tool with various capabilities.
- AmmyyAdmin payload 3 IoCs
  Processes:
    resource                                      yara_rule
    \Users\Admin\AppData\Local\Temp\budha.exe     family_ammyyadmin
    C:\Users\Admin\AppData\Local\Temp\budha.exe   family_ammyyadmin
    C:\Users\Admin\AppData\Local\Temp\budha.exe   family_ammyyadmin
- Executes dropped EXE 1 IoCs
  Processes:
    pid   process
    268   budha.exe
- Loads dropped DLL 1 IoCs
  Processes:
    pid   process
    1312  easy_Malicious_05915c359b714cea29f4b19b394391cedf1132935c27f1cfbace657e16823233.exe
- Processes:
    resource                                                                       yara_rule
    behavioral1/memory/1312-54-0x0000000000400000-0x0000000000410000-memory.dmp    upx
    \Users\Admin\AppData\Local\Temp\budha.exe                                      upx
    C:\Users\Admin\AppData\Local\Temp\budha.exe                                    upx
    behavioral1/memory/1312-63-0x0000000000400000-0x0000000000410000-memory.dmp    upx
    C:\Users\Admin\AppData\Local\Temp\budha.exe                                    upx
    behavioral1/memory/268-67-0x0000000000400000-0x0000000000410000-memory.dmp     upx
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory 4 IoCs
  Processes:
    description                        pid   process                                                                                   target process
    PID 1312 wrote to memory of 268    1312  easy_Malicious_05915c359b714cea29f4b19b394391cedf1132935c27f1cfbace657e16823233.exe    budha.exe
    PID 1312 wrote to memory of 268    1312  easy_Malicious_05915c359b714cea29f4b19b394391cedf1132935c27f1cfbace657e16823233.exe    budha.exe
    PID 1312 wrote to memory of 268    1312  easy_Malicious_05915c359b714cea29f4b19b394391cedf1132935c27f1cfbace657e16823233.exe    budha.exe
    PID 1312 wrote to memory of 268    1312  easy_Malicious_05915c359b714cea29f4b19b394391cedf1132935c27f1cfbace657e16823233.exe    budha.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\easy_Malicious_05915c359b714cea29f4b19b394391cedf1132935c27f1cfbace657e16823233.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\easy_Malicious_05915c359b714cea29f4b19b394391cedf1132935c27f1cfbace657e16823233.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1312
  - C:\Users\Admin\AppData\Local\Temp\budha.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\budha.exe"
    - Executes dropped EXE
    PID: 268
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1014KB
  MD5: 1d2f98a26661957ac01dc3b18765de41
  SHA1: d70402987866f320c9546ecbcb8b9486b0cbecfd
  SHA256: ca66868a37d3e45858857a5d9324e1da53061e798745e8edc1aab97b7944b4e1
  SHA512: aa91885afb7123d51e77d0fa48d992d657afdcfa1c13e7d55be321d46062692fff054e917fdf401a2a20c2304e0b6375ca2085ca4de014c68e9c67ae4d6f0597