Analysis Overview
SHA256
21bee7d02188387833f3ad000ee9a7117a1f0bd6f305f826fe1146a6724d06dd
Threat Level: Known bad
The file ee7dd8bbd4defb282eae880577fc6200N.exe was found to be: Known bad.
Malicious Activity Summary
Ammyyadmin family
Ammyy Admin
AmmyyAdmin payload
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
UPX packed file
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-01 23:58
Signatures
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Ammyyadmin family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-01 23:58
Reported
2024-09-02 00:00
Platform
win7-20240705-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Ammyy Admin
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\budha.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ee7dd8bbd4defb282eae880577fc6200N.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ee7dd8bbd4defb282eae880577fc6200N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\budha.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2548 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\ee7dd8bbd4defb282eae880577fc6200N.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
| PID 2548 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\ee7dd8bbd4defb282eae880577fc6200N.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
| PID 2548 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\ee7dd8bbd4defb282eae880577fc6200N.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
| PID 2548 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\ee7dd8bbd4defb282eae880577fc6200N.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ee7dd8bbd4defb282eae880577fc6200N.exe
"C:\Users\Admin\AppData\Local\Temp\ee7dd8bbd4defb282eae880577fc6200N.exe"
C:\Users\Admin\AppData\Local\Temp\budha.exe
"C:\Users\Admin\AppData\Local\Temp\budha.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | maitikio.com | udp |
| US | 8.8.8.8:53 | cry-havok.org | udp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
Files
memory/2548-0-0x0000000000400000-0x000000000040F000-memory.dmp
memory/2548-1-0x0000000001F20000-0x0000000001F21000-memory.dmp
memory/2548-3-0x00000000033E0000-0x00000000037E0000-memory.dmp
\Users\Admin\AppData\Local\Temp\budha.exe
| MD5 | 1a982376d6d2b46cc4a6c28f39784b61 |
| SHA1 | ecbe2948b051d54365d30b7d2d0b94c4538b3323 |
| SHA256 | 0ac3b06df9eca2702237562ba6605ddf76368a7401cadca42e48e297475ce010 |
| SHA512 | b2303b7c70c46d8b094b7b0991a1380066152c429d513fdaa02ed9551ed1caafdd1929083705caf305bce46941bc588a781890c0c4c776f14b35b992b6cb4116 |
memory/2548-7-0x0000000001C30000-0x0000000001C3F000-memory.dmp
memory/2548-11-0x0000000000400000-0x000000000040F000-memory.dmp
memory/2408-12-0x0000000000400000-0x000000000040F000-memory.dmp
memory/2408-13-0x0000000001F70000-0x0000000001F71000-memory.dmp
memory/2408-15-0x0000000003430000-0x0000000003830000-memory.dmp
memory/2408-16-0x0000000000400000-0x000000000040F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabD931.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarD963.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-01 23:58
Reported
2024-09-02 00:00
Platform
win10v2004-20240802-en
Max time kernel
120s
Max time network
119s
Command Line
Signatures
Ammyy Admin
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ee7dd8bbd4defb282eae880577fc6200N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\budha.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ee7dd8bbd4defb282eae880577fc6200N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\budha.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4600 wrote to memory of 5084 | N/A | C:\Users\Admin\AppData\Local\Temp\ee7dd8bbd4defb282eae880577fc6200N.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
| PID 4600 wrote to memory of 5084 | N/A | C:\Users\Admin\AppData\Local\Temp\ee7dd8bbd4defb282eae880577fc6200N.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
| PID 4600 wrote to memory of 5084 | N/A | C:\Users\Admin\AppData\Local\Temp\ee7dd8bbd4defb282eae880577fc6200N.exe | C:\Users\Admin\AppData\Local\Temp\budha.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ee7dd8bbd4defb282eae880577fc6200N.exe
"C:\Users\Admin\AppData\Local\Temp\ee7dd8bbd4defb282eae880577fc6200N.exe"
C:\Users\Admin\AppData\Local\Temp\budha.exe
"C:\Users\Admin\AppData\Local\Temp\budha.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | maitikio.com | udp |
| US | 8.8.8.8:53 | cry-havok.org | udp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.148.197.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 8.8.8.8:53 | 24.249.124.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | maitikio.com | udp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 8.8.8.8:53 | maitikio.com | udp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 8.8.8.8:53 | maitikio.com | udp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 8.8.8.8:53 | maitikio.com | udp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 8.8.8.8:53 | maitikio.com | udp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 8.8.8.8:53 | maitikio.com | udp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 8.8.8.8:53 | maitikio.com | udp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 8.8.8.8:53 | maitikio.com | udp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 15.197.148.33:443 | cry-havok.org | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 15.197.148.33:443 | N/A | tcp |
Files
memory/4600-0-0x0000000000400000-0x000000000040F000-memory.dmp
memory/4600-1-0x0000000000550000-0x0000000000551000-memory.dmp
memory/4600-3-0x00000000026D0000-0x0000000002AD0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\budha.exe
| MD5 | 1a982376d6d2b46cc4a6c28f39784b61 |
| SHA1 | ecbe2948b051d54365d30b7d2d0b94c4538b3323 |
| SHA256 | 0ac3b06df9eca2702237562ba6605ddf76368a7401cadca42e48e297475ce010 |
| SHA512 | b2303b7c70c46d8b094b7b0991a1380066152c429d513fdaa02ed9551ed1caafdd1929083705caf305bce46941bc588a781890c0c4c776f14b35b992b6cb4116 |
memory/4600-11-0x0000000000400000-0x000000000040F000-memory.dmp
memory/5084-13-0x00000000025C0000-0x00000000029C0000-memory.dmp
memory/5084-12-0x0000000000790000-0x0000000000791000-memory.dmp
memory/5084-20-0x0000000000400000-0x000000000040F000-memory.dmp