Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20230703-en
- resource tags: arch:x64, arch:x86, image:win7-20230703-en, locale:en-us, os:windows7-x64, system
- submitted: 04-07-2023 16:10
Behavioral task: behavioral1
- Sample: easyMalicious05915c359b71.exe
- Resource: win7-20230703-en
Behavioral task: behavioral2
- Sample: easyMalicious05915c359b71.exe
- Resource: win10v2004-20230703-en
General
- Target: easyMalicious05915c359b71.exe
- Size: 1014KB
- MD5: b67d8ed6b48fcbd31781007252982551
- SHA1: a02e384bd0287bb57048c14f7ca214b6a39e8b46
- SHA256: de17dc323729d9181c740ead7e5fdce10afd5afbf58d991353d02d6b268f001a
- SHA512: e6fbf9a82827424459523da9e82876a8ed251404222e8da5de5f577e8ab71270131c55c39f674e465a0c7e927144c93619097a6ef9682366a23cf3df9de2a590
- SSDEEP: 24576:+MjPJ5g9KVGrdNikfu2hBfK8ilRty5olGJsxo:7J5gEKNikf3hBfUiWxo
Malware Config
Signatures
- Ammyy Admin
  Remote admin tool with various capabilities.
- AmmyyAdmin payload (3 IoCs)
  Processes:
  resource                                      yara_rule
  \Users\Admin\AppData\Local\Temp\budha.exe     family_ammyyadmin
  C:\Users\Admin\AppData\Local\Temp\budha.exe   family_ammyyadmin
  C:\Users\Admin\AppData\Local\Temp\budha.exe   family_ammyyadmin
- Executes dropped EXE (1 IoCs)
  Processes:
  pid    process
  3000   budha.exe
- Loads dropped DLL (1 IoCs)
  Processes:
  pid    process
  2256   easyMalicious05915c359b71.exe
  Processes:
  resource                                                                        yara_rule
  \Users\Admin\AppData\Local\Temp\budha.exe                                       upx
  C:\Users\Admin\AppData\Local\Temp\budha.exe                                     upx
  behavioral1/memory/2256-60-0x0000000000400000-0x0000000000410000-memory.dmp     upx
  behavioral1/memory/3000-62-0x0000000000400000-0x0000000000410000-memory.dmp     upx
  C:\Users\Admin\AppData\Local\Temp\budha.exe                                     upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description                        pid    process                          target process
  PID 2256 wrote to memory of 3000   2256   easyMalicious05915c359b71.exe    budha.exe
  PID 2256 wrote to memory of 3000   2256   easyMalicious05915c359b71.exe    budha.exe
  PID 2256 wrote to memory of 3000   2256   easyMalicious05915c359b71.exe    budha.exe
  PID 2256 wrote to memory of 3000   2256   easyMalicious05915c359b71.exe    budha.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\easyMalicious05915c359b71.exe
  "C:\Users\Admin\AppData\Local\Temp\easyMalicious05915c359b71.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2256
  - C:\Users\Admin\AppData\Local\Temp\budha.exe
    "C:\Users\Admin\AppData\Local\Temp\budha.exe"
    - Executes dropped EXE
    PID: 3000
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1014KB
  MD5: c5d49b191e9e45454f5d32087890875b
  SHA1: 98be5ba768b6a0757586de4eb50f5e4b7200643e
  SHA256: 8e967398f03c65281a3a95df6c7c02279440cc7683285e867f60a80a518fb302
  SHA512: a3ce5046afaa19e695cba7485b10af039957f082b251f9b88d9f1bea740e743cd2be9fe5f7862b9a5c6d243971aab5698e7b5691339bd9a01229c4088ea03645