Analysis
- max time kernel: 148s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-07-2023 16:10
Behavioral task: behavioral1
- Sample: easyMalicious05915c359b71.exe
- Resource: win7-20230703-en
Behavioral task: behavioral2
- Sample: easyMalicious05915c359b71.exe
- Resource: win10v2004-20230703-en
General
- Target: easyMalicious05915c359b71.exe
- Size: 1014KB
- MD5: b67d8ed6b48fcbd31781007252982551
- SHA1: a02e384bd0287bb57048c14f7ca214b6a39e8b46
- SHA256: de17dc323729d9181c740ead7e5fdce10afd5afbf58d991353d02d6b268f001a
- SHA512: e6fbf9a82827424459523da9e82876a8ed251404222e8da5de5f577e8ab71270131c55c39f674e465a0c7e927144c93619097a6ef9682366a23cf3df9de2a590
- SSDEEP: 24576:+MjPJ5g9KVGrdNikfu2hBfK8ilRty5olGJsxo:7J5gEKNikf3hBfUiWxo
Malware Config
Signatures
- Ammyy Admin
  Remote admin tool with various capabilities.
- AmmyyAdmin payload (3 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\budha.exe | family_ammyyadmin
  C:\Users\Admin\AppData\Local\Temp\budha.exe | family_ammyyadmin
  C:\Users\Admin\AppData\Local\Temp\budha.exe | family_ammyyadmin
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation | easyMalicious05915c359b71.exe
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  1416 | budha.exe
- Processes matching yara rule upx:
  resource | yara_rule
  behavioral2/memory/2672-133-0x0000000000400000-0x0000000000410000-memory.dmp | upx
  C:\Users\Admin\AppData\Local\Temp\budha.exe | upx
  C:\Users\Admin\AppData\Local\Temp\budha.exe | upx
  C:\Users\Admin\AppData\Local\Temp\budha.exe | upx
  behavioral2/memory/2672-142-0x0000000000400000-0x0000000000410000-memory.dmp | upx
  behavioral2/memory/1416-145-0x0000000000400000-0x0000000000410000-memory.dmp | upx
  behavioral2/memory/1416-148-0x0000000000400000-0x0000000000410000-memory.dmp | upx
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 2672 wrote to memory of 1416 | 2672 | easyMalicious05915c359b71.exe | budha.exe
  PID 2672 wrote to memory of 1416 | 2672 | easyMalicious05915c359b71.exe | budha.exe
  PID 2672 wrote to memory of 1416 | 2672 | easyMalicious05915c359b71.exe | budha.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\easyMalicious05915c359b71.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\easyMalicious05915c359b71.exe"
  PID: 2672
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\budha.exe (child of PID 2672)
    Command line: "C:\Users\Admin\AppData\Local\Temp\budha.exe"
    PID: 1416
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1014KB
  MD5: c5d49b191e9e45454f5d32087890875b
  SHA1: 98be5ba768b6a0757586de4eb50f5e4b7200643e
  SHA256: 8e967398f03c65281a3a95df6c7c02279440cc7683285e867f60a80a518fb302
  SHA512: a3ce5046afaa19e695cba7485b10af039957f082b251f9b88d9f1bea740e743cd2be9fe5f7862b9a5c6d243971aab5698e7b5691339bd9a01229c4088ea03645