Malware Analysis Report

2024-10-24 20:57

Sample ID: 230704-tmk24afb58
Target: easyMalicious05915c359b71.exe
SHA256: de17dc323729d9181c740ead7e5fdce10afd5afbf58d991353d02d6b268f001a
Tags: upx, ammyyadmin, rat
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: de17dc323729d9181c740ead7e5fdce10afd5afbf58d991353d02d6b268f001a

Threat Level: Known bad

The file easyMalicious05915c359b71.exe was found to be: Known bad.

Malicious Activity Summary

Tags: upx, ammyyadmin, rat

AmmyyAdmin payload

Ammyyadmin family

Ammyy Admin

UPX packed file

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-07-04 16:10

Signatures

AmmyyAdmin payload

Description Indicator Process Target
N/A N/A N/A N/A

Ammyyadmin family

Tags: ammyyadmin

UPX packed file

Tags: upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-07-04 16:10
Reported: 2023-07-04 16:13
Platform: win7-20230703-en
Max time kernel: 150s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\easyMalicious05915c359b71.exe"

Signatures

Ammyy Admin

Tags: rat, ammyyadmin

AmmyyAdmin payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\budha.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\easyMalicious05915c359b71.exe N/A

UPX packed file

Tags: upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\easyMalicious05915c359b71.exe

"C:\Users\Admin\AppData\Local\Temp\easyMalicious05915c359b71.exe"

C:\Users\Admin\AppData\Local\Temp\budha.exe

"C:\Users\Admin\AppData\Local\Temp\budha.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 maitikio.com udp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
US 192.229.211.108:80 tcp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp

Files

\Users\Admin\AppData\Local\Temp\budha.exe

MD5 c5d49b191e9e45454f5d32087890875b
SHA1 98be5ba768b6a0757586de4eb50f5e4b7200643e
SHA256 8e967398f03c65281a3a95df6c7c02279440cc7683285e867f60a80a518fb302
SHA512 a3ce5046afaa19e695cba7485b10af039957f082b251f9b88d9f1bea740e743cd2be9fe5f7862b9a5c6d243971aab5698e7b5691339bd9a01229c4088ea03645

C:\Users\Admin\AppData\Local\Temp\budha.exe

MD5 c5d49b191e9e45454f5d32087890875b
SHA1 98be5ba768b6a0757586de4eb50f5e4b7200643e
SHA256 8e967398f03c65281a3a95df6c7c02279440cc7683285e867f60a80a518fb302
SHA512 a3ce5046afaa19e695cba7485b10af039957f082b251f9b88d9f1bea740e743cd2be9fe5f7862b9a5c6d243971aab5698e7b5691339bd9a01229c4088ea03645

memory/2256-60-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2256-61-0x0000000002750000-0x0000000002B50000-memory.dmp

memory/3000-62-0x0000000000400000-0x0000000000410000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\budha.exe

MD5 c5d49b191e9e45454f5d32087890875b
SHA1 98be5ba768b6a0757586de4eb50f5e4b7200643e
SHA256 8e967398f03c65281a3a95df6c7c02279440cc7683285e867f60a80a518fb302
SHA512 a3ce5046afaa19e695cba7485b10af039957f082b251f9b88d9f1bea740e743cd2be9fe5f7862b9a5c6d243971aab5698e7b5691339bd9a01229c4088ea03645

memory/3000-64-0x0000000000390000-0x0000000000391000-memory.dmp

memory/3000-65-0x0000000002700000-0x0000000002B00000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-07-04 16:10
Reported: 2023-07-04 16:13
Platform: win10v2004-20230703-en
Max time kernel: 148s
Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\easyMalicious05915c359b71.exe"

Signatures

Ammyy Admin

Tags: rat, ammyyadmin

AmmyyAdmin payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\easyMalicious05915c359b71.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\budha.exe N/A

UPX packed file

Tags: upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\easyMalicious05915c359b71.exe

"C:\Users\Admin\AppData\Local\Temp\easyMalicious05915c359b71.exe"

C:\Users\Admin\AppData\Local\Temp\budha.exe

"C:\Users\Admin\AppData\Local\Temp\budha.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 126.129.241.8.in-addr.arpa udp
US 8.8.8.8:53 maitikio.com udp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 203.151.224.20.in-addr.arpa udp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp
HK 154.80.193.194:443 maitikio.com tcp
US 8.8.8.8:53 cry-havok.org udp
HK 154.80.193.194:443 maitikio.com tcp

Files

memory/2672-133-0x0000000000400000-0x0000000000410000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\budha.exe

MD5 c5d49b191e9e45454f5d32087890875b
SHA1 98be5ba768b6a0757586de4eb50f5e4b7200643e
SHA256 8e967398f03c65281a3a95df6c7c02279440cc7683285e867f60a80a518fb302
SHA512 a3ce5046afaa19e695cba7485b10af039957f082b251f9b88d9f1bea740e743cd2be9fe5f7862b9a5c6d243971aab5698e7b5691339bd9a01229c4088ea03645

C:\Users\Admin\AppData\Local\Temp\budha.exe

MD5 c5d49b191e9e45454f5d32087890875b
SHA1 98be5ba768b6a0757586de4eb50f5e4b7200643e
SHA256 8e967398f03c65281a3a95df6c7c02279440cc7683285e867f60a80a518fb302
SHA512 a3ce5046afaa19e695cba7485b10af039957f082b251f9b88d9f1bea740e743cd2be9fe5f7862b9a5c6d243971aab5698e7b5691339bd9a01229c4088ea03645

C:\Users\Admin\AppData\Local\Temp\budha.exe

MD5 c5d49b191e9e45454f5d32087890875b
SHA1 98be5ba768b6a0757586de4eb50f5e4b7200643e
SHA256 8e967398f03c65281a3a95df6c7c02279440cc7683285e867f60a80a518fb302
SHA512 a3ce5046afaa19e695cba7485b10af039957f082b251f9b88d9f1bea740e743cd2be9fe5f7862b9a5c6d243971aab5698e7b5691339bd9a01229c4088ea03645

memory/2672-142-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2672-143-0x0000000002110000-0x0000000002111000-memory.dmp

memory/2672-144-0x00000000025B0000-0x00000000029B0000-memory.dmp

memory/1416-145-0x0000000000400000-0x0000000000410000-memory.dmp

memory/1416-146-0x0000000002100000-0x0000000002101000-memory.dmp

memory/1416-147-0x0000000002550000-0x0000000002950000-memory.dmp

memory/1416-148-0x0000000000400000-0x0000000000410000-memory.dmp