Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230703-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-07-2023 15:04

General

  • Target

    easy_Malicious_33318a1424a05487a0b1b864608be9b6acd1c4320ef98dbfd30b41145e2485b3.exe

  • Size

    976KB

  • MD5

    d0a434c9c2594e884ac81afaead9367e

  • SHA1

    04f3913b886af8e8f0b2947526fa4e87243ba34b

  • SHA256

    3fa1443cb3e841158b15c322d668c90c228ecd1b2fdbf1acd0ae18e4dc4035b2

  • SHA512

    3c9d03b34b4c69d1f6a48fa90a3c0d7fe63e24a5f09643b1a26a7adcfef6dc42f30bdaadb5cc154cc6e6267bf1f535203dc76178948da85d7d2b9b967c7576d6

  • SSDEEP

    24576:+MjPJ5g9KVGrdNikfu2hBfK8ilRty5olGJsxm:7J5gEKNikf3hBfUiWxm

Score
10/10

Malware Config

Signatures

  • Ammyy Admin

    Remote admin tool with various capabilities.

  • AmmyyAdmin payload 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs
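
The "UPX packed file" signature and the hash lines above can be reproduced offline. The script below is an added example, not code from the sandbox report or from the engine that produced it. It uses only the Python standard library, parses just the PE section table, and reports the same three signals a packer verdict usually rests on: UPX-named sections, the "UPX!" magic that stock UPX writes, and high section entropy (which survives when a modified UPX build renames its sections). The digests in REPORT_BUDHA are copied from the report's Downloads entry for budha.exe; build_fake_upx_pe() is a constructed stand-in so the script runs without the real sample.

```python
"""Reproduce the report's hash lines and its 'UPX packed file' signature.

Added example, not code from the sandbox report or from the tool that
produced it. Standard library only; parses just the PE section table, so it
runs on the real sample or on the constructed stand-in from
build_fake_upx_pe() below.
"""
import hashlib
import math
import struct

# Digests copied from the report's Downloads entry for the dropped budha.exe.
REPORT_BUDHA = {
    "md5": "b64db9a955dff198c38c3f23ce0c7c62",
    "sha1": "75b2221c4face4f33337899bba48f80425f0aeba",
    "sha256": "9b81a678855fa60984d4821a6735d1b86c596605f2e7ceaeb8650802eb53f6d4",
}


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of a file body, the same three the report lists."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def matches_report(data: bytes, expected: dict) -> bool:
    """True only if every digest the report gives agrees with the file on disk."""
    actual = file_hashes(data)
    return all(actual[n] == v.lower() for n, v in expected.items())


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: packed or encrypted sections sit close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(data: bytes) -> list:
    """Parse the section table into (name, raw_offset, raw_size, entropy)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size             # first IMAGE_SECTION_HEADER
    out = []
    for i in range(nsections):
        off = table + i * 40
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        out.append((name, raw_ptr, raw_size, shannon_entropy(data[raw_ptr:raw_ptr + raw_size])))
    return out


def upx_indicators(data: bytes) -> dict:
    """Three signals behind a 'UPX packed file' verdict: section names,
    the 'UPX!' header magic stock UPX writes, and high section entropy
    (which survives when a modified UPX renames its sections)."""
    secs = pe_sections(data)
    return {
        "upx_sections": [s[0] for s in secs if s[0].upper().startswith("UPX")],
        "marker": b"UPX!" in data,
        "high_entropy": [s[0] for s in secs if s[2] and s[3] > 7.0],
    }


def build_fake_upx_pe(packed_len: int = 4096) -> bytes:
    """Constructed test input (not the real sample): a minimal PE laid out
    like a UPX output, with deterministic high-entropy bytes as 'packed' code."""
    e_lfanew, opt_size, raw_ptr = 0x80, 0xE0, 0x400
    payload = b"".join(hashlib.sha256(i.to_bytes(2, "little")).digest()
                       for i in range(packed_len // 32))
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, opt_size, 0x102)

    def sec(name, vsize, vaddr, rsize, rptr):
        return name.ljust(8, b"\0") + struct.pack("<IIII", vsize, vaddr, rsize, rptr) + b"\0" * 16

    table = (sec(b"UPX0", 0x20000, 0x1000, 0, raw_ptr)
             + sec(b"UPX1", packed_len, 0x21000, packed_len, raw_ptr)
             + sec(b".rsrc", 0x200, 0x30000, 0x200, raw_ptr + packed_len))
    header = (dos + coff + b"\0" * opt_size + table).ljust(raw_ptr - 4, b"\0") + b"UPX!"
    return header + payload + b"A" * 0x200


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fake_upx_pe()
    print(file_hashes(blob))
    print("matches report budha.exe:", matches_report(blob, REPORT_BUDHA))
    for name, off, size, ent in pe_sections(blob):
        print(f"{name:8s} off=0x{off:x} size=0x{size:x} entropy={ent:.2f}")
    print(upx_indicators(blob))
```

Run it with the path to a recovered budha.exe to confirm the file on disk is the one the report hashed before spending time on it; on the constructed input it reports UPX0/UPX1, the marker, and UPX1 as the only high-entropy section (UPX0 has no raw data, .rsrc is filler).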

Processes

  • C:\Users\Admin\AppData\Local\Temp\easy_Malicious_33318a1424a05487a0b1b864608be9b6acd1c4320ef98dbfd30b41145e2485b3.exe
    "C:\Users\Admin\AppData\Local\Temp\easy_Malicious_33318a1424a05487a0b1b864608be9b6acd1c4320ef98dbfd30b41145e2485b3.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2256
    • C:\Users\Admin\AppData\Local\Temp\budha.exe
      "C:\Users\Admin\AppData\Local\Temp\budha.exe"
      2⤵
      • Executes dropped EXE
      PID:3012
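
The "Executes dropped EXE" verdict on PID 3012 is a correlation between a file write and a later process start. The detector below is an added example, not the sandbox's own signature logic. The event list is constructed from the process tree above (PID 2256 writes budha.exe to Temp, then PID 3012 runs it), and the event field names are assumed. Path normalisation deliberately handles the two spellings the Downloads list shows for the same file, with and without the drive letter, and the ancestry walk distinguishes a child launched by its dropper from an unrelated process that happens to run a dropped file.

```python
"""Flag 'Executes dropped EXE' by correlating file writes with process starts.

Added example, not part of the sandbox report or its signature engine.
EVENTS is constructed from the report's process tree; field names are assumed.
"""


def normalize_path(path: str) -> str:
    """Canonical form so 'C:\\Users\\...' and '\\Users\\...' (both appear in
    the report's Downloads list) compare equal: strip quotes, case-fold,
    unify separators, drop the drive letter."""
    p = path.strip('"').replace("/", "\\").lower()
    if len(p) > 1 and p[1] == ":":
        p = p[2:]
    return p


def is_ancestor(parent: dict, candidate: int, pid: int, max_depth: int = 64) -> bool:
    """True if candidate appears in pid's parent chain (bounded against cycles)."""
    for _ in range(max_depth):
        pid = parent.get(pid)
        if pid is None:
            return False
        if pid == candidate:
            return True
    return False


# Constructed events, in the order the sandbox would record them.
EVENTS = [
    {"type": "process_create", "pid": 2256, "ppid": 1234,
     "image": r"C:\Users\Admin\AppData\Local\Temp\easy_Malicious_33318a1424a05487a0b1b864608be9b6acd1c4320ef98dbfd30b41145e2485b3.exe"},
    {"type": "file_create", "pid": 2256, "path": r"C:\Users\Admin\AppData\Local\Temp\budha.exe"},
    {"type": "process_create", "pid": 3012, "ppid": 2256,
     "image": r"\Users\Admin\AppData\Local\Temp\budha.exe"},
    {"type": "process_create", "pid": 4001, "ppid": 1234,
     "image": r"C:\Windows\System32\notepad.exe"},
]


def find_dropped_executions(events: list) -> list:
    """Return (dropper_pid, child_pid, path, dropper_is_ancestor) for each
    process whose image was written earlier in the trace by a monitored
    process. The ancestry flag separates the strong case (dropper launched
    it) from a weaker one (some other process ran the dropped file)."""
    written_by = {}   # normalized path -> pid that created the file
    parent = {}       # pid -> ppid
    hits = []
    for ev in events:
        if ev["type"] == "file_create":
            written_by[normalize_path(ev["path"])] = ev["pid"]
        elif ev["type"] == "process_create":
            parent[ev["pid"]] = ev["ppid"]
            img = normalize_path(ev["image"])
            dropper = written_by.get(img)
            if dropper is not None:
                hits.append((dropper, ev["pid"], img, is_ancestor(parent, dropper, ev["pid"])))
    return hits


if __name__ == "__main__":
    for dropper, child, path, related in find_dropped_executions(EVENTS):
        print(f"PID {dropper} dropped {path}, executed as PID {child} "
              f"({'child of dropper' if related else 'unrelated process'})")
```

On the constructed trace the only hit is 2256 -> 3012 on budha.exe with the ancestry flag set, which is exactly the tree the report shows; notepad.exe is ignored because nothing in the trace wrote it.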

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\budha.exe

    Filesize

    976KB

    MD5

    b64db9a955dff198c38c3f23ce0c7c62

    SHA1

    75b2221c4face4f33337899bba48f80425f0aeba

    SHA256

    9b81a678855fa60984d4821a6735d1b86c596605f2e7ceaeb8650802eb53f6d4

    SHA512

    3cdeca679fa1c29a7ca6bc0aa5bb81869f81fd521b8cd840e3faf7440e11555e92b42985bbf596ae29f7a42030dca53f28132df42a630047065d49b934ef843f

  • \Users\Admin\AppData\Local\Temp\budha.exe

    Filesize

    976KB

    MD5

    b64db9a955dff198c38c3f23ce0c7c62

    SHA1

    75b2221c4face4f33337899bba48f80425f0aeba

    SHA256

    9b81a678855fa60984d4821a6735d1b86c596605f2e7ceaeb8650802eb53f6d4

    SHA512

    3cdeca679fa1c29a7ca6bc0aa5bb81869f81fd521b8cd840e3faf7440e11555e92b42985bbf596ae29f7a42030dca53f28132df42a630047065d49b934ef843f

  • memory/2256-60-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

  • memory/2256-61-0x00000000027A0000-0x0000000002BA0000-memory.dmp

    Filesize

    4.0MB

  • memory/3012-62-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

  • memory/3012-64-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

    Filesize

    4KB

  • memory/3012-65-0x0000000002790000-0x0000000002B90000-memory.dmp

    Filesize

    4.0MB

  • memory/3012-66-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB