Analysis Overview
SHA256
79b49c1b60646599b5a8cec19c5e6445ae6adc1055ff371b6c98d6a903018f7f
Threat Level: Known bad
The file NEAS.e281e8637defc7b17c2946e460b81460.exe was found to be: Known bad.
Malicious Activity Summary
Ammyy Admin
AmmyyAdmin payload
Ammyyadmin family
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-25 21:59
Signatures
AmmyyAdmin payload
Ammyyadmin family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-25 21:59
Reported
2023-10-25 22:01
Platform
win7-20231023-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
Ammyy Admin
AmmyyAdmin payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\budha.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.e281e8637defc7b17c2946e460b81460.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2864 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.e281e8637defc7b17c2946e460b81460.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.e281e8637defc7b17c2946e460b81460.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e281e8637defc7b17c2946e460b81460.exe"
C:\Users\Admin\AppData\Local\Temp\budha.exe
"C:\Users\Admin\AppData\Local\Temp\budha.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | maitikio.com | udp |
| IE | 52.213.114.86:443 | maitikio.com | tcp |
| US | 8.8.8.8:53 | cry-havok.org | udp |
Files
memory/2864-0-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2864-1-0x0000000001DD0000-0x0000000001DD1000-memory.dmp
memory/2864-3-0x0000000002740000-0x0000000002B40000-memory.dmp
\Users\Admin\AppData\Local\Temp\budha.exe
| MD5 | aebf5c30243485e217f70b578bdbb718 |
| SHA1 | e3e175a2f93b23cae28393a56a45b80575e6fefd |
| SHA256 | 8a7b3c8ee6c095ebec8244a6393f11b847df79fb7b88100ea3a946007a8a307e |
| SHA512 | da03ea11502beb6b32c64ab9a138038160f286700bdb4830f5342a0b73866f65bf6ee7649815821e5267b432e903883c5cd73a51e46ff4eaf5a5fe732571fcbb |
memory/2864-7-0x0000000002E50000-0x0000000002E5A000-memory.dmp
memory/2864-10-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2784-11-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2784-13-0x0000000001EC0000-0x0000000001EC1000-memory.dmp
memory/2784-14-0x00000000027B0000-0x0000000002BB0000-memory.dmp
memory/2784-15-0x0000000000400000-0x000000000040A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-25 21:59
Reported
2023-10-25 22:09
Platform
win10v2004-20231023-en
Max time kernel
1s
Max time network
7s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.e281e8637defc7b17c2946e460b81460.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e281e8637defc7b17c2946e460b81460.exe"
Network
Files
memory/1516-0-0x0000000000400000-0x000000000040A000-memory.dmp