ardamax | 332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed

Analysis

max time kernel
125s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2022, 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
Size

1.2MB
MD5

204926666ec65390e328d3a7b95bad10
SHA1

20e4e90bd387ea5b98d219273d4afdeaadbd1c32
SHA256

332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed
SHA512

6e8bb61cc542ea3ca15075cc3aabfbc159ac11858b25c6ac7d1c3867535a9aa7c1e598c1de413db8b7849197c3084be62d4e80be2b2c8182d1b03ab5197b6e43
SSDEEP

24576:DTdKA6iyj5X/guvXHRtb4jp8MtHirbgW8CpbUjMZTCRthbpzN964M4:DTQHiWNzReN8MtH5CpbrTethbt645

Score

10^/10

ardamax neshta discovery keylogger persistence spyware stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 2 IoCs

resource	yara_rule
behavioral2/files/0x0001000000022e02-138.dat	family_ardamax
behavioral2/files/0x0001000000022e02-140.dat	family_ardamax

Detect Neshta payload 25 IoCs

resource	yara_rule
behavioral2/files/0x0004000000022dc4-136.dat	family_neshta
behavioral2/files/0x0004000000022dc4-137.dat	family_neshta
behavioral2/files/0x0004000000009f75-146.dat	family_neshta
behavioral2/files/0x000500000001f3c7-147.dat	family_neshta
behavioral2/files/0x000700000001f068-148.dat	family_neshta
behavioral2/files/0x000500000001f2c3-149.dat	family_neshta
behavioral2/files/0x000100000002135a-150.dat	family_neshta
behavioral2/files/0x00010000000167a8-151.dat	family_neshta
behavioral2/files/0x000100000001ddb9-152.dat	family_neshta
behavioral2/files/0x000100000001dd7a-153.dat	family_neshta
behavioral2/files/0x000100000001dd7a-154.dat	family_neshta
behavioral2/files/0x0001000000022b4e-157.dat	family_neshta
behavioral2/files/0x0001000000022b4a-156.dat	family_neshta
behavioral2/files/0x0001000000016911-155.dat	family_neshta
behavioral2/files/0x001000000001e5aa-158.dat	family_neshta
behavioral2/files/0x000300000001e71c-159.dat	family_neshta
behavioral2/files/0x0002000000000719-160.dat	family_neshta
behavioral2/files/0x000300000001e9a7-166.dat	family_neshta
behavioral2/files/0x001000000001e5aa-167.dat	family_neshta
behavioral2/files/0x000900000001e910-164.dat	family_neshta
behavioral2/files/0x000300000001e901-163.dat	family_neshta
behavioral2/files/0x000300000001e956-162.dat	family_neshta
behavioral2/files/0x001b00000001e0f4-165.dat	family_neshta
behavioral2/files/0x0002000000021409-161.dat	family_neshta
behavioral2/files/0x0004000000022dc4-169.dat	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 4 IoCs

pid	Process
4712	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
4704	svchost.com
3980	DDF.exe
2732	svchost.com

