Analysis
- max time kernel: 147s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20230703-en
- resource tags: arch:x64, arch:x86, image:win7-20230703-en, locale:en-us, os:windows7-x64, system
- submitted: 04-07-2023 16:10
Behavioral task: behavioral1
- Sample: easyMalicious05d418023a1f.exe
- Resource: win7-20230703-en
Behavioral task: behavioral2
- Sample: easyMalicious05d418023a1f.exe
- Resource: win10v2004-20230703-en
General
- Target: easyMalicious05d418023a1f.exe
- Size: 1013KB
- MD5: 20ccff9fe7e559f00672bb32f5f05dd6
- SHA1: 9f57ec4334cf336853ddbfba912ed3b32d05a69e
- SHA256: cf84b3618117d23efa8f6bdb0b7934c6d920e52723580c44866fdaf31148f75e
- SHA512: 50eee511d87b2e091e9b8e1cd87bce1fd6805b73ea3b9c8c25876f6afae275564aa535ce7de2db0976c88fea02d09f4732eac3929b6077cbf51e4494334c8680
- SSDEEP: 24576:+MjPJ5g9KVGrdNikfu2hBfK8ilRty5olGJsxV:7J5gEKNikf3hBfUiWxV
Malware Config
Signatures
- Ammyy Admin
  Remote admin tool with various capabilities.
- AmmyyAdmin payload (3 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\budha.exe | family_ammyyadmin
  \Users\Admin\AppData\Local\Temp\budha.exe | family_ammyyadmin
  C:\Users\Admin\AppData\Local\Temp\budha.exe | family_ammyyadmin
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  1748 | budha.exe
- Loads dropped DLL (1 IoC)
  Processes:
  pid | process
  2212 | easyMalicious05d418023a1f.exe
- Processes (yara_rule upx):
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\budha.exe | upx
  \Users\Admin\AppData\Local\Temp\budha.exe | upx
  behavioral1/memory/2212-60-0x0000000000400000-0x0000000000410000-memory.dmp | upx
  behavioral1/memory/1748-62-0x0000000000400000-0x0000000000410000-memory.dmp | upx
  C:\Users\Admin\AppData\Local\Temp\budha.exe | upx
  behavioral1/memory/1748-66-0x0000000000400000-0x0000000000410000-memory.dmp | upx
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description | pid | process | target process
  PID 2212 wrote to memory of 1748 | 2212 | easyMalicious05d418023a1f.exe | budha.exe
  PID 2212 wrote to memory of 1748 | 2212 | easyMalicious05d418023a1f.exe | budha.exe
  PID 2212 wrote to memory of 1748 | 2212 | easyMalicious05d418023a1f.exe | budha.exe
  PID 2212 wrote to memory of 1748 | 2212 | easyMalicious05d418023a1f.exe | budha.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\easyMalicious05d418023a1f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\easyMalicious05d418023a1f.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2212
  - C:\Users\Admin\AppData\Local\Temp\budha.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\budha.exe"
    - Executes dropped EXE
    PID: 1748
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1013KB
  MD5: 29827ff9649a5b6d8d9bc725c1dd181d
  SHA1: ae1a9438e8d7340b16904a166415d0cc41063423
  SHA256: 694e274ea5f8b974aa5e0c714685ad28b3966a7fdebb9b2c4fe9f08487165571
  SHA512: dbfedccc5342ea872b8962c6f4ce60e48700b531a172c25f2f19334e665bccff654861b33958ce95664a8cdb2c0395064993c04ee5bdf17c040926584bddc204