Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-07-2023 15:04

General

  • Target

    easy_Malicious_33318a1424a05487a0b1b864608be9b6acd1c4320ef98dbfd30b41145e2485b3.exe

  • Size

    976KB

  • MD5

    d0a434c9c2594e884ac81afaead9367e

  • SHA1

    04f3913b886af8e8f0b2947526fa4e87243ba34b

  • SHA256

    3fa1443cb3e841158b15c322d668c90c228ecd1b2fdbf1acd0ae18e4dc4035b2

    Note that the SHA256 embedded in the submitted filename does not match the SHA256 computed over the file contents above; the file was renamed or altered after it was named, so pivot on the computed hashes rather than on the filename.

  • SHA512

    3c9d03b34b4c69d1f6a48fa90a3c0d7fe63e24a5f09643b1a26a7adcfef6dc42f30bdaadb5cc154cc6e6267bf1f535203dc76178948da85d7d2b9b967c7576d6

  • SSDEEP

    24576:+MjPJ5g9KVGrdNikfu2hBfK8ilRty5olGJsxm:7J5gEKNikf3hBfUiWxm

Score
10/10

Malware Config

Signatures

  • Ammyy Admin

    Remote admin tool with various capabilities; a legitimate remote-access product that is frequently abused for unauthorized remote control.

  • AmmyyAdmin payload (3 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE (1 IoC)
  • UPX packed file (5 IoCs)

    Detects executables packed with UPX or with a modified build of the open-source UPX packer.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (3 IoCs)
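The "UPX packed file" signature above rests on two cheap static indicators: the section names stock UPX writes (UPX0/UPX1) and the "UPX!" magic it leaves in the image. The following Python is an added example of checking those indicators with a hand-rolled PE section-table walk; it is not the sandbox's own detector and was not run against this sample. The `build_fake_pe` helper produces a constructed, non-loadable PE-shaped blob purely so the check can be exercised offline.

```python
import struct

# Section names stock UPX writes by default. Modified UPX builds often rename
# these, so the absence of a hit is inconclusive, not proof the file is unpacked.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".UPX0", ".UPX1", ".UPX2"}
UPX_MAGIC = b"UPX!"  # l_info magic that stock UPX leaves in the packed image


def pe_section_names(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return the section names in table order."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_header_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_header_size  # section table follows the optional header
    names = []
    for i in range(num_sections):
        entry = data[table + i * 40: table + i * 40 + 8]
        if len(entry) < 8:
            raise ValueError("truncated section table")
        names.append(entry.split(b"\x00", 1)[0].decode("ascii", "replace"))
    return names


def upx_indicators(data: bytes) -> dict:
    """Return both UPX indicators: telltale section names and the 'UPX!'
    magic string anywhere in the image."""
    names = pe_section_names(data)
    return {
        "upx_sections": [n for n in names if n in UPX_SECTION_NAMES],
        "upx_magic": UPX_MAGIC in data,
    }


def looks_upx_packed(data: bytes) -> bool:
    ind = upx_indicators(data)
    return bool(ind["upx_sections"]) or ind["upx_magic"]


def build_fake_pe(section_names) -> bytes:
    """Constructed minimal PE-shaped blob for offline testing: DOS header with
    e_lfanew, PE signature, COFF header with SizeOfOptionalHeader = 0, and one
    40-byte section header per name. It is not a loadable executable and is
    not derived from the sample in this report."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    table = b""
    for name in section_names:
        raw_name = name.encode("ascii")[:8].ljust(8, b"\x00")
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        table += raw_name + struct.pack("<IIIIIIHHI", 0x1000, 0x1000, 0x200,
                                        0x400, 0, 0, 0, 0, 0xE0000080)
    return dos + b"PE\x00\x00" + coff + table


if __name__ == "__main__":
    import sys
    # Usage: python upx_check.py <file.exe>; with no argument the constructed blob is used.
    data = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
            else build_fake_pe(["UPX0", "UPX1", ".rsrc"]))
    print(upx_indicators(data))
```

Treat a hit as a reason to unpack (e.g. `upx -d`) or to inspect section entropy before static analysis; a miss only rules out an unmodified packer.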

Processes

  • C:\Users\Admin\AppData\Local\Temp\easy_Malicious_33318a1424a05487a0b1b864608be9b6acd1c4320ef98dbfd30b41145e2485b3.exe
    "C:\Users\Admin\AppData\Local\Temp\easy_Malicious_33318a1424a05487a0b1b864608be9b6acd1c4320ef98dbfd30b41145e2485b3.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3060
    • C:\Users\Admin\AppData\Local\Temp\budha.exe
      "C:\Users\Admin\AppData\Local\Temp\budha.exe"
      2⤵
      • Executes dropped EXE
      PID:948
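The process tree shows the classic "Executes dropped EXE" pattern: PID 3060 writes budha.exe into its own Temp directory and then spawns it as PID 948. The following Python is an added example (not the sandbox's own signature logic) of detecting that pattern over a Sysmon-style event stream: a process_create whose image path was written earlier by another process. The event stream is constructed from the PIDs and paths in this report; the parent PID 1500, the notepad.exe control event and the event field layout are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Event:
    ts: int            # monotonically increasing sequence number
    kind: str          # "process_create" or "file_create"
    pid: int           # acting process (file writer, or the newly created process)
    image: str         # acting process image path
    ppid: int = 0      # parent PID (process_create only)
    target: str = ""   # path written (file_create only)


DROPPER = (r"C:\Users\Admin\AppData\Local\Temp\easy_Malicious_"
           r"33318a1424a05487a0b1b864608be9b6acd1c4320ef98dbfd30b41145e2485b3.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\budha.exe"

# Constructed event stream modelled on the process tree in this report. The
# parent PID 1500 and the notepad.exe event (a benign control) are assumptions.
SAMPLE_EVENTS = [
    Event(1, "process_create", 3060, DROPPER, ppid=1500),
    Event(2, "file_create", 3060, DROPPER, target=DROPPED),
    Event(3, "process_create", 948, DROPPED, ppid=3060),
    Event(4, "process_create", 4120, r"C:\Windows\System32\notepad.exe", ppid=1500),
]


def find_dropped_exe_execution(events: List[Event]) -> List[Dict]:
    """Flag process creations whose image was written to disk earlier in the
    same stream (the 'Executes dropped EXE' behaviour). Paths are compared
    case-insensitively because NTFS is case-insensitive."""
    dropped = {}  # lowercase path -> (pid that wrote it, ts of the write)
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "file_create" and ev.target.lower().endswith(".exe"):
            dropped[ev.target.lower()] = (ev.pid, ev.ts)
        elif ev.kind == "process_create":
            drop = dropped.get(ev.image.lower())
            if drop is not None:
                dropper_pid, drop_ts = drop
                hits.append({
                    "pid": ev.pid,
                    "image": ev.image,
                    "dropper_pid": dropper_pid,
                    # parent == writer is the tightest form of the pattern
                    "parent_is_dropper": ev.ppid == dropper_pid,
                    "events_between": ev.ts - drop_ts,
                })
    return hits


if __name__ == "__main__":
    for hit in find_dropped_exe_execution(SAMPLE_EVENTS):
        print(hit)
```

In production telemetry the file_create side would come from Sysmon Event ID 11 (or an EDR file-write event) and the process side from Event ID 1; installers and updaters trigger the same pattern, so scope the rule to user-writable paths such as %LOCALAPPDATA%\Temp and unsigned images to keep the volume manageable.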

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\budha.exe

    Filesize

    976KB

    MD5

    b64db9a955dff198c38c3f23ce0c7c62

    SHA1

    75b2221c4face4f33337899bba48f80425f0aeba

    SHA256

    9b81a678855fa60984d4821a6735d1b86c596605f2e7ceaeb8650802eb53f6d4

    SHA512

    3cdeca679fa1c29a7ca6bc0aa5bb81869f81fd521b8cd840e3faf7440e11555e92b42985bbf596ae29f7a42030dca53f28132df42a630047065d49b934ef843f

  • memory/948-144-0x0000000002280000-0x0000000002281000-memory.dmp

    Filesize

    4KB

  • memory/948-145-0x00000000025D0000-0x00000000029D0000-memory.dmp

    Filesize

    4.0MB

  • memory/948-146-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

  • memory/3060-133-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

  • memory/3060-134-0x00000000004C0000-0x00000000004C1000-memory.dmp

    Filesize

    4KB

  • memory/3060-143-0x00000000026B0000-0x0000000002AB0000-memory.dmp

    Filesize

    4.0MB