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	DDF.exe

Loads dropped DLL 1 IoCs

pid	Process
3980	DDF.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	DDF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDF Start = "C:\\Windows\\SysWOW64\\CMRNDR\\DDF.exe"	DDF.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\CMRNDR\DDF.001	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
File created	C:\Windows\SysWOW64\CMRNDR\DDF.002	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
File created	C:\Windows\SysWOW64\CMRNDR\AKV.exe	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
File created	C:\Windows\SysWOW64\CMRNDR\DDF.exe	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
File opened for modification	C:\Windows\SysWOW64\CMRNDR\	DDF.exe
File created	C:\Windows\SysWOW64\CMRNDR\DDF.004	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~4.EXE	svchost.com
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~3.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	svchost.com
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MI391D~1.EXE	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~3.EXE	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MIA062~1.EXE	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MI391D~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MI9C33~1.EXE	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~2.EXE	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	DDF.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	3980	DDF.exe
Token: SeIncBasePriorityPrivilege	3980	DDF.exe
Token: SeIncBasePriorityPrivilege	3980	DDF.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3980	DDF.exe
3980	DDF.exe
3980	DDF.exe
3980	DDF.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 4712	2548	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe	85
PID 2548 wrote to memory of 4712	2548	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe	85
PID 2548 wrote to memory of 4712	2548	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe	85
PID 4712 wrote to memory of 4704	4712	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe	86
PID 4712 wrote to memory of 4704	4712	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe	86
PID 4712 wrote to memory of 4704	4712	332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe	86
PID 4704 wrote to memory of 3980	4704	svchost.com	87
PID 4704 wrote to memory of 3980	4704	svchost.com	87
PID 4704 wrote to memory of 3980	4704	svchost.com	87
PID 3980 wrote to memory of 2732	3980	DDF.exe	96
PID 3980 wrote to memory of 2732	3980	DDF.exe	96
PID 3980 wrote to memory of 2732	3980	DDF.exe	96
PID 2732 wrote to memory of 3592	2732	svchost.com	98
PID 2732 wrote to memory of 3592	2732	svchost.com	98
PID 2732 wrote to memory of 3592	2732	svchost.com	98

C:\Users\Admin\AppData\Local\Temp\332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
"C:\Users\Admin\AppData\Local\Temp\332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\3582-490\332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4712
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\system32\CMRNDR\DDF.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:4704
  - - C:\Windows\SysWOW64\CMRNDR\DDF.exe
      C:\Windows\system32\CMRNDR\DDF.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3980
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\CMRNDR\DDF.exe > nul
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2732
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\CMRNDR\DDF.exe > nul
        6⤵
        
        PID:3592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE

Filesize
368KB

MD5
a344438de9e499ca3d9038688440f406

SHA1
c961917349de7e9d269f6f4a5593b6b9d3fcd4d2

SHA256
715f6420c423ae4068b25a703d5575f7c147b26e388f0fff1ae20c6abe821557

SHA512
8bf3c621725fddafa6326b057fee9beee95966e43c5fbab40ebaa4a1a64d17acca97a19d0ece10c3574e13e194ff191316871d1d46d4d74ffc0ac3efb403bca9

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

Filesize
127KB

MD5
02c064bea2cf9da44904c9a1ecb61c48

SHA1
75b874030dc2300f6663ba70e3bb5b4475e4b89c

SHA256
3ed504ee3804fdd067bf02599ae9d41ef0f795f9f6f5ae1038e25578d0230f0a

SHA512
fb8aa2bba96efa28fd56ccf5bb0d2505c13d4b98740ad3f5c1b8b0ea131ebd4f9e9822d259e9c96ec595c5843f908f12b51880a8d4c366721591e89c830a5ce8

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE

Filesize
318KB

MD5
f7ae513c4b49b132eaaca8c6439f6fd9

SHA1
5d895f3ea091a13bfd4621383c354a195b5d9582

SHA256
28383114ddb138b10a7658bd4b0709fd6e496335cef5d5da827f2687077e5add

SHA512
6c2fff3aeb43cb30a0248e361eed013a4f44e02a6bf2e17f34159e7ad00fa265b9f30038697a82ede6261a23a478b9e6c4f6c84e54576eb188c4756667ff2598

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe

Filesize
664KB

MD5
522c12509a9fde92565e673f2f47a0b9

SHA1
3cb06efb8b369eb72c55a83f2e89732a924a96f8

SHA256
5cbea72c5565c342e07edfc8902eeea7cfb450362f2ce0cb7b1b184dbf72ef64

SHA512
b112b9d568cf9c14cd289b1dc9dc173d800b0b70c63221cbcc326f6727d56027dcc7355599a0bc9a4c6d9abb39281456cc5a138f625147efef9819ebee9fea35

