ammyyadmin | af5450d6ec23249783f1119c8716059194be2e40f4574f697dab72eac0223092

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-02-2024 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aaff17eadc614fef4f065d69d4a5950a.exe
Size

941KB
MD5

aaff17eadc614fef4f065d69d4a5950a
SHA1

cf8df38958d6ec0bca31b41d244170274f4ae17c
SHA256

af5450d6ec23249783f1119c8716059194be2e40f4574f697dab72eac0223092
SHA512

305f6562e71547faf3e9a4a30c685698757654808e54d9432c615cb60b5562c2db780bf46dcae574ad0f877712853d09263f0503d79e10534c2ce768e7db788f
SSDEEP

24576:4MjPJ5g9KVGrdNikfu2hBfK8ilRty5olGJsx3:dJ5gEKNikf3hBfUiWx3

Score

10^/10

ammyyadmin rat

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\budha.exe	family_ammyyadmin

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

aaff17eadc614fef4f065d69d4a5950a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	aaff17eadc614fef4f065d69d4a5950a.exe

Executes dropped EXE 1 IoCs

Processes:

budha.exe

pid process

2640 budha.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2640	budha.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

aaff17eadc614fef4f065d69d4a5950a.exe

description	pid	process	target process
PID 3276 wrote to memory of 2640	3276	aaff17eadc614fef4f065d69d4a5950a.exe	budha.exe
PID 3276 wrote to memory of 2640	3276	aaff17eadc614fef4f065d69d4a5950a.exe	budha.exe
PID 3276 wrote to memory of 2640	3276	aaff17eadc614fef4f065d69d4a5950a.exe	budha.exe

C:\Users\Admin\AppData\Local\Temp\aaff17eadc614fef4f065d69d4a5950a.exe
"C:\Users\Admin\AppData\Local\Temp\aaff17eadc614fef4f065d69d4a5950a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3276

C:\Users\Admin\AppData\Local\Temp\budha.exe
"C:\Users\Admin\AppData\Local\Temp\budha.exe"
2⤵
- Executes dropped EXE
PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
941KB

MD5
3f9ebea0044f54ad94d1b95dfa5e84b3

SHA1
53fc789ba33a4dd6a28731321c881181475f7efb

SHA256
1f7c063da4a40403848b18a6729b561be5e76dc222d8363b47121dc2b5b08aff

SHA512
fb9bfcea0583f9b8073290e8b66b4cf5dd41bf8681c1728ae773cfef84c607c4bfcaaccba619f440412535168b05f8144f9ec03c5166b65f2a58b71c7f9e06b3

Download Submit
memory/2640-11-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2640-13-0x0000000002020000-0x0000000002021000-memory.dmp

Filesize
4KB

Download
memory/2640-14-0x0000000002570000-0x0000000002970000-memory.dmp

Filesize
4.0MB

Download
memory/2640-15-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3276-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3276-1-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/3276-3-0x00000000026C0000-0x0000000002AC0000-memory.dmp

Filesize
4.0MB

Download
memory/3276-12-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download