Managed XDR

ami.exe — malware analysis report

File info

Filename: ami.exe
File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
File size: 241.4 KB
First seen:
Last seen:

Environment

w10/x64 en

Hashes

SHA1: 1f8673fd148f91c2e924842f47b3c4e810b48c95
SHA256: da14b13ce9d069dad8fbccd6ddf290d1ad512b8701ec2df2a9302eaea8419405
MD5: 38772996f98f1ab1817a0abf2479762e

Signatures

Execution

T1059 nsis_suspicious_filenames: Nsis contains files with suspicious names

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1562 dep_disable: Disables DEP
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1027.002 nsis_suspicious_filenames: Nsis contains files with suspicious names
T1027.002 nsis_archive: One of the packages is NSIS archive

Discovery

T1057 process_interest: Enumerates processes

Other

creates_many_processes: Spawns a lot of processes (over 70)
no_graphical_activity: No graphic activity
create_rpc_bindings: Creates RPC connection
creates_suspended_process: Creates suspended process
break_limit_exceeded: Warning: function calls limit has been exceeded
creates_exe: Creates executable files in the file system
test_check_service: Starts services
checktokenmembership: Checks user token with CheckTokenMembership call
pe_overlay: PE file contains overlay
executes_dropped_exe: Executes dropped exe files