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~2.EXE

Filesize
328KB

MD5
326e71e4d53af74356aa91a7eeb0a828

SHA1
04f7d565d9c98715aec62d485453415330f20db5

SHA256
177018bcdd23f7566b1927581e9510b68418d58f84cc06e56e67395ed989447f

SHA512
39bab63a0e2caad9778bec8bf6ea6134c8e588f7ba2f4a9ec99280cf817dd39a8a7ef492418e285b7615ff7b383394d20a5d804c64268add53f85007bde4f8f7

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13167~1.21\MICROS~1.EXE

Filesize
1.6MB

MD5
cbe210556a176a21cd6f7ce351462632

SHA1
0bdbf8fdab28d0fa72f58b4a46d9756ca266fa7a

SHA256
42e0248413b112dab3658c1e1d4caf85cb4956c72e05d7351b9a864bf4ace0a3

SHA512
63713c89da5509b75a42957bdd467971190de1f53f666c0be127751f451e59798e65cd6dcb3fb9805b9e55b51a8f3ac0ef43dd5f0f32582d1d2393359e77cdc0

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\Install\{18F12~1\MicrosoftEdgeUpdateSetup_X86_1.3.167.21.exe

Filesize
1.6MB

MD5
cbe210556a176a21cd6f7ce351462632

SHA1
0bdbf8fdab28d0fa72f58b4a46d9756ca266fa7a

SHA256
42e0248413b112dab3658c1e1d4caf85cb4956c72e05d7351b9a864bf4ace0a3

SHA512
63713c89da5509b75a42957bdd467971190de1f53f666c0be127751f451e59798e65cd6dcb3fb9805b9e55b51a8f3ac0ef43dd5f0f32582d1d2393359e77cdc0

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe

Filesize
290KB

MD5
df815caf3c78a6c7e1518cc6882b01bf

SHA1
6c3cad126a72a4710bfc859c9efe2c8eebbb56f6

SHA256
5625af665b7bbafeb056558d4efd469f9a46a2e8c9709ce78bc8706cf551db91

SHA512
e35348fea48f8d4c7954ad4a5e4e22ab0846979334de4b81759ef1aa92b6ae20751b6a3d079a0d33361df16d3bd8fe4bc7503825a0d8f597abbb4ad8ba8274c7

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE

Filesize
138KB

MD5
5e08d87c074f0f8e3a8e8c76c5bf92ee

SHA1
f52a554a5029fb4749842b2213d4196c95d48561

SHA256
5d548c2cc25d542f2061ed9c8e38bd5ca72bddb37dd17654346cae8a19645714

SHA512
dd98d6fa7d943604914b2e3b27e1f21a95f1fe1feb942dd6956e864da658f4fbd9d1d0cf775e79ceaae6a025aafd4e633763389c37034134bd5245969bec383e

Download Submit
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE

Filesize
279KB

MD5
f2056a3543ba9b6b6dde4346614b7f82

SHA1
139129616c3a9025a5cb16f9ad69018246bd9e2d

SHA256
2bab7d64d5327ca21ffd13df88b30431d0b8c0dd6cad8f4bb4db33eeb2b37d1e

SHA512
e11d1c65e046a0a6817cec4d17df1b7f5849fdb5b95527fdef78f0c433294fd2186037116a581ec3a66b07f1ab75cd8e60e408005cd64bc5eacc61a582da0942

Download Submit
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE

Filesize
129KB

MD5
e7d2d4bedb99f13e7be8338171e56dbf

SHA1
8dafd75ae2c13d99e5ef8c0e9362a445536c31b5

SHA256
c8ef54853df3a3b64aa4b1ecfb91615d616c7ff998589e5a3434118611ad2a24

SHA512
2017dea799cc03b02a17e3616fb6fbe8c86ab2450b1aaf147fce1e67cc472ded12befd686d395386ffdaa992145996eb421d61d3a922cea45e94ac40eef76adc

