ammyyadmin | f562ae4ac6fb307a2e3d0e8ab5af0ac38c3ed238e792550df6d09e0071b8ec55

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
15-05-2024 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d260bab3f77e21df19a76ff9d9795d50_NeikiAnalytics.exe
Size

956KB
MD5

d260bab3f77e21df19a76ff9d9795d50
SHA1

f22e0cbc2d344fbd19b12d02320881e53d9e251f
SHA256

f562ae4ac6fb307a2e3d0e8ab5af0ac38c3ed238e792550df6d09e0071b8ec55
SHA512

287b533ceae2a2c4a3f3a4a1e537dce9c0137789faa057f822d43b05304704f2d798c9b6df05cb3308c815228a86670273354c9d5c07941c3902946fd66972ff
SSDEEP

24576:4MjPJ5g9KVGrdNikfu2hBfK8ilRty5olGJsxE:dJ5gEKNikf3hBfUiWxE

Score

10^/10

ammyyadmin rat

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001416a-5.dat	family_ammyyadmin

Executes dropped EXE 1 IoCs

pid	Process
2856	budha.exe

Loads dropped DLL 1 IoCs

pid	Process
1268	d260bab3f77e21df19a76ff9d9795d50_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 2856	1268	d260bab3f77e21df19a76ff9d9795d50_NeikiAnalytics.exe	28
PID 1268 wrote to memory of 2856	1268	d260bab3f77e21df19a76ff9d9795d50_NeikiAnalytics.exe	28
PID 1268 wrote to memory of 2856	1268	d260bab3f77e21df19a76ff9d9795d50_NeikiAnalytics.exe	28
PID 1268 wrote to memory of 2856	1268	d260bab3f77e21df19a76ff9d9795d50_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\d260bab3f77e21df19a76ff9d9795d50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d260bab3f77e21df19a76ff9d9795d50_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
957KB

MD5
52f7c7d187eaa445ba5f50ec1e2568fa

SHA1
f1e11e6d056eb8e56fc47eddee751e5176211dd6

SHA256
31e41036ee1bc8018fe9554a583f0758c3d776750d191e9596a581f67f9d11ce

SHA512
008090086f1239fdaeb2406030bfcb629293bacda76efef2e9b0611cb2db387f0e984f6deb88b5dcd6bb473ed3ec31b30881a798f9867ec17dfa5329c854e52c

Download Submit
memory/1268-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1268-1-0x0000000001DB0000-0x0000000001DB1000-memory.dmp

Filesize
4KB

Download
memory/1268-3-0x0000000002AF0000-0x0000000002EF0000-memory.dmp

Filesize
4.0MB

Download
memory/1268-10-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2856-11-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2856-14-0x0000000002B30000-0x0000000002F30000-memory.dmp

Filesize
4.0MB

Download
memory/2856-13-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/2856-15-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download