Analysis
- max time kernel: 70s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 21:16
Static task: static1
Behavioral task: behavioral1
  Sample: 61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4.exe
  Resource: win10v2004-20220414-en
General
- Target: 61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4.exe
- Size: 505KB
- MD5: e07b9e9eabe0c861ceead05b4d3c393c
- SHA1: 4552983c9df2cbb4aa31d878da3b1ab3ee428aca
- SHA256: 61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4
- SHA512: 07109101aea1b3217776e08210c7333a7b4d283cf2d434060dae593a8b82e9457a33a7ee87e817ac7ed8298eb716abbf0a01f8ad53f5a6eac2faf6bcac4d02be
Malware Config
Signatures
- Ardamax Main Executable 2 IoCs
  Processes:
    resource                            yara_rule
    C:\Windows\SysWOW64\28463\AWJH.exe  family_ardamax
    C:\Windows\SysWOW64\28463\AWJH.exe  family_ardamax
- Executes dropped EXE 1 IoCs
  Processes: AWJH.exe
    pid   process
    1912  AWJH.exe
- Checks computer location settings 2 TTPs 1 IoCs
  Looks up country code configured in the registry, likely geofence.
  Processes: 61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4.exe
    description        ioc                                                                                                   process
    Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation  61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4.exe
- Loads dropped DLL 4 IoCs
  Processes: 61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4.exe, AWJH.exe
    pid   process
    4840  61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4.exe
    1912  AWJH.exe
    1912  AWJH.exe
    1912  AWJH.exe
- Adds Run key to start application 2 TTPs 2 IoCs
  Processes: AWJH.exe
    description      ioc                                                                                                                               process
    Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run                                                       AWJH.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AWJH Agent = "C:\\Windows\\SysWOW64\\28463\\AWJH.exe"  AWJH.exe
- Checks installed software on the system 1 TTPs
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in System32 directory 6 IoCs
  Processes: 61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4.exe, AWJH.exe
    description                   ioc                                  process
    File created                  C:\Windows\SysWOW64\28463\AWJH.007   61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4.exe
    File created                  C:\Windows\SysWOW64\28463\AWJH.exe   61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4.exe
    File created                  C:\Windows\SysWOW64\28463\AKV.exe    61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4.exe
    File opened for modification  C:\Windows\SysWOW64\28463            AWJH.exe
    File created                  C:\Windows\SysWOW64\28463\AWJH.001   61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4.exe
    File created                  C:\Windows\SysWOW64\28463\AWJH.006   61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  Processes: AWJH.exe
    description                        pid   process
    Token: 33                          1912  AWJH.exe
    Token: SeIncBasePriorityPrivilege  1912  AWJH.exe
- Suspicious use of SetWindowsHookEx 5 IoCs
  Processes: AWJH.exe
    pid   process
    1912  AWJH.exe
    1912  AWJH.exe
    1912  AWJH.exe
    1912  AWJH.exe
    1912  AWJH.exe
- Suspicious use of WriteProcessMemory 3 IoCs
  Processes: 61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4.exe
    description                      pid   process                                                                target process
    PID 4840 wrote to memory of 1912  4840  61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4.exe  AWJH.exe
    PID 4840 wrote to memory of 1912  4840  61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4.exe  AWJH.exe