Download Submit
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE

Filesize
525KB

MD5
0d9146d70ac6a41ead1ea2d50d729508

SHA1
b9e6ff83a26aaf105640f5d5cdab213c989dc370

SHA256
0b876ddeefd88d5e98de7e409c5b6546ba8ffa195c168f9a4b6ba33b44d437ab

SHA512
c9394decfd469bfedd883095d604e11208aa290334ff5c0dce852f2ca74fba27c37ba2984dab8b27430e573681e22c9f903e53b01510a4b77d337cbd92c56cb3

Download Submit
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe

Filesize
534KB

MD5
3bf259392097b2c212b621a52da03706

SHA1
c740b063803008e3d4bab51b8e2719c1f4027bf9

SHA256
79538fa3a6cf33b989d43e7311de4d7b0e1a99b60964e3acc00fa3cb49ff8160

SHA512
186a81ec6cfa4c6dbcb2dc51cbd647bf44328077b58575fafab920303ccf259322cd31fccc0bb23418293f1b88d7f21ab3f0d8e3f9af7db4b5d3f7c8978c7934

Download Submit
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE

Filesize
6.7MB

MD5
32853955255a94fcd7587ca9cbfe2b60

SHA1
c33a88184c09e89598f0cabf68ce91c8d5791521

SHA256
64df64b39ac4391aea14eb48b0489e6a970a3ea44c02c6a8f10c278cc0636330

SHA512
8566b69668729d70567ff494de8f241329baf2a7748ab0ebf5a53308c3e53e646100af4f6fc33325f3851030d11ff045a7e85e5897008e95c991990d8f80a997

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE

Filesize
526KB

MD5
413ec51a9880e79324c712c0548674c1

SHA1
032d114c78c8df6d98186eeffd9cba24589e93bb

SHA256
80eee8d364db4b281b1643a1a52a5dd1c334b4f20c2519c5e0ba7aa9a49c2bd7

SHA512
4a1f74751793c32729ebe1e01b8b79ffe1a812e6972a21c17a688f52ea828c9d179151026597cae202b3cc46ecd0909d78b47cba5b3e2dc954832cd378657555

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE

Filesize
714KB

MD5
015caa1588f703bd73bc7cfe9386ffe4

SHA1
747bec0876a67c0242ff657d47d7c383254ea857

SHA256
e5c6463292e3013ef2eb211dad0dfa716671241affbd8bed5802a94f03950141

SHA512
1fb3b2fa422d635c71a8e7865714516b7de1c32e6286f8b975be71b17a9186fcac78852e9467b4751b4eab69cb6af30140772858a758596596d09d767d170aab

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE

Filesize
674KB

MD5
9c10a5ec52c145d340df7eafdb69c478

SHA1
57f3d99e41d123ad5f185fc21454367a7285db42

SHA256
ccf37e88447a7afdb0ba4351b8c5606dbb05b984fb133194d71bcc00d7be4e36

SHA512
2704cfd1a708bfca6db7c52467d3abf0b09313db0cdd1ea8e5d48504c8240c4bf24e677f17c5df9e3ac1f6a678e0328e73e951dc4481f35027cb03b2966dc38f

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE

Filesize
536KB

MD5
7a36ae2055dc8aa5791f86a0583197b4

SHA1
deade87912580a5386096768f569781a92dbb9d4

SHA256
64d1449187d26e3b769300335ed0fc5d31e2a2ee2264774ea9da2c396a6d8328

SHA512
e042b3338617366afa3bbcd0f589f632a63567149b78172acb16524b6c488c10649578416f992146b70506fc55f3a9a79624bb87aac21fa80658afc5b5693680

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE

Filesize
525KB

MD5
0d9146d70ac6a41ead1ea2d50d729508

SHA1
b9e6ff83a26aaf105640f5d5cdab213c989dc370

SHA256
0b876ddeefd88d5e98de7e409c5b6546ba8ffa195c168f9a4b6ba33b44d437ab

SHA512
c9394decfd469bfedd883095d604e11208aa290334ff5c0dce852f2ca74fba27c37ba2984dab8b27430e573681e22c9f903e53b01510a4b77d337cbd92c56cb3

