Malware Analysis Report

2024-10-16 05:12

Sample ID: 231025-1v3ensgh5v
Target: NEAS.e281e8637defc7b17c2946e460b81460.exe
SHA256: 79b49c1b60646599b5a8cec19c5e6445ae6adc1055ff371b6c98d6a903018f7f
Tags: ammyyadmin, rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 79b49c1b60646599b5a8cec19c5e6445ae6adc1055ff371b6c98d6a903018f7f
Threat Level: Known bad

The file NEAS.e281e8637defc7b17c2946e460b81460.exe was found to be: Known bad.

Malicious Activity Summary

Tags: ammyyadmin, rat

Ammyy Admin
AmmyyAdmin payload
Ammyyadmin family
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15: no technique mappings are recorded in this export.

Analysis: static1

Detonation Overview

Reported: 2023-10-25 21:59

Signatures

AmmyyAdmin payload (no description, indicator, process or target details recorded)

Ammyyadmin family: ammyyadmin

Unsigned PE (no description, indicator, process or target details recorded)
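The "Unsigned PE" signature means the file carries no embedded Authenticode signature. As an added example (not the sandbox's own check and not code from this report), the following Python reads the security data directory straight from the PE headers with the standard library only, so it runs without pefile. `build_minimal_pe` is a constructed fixture for exercising the check, not a real sample.

```python
import struct
import sys

# Index of the Attribute Certificate Table in the optional header's data directories.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def security_directory(data):
    """Return (file_offset, size) of the Attribute Certificate Table, or (0, 0) if absent.

    Unlike every other data directory, the security directory's first field is a raw
    file offset rather than an RVA, because the certificate blob lives outside any section.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    (size_of_optional_header,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        num_dirs_off, dir_base = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        num_dirs_off, dir_base = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (num_dirs,) = struct.unpack_from("<I", data, num_dirs_off)
    entry = dir_base + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    # The directory array may legitimately be short; a missing entry means "no table".
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt + size_of_optional_header:
        return 0, 0
    return struct.unpack_from("<II", data, entry)


def has_authenticode(data):
    """True if the PE carries an embedded PKCS#7 signature blob. Does not verify it."""
    offset, size = security_directory(data)
    if offset == 0 or size < 8 or offset + size > len(data):
        return False
    length, revision, cert_type = struct.unpack_from("<IHH", data, offset)
    return cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and 8 <= length <= size


def build_minimal_pe(cert_blob=b""):
    """Constructed fixture: a bare PE32 header, optionally followed by a WIN_CERTIFICATE entry."""
    opt_size = 224                        # standard PE32 optional header size
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)   # NumberOfRvaAndSizes
    headers_end = 0x40 + 4 + 20 + opt_size
    cert = b""
    if cert_blob:
        # WIN_CERTIFICATE: dwLength, wRevision (0x0200), wCertificateType (PKCS#7 SignedData)
        cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
        struct.pack_into("<II", opt, 96 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8, headers_end, len(cert))
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        blob = f.read()
    print("signed" if has_authenticode(blob) else "unsigned", security_directory(blob))
```

Two caveats matter when reading this signature: a file signed only through a catalog (.cat), which covers many Windows components, has an empty security directory and shows as unsigned here, and the presence of a PKCS#7 blob says nothing about whether the signature validates or chains to a trusted root; use Get-AuthenticodeSignature or signtool verify for that. For this sample the missing signature is consistent with the AmmyyAdmin tagging but is not evidence on its own.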

Analysis: behavioral1

Detonation Overview

Submitted: 2023-10-25 21:59
Reported: 2023-10-25 22:01
Platform: win7-20231023-en
Max time kernel: 145s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.e281e8637defc7b17c2946e460b81460.exe"

Signatures

Ammyy Admin (tags: rat, ammyyadmin)

AmmyyAdmin payload: 3 hits, no description, indicator, process or target details recorded

Executes dropped EXE
Process: C:\Users\Admin\AppData\Local\Temp\budha.exe

Loads dropped DLL
Process: C:\Users\Admin\AppData\Local\Temp\NEAS.e281e8637defc7b17c2946e460b81460.exe

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.e281e8637defc7b17c2946e460b81460.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.e281e8637defc7b17c2946e460b81460.exe"

C:\Users\Admin\AppData\Local\Temp\budha.exe

"C:\Users\Admin\AppData\Local\Temp\budha.exe"

Network

Country  Destination         Domain         Proto
US       8.8.8.8:53          maitikio.com   udp
IE       52.213.114.86:443   maitikio.com   tcp
IE       52.213.114.86:443   maitikio.com   tcp
US       8.8.8.8:53          cry-havok.org  udp
IE       52.213.114.86:443   maitikio.com   tcp
IE       52.213.114.86:443   maitikio.com   tcp
IE       52.213.114.86:443   maitikio.com   tcp
IE       52.213.114.86:443   maitikio.com   tcp
IE       52.213.114.86:443   maitikio.com   tcp

In total: one DNS lookup each for maitikio.com and cry-havok.org, both via 8.8.8.8, and seven TCP connections to 52.213.114.86:443, which the sandbox associates with maitikio.com. No connection is attributed to cry-havok.org, and the report does not record what was exchanged over the TCP/443 sessions.

Files

Memory dumps from pid 2864 (the submitted sample; the number after the pid is the capture order):

memory/2864-0-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2864-1-0x0000000001DD0000-0x0000000001DD1000-memory.dmp
memory/2864-3-0x0000000002740000-0x0000000002B40000-memory.dmp
memory/2864-7-0x0000000002E50000-0x0000000002E5A000-memory.dmp
memory/2864-10-0x0000000000400000-0x000000000040A000-memory.dmp

Dropped file (inferred from capture order to have been written by pid 2864: it appears between that process's captures 3 and 7, before pid 2784 starts; the original export lists it three times with identical hashes):

C:\Users\Admin\AppData\Local\Temp\budha.exe
MD5    aebf5c30243485e217f70b578bdbb718
SHA1   e3e175a2f93b23cae28393a56a45b80575e6fefd
SHA256 8a7b3c8ee6c095ebec8244a6393f11b847df79fb7b88100ea3a946007a8a307e
SHA512 da03ea11502beb6b32c64ab9a138038160f286700bdb4830f5342a0b73866f65bf6ee7649815821e5267b432e903883c5cd73a51e46ff4eaf5a5fe732571fcbb

Memory dumps from pid 2784 (budha.exe):

memory/2784-11-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2784-13-0x0000000001EC0000-0x0000000001EC1000-memory.dmp
memory/2784-14-0x00000000027B0000-0x0000000002BB0000-memory.dmp
memory/2784-15-0x0000000000400000-0x000000000040A000-memory.dmp

The SHA256 of budha.exe differs from that of the submitted sample, so the dropped file is a distinct binary rather than a byte-identical self-copy.
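As an added example (not part of the sandbox report and not the sandbox's own detection logic), the following Python turns the behavioral1 observations into a small detection pass over Sysmon-style events: a known-hash match, the "Executes dropped EXE" pattern (a binary in a drop directory launching another binary from a drop directory), and DNS/TCP hits on the listed indicators. The hashes, domains, IP and pids are the ones in this report; the event shape, the drop-directory list, and the attribution of the DNS and TCP events to pid 2784 are assumptions, since the report does not say which process generated the traffic.

```python
import re

# Indicators copied from the behavioral1 run above.
IOC_DOMAINS = {"maitikio.com", "cry-havok.org"}
IOC_IPS = {"52.213.114.86"}
IOC_SHA256 = {
    "79b49c1b60646599b5a8cec19c5e6445ae6adc1055ff371b6c98d6a903018f7f",  # submitted sample
    "8a7b3c8ee6c095ebec8244a6393f11b847df79fb7b88100ea3a946007a8a307e",  # dropped budha.exe
}
# Assumed list of directories a dropper typically writes its second stage to; extend as needed.
DROP_DIRS = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|\\ProgramData\\", re.IGNORECASE)

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\NEAS.e281e8637defc7b17c2946e460b81460.exe"
DROPPED = TEMP + r"\budha.exe"

# Constructed events in a Sysmon-like shape. The parent/child link and pids follow the report;
# assigning the DNS and TCP events to pid 2784 is an assumption. The last two events are
# benign noise that must not fire.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 2864, "image": SAMPLE, "parent_image": r"C:\Windows\explorer.exe",
     "sha256": "79b49c1b60646599b5a8cec19c5e6445ae6adc1055ff371b6c98d6a903018f7f"},
    {"type": "process_create", "pid": 2784, "image": DROPPED, "parent_image": SAMPLE,
     "sha256": "8a7b3c8ee6c095ebec8244a6393f11b847df79fb7b88100ea3a946007a8a307e"},
    {"type": "dns_query", "pid": 2784, "query": "maitikio.com"},
    {"type": "network_connect", "pid": 2784, "dst_ip": "52.213.114.86", "dst_port": 443},
    {"type": "dns_query", "pid": 2784, "query": "cry-havok.org."},
    {"type": "network_connect", "pid": 2784, "dst_ip": "52.213.114.86", "dst_port": 443},
    {"type": "process_create", "pid": 4120, "image": r"C:\Program Files\Git\bin\git.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "sha256": "0" * 64},
    {"type": "dns_query", "pid": 4120, "query": "github.com"},
]


def _finding(rule, pid, images, detail):
    return {"rule": rule, "pid": pid, "image": images.get(pid, "<unknown>"), "detail": detail}


def evaluate(events):
    """Walk events in order and return a list of findings, each tagged with the rule that fired."""
    findings = []
    images = {}  # pid -> image path, so network findings name the responsible process
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            images[ev["pid"]] = ev["image"]
            if ev.get("sha256", "").lower() in IOC_SHA256:
                findings.append(_finding("known_hash", ev["pid"], images, ev["image"]))
            # "Executes dropped EXE": both parent and child live in a drop directory.
            if DROP_DIRS.search(ev["image"]) and DROP_DIRS.search(ev.get("parent_image", "")):
                findings.append(_finding("temp_spawns_temp", ev["pid"], images,
                                         ev["parent_image"] + " -> " + ev["image"]))
        elif kind == "dns_query":
            name = ev["query"].lower().rstrip(".")  # normalise trailing dot and case
            if name in IOC_DOMAINS:
                findings.append(_finding("ioc_dns", ev["pid"], images, name))
        elif kind == "network_connect":
            if ev["dst_ip"] in IOC_IPS:
                findings.append(_finding("ioc_connect", ev["pid"], images,
                                         "%s:%d" % (ev["dst_ip"], ev["dst_port"])))
    return findings


def summarize(findings):
    """Count findings per rule; a cheap first triage view."""
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for f in hits:
        print("%-17s pid=%-5d %s  (%s)" % (f["rule"], f["pid"], f["detail"], f["image"]))
    print(summarize(hits))
```

The hash and indicator rules are brittle by nature (a rebuilt payload or a new C2 domain evades them); the temp_spawns_temp rule is the one that generalises to other droppers, at the cost of noise from installers that legitimately stage helpers in %TEMP%, so scope it with an allow-list before deploying it.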

Analysis: behavioral2

Detonation Overview

Submitted: 2023-10-25 21:59
Reported: 2023-10-25 22:09
Platform: win10v2004-20231023-en
Max time kernel: 1s
Max time network: 7s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.e281e8637defc7b17c2946e460b81460.exe"

Signatures

None triggered. With only about 1 s of kernel time and 7 s of network time, no child process, dropped file or network activity was recorded on this platform, so the sample did not show the drop-and-execute behaviour seen in behavioral1; the report does not say why.

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.e281e8637defc7b17c2946e460b81460.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.e281e8637defc7b17c2946e460b81460.exe"

Network

No network activity recorded.

Files

memory/1516-0-0x0000000000400000-0x000000000040A000-memory.dmp