Malware Analysis Report

2024-10-24 20:57

Sample ID 230704-sfkmbafh41
Target easy_Malicious_33318a1424a05487a0b1b864608be9b6acd1c4320ef98dbfd30b41145e2485b3.exe
SHA256 3fa1443cb3e841158b15c322d668c90c228ecd1b2fdbf1acd0ae18e4dc4035b2
Tags: upx ammyyadmin rat
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

3fa1443cb3e841158b15c322d668c90c228ecd1b2fdbf1acd0ae18e4dc4035b2

Threat Level: Known bad

The file easy_Malicious_33318a1424a05487a0b1b864608be9b6acd1c4320ef98dbfd30b41145e2485b3.exe was found to be: Known bad.

Malicious Activity Summary

upx ammyyadmin rat

AmmyyAdmin payload

Ammyyadmin family

Ammyy Admin

UPX packed file

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-04 15:04

Signatures

AmmyyAdmin payload

Description Indicator Process Target
N/A N/A N/A N/A

Ammyyadmin family

ammyyadmin

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-04 15:04

Reported

2023-07-04 15:06

Platform

win7-20230703-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\easy_Malicious_33318a1424a05487a0b1b864608be9b6acd1c4320ef98dbfd30b41145e2485b3.exe"

Signatures

Ammyy Admin

rat ammyyadmin

AmmyyAdmin payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\budha.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\easy_Malicious_33318a1424a05487a0b1b864608be9b6acd1c4320ef98dbfd30b41145e2485b3.exe

"C:\Users\Admin\AppData\Local\Temp\easy_Malicious_33318a1424a05487a0b1b864608be9b6acd1c4320ef98dbfd30b41145e2485b3.exe"

C:\Users\Admin\AppData\Local\Temp\budha.exe

"C:\Users\Admin\AppData\Local\Temp\budha.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 maitikio.com udp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 tcp

Files

\Users\Admin\AppData\Local\Temp\budha.exe

MD5 b64db9a955dff198c38c3f23ce0c7c62
SHA1 75b2221c4face4f33337899bba48f80425f0aeba
SHA256 9b81a678855fa60984d4821a6735d1b86c596605f2e7ceaeb8650802eb53f6d4
SHA512 3cdeca679fa1c29a7ca6bc0aa5bb81869f81fd521b8cd840e3faf7440e11555e92b42985bbf596ae29f7a42030dca53f28132df42a630047065d49b934ef843f

C:\Users\Admin\AppData\Local\Temp\budha.exe

MD5 b64db9a955dff198c38c3f23ce0c7c62
SHA1 75b2221c4face4f33337899bba48f80425f0aeba
SHA256 9b81a678855fa60984d4821a6735d1b86c596605f2e7ceaeb8650802eb53f6d4
SHA512 3cdeca679fa1c29a7ca6bc0aa5bb81869f81fd521b8cd840e3faf7440e11555e92b42985bbf596ae29f7a42030dca53f28132df42a630047065d49b934ef843f

memory/2256-60-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2256-61-0x00000000027A0000-0x0000000002BA0000-memory.dmp

memory/3012-62-0x0000000000400000-0x0000000000410000-memory.dmp

memory/3012-64-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

memory/3012-65-0x0000000002790000-0x0000000002B90000-memory.dmp

memory/3012-66-0x0000000000400000-0x0000000000410000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-04 15:04

Reported

2023-07-04 15:06

Platform

win10v2004-20230703-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\easy_Malicious_33318a1424a05487a0b1b864608be9b6acd1c4320ef98dbfd30b41145e2485b3.exe"

Signatures

Ammyy Admin

rat ammyyadmin

AmmyyAdmin payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\easy_Malicious_33318a1424a05487a0b1b864608be9b6acd1c4320ef98dbfd30b41145e2485b3.exe
Target: N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\budha.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\easy_Malicious_33318a1424a05487a0b1b864608be9b6acd1c4320ef98dbfd30b41145e2485b3.exe

"C:\Users\Admin\AppData\Local\Temp\easy_Malicious_33318a1424a05487a0b1b864608be9b6acd1c4320ef98dbfd30b41145e2485b3.exe"

C:\Users\Admin\AppData\Local\Temp\budha.exe

"C:\Users\Admin\AppData\Local\Temp\budha.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 maitikio.com udp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 1.77.109.52.in-addr.arpa udp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp

Files

memory/3060-133-0x0000000000400000-0x0000000000410000-memory.dmp

memory/3060-134-0x00000000004C0000-0x00000000004C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\budha.exe

MD5 b64db9a955dff198c38c3f23ce0c7c62
SHA1 75b2221c4face4f33337899bba48f80425f0aeba
SHA256 9b81a678855fa60984d4821a6735d1b86c596605f2e7ceaeb8650802eb53f6d4
SHA512 3cdeca679fa1c29a7ca6bc0aa5bb81869f81fd521b8cd840e3faf7440e11555e92b42985bbf596ae29f7a42030dca53f28132df42a630047065d49b934ef843f

memory/3060-143-0x00000000026B0000-0x0000000002AB0000-memory.dmp

memory/948-144-0x0000000002280000-0x0000000002281000-memory.dmp

memory/948-145-0x00000000025D0000-0x00000000029D0000-memory.dmp

memory/948-146-0x0000000000400000-0x0000000000410000-memory.dmp