Analysis

max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-20230703-en
resource tags: arch:x64, arch:x86, image:win7-20230703-en, locale:en-us, os:windows7-x64, system
submitted: 04-07-2023 15:04
Behavioral task: behavioral1
Sample: easy_Malicious_33318a1424a05487a0b1b864608be9b6acd1c4320ef98dbfd30b41145e2485b3.exe
Resource: win7-20230703-en

Behavioral task: behavioral2
Sample: easy_Malicious_33318a1424a05487a0b1b864608be9b6acd1c4320ef98dbfd30b41145e2485b3.exe
Resource: win10v2004-20230703-en
General

Target: easy_Malicious_33318a1424a05487a0b1b864608be9b6acd1c4320ef98dbfd30b41145e2485b3.exe
Size: 976KB
MD5: d0a434c9c2594e884ac81afaead9367e
SHA1: 04f3913b886af8e8f0b2947526fa4e87243ba34b
SHA256: 3fa1443cb3e841158b15c322d668c90c228ecd1b2fdbf1acd0ae18e4dc4035b2
SHA512: 3c9d03b34b4c69d1f6a48fa90a3c0d7fe63e24a5f09643b1a26a7adcfef6dc42f30bdaadb5cc154cc6e6267bf1f535203dc76178948da85d7d2b9b967c7576d6
SSDEEP: 24576:+MjPJ5g9KVGrdNikfu2hBfK8ilRty5olGJsxm:7J5gEKNikf3hBfUiWxm

Note: the SHA256 embedded in the file name (33318a14...) is not the SHA256 computed for the submitted file (3fa1443c...). Pivot on the computed hashes above, not on the name.
Malware Config
Signatures

Ammyy Admin
Remote admin tool with various capabilities.

AmmyyAdmin payload (3 IoCs)
  resource                                      yara_rule
  \Users\Admin\AppData\Local\Temp\budha.exe     family_ammyyadmin
  C:\Users\Admin\AppData\Local\Temp\budha.exe   family_ammyyadmin
  C:\Users\Admin\AppData\Local\Temp\budha.exe   family_ammyyadmin

Executes dropped EXE (1 IoC)
  pid    process
  3012   budha.exe

Loads dropped DLL (1 IoC)
  pid    process
  2256   easy_Malicious_33318a1424a05487a0b1b864608be9b6acd1c4320ef98dbfd30b41145e2485b3.exe

UPX packed file (yara rule upx, 6 IoCs)
  resource                                                                       yara_rule
  \Users\Admin\AppData\Local\Temp\budha.exe                                      upx
  C:\Users\Admin\AppData\Local\Temp\budha.exe                                    upx
  behavioral1/memory/2256-60-0x0000000000400000-0x0000000000410000-memory.dmp    upx
  behavioral1/memory/3012-62-0x0000000000400000-0x0000000000410000-memory.dmp    upx
  C:\Users\Admin\AppData\Local\Temp\budha.exe                                    upx
  behavioral1/memory/3012-66-0x0000000000400000-0x0000000000410000-memory.dmp    upx
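The `upx` YARA hits above fire on the dropped budha.exe on disk and on the 0x400000-0x410000 image region of both PIDs in memory. The script below is an added example (not code from the sandbox or from the sample) of the static check behind such a hit: it parses a PE section table with the standard library only and reports two independent UPX signals, the default UPX section names and the packer layout UPX produces (a first section with no bytes on disk but a large virtual size, which is the buffer the stub decompresses into). The PE images it checks are constructed inline; their byte layout follows the PE/COFF header format, the section values are made up.

```python
"""Static UPX indicators from a PE section table.

Added example; uses only the standard library. Test images are built
inline by build_pe(), so the script runs offline.
"""
import struct
import sys

# Section names UPX assigns by default. UPX can be told to use other
# names, so their absence does not prove a file is unpacked.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}

# First 24 bytes of IMAGE_SECTION_HEADER: Name, VirtualSize,
# VirtualAddress, SizeOfRawData, PointerToRawData. The full header is 40.
SECTION_HDR = struct.Struct("<8sIIII")
SECTION_HDR_LEN = 40


def pe_sections(data: bytes) -> list:
    """Parse the section table of a PE image; raise ValueError if malformed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4                          # IMAGE_FILE_HEADER, 20 bytes
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_of_optional         # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HDR_LEN
        if off + SECTION_HDR_LEN > len(data):
            raise ValueError("section table runs past end of file")
        name, vsize, vaddr, rawsize, rawptr = SECTION_HDR.unpack_from(data, off)
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize,
                         "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr})
    return sections


def upx_indicators(data: bytes) -> dict:
    """Report UPX default section names and the UPX packer layout
    (first section: SizeOfRawData == 0, VirtualSize > 0) separately,
    so a renamed-section build still trips the layout heuristic."""
    secs = pe_sections(data)
    names = {s["name"] for s in secs} & UPX_SECTION_NAMES
    layout = len(secs) >= 2 and secs[0]["rawsize"] == 0 and secs[0]["vsize"] > 0
    return {"upx_names": sorted(n.decode() for n in names), "packer_layout": layout}


def build_pe(sections) -> bytes:
    """Construct a minimal PE (DOS header, PE signature, file header with
    no optional header, section table) for offline testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew: PE header right after DOS header
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=0, Characteristics=EXECUTABLE|32BIT
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table = b"".join(SECTION_HDR.pack(name, vsize, vaddr, rawsize, rawptr) + b"\0" * 16
                     for name, vsize, vaddr, rawsize, rawptr in sections)
    return bytes(dos) + b"PE\0\0" + file_hdr + table


# Constructed section tables (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData).
UPX_LAYOUT = [(b"UPX0", 0x10000, 0x1000, 0, 0),
              (b"UPX1", 0x2000, 0x11000, 0x1E00, 0x400),
              (b".rsrc", 0x1000, 0x13000, 0x200, 0x2200)]
PLAIN_LAYOUT = [(b".text", 0x8000, 0x1000, 0x8000, 0x400),
                (b".data", 0x1000, 0x9000, 0x200, 0x8400),
                (b".rsrc", 0x1000, 0xA000, 0x200, 0x8600)]

if __name__ == "__main__":
    # Usage: python upx_check.py <file.exe>; without an argument it checks the constructed UPX image.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_pe(UPX_LAYOUT)
    print(upx_indicators(data))
```

A positive from either signal only says the file is packed; the Ammyy Admin identification in this report comes from the separate `family_ammyyadmin` rule, which matched the unpacked content.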
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid    process                                                                                  target process
  PID 2256 wrote to memory of 3012   2256   easy_Malicious_33318a1424a05487a0b1b864608be9b6acd1c4320ef98dbfd30b41145e2485b3.exe   budha.exe
  PID 2256 wrote to memory of 3012   2256   easy_Malicious_33318a1424a05487a0b1b864608be9b6acd1c4320ef98dbfd30b41145e2485b3.exe   budha.exe
  PID 2256 wrote to memory of 3012   2256   easy_Malicious_33318a1424a05487a0b1b864608be9b6acd1c4320ef98dbfd30b41145e2485b3.exe   budha.exe
  PID 2256 wrote to memory of 3012   2256   easy_Malicious_33318a1424a05487a0b1b864608be9b6acd1c4320ef98dbfd30b41145e2485b3.exe   budha.exe
Processes

C:\Users\Admin\AppData\Local\Temp\easy_Malicious_33318a1424a05487a0b1b864608be9b6acd1c4320ef98dbfd30b41145e2485b3.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\easy_Malicious_33318a1424a05487a0b1b864608be9b6acd1c4320ef98dbfd30b41145e2485b3.exe"
  PID: 2256
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  └ C:\Users\Admin\AppData\Local\Temp\budha.exe (child of PID 2256)
      command line: "C:\Users\Admin\AppData\Local\Temp\budha.exe"
      PID: 3012
      - Executes dropped EXE
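The process tree and the WriteProcessMemory signature describe one chain: PID 2256 writes budha.exe into its own %TEMP%, starts it as PID 3012, and writes into that child's memory. The script below is an added example (not code from the sandbox) of correlating that chain in endpoint telemetry. It works over Sysmon-style event records constructed inline with Sysmon's field names (Event ID 1 ProcessCreate, 11 FileCreate, 10 ProcessAccess); the PIDs and paths mirror the report's tree, while the sample's own parent PID, the timestamps and the benign noise events are made up.

```python
"""Correlate drop-to-temp, execute-by-parent and write-access-to-child
across Sysmon-style events. Added example; events are constructed inline.
"""
from collections import defaultdict

# winnt.h access rights a handle needs for WriteProcessMemory to succeed.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Lower-cased path fragments that mark the usual drop directories.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
SAMPLE = TEMP + "easy_Malicious_33318a1424a05487a0b1b864608be9b6acd1c4320ef98dbfd30b41145e2485b3.exe"
DROPPED = TEMP + "budha.exe"

SAMPLE_EVENTS = [  # constructed records; UtcTime uses Sysmon's "YYYY-MM-DD HH:MM:SS.mmm" form
    {"EventID": 1, "UtcTime": "2023-07-04 15:04:10.100", "ProcessId": 2256,
     "Image": SAMPLE, "ParentProcessId": 1000},                       # parent PID 1000 is made up
    {"EventID": 11, "UtcTime": "2023-07-04 15:04:10.800", "ProcessId": 2256,
     "TargetFilename": DROPPED},
    {"EventID": 1, "UtcTime": "2023-07-04 15:04:11.200", "ProcessId": 3012,
     "Image": DROPPED, "ParentProcessId": 2256},
    {"EventID": 10, "UtcTime": "2023-07-04 15:04:11.250", "SourceProcessId": 2256,
     "TargetProcessId": 3012, "GrantedAccess": "0x1F0FFF"},           # PROCESS_ALL_ACCESS
    # benign noise: a document written by one process, an unrelated process start
    {"EventID": 11, "UtcTime": "2023-07-04 15:04:12.000", "ProcessId": 4000,
     "TargetFilename": "C:\\Users\\Admin\\Documents\\notes.txt"},
    {"EventID": 1, "UtcTime": "2023-07-04 15:04:12.500", "ProcessId": 4100,
     "Image": "C:\\Windows\\System32\\notepad.exe", "ParentProcessId": 4000},
]


def find_drop_and_execute(events):
    """Return one finding per process whose image was written into a temp
    directory by its own parent before the parent launched it. The
    write-handle flag is an extra signal, not a requirement."""
    drop_time = {}                 # (writer pid, lower path) -> earliest UtcTime
    created = {}                   # pid -> (lower image, parent pid, UtcTime)
    access = defaultdict(int)      # (source pid, target pid) -> OR of GrantedAccess
    for ev in events:
        if ev["EventID"] == 11:
            key = (ev["ProcessId"], ev["TargetFilename"].lower())
            drop_time[key] = min(drop_time.get(key, ev["UtcTime"]), ev["UtcTime"])
        elif ev["EventID"] == 1:
            created[ev["ProcessId"]] = (ev["Image"].lower(), ev["ParentProcessId"], ev["UtcTime"])
        elif ev["EventID"] == 10:
            access[(ev["SourceProcessId"], ev["TargetProcessId"])] |= int(ev["GrantedAccess"], 16)

    findings = []
    for pid, (image, parent, started) in created.items():
        dropped = drop_time.get((parent, image))
        if dropped is None or dropped > started:          # parent must have written it first
            continue
        if not any(m in image for m in TEMP_MARKERS):
            continue
        findings.append({
            "dropper_pid": parent,
            "child_pid": pid,
            "dropped": image,
            "write_handle_to_child": bool(access[(parent, pid)] & WRITE_MASK),
        })
    return findings


if __name__ == "__main__":
    for finding in find_drop_and_execute(SAMPLE_EVENTS):
        print(finding)
```

One caveat when moving this from the sandbox to real telemetry: Sysmon Event ID 10 records handles obtained through OpenProcess, whereas a parent that created the child already holds a full handle from CreateProcess and may never call OpenProcess. The sandbox saw the WriteProcessMemory calls because it hooks the API; on an endpoint the `write_handle_to_child` flag can legitimately stay False for exactly this pattern, which is why the detection keys on the drop-then-execute pair and treats the handle as corroboration only.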
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 976KB
MD5: b64db9a955dff198c38c3f23ce0c7c62
SHA1: 75b2221c4face4f33337899bba48f80425f0aeba
SHA256: 9b81a678855fa60984d4821a6735d1b86c596605f2e7ceaeb8650802eb53f6d4
SHA512: 3cdeca679fa1c29a7ca6bc0aa5bb81869f81fd521b8cd840e3faf7440e11555e92b42985bbf596ae29f7a42030dca53f28132df42a630047065d49b934ef843f