ammyyadmin | 2c0e3f10dabd5ac14e1bc29190e1630a7862792716da572c66dac09273ebc927

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2024 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c0e3f10dabd5ac14e1bc29190e1630a7862792716da572c66dac09273ebc927N.exe
Size

1013KB
MD5

957efd33138b0c13295ac759048a0400
SHA1

06a38b709a09fdb0e57d88eb13b6138c48a04548
SHA256

2c0e3f10dabd5ac14e1bc29190e1630a7862792716da572c66dac09273ebc927
SHA512

9926895324a5ef0995e113e915cc407888bd1156f675551549acb177d8dd93defa98f46cda1cc350d192d2ba9a45119b71241fc954e1ef95557e884de27efdc9
SSDEEP

24576:+MjPJ5g9KVGrdNikfu2hBfK8ilRty5olGJsxR:7J5gEKNikf3hBfUiWxR

Score

10^/10

ammyyadmin discovery rat upx

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023b0c-7.dat	family_ammyyadmin

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	2c0e3f10dabd5ac14e1bc29190e1630a7862792716da572c66dac09273ebc927N.exe

Executes dropped EXE 1 IoCs

pid	Process
3528	budha.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1940-0-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/files/0x000c000000023b0c-7.dat	upx
behavioral2/memory/1940-11-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/3528-22-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2c0e3f10dabd5ac14e1bc29190e1630a7862792716da572c66dac09273ebc927N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	budha.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 3528	1940	2c0e3f10dabd5ac14e1bc29190e1630a7862792716da572c66dac09273ebc927N.exe	86
PID 1940 wrote to memory of 3528	1940	2c0e3f10dabd5ac14e1bc29190e1630a7862792716da572c66dac09273ebc927N.exe	86
PID 1940 wrote to memory of 3528	1940	2c0e3f10dabd5ac14e1bc29190e1630a7862792716da572c66dac09273ebc927N.exe	86

C:\Users\Admin\AppData\Local\Temp\2c0e3f10dabd5ac14e1bc29190e1630a7862792716da572c66dac09273ebc927N.exe
"C:\Users\Admin\AppData\Local\Temp\2c0e3f10dabd5ac14e1bc29190e1630a7862792716da572c66dac09273ebc927N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
1013KB

MD5
4ce08095c7f4fe340d27610fea7a93e3

SHA1
0e8673c0dfc3bcc4512cb25bfa4a25b25f563911

SHA256
9766c506c8cf8631f197d99116772e9eb07560f53043c754209e16bad259343f

SHA512
bfafa53847e16dc34fef1ce1c4530c95fe731ec4b6530f8041c8669147624a048aba91aea2fc064750ec8b39fedc1201709faebd6b4308a8c2146a321a738c12

Download Submit
memory/1940-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1940-1-0x0000000002190000-0x0000000002191000-memory.dmp

Filesize
4KB

Download
memory/1940-3-0x00000000026D0000-0x0000000002AD0000-memory.dmp

Filesize
4.0MB

Download
memory/1940-11-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3528-13-0x0000000002580000-0x0000000002980000-memory.dmp

Filesize
4.0MB

Download
memory/3528-12-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/3528-22-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download