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE

Filesize
495KB

MD5
07e194ce831b1846111eb6c8b176c86e

SHA1
b9c83ec3b0949cb661878fb1a8b43a073e15baf1

SHA256
d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac

SHA512
55f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5

Download Submit
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\OneDrive.exe

Filesize
1.7MB

MD5
e25ffbddf046809226ea738583fd29f9

SHA1
ebda60d1f49cd1c2559d6c0f0a760dac7f38ce98

SHA256
91630469f3d18ebf1be43522b6dcb6547c3b67ab7a17a246e1b2122628dfcd80

SHA512
4417cba81c77c2a60e448b69dc615574ed4862fd97af014ebdf3ffbdde8a6c9bc32aca4881f59037f908a67b674d9e49b817fc1e6865e8f08e374f36baade101

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe

Filesize
1.1MB

MD5
8bcc82af5a3126d40fbf38458f208b17

SHA1
e11e3fd661bc4a2df95457e9d24e617cb4cf92aa

SHA256
5aea4501dc9f60ebac87bb28de244ba3dc519db7e6691788cc4bc38869baa22f

SHA512
8d65e9eb4a576f8d1b0c11d740a913fd8c9887bda38609554eb54777510884f1f99427bbdde1208090f0461c73e9d35996e211f15db40fd7da7e06e7c2758be6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\332a6ecf06e3a78b471a8ccff92305ee6c73a7df2b91ee4d8bedc5821b8aa7ed.exe

Filesize
1.1MB

MD5
8bcc82af5a3126d40fbf38458f208b17

SHA1
e11e3fd661bc4a2df95457e9d24e617cb4cf92aa

SHA256
5aea4501dc9f60ebac87bb28de244ba3dc519db7e6691788cc4bc38869baa22f

SHA512
8d65e9eb4a576f8d1b0c11d740a913fd8c9887bda38609554eb54777510884f1f99427bbdde1208090f0461c73e9d35996e211f15db40fd7da7e06e7c2758be6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

Filesize
8B

MD5
d4966f20292a48cd6caea3b3aecdd59e

SHA1
261d3f068a3d0105a7b7131dfa9f4c76c44bdc9f

SHA256
2a55d891bc0a58805086eb3427f9c1c4bc79947154034528926900dc20f5d0bb

SHA512
6d4fc61f3cbd918163f4dec15d9dad77616ad37e5ebc77b99b91f5b94ef52c76a9a0b07a04d45500c5a7041492ff247abf2aac75823986fbdab1e59aabd6eeb5

Download Submit
C:\Windows\SysWOW64\CMRNDR\AKV.exe

Filesize
456KB

MD5
51507d91d43683b9c4b8fafeb4d888f8

SHA1
ead2f68338da7af4720378cd46133589fc9405ba

SHA256
71b3aecefd36e4855a369019ac5871c544d39f8889d23cd455466a24cdecce6b

SHA512
a5a7ff3f8ffb72719b7e2c9dc2719c99ea32bd68994918ea027c0d7d54cfe0c80bfd34486dd8d3cdd390376bc4c8d1f7d97de4b98b7d39a3e10c3e2682c07d1c

Download Submit
C:\Windows\SysWOW64\CMRNDR\DDF.001

Filesize
61KB

MD5
383d5f5d4240d590e7dec3f7312a4ac7

SHA1
f6bcade8d37afb80cf52a89b3e84683f4643fbce

SHA256
7e87f6817b17a75106d34ce9884c40ddfb381bf8f2013930916498d1df0a6422

SHA512
e652c41ec95d653940b869426bc2cbd8e5b3159110ffaab7d623e23eebe1f34ca65be6a9a9cdcd5f41aec7567469d6b4d6362d24ae92267cddb8940e1265806a

