Malware Analysis Report

2024-10-24 20:57

Sample ID 230704-sdggwaec34
Target easy_Malicious_05915c359b714cea29f4b19b394391cedf1132935c27f1cfbace657e16823233.exe
SHA256 de17dc323729d9181c740ead7e5fdce10afd5afbf58d991353d02d6b268f001a
Tags upx ammyyadmin rat
Score 10/10

Analysis Overview

Score

10/10

SHA256

de17dc323729d9181c740ead7e5fdce10afd5afbf58d991353d02d6b268f001a

Threat Level: Known bad

The file easy_Malicious_05915c359b714cea29f4b19b394391cedf1132935c27f1cfbace657e16823233.exe was found to be: Known bad.

Malicious Activity Summary

upx ammyyadmin rat

Ammyy Admin

AmmyyAdmin payload

Ammyyadmin family

Executes dropped EXE

UPX packed file

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-04 15:00

Signatures

AmmyyAdmin payload

Description Indicator Process Target
N/A N/A N/A N/A

Ammyyadmin family

ammyyadmin

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-04 15:00

Reported

2023-07-04 15:03

Platform

win7-20230621-en

Max time kernel

7s

Max time network

21s

Command Line

"C:\Users\Admin\AppData\Local\Temp\easy_Malicious_05915c359b714cea29f4b19b394391cedf1132935c27f1cfbace657e16823233.exe"

Signatures

Ammyy Admin

rat ammyyadmin

AmmyyAdmin payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description  Indicator  Process                                      Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\budha.exe  N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\easy_Malicious_05915c359b714cea29f4b19b394391cedf1132935c27f1cfbace657e16823233.exe

"C:\Users\Admin\AppData\Local\Temp\easy_Malicious_05915c359b714cea29f4b19b394391cedf1132935c27f1cfbace657e16823233.exe"

C:\Users\Admin\AppData\Local\Temp\budha.exe

"C:\Users\Admin\AppData\Local\Temp\budha.exe"

Network

N/A

Files

memory/1312-54-0x0000000000400000-0x0000000000410000-memory.dmp

memory/1312-56-0x0000000001DA0000-0x0000000001DA1000-memory.dmp

memory/1312-57-0x00000000028B0000-0x0000000002CB0000-memory.dmp

\Users\Admin\AppData\Local\Temp\budha.exe

MD5 1d2f98a26661957ac01dc3b18765de41
SHA1 d70402987866f320c9546ecbcb8b9486b0cbecfd
SHA256 ca66868a37d3e45858857a5d9324e1da53061e798745e8edc1aab97b7944b4e1
SHA512 aa91885afb7123d51e77d0fa48d992d657afdcfa1c13e7d55be321d46062692fff054e917fdf401a2a20c2304e0b6375ca2085ca4de014c68e9c67ae4d6f0597

C:\Users\Admin\AppData\Local\Temp\budha.exe

MD5 1d2f98a26661957ac01dc3b18765de41
SHA1 d70402987866f320c9546ecbcb8b9486b0cbecfd
SHA256 ca66868a37d3e45858857a5d9324e1da53061e798745e8edc1aab97b7944b4e1
SHA512 aa91885afb7123d51e77d0fa48d992d657afdcfa1c13e7d55be321d46062692fff054e917fdf401a2a20c2304e0b6375ca2085ca4de014c68e9c67ae4d6f0597

memory/1312-63-0x0000000000400000-0x0000000000410000-memory.dmp

memory/268-65-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

memory/268-66-0x00000000027E0000-0x0000000002BE0000-memory.dmp

memory/268-67-0x0000000000400000-0x0000000000410000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-04 15:00

Reported

2023-07-04 15:03

Platform

win10v2004-20230621-en

Max time kernel

11s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\easy_Malicious_05915c359b714cea29f4b19b394391cedf1132935c27f1cfbace657e16823233.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\easy_Malicious_05915c359b714cea29f4b19b394391cedf1132935c27f1cfbace657e16823233.exe

"C:\Users\Admin\AppData\Local\Temp\easy_Malicious_05915c359b714cea29f4b19b394391cedf1132935c27f1cfbace657e16823233.exe"

Network

Country  Destination        Domain                      Proto
US       209.197.3.8:80     -                           tcp
US       192.229.221.95:80  -                           tcp
US       8.8.8.8:53         112.208.253.8.in-addr.arpa  udp
US       8.8.8.8:53         26.35.223.20.in-addr.arpa   udp

Files

memory/3420-133-0x0000000000400000-0x0000000000410000-memory.dmp