Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-07-2023 16:10

General

  • Target

    easyMalicious05915c359b71.exe

  • Size

    1014KB

  • MD5

    b67d8ed6b48fcbd31781007252982551

  • SHA1

    a02e384bd0287bb57048c14f7ca214b6a39e8b46

  • SHA256

    de17dc323729d9181c740ead7e5fdce10afd5afbf58d991353d02d6b268f001a

  • SHA512

    e6fbf9a82827424459523da9e82876a8ed251404222e8da5de5f577e8ab71270131c55c39f674e465a0c7e927144c93619097a6ef9682366a23cf3df9de2a590

  • SSDEEP

    24576:+MjPJ5g9KVGrdNikfu2hBfK8ilRty5olGJsxo:7J5gEKNikf3hBfUiWxo

Score
10/10

Malware Config

Signatures

  • Ammyy Admin

    Remote admin tool with various capabilities.

  • AmmyyAdmin payload 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

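To reproduce the "UPX packed file" verdict offline, the following Python is an added example (not Triage's signature code and nothing taken from the sample): it walks the PE section table of a file, flags the UPX0/UPX1/UPX2 section names that stock UPX leaves behind, and falls back to per-section entropy for a modified UPX build that renames them. The build_sample_pe helper, the three sample images and the 7.0 bits/byte entropy threshold are constructed or assumed here to exercise it; run it against easyMalicious05915c359b71.exe or budha.exe by passing the file bytes to upx_indicators.

```python
import math
import struct

# Section names stock UPX writes; a modified UPX build may rename them, so entropy is the fallback.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
HIGH_ENTROPY = 7.0   # bits per byte; assumed threshold, compressed/encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(pe: bytes):
    """Yield (name, raw_offset, raw_size) for each section of a PE image held in memory."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size                          # IMAGE_SECTION_HEADER array
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)  # SizeOfRawData, PointerToRawData
        yield name, raw_ptr, raw_size


def upx_indicators(pe: bytes) -> dict:
    """Evidence for the 'UPX packed file' verdict: UPX section names and per-section entropy."""
    entropy = {}
    for name, ptr, size in pe_sections(pe):
        entropy[name.decode("latin-1")] = round(shannon_entropy(pe[ptr:ptr + size]), 2)
    upx_names = sorted(n for n in entropy if n.encode("latin-1") in UPX_SECTION_NAMES)
    return {
        "upx_sections": upx_names,
        "entropy": entropy,
        "packed": bool(upx_names) or any(e > HIGH_ENTROPY for e in entropy.values()),
    }


def build_sample_pe(sections) -> bytes:
    """Constructed test input: a syntactically valid PE32 skeleton (headers plus raw section
    data, not runnable) with the given [(name, raw_bytes), ...] sections."""
    opt_size, e_lfanew = 0xE0, 0x40
    table = e_lfanew + 4 + 20 + opt_size
    data_start = table + 40 * len(sections)
    hdr = bytearray(b"MZ".ljust(0x3C, b"\0")) + struct.pack("<I", e_lfanew)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    hdr += struct.pack("<H", 0x10B).ljust(opt_size, b"\0")          # PE32 magic, rest zeroed
    body = bytearray()
    for i, (name, raw) in enumerate(sections):
        hdr += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(raw), 0x1000 * (i + 1), len(raw), data_start + len(body),
            0, 0, 0, 0, 0x60000020)
        body += raw
    return bytes(hdr + body)


# Constructed samples: stock UPX layout, a renamed-section "modified UPX" layout, and an unpacked image.
HIGH = bytes(range(256)) * 16                     # every byte value equally likely: 8.0 bits/byte
CODE = b"push ebp; mov ebp, esp; sub esp, 0x40; " * 100
UPX_SAMPLE = build_sample_pe([(b"UPX0", b""), (b"UPX1", HIGH), (b".rsrc", b"\0" * 64)])
MODIFIED_UPX_SAMPLE = build_sample_pe([(b".text", b""), (b".data", HIGH), (b".rsrc", b"\0" * 64)])
PLAIN_SAMPLE = build_sample_pe([(b".text", CODE), (b".data", b"hello, world\0" * 50)])

if __name__ == "__main__":
    for label, sample in [("upx", UPX_SAMPLE), ("modified", MODIFIED_UPX_SAMPLE), ("plain", PLAIN_SAMPLE)]:
        print(label, upx_indicators(sample))
```

UPX0 is normally an empty placeholder (SizeOfRawData 0) that the stub fills at run time, which is why its entropy reads 0.0 and why the decision also looks at the other sections; the 4.0MB private regions in the memory dumps below are what such an unpacking stub typically leaves behind.
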
Processes

  • C:\Users\Admin\AppData\Local\Temp\easyMalicious05915c359b71.exe
    "C:\Users\Admin\AppData\Local\Temp\easyMalicious05915c359b71.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Users\Admin\AppData\Local\Temp\budha.exe
      "C:\Users\Admin\AppData\Local\Temp\budha.exe"
      2⤵
      • Executes dropped EXE
      PID:1416

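The process tree above pairs "Executes dropped EXE" with "Suspicious use of WriteProcessMemory" in two processes: PID 2672 writes budha.exe to Temp and launches it as PID 1416. The following Python is an added example, not sandbox output, that correlates those steps from Sysmon-style records (event IDs 11, 1 and 10 with Sysmon's field names). The SAMPLE_EVENTS list is constructed to mirror this report and is not real telemetry, the 60-second DROP_WINDOW is an assumed tuning value, and the assumption that the parent's memory write targets the child is the example's, not something the report states.

```python
from datetime import datetime, timedelta

FILE_CREATE, PROCESS_CREATE, PROCESS_ACCESS = 11, 1, 10   # Sysmon event IDs
VM_WRITE = 0x0020                 # PROCESS_VM_WRITE, the access right WriteProcessMemory needs
DROP_WINDOW = timedelta(seconds=60)   # assumed: max gap between the file write and its execution


def _norm(path: str) -> str:
    return path.strip('"').lower()


def _in_temp(path: str) -> bool:
    p = _norm(path)
    return "\\appdata\\local\\temp\\" in p or p.startswith("c:\\windows\\temp\\")


def find_dropped_exe_executions(events):
    """Return one finding per process started from a file another process wrote to a temp
    directory within DROP_WINDOW; each finding records whether the dropper later opened the
    child with PROCESS_VM_WRITE (Sysmon event 10 logs the OpenProcess, not the write itself)."""
    writers, findings = {}, {}
    for e in sorted(events, key=lambda ev: ev["UtcTime"]):
        eid = e["EventID"]
        if eid == FILE_CREATE and _in_temp(e["TargetFilename"]):
            writers[_norm(e["TargetFilename"])] = (e["ProcessId"], e["UtcTime"])
        elif eid == PROCESS_CREATE:
            dropped = writers.get(_norm(e["Image"]))
            if dropped and e["UtcTime"] - dropped[1] <= DROP_WINDOW:
                findings[e["ProcessId"]] = {
                    "dropper_pid": dropped[0],
                    "child_pid": e["ProcessId"],
                    "image": e["Image"],
                    "seconds_after_write": (e["UtcTime"] - dropped[1]).total_seconds(),
                    "memory_write": False,
                }
        elif eid == PROCESS_ACCESS:
            f = findings.get(e["TargetProcessId"])
            granted = e["GrantedAccess"]
            granted = int(granted, 16) if isinstance(granted, str) else granted   # Sysmon logs hex text
            if f and e["SourceProcessId"] == f["dropper_pid"] and granted & VM_WRITE:
                f["memory_write"] = True
    return list(findings.values())


# Constructed events mirroring the process tree above (PIDs from the report); not real telemetry.
T0 = datetime(2023, 7, 4, 16, 11, 0)
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\easyMalicious05915c359b71.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\budha.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": T0, "ProcessId": 2672, "ParentProcessId": 4020,
     "Image": DROPPER, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "UtcTime": T0 + timedelta(seconds=2), "ProcessId": 2672,
     "Image": DROPPER, "TargetFilename": DROPPED},
    {"EventID": 1, "UtcTime": T0 + timedelta(seconds=3), "ProcessId": 1416, "ParentProcessId": 2672,
     "Image": DROPPED, "ParentImage": DROPPER},
    {"EventID": 10, "UtcTime": T0 + timedelta(seconds=3), "SourceProcessId": 2672,
     "TargetProcessId": 1416, "GrantedAccess": "0x1FFFFF"},
    # Benign noise: a browser writes a temp file that never runs; explorer starts notepad from System32.
    {"EventID": 11, "UtcTime": T0 + timedelta(seconds=5), "ProcessId": 5100,
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Local\Temp\edge_BITS_1.tmp"},
    {"EventID": 1, "UtcTime": T0 + timedelta(seconds=9), "ProcessId": 6000, "ParentProcessId": 4020,
     "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for finding in find_dropped_exe_executions(SAMPLE_EVENTS):
        print(finding)
```

The first event, the sample itself starting from Temp, is deliberately not flagged: a process image in a temp directory is only evidence once it is tied to the process that wrote it, which is what separates a sandbox staging the sample from a dropper stage like budha.exe.
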
Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\budha.exe

    Filesize

    1014KB

    MD5

    c5d49b191e9e45454f5d32087890875b

    SHA1

    98be5ba768b6a0757586de4eb50f5e4b7200643e

    SHA256

    8e967398f03c65281a3a95df6c7c02279440cc7683285e867f60a80a518fb302

    SHA512

    a3ce5046afaa19e695cba7485b10af039957f082b251f9b88d9f1bea740e743cd2be9fe5f7862b9a5c6d243971aab5698e7b5691339bd9a01229c4088ea03645

  • memory/1416-145-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

  • memory/1416-146-0x0000000002100000-0x0000000002101000-memory.dmp

    Filesize

    4KB

  • memory/1416-147-0x0000000002550000-0x0000000002950000-memory.dmp

    Filesize

    4.0MB

  • memory/1416-148-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

  • memory/2672-133-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

  • memory/2672-142-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

  • memory/2672-143-0x0000000002110000-0x0000000002111000-memory.dmp

    Filesize

    4KB

  • memory/2672-144-0x00000000025B0000-0x00000000029B0000-memory.dmp

    Filesize

    4.0MB