ammyyadmin | 9cc3a59e4966b7af97d6de0a7bb50596f7fff08cd21236a752d632697c714982

Analysis

max time kernel
142s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b55e18751720370b951e4d7112578350_NeikiAnalytics.exe
Size

954KB
MD5

b55e18751720370b951e4d7112578350
SHA1

5bd4a5233fcc8e5817b9dc22ae9c163d5b943acd
SHA256

9cc3a59e4966b7af97d6de0a7bb50596f7fff08cd21236a752d632697c714982
SHA512

26acf813a09b059740b4e8a8178bb7748f38592623e5c49cfab5e46f522411ffe35ca693159ca852b13473644d09c8332ef41d80249c3752bf4ee63dfe04cdd3
SSDEEP

24576:rMjPJ5g9KVGrdNikfu2hBfK8ilRty5olGJsx8:mJ5gEKNikf3hBfUiWx8

Score

10^/10

ammyyadmin rat upx

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\budha.exe	family_ammyyadmin

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b55e18751720370b951e4d7112578350_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	b55e18751720370b951e4d7112578350_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

Processes:

budha.exe

pid process

2128 budha.exe

pid	process
2128	budha.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2992-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\budha.exe	upx
behavioral2/memory/2128-13-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/2992-12-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/2128-16-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

b55e18751720370b951e4d7112578350_NeikiAnalytics.exe

description	pid	process	target process
PID 2992 wrote to memory of 2128	2992	b55e18751720370b951e4d7112578350_NeikiAnalytics.exe	budha.exe
PID 2992 wrote to memory of 2128	2992	b55e18751720370b951e4d7112578350_NeikiAnalytics.exe	budha.exe
PID 2992 wrote to memory of 2128	2992	b55e18751720370b951e4d7112578350_NeikiAnalytics.exe	budha.exe

C:\Users\Admin\AppData\Local\Temp\b55e18751720370b951e4d7112578350_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b55e18751720370b951e4d7112578350_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2992

C:\Users\Admin\AppData\Local\Temp\budha.exe
"C:\Users\Admin\AppData\Local\Temp\budha.exe"
2⤵
- Executes dropped EXE
PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
954KB

MD5
fc3ad52ce32f490b69d581796ae7af0a

SHA1
29a1ff655f03a8a0204c9f3e12e65c07b6e1b384

SHA256
9eb7505617c85a2c34eb41dee832dbde184618b5fb08f8f1802f03d907c353b3

SHA512
b36c81955fdef2d8a0a107ed6699a9ec4260f940e418de738ce57c7af9ffa1f12cfaa4fa3b8045ec1532c75a2b045c70cb109697184712753fa76f49ac6db9e7

Download Submit
memory/2128-13-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2128-15-0x0000000002580000-0x0000000002980000-memory.dmp

Filesize
4.0MB

Download
memory/2128-14-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/2128-16-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2992-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2992-1-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/2992-3-0x0000000002750000-0x0000000002B50000-memory.dmp

Filesize
4.0MB

Download
memory/2992-12-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download