Malware Analysis Report

2024-10-16 05:10

Sample ID 240901-31kg6awfjh
Target ee7dd8bbd4defb282eae880577fc6200N.exe
SHA256 21bee7d02188387833f3ad000ee9a7117a1f0bd6f305f826fe1146a6724d06dd
Tags
ammyyadmin discovery rat upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

21bee7d02188387833f3ad000ee9a7117a1f0bd6f305f826fe1146a6724d06dd

Threat Level: Known bad

The file ee7dd8bbd4defb282eae880577fc6200N.exe was found to be: Known bad.

Malicious Activity Summary

ammyyadmin discovery rat upx

Ammyyadmin family

Ammyy Admin

AmmyyAdmin payload

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

UPX packed file

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-01 23:58

Signatures

AmmyyAdmin payload

Description Indicator Process Target
N/A N/A N/A N/A

Ammyyadmin family

ammyyadmin

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-01 23:58

Reported

2024-09-02 00:00

Platform

win7-20240705-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ee7dd8bbd4defb282eae880577fc6200N.exe"

Signatures

Ammyy Admin

rat ammyyadmin

AmmyyAdmin payload

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\budha.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ee7dd8bbd4defb282eae880577fc6200N.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ee7dd8bbd4defb282eae880577fc6200N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\budha.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ee7dd8bbd4defb282eae880577fc6200N.exe

"C:\Users\Admin\AppData\Local\Temp\ee7dd8bbd4defb282eae880577fc6200N.exe"

C:\Users\Admin\AppData\Local\Temp\budha.exe

"C:\Users\Admin\AppData\Local\Temp\budha.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 maitikio.com udp
US 8.8.8.8:53 cry-havok.org udp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp

Files

memory/2548-0-0x0000000000400000-0x000000000040F000-memory.dmp

memory/2548-1-0x0000000001F20000-0x0000000001F21000-memory.dmp

memory/2548-3-0x00000000033E0000-0x00000000037E0000-memory.dmp

\Users\Admin\AppData\Local\Temp\budha.exe

MD5 1a982376d6d2b46cc4a6c28f39784b61
SHA1 ecbe2948b051d54365d30b7d2d0b94c4538b3323
SHA256 0ac3b06df9eca2702237562ba6605ddf76368a7401cadca42e48e297475ce010
SHA512 b2303b7c70c46d8b094b7b0991a1380066152c429d513fdaa02ed9551ed1caafdd1929083705caf305bce46941bc588a781890c0c4c776f14b35b992b6cb4116

memory/2548-7-0x0000000001C30000-0x0000000001C3F000-memory.dmp

memory/2548-11-0x0000000000400000-0x000000000040F000-memory.dmp

memory/2408-12-0x0000000000400000-0x000000000040F000-memory.dmp

memory/2408-13-0x0000000001F70000-0x0000000001F71000-memory.dmp

memory/2408-15-0x0000000003430000-0x0000000003830000-memory.dmp

memory/2408-16-0x0000000000400000-0x000000000040F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabD931.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarD963.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-01 23:58

Reported

2024-09-02 00:00

Platform

win10v2004-20240802-en

Max time kernel

120s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ee7dd8bbd4defb282eae880577fc6200N.exe"

Signatures

Ammyy Admin

rat ammyyadmin

AmmyyAdmin payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ee7dd8bbd4defb282eae880577fc6200N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\budha.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ee7dd8bbd4defb282eae880577fc6200N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\budha.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ee7dd8bbd4defb282eae880577fc6200N.exe

"C:\Users\Admin\AppData\Local\Temp\ee7dd8bbd4defb282eae880577fc6200N.exe"

C:\Users\Admin\AppData\Local\Temp\budha.exe

"C:\Users\Admin\AppData\Local\Temp\budha.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 maitikio.com udp
US 8.8.8.8:53 cry-havok.org udp
US 15.197.148.33:443 cry-havok.org tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 33.148.197.15.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 8.8.8.8:53 24.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 maitikio.com udp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 8.8.8.8:53 maitikio.com udp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 8.8.8.8:53 maitikio.com udp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 8.8.8.8:53 maitikio.com udp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 15.197.148.33:443 cry-havok.org tcp
US 8.8.8.8:53 maitikio.com udp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 15.197.148.33:443 cry-havok.org tcp
US 8.8.8.8:53 maitikio.com udp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 8.8.8.8:53 maitikio.com udp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 8.8.8.8:53 maitikio.com udp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 15.197.148.33:443 cry-havok.org tcp
US 8.8.8.8:53 udp
US 15.197.148.33:443 tcp

Files

memory/4600-0-0x0000000000400000-0x000000000040F000-memory.dmp

memory/4600-1-0x0000000000550000-0x0000000000551000-memory.dmp

memory/4600-3-0x00000000026D0000-0x0000000002AD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\budha.exe

MD5 1a982376d6d2b46cc4a6c28f39784b61
SHA1 ecbe2948b051d54365d30b7d2d0b94c4538b3323
SHA256 0ac3b06df9eca2702237562ba6605ddf76368a7401cadca42e48e297475ce010
SHA512 b2303b7c70c46d8b094b7b0991a1380066152c429d513fdaa02ed9551ed1caafdd1929083705caf305bce46941bc588a781890c0c4c776f14b35b992b6cb4116

memory/4600-11-0x0000000000400000-0x000000000040F000-memory.dmp

memory/5084-13-0x00000000025C0000-0x00000000029C0000-memory.dmp

memory/5084-12-0x0000000000790000-0x0000000000791000-memory.dmp

memory/5084-20-0x0000000000400000-0x000000000040F000-memory.dmp