ammyyadmin | af5450d6ec23249783f1119c8716059194be2e40f4574f697dab72eac0223092

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-02-2024 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aaff17eadc614fef4f065d69d4a5950a.exe
Size

941KB
MD5

aaff17eadc614fef4f065d69d4a5950a
SHA1

cf8df38958d6ec0bca31b41d244170274f4ae17c
SHA256

af5450d6ec23249783f1119c8716059194be2e40f4574f697dab72eac0223092
SHA512

305f6562e71547faf3e9a4a30c685698757654808e54d9432c615cb60b5562c2db780bf46dcae574ad0f877712853d09263f0503d79e10534c2ce768e7db788f
SSDEEP

24576:4MjPJ5g9KVGrdNikfu2hBfK8ilRty5olGJsx3:dJ5gEKNikf3hBfUiWx3

Score

10^/10

ammyyadmin rat

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\budha.exe	family_ammyyadmin
C:\Users\Admin\AppData\Local\Temp\budha.exe	family_ammyyadmin
C:\Users\Admin\AppData\Local\Temp\budha.exe	family_ammyyadmin

Executes dropped EXE 1 IoCs

Processes:

budha.exe

pid process

2068 budha.exe
Loads dropped DLL 1 IoCs

Processes:

aaff17eadc614fef4f065d69d4a5950a.exe

pid process

1704 aaff17eadc614fef4f065d69d4a5950a.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2068	budha.exe

pid	process
1704	aaff17eadc614fef4f065d69d4a5950a.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

aaff17eadc614fef4f065d69d4a5950a.exe

description	pid	process	target process
PID 1704 wrote to memory of 2068	1704	aaff17eadc614fef4f065d69d4a5950a.exe	budha.exe
PID 1704 wrote to memory of 2068	1704	aaff17eadc614fef4f065d69d4a5950a.exe	budha.exe
PID 1704 wrote to memory of 2068	1704	aaff17eadc614fef4f065d69d4a5950a.exe	budha.exe
PID 1704 wrote to memory of 2068	1704	aaff17eadc614fef4f065d69d4a5950a.exe	budha.exe

C:\Users\Admin\AppData\Local\Temp\aaff17eadc614fef4f065d69d4a5950a.exe
"C:\Users\Admin\AppData\Local\Temp\aaff17eadc614fef4f065d69d4a5950a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Local\Temp\budha.exe
"C:\Users\Admin\AppData\Local\Temp\budha.exe"
2⤵
- Executes dropped EXE
PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
941KB

MD5
3f9ebea0044f54ad94d1b95dfa5e84b3

SHA1
53fc789ba33a4dd6a28731321c881181475f7efb

SHA256
1f7c063da4a40403848b18a6729b561be5e76dc222d8363b47121dc2b5b08aff

SHA512
fb9bfcea0583f9b8073290e8b66b4cf5dd41bf8681c1728ae773cfef84c607c4bfcaaccba619f440412535168b05f8144f9ec03c5166b65f2a58b71c7f9e06b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
128KB

MD5
1b585c2ab8992c34cfdec2e49a730bad

SHA1
1c2163c926d2ab42a08f842d2d922d70fb430723

SHA256
f7cd473e13a394d8b55f83f3a2f87d55b9e53244f7aab75083ef7660da7c3cf8

SHA512
df8809e97505324f133fb5f825b6c26cf2c5543e56fc12b8bbe61ec393853de92c16d5929d9490a9e95d18f5b27a59744e029453a4e6c760bd2c5ca25b004743

Download Submit
\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
576KB

MD5
2d296c9bb27c2ca3af3ef324c57c886b

SHA1
5778e3dbe4769f843e1c6271bf2eaac49d32c8d3

SHA256
f5b714ba4017c440f9999e1f2bb540ecfc890672cac632337a89920366fd9a17

SHA512
b36e955de1fd292549a147d51c67a67e74f337f26b6c6ddd774d20722e1eefd05dddea9c9533d159d705715f07dcd449f6d61209536110ad5d7356068d5457c7

Download Submit
memory/1704-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1704-1-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1704-3-0x00000000027E0000-0x0000000002BE0000-memory.dmp

Filesize
4.0MB

Download
memory/1704-8-0x0000000002D40000-0x0000000002D4A000-memory.dmp

Filesize
40KB

Download
memory/1704-10-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2068-11-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2068-13-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

Filesize
4KB

Download
memory/2068-14-0x00000000027C0000-0x0000000002BC0000-memory.dmp

Filesize
4.0MB

Download
memory/2068-16-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download