Analysis
max time kernel: 149s
max time network: 155s
platform: windows7_x64
resource: win7-20230703-en
resource tags: arch:x64, arch:x86, image:win7-20230703-en, locale:en-us, os:windows7-x64, system
submitted: 04-07-2023 16:53
Behavioral task: behavioral1
Sample: easyMalicious29df40b3ae82.exe
Resource: win7-20230703-en
Behavioral task: behavioral2
Sample: easyMalicious29df40b3ae82.exe
Resource: win10v2004-20230703-en
General
Target: easyMalicious29df40b3ae82.exe
Size: 975KB
MD5: 0b35a4c01a9f482505d6c8dc4f8a8267
SHA1: d9946541f50c33b11c119ba4f8cbfc2a2cb49146
SHA256: 7d63cac8bc83fb31807b5446b8aa210ad532b608cbf09f1dfc580008b33281b8
SHA512: f5fcf4b29b3cf9524a4795654ad0bb016caea5e9f4f05e878c6eb5c4cacae625c0d75e012022f3db1f53d12e30434e00700cebc483328a16fdeaf5127e17d90f
SSDEEP: 24576:+MjPJ5g9KVGrdNikfu2hBfK8ilRty5olGJsxy:7J5gEKNikf3hBfUiWxy
Malware Config
Signatures

Ammyy Admin
Remote admin tool with various capabilities.

AmmyyAdmin payload (3 IoCs)
Processes:
  resource: \Users\Admin\AppData\Local\Temp\budha.exe  yara_rule: family_ammyyadmin
  resource: C:\Users\Admin\AppData\Local\Temp\budha.exe  yara_rule: family_ammyyadmin
  resource: C:\Users\Admin\AppData\Local\Temp\budha.exe  yara_rule: family_ammyyadmin

Executes dropped EXE (1 IoCs)
Processes:
  budha.exe  pid: 2332  process: budha.exe

Loads dropped DLL (1 IoCs)
Processes:
  easyMalicious29df40b3ae82.exe  pid: 3064  process: easyMalicious29df40b3ae82.exe

Processes:
  resource: \Users\Admin\AppData\Local\Temp\budha.exe  yara_rule: upx
  resource: C:\Users\Admin\AppData\Local\Temp\budha.exe  yara_rule: upx
  resource: behavioral1/memory/3064-60-0x0000000000400000-0x0000000000410000-memory.dmp  yara_rule: upx
  resource: behavioral1/memory/2332-62-0x0000000000400000-0x0000000000410000-memory.dmp  yara_rule: upx
  resource: C:\Users\Admin\AppData\Local\Temp\budha.exe  yara_rule: upx
  resource: behavioral1/memory/2332-67-0x0000000000400000-0x0000000000410000-memory.dmp  yara_rule: upx

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  easyMalicious29df40b3ae82.exe
  description: PID 3064 wrote to memory of 2332  pid: 3064  process: easyMalicious29df40b3ae82.exe  target process: budha.exe
  description: PID 3064 wrote to memory of 2332  pid: 3064  process: easyMalicious29df40b3ae82.exe  target process: budha.exe
  description: PID 3064 wrote to memory of 2332  pid: 3064  process: easyMalicious29df40b3ae82.exe  target process: budha.exe
  description: PID 3064 wrote to memory of 2332  pid: 3064  process: easyMalicious29df40b3ae82.exe  target process: budha.exe
Processes
C:\Users\Admin\AppData\Local\Temp\easyMalicious29df40b3ae82.exe
  "C:\Users\Admin\AppData\Local\Temp\easyMalicious29df40b3ae82.exe"
  PID: 3064
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\budha.exe
    "C:\Users\Admin\AppData\Local\Temp\budha.exe"
    PID: 2332
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 976KB
MD5: 754464834068129cd5e3cff3534d3f3b
SHA1: 53d523f90d16dae8b5919c0ee20f891a68c97c2c
SHA256: c753cfed7c2a6fa32e7962a0d3009266b1476d7b6450f30711c77e81803abb76
SHA512: b7fb2cbd8e017bf21e6ca9670027600779de25b77bacae98dc8d338c26f1d69a0bfcfa941dd661aa67ca0367ccd00f48ce794ad051b4284a19679b0b2bc6d599