Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-07-2023 16:53
Behavioral task: behavioral1
Sample: easyMalicious29df40b3ae82.exe
Resource: win7-20230703-en

Behavioral task: behavioral2
Sample: easyMalicious29df40b3ae82.exe
Resource: win10v2004-20230703-en
General
Target: easyMalicious29df40b3ae82.exe
Size: 975KB
MD5: 0b35a4c01a9f482505d6c8dc4f8a8267
SHA1: d9946541f50c33b11c119ba4f8cbfc2a2cb49146
SHA256: 7d63cac8bc83fb31807b5446b8aa210ad532b608cbf09f1dfc580008b33281b8
SHA512: f5fcf4b29b3cf9524a4795654ad0bb016caea5e9f4f05e878c6eb5c4cacae625c0d75e012022f3db1f53d12e30434e00700cebc483328a16fdeaf5127e17d90f
SSDEEP: 24576:+MjPJ5g9KVGrdNikfu2hBfK8ilRty5olGJsxy:7J5gEKNikf3hBfUiWxy
Malware Config
Signatures
Ammyy Admin
Remote admin tool with various capabilities.

AmmyyAdmin payload (3 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\budha.exe | family_ammyyadmin
C:\Users\Admin\AppData\Local\Temp\budha.exe | family_ammyyadmin
C:\Users\Admin\AppData\Local\Temp\budha.exe | family_ammyyadmin
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Processes: easyMalicious29df40b3ae82.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation | easyMalicious29df40b3ae82.exe
Executes dropped EXE (1 IoCs)
Processes: budha.exe
pid | process
3016 | budha.exe
Processes:
resource | yara_rule
behavioral2/memory/972-133-0x0000000000400000-0x0000000000410000-memory.dmp | upx
C:\Users\Admin\AppData\Local\Temp\budha.exe | upx
C:\Users\Admin\AppData\Local\Temp\budha.exe | upx
C:\Users\Admin\AppData\Local\Temp\budha.exe | upx
behavioral2/memory/972-142-0x0000000000400000-0x0000000000410000-memory.dmp | upx
behavioral2/memory/3016-146-0x0000000000400000-0x0000000000410000-memory.dmp | upx
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: easyMalicious29df40b3ae82.exe
description | pid | process | target process
PID 972 wrote to memory of 3016 | 972 | easyMalicious29df40b3ae82.exe | budha.exe
PID 972 wrote to memory of 3016 | 972 | easyMalicious29df40b3ae82.exe | budha.exe
PID 972 wrote to memory of 3016 | 972 | easyMalicious29df40b3ae82.exe | budha.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\easyMalicious29df40b3ae82.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\easyMalicious29df40b3ae82.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   PID: 972
   2. C:\Users\Admin\AppData\Local\Temp\budha.exe (child of PID 972)
      Command line: "C:\Users\Admin\AppData\Local\Temp\budha.exe"
      - Executes dropped EXE
      PID: 3016
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 976KB
MD5: 754464834068129cd5e3cff3534d3f3b
SHA1: 53d523f90d16dae8b5919c0ee20f891a68c97c2c
SHA256: c753cfed7c2a6fa32e7962a0d3009266b1476d7b6450f30711c77e81803abb76
SHA512: b7fb2cbd8e017bf21e6ca9670027600779de25b77bacae98dc8d338c26f1d69a0bfcfa941dd661aa67ca0367ccd00f48ce794ad051b4284a19679b0b2bc6d599