Analysis Overview
SHA256
de17dc323729d9181c740ead7e5fdce10afd5afbf58d991353d02d6b268f001a
Threat Level: Known bad
The file easy_Malicious_05915c359b714cea29f4b19b394391cedf1132935c27f1cfbace657e16823233.exe was found to be: Known bad.
Malicious Activity Summary
Ammyy Admin
AmmyyAdmin payload
Ammyyadmin family
Executes dropped EXE
UPX packed file
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-07-04 15:00
Signatures
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Ammyyadmin family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-04 15:00
Reported
2023-07-04 15:03
Platform
win7-20230621-en
Max time kernel
7s
Max time network
21s
Command Line
Signatures
Ammyy Admin
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\budha.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\easy_Malicious_05915c359b714cea29f4b19b394391cedf1132935c27f1cfbace657e16823233.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1312 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Local\Temp\easy_Malicious_05915c359b714cea29f4b19b394391cedf1132935c27f1cfbace657e16823233.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
| PID 1312 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Local\Temp\easy_Malicious_05915c359b714cea29f4b19b394391cedf1132935c27f1cfbace657e16823233.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
| PID 1312 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Local\Temp\easy_Malicious_05915c359b714cea29f4b19b394391cedf1132935c27f1cfbace657e16823233.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
| PID 1312 wrote to memory of 268 | N/A | C:\Users\Admin\AppData\Local\Temp\easy_Malicious_05915c359b714cea29f4b19b394391cedf1132935c27f1cfbace657e16823233.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\easy_Malicious_05915c359b714cea29f4b19b394391cedf1132935c27f1cfbace657e16823233.exe
"C:\Users\Admin\AppData\Local\Temp\easy_Malicious_05915c359b714cea29f4b19b394391cedf1132935c27f1cfbace657e16823233.exe"
C:\Users\Admin\AppData\Local\Temp\budha.exe
"C:\Users\Admin\AppData\Local\Temp\budha.exe"
Network
Files
memory/1312-54-0x0000000000400000-0x0000000000410000-memory.dmp
memory/1312-56-0x0000000001DA0000-0x0000000001DA1000-memory.dmp
memory/1312-57-0x00000000028B0000-0x0000000002CB0000-memory.dmp
\Users\Admin\AppData\Local\Temp\budha.exe
| MD5 | 1d2f98a26661957ac01dc3b18765de41 |
| SHA1 | d70402987866f320c9546ecbcb8b9486b0cbecfd |
| SHA256 | ca66868a37d3e45858857a5d9324e1da53061e798745e8edc1aab97b7944b4e1 |
| SHA512 | aa91885afb7123d51e77d0fa48d992d657afdcfa1c13e7d55be321d46062692fff054e917fdf401a2a20c2304e0b6375ca2085ca4de014c68e9c67ae4d6f0597 |
C:\Users\Admin\AppData\Local\Temp\budha.exe
| MD5 | 1d2f98a26661957ac01dc3b18765de41 |
| SHA1 | d70402987866f320c9546ecbcb8b9486b0cbecfd |
| SHA256 | ca66868a37d3e45858857a5d9324e1da53061e798745e8edc1aab97b7944b4e1 |
| SHA512 | aa91885afb7123d51e77d0fa48d992d657afdcfa1c13e7d55be321d46062692fff054e917fdf401a2a20c2304e0b6375ca2085ca4de014c68e9c67ae4d6f0597 |
memory/1312-63-0x0000000000400000-0x0000000000410000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\budha.exe
| MD5 | 1d2f98a26661957ac01dc3b18765de41 |
| SHA1 | d70402987866f320c9546ecbcb8b9486b0cbecfd |
| SHA256 | ca66868a37d3e45858857a5d9324e1da53061e798745e8edc1aab97b7944b4e1 |
| SHA512 | aa91885afb7123d51e77d0fa48d992d657afdcfa1c13e7d55be321d46062692fff054e917fdf401a2a20c2304e0b6375ca2085ca4de014c68e9c67ae4d6f0597 |
memory/268-65-0x0000000001EF0000-0x0000000001EF1000-memory.dmp
memory/268-66-0x00000000027E0000-0x0000000002BE0000-memory.dmp
memory/268-67-0x0000000000400000-0x0000000000410000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-04 15:00
Reported
2023-07-04 15:03
Platform
win10v2004-20230621-en
Max time kernel
11s
Max time network
19s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\easy_Malicious_05915c359b714cea29f4b19b394391cedf1132935c27f1cfbace657e16823233.exe
"C:\Users\Admin\AppData\Local\Temp\easy_Malicious_05915c359b714cea29f4b19b394391cedf1132935c27f1cfbace657e16823233.exe"
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | tcp | |
| US | 192.229.221.95:80 | tcp | |
| US | 8.8.8.8:53 | 112.208.253.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
Files
memory/3420-133-0x0000000000400000-0x0000000000410000-memory.dmp