ammyyadmin | a1452639a095592c1622cfea09b9f48a4ebd45fd4af19924266b640d260299c4

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2024 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1452639a095592c1622cfea09b9f48a4ebd45fd4af19924266b640d260299c4.exe
Size

986KB
MD5

67c2325980703c050f18b9e4f02803fd
SHA1

a3053169ff43b192f05baad46499eed0e420c73c
SHA256

a1452639a095592c1622cfea09b9f48a4ebd45fd4af19924266b640d260299c4
SHA512

d80ecf5a36234e3f53b6f4ad7782c2a1b5baa1deab923e1787c454222aeae181d1e79bc89aa4fbad247bda569167e5d25487ea202019f41ea36e03397b9f667d
SSDEEP

24576:eMjPJ5g9KVGrdNikfu2hBfK8ilRty5olGJsxS:bJ5gEKNikf3hBfUiWxS

Score

10^/10

ammyyadmin discovery rat

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023b5a-7.dat	family_ammyyadmin

Ammyyadmin family
ammyyadmin

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	a1452639a095592c1622cfea09b9f48a4ebd45fd4af19924266b640d260299c4.exe

Executes dropped EXE 1 IoCs

pid	Process
1748	budha.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1452639a095592c1622cfea09b9f48a4ebd45fd4af19924266b640d260299c4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	budha.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3536 wrote to memory of 1748	3536	a1452639a095592c1622cfea09b9f48a4ebd45fd4af19924266b640d260299c4.exe	87
PID 3536 wrote to memory of 1748	3536	a1452639a095592c1622cfea09b9f48a4ebd45fd4af19924266b640d260299c4.exe	87
PID 3536 wrote to memory of 1748	3536	a1452639a095592c1622cfea09b9f48a4ebd45fd4af19924266b640d260299c4.exe	87

C:\Users\Admin\AppData\Local\Temp\a1452639a095592c1622cfea09b9f48a4ebd45fd4af19924266b640d260299c4.exe
"C:\Users\Admin\AppData\Local\Temp\a1452639a095592c1622cfea09b9f48a4ebd45fd4af19924266b640d260299c4.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
986KB

MD5
169ca772e2cc873c240e79701f3fbc30

SHA1
cce4a210a07acd6ce38ec11fa8e06c9311d55e0b

SHA256
d2360d7c127c65109ebc27e5d05b871347ab1de18cdda1a527eaee0e43151565

SHA512
f49d0f3044f7e67461806f7cf0c85746ac69dceae7bd600ca8a462669450cd449dd00c3371b3babaf832b9e551a205b2f545887ac0e6483ee19813a96e181fe3

Download Submit
memory/1748-12-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/1748-13-0x0000000002570000-0x0000000002970000-memory.dmp

Filesize
4.0MB

Download
memory/3536-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3536-1-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/3536-3-0x00000000026B0000-0x0000000002AB0000-memory.dmp

Filesize
4.0MB

Download
memory/3536-11-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download