    PID 4840 wrote to memory of 1912  4840  61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4.exe  AWJH.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4.exe"
   - Checks computer location settings
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\28463\AWJH.exe
      Command line: "C:\Windows\system32\28463\AWJH.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\@744A.tmp
  Filesize: 4KB
  MD5: cbfaf9948594946d4921a261fe5c3e40
  SHA1: e4943ed1144bb62c1048852275a843af1b4970a6
  SHA256: e257d3a598449605f269ace371b27c675466f6410efe12f4bab2ca38d24a0f4e
  SHA512: 9ee932f3de9e02245cef9d6df4d094a1bd9d4691d8ffe0d26b8983b427fa9a71fc14c3e56f5e1894c57a5734d1c42593ce5137f19c3d607afc2a3fcf7db5672d
- C:\Windows\SysWOW64\28463\AKV.exe
  Filesize: 416KB
  MD5: e0d6dcf917123c3b01804904afe14654
  SHA1: 559eec79c61aa1a9cbbb95ca509bad9f9fad226a
  SHA256: afd6d7abbe378994509913652c26b97711818dcde1bc620ca37210abed502653
  SHA512: c36907bf0ea2df54785fe94123996ce2c0ddaf1d27d624a25337850ca7f71d61831728e5dd25168c103e893d0f8a481700808f27b5cd3461c6431b6928820e90
- C:\Windows\SysWOW64\28463\AWJH.001
  Filesize: 504B
  MD5: 013438f3f5e6d442068aa7351f966b34
  SHA1: 56e3b3cdb54c728c2f26cf1e6e138f3d5947a9bc
  SHA256: 93806b9e64ba253039e1d6021c5a98188ab2ccb060dd0b336e1c08491fc2840b
  SHA512: 7b4e60cf0b1dbdf9fed5928c5d9d44551f96f4a4401e6fd0595048ed5bd4556b22dc0cc3913d989bcbfc08c9ee0905c83b93cf8f66634a43e6109ac55d9e5d58
- C:\Windows\SysWOW64\28463\AWJH.006
  Filesize: 8KB
  MD5: 315504430c5af82495fb4d568e3b4d68
  SHA1: 828f9aafc692ad9e14bb6c21e2375074a2d2f70a
  SHA256: ae2ffedba57333a174c82ea96eb3138b87cda18c9a4d725576a49d1f0257a3a8
  SHA512: 3c4f5db37c5c69a323e5ca79d66dd064be51e66239fbd33d09d918ba509d1aa3d81ac2af8db06f36ea4ece8ce8e4b34da25e9abeff03256078e15e35f1136c94
- C:\Windows\SysWOW64\28463\AWJH.006
  Filesize: 8KB
  MD5: 315504430c5af82495fb4d568e3b4d68
  SHA1: 828f9aafc692ad9e14bb6c21e2375074a2d2f70a
  SHA256: ae2ffedba57333a174c82ea96eb3138b87cda18c9a4d725576a49d1f0257a3a8
  SHA512: 3c4f5db37c5c69a323e5ca79d66dd064be51e66239fbd33d09d918ba509d1aa3d81ac2af8db06f36ea4ece8ce8e4b34da25e9abeff03256078e15e35f1136c94
- C:\Windows\SysWOW64\28463\AWJH.007
  Filesize: 5KB
  MD5: b6d72867826e2f2b65a429f47c7c9064
  SHA1: 2408cf4a32bfb17d0512e09d0371922069fc2eb2
  SHA256: 7680db19d355a0df6b28a75f01acda61084af247ebc73b4816668ff22c0c3017
  SHA512: 6bdfe3c06d1ea86f3f1167e5e71e78f951386ac54b9067da88811bc36e3cfe28b55647c81b7e80e770fae5a32fc48e384c4f112f8c6ae99211345830345b7234
- C:\Windows\SysWOW64\28463\AWJH.007
  Filesize: 5KB
  MD5: b6d72867826e2f2b65a429f47c7c9064
  SHA1: 2408cf4a32bfb17d0512e09d0371922069fc2eb2
  SHA256: 7680db19d355a0df6b28a75f01acda61084af247ebc73b4816668ff22c0c3017
  SHA512: 6bdfe3c06d1ea86f3f1167e5e71e78f951386ac54b9067da88811bc36e3cfe28b55647c81b7e80e770fae5a32fc48e384c4f112f8c6ae99211345830345b7234
- C:\Windows\SysWOW64\28463\AWJH.007
  Filesize: 5KB
  MD5: b6d72867826e2f2b65a429f47c7c9064
  SHA1: 2408cf4a32bfb17d0512e09d0371922069fc2eb2
  SHA256: 7680db19d355a0df6b28a75f01acda61084af247ebc73b4816668ff22c0c3017
  SHA512: 6bdfe3c06d1ea86f3f1167e5e71e78f951386ac54b9067da88811bc36e3cfe28b55647c81b7e80e770fae5a32fc48e384c4f112f8c6ae99211345830345b7234
- C:\Windows\SysWOW64\28463\AWJH.exe
  Filesize: 540KB
  MD5: dcf2ea033e19787b8d51f68906db222c
  SHA1: cba5862bc65604ad41084ad1acee16748145bb44
  SHA256: c551d2d7f4b20f04b48821c086fa75842f364e4910f5022e7179451913fadce3
  SHA512: ab1e95de35d0ee841f8e204ec9b480cd9cabaa811139bbf770086f81add257c67d12e0c0ae12a47efd1c3ca6dc93ea26a1b17ad64283d84cb08901d44942c2be
- C:\Windows\SysWOW64\28463\AWJH.exe
  Filesize: 540KB
  MD5: dcf2ea033e19787b8d51f68906db222c
  SHA1: cba5862bc65604ad41084ad1acee16748145bb44
  SHA256: c551d2d7f4b20f04b48821c086fa75842f364e4910f5022e7179451913fadce3
  SHA512: ab1e95de35d0ee841f8e204ec9b480cd9cabaa811139bbf770086f81add257c67d12e0c0ae12a47efd1c3ca6dc93ea26a1b17ad64283d84cb08901d44942c2be
- memory/1912-131-0x0000000000000000-mapping.dmp