Download Submit
C:\Windows\SysWOW64\CMRNDR\DDF.001

Filesize
61KB

MD5
383d5f5d4240d590e7dec3f7312a4ac7

SHA1
f6bcade8d37afb80cf52a89b3e84683f4643fbce

SHA256
7e87f6817b17a75106d34ce9884c40ddfb381bf8f2013930916498d1df0a6422

SHA512
e652c41ec95d653940b869426bc2cbd8e5b3159110ffaab7d623e23eebe1f34ca65be6a9a9cdcd5f41aec7567469d6b4d6362d24ae92267cddb8940e1265806a

Download Submit
C:\Windows\SysWOW64\CMRNDR\DDF.002

Filesize
43KB

MD5
93df156c4bd9d7341f4c4a4847616a69

SHA1
c7663b32c3c8e247bc16b51aff87b45484652dc1

SHA256
e55b6eabf0f99b90bd4cf3777c25813bded7b6fc5c9955188c8aa5224d299c3e

SHA512
ed2e98c5fd1f0d49e5bac8baa515d489c89f8d42772ae05e4b7a32da8f06d511adad27867034ca0865beae9f78223e95c7d0f826154fc663f2fab9bd61e36e35

Download Submit
C:\Windows\SysWOW64\CMRNDR\DDF.004

Filesize
1KB

MD5
bab99d6ac91116d1d23a6e2de9cdb0d9

SHA1
2d30dcf884336dcc3ce78ff67430b3385f60d694

SHA256
e50fdaac37687e9b9045ea817af52985410e6ecb77511ee8a77c6afc0ec12260

SHA512
31f2ce13ed3f80066bcb438f820673e0e06934c3a2a3083a6c4c3acd746842d70c8d920f9f010c5794d8d42eef46764056709074f83fb5a8488ac6eb27dcf117

Download Submit
C:\Windows\SysWOW64\CMRNDR\DDF.exe

Filesize
1.7MB

MD5
3cd29c0df98a7aeb69a9692843ca3edb

SHA1
7c86aea093f1979d18901bd1b89a2b02a60ac3e2

SHA256
5a37cd66508fa3fc85ae547de3498e709bd45167cb57f5e9b271dc3a1cb71a32

SHA512
e78f3206b1878e8db1766d4038a375bbebcbcdb8d1b0a0cb9b0dc72c54881392b9c27e2864ad9118702da58f203f13e0ad5d230980ad1ef2370391a2c4acffc9

Download Submit
C:\Windows\SysWOW64\CMRNDR\DDF.exe

Filesize
1.7MB

MD5
3cd29c0df98a7aeb69a9692843ca3edb

SHA1
7c86aea093f1979d18901bd1b89a2b02a60ac3e2

SHA256
5a37cd66508fa3fc85ae547de3498e709bd45167cb57f5e9b271dc3a1cb71a32

SHA512
e78f3206b1878e8db1766d4038a375bbebcbcdb8d1b0a0cb9b0dc72c54881392b9c27e2864ad9118702da58f203f13e0ad5d230980ad1ef2370391a2c4acffc9

Download Submit
C:\Windows\directx.sys

Filesize
36B

MD5
91d63f63ee6855fe1381b104023a6dd1

SHA1
87d61ab202bcca85c949bf0c5efa9674f12743dc

SHA256
6de3425a071014682288600df11a0a0647e5f009b718d81d90cfbdaa2d20b68c

SHA512
34b26d10c05a8c04f5f22b8b0ee1fb1a557e4c1d137aca0248150f8feb5afc4f27dda1714f8ff54db1509464bdb3f8bb5ecc2291ceeb7d3ebe98d35616492ef6

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
15d8ab38054a766318c235ee74ac10e8

SHA1
836c007d0760f9ba204f73553518004c2d7a6746

SHA256
0a856419b518368cb9945d8bfb2b05fb2763db8a9bca7f5280ca1a487855a4ec

SHA512
b00b269f2f6d020d7ecf422859965691e37083e6f80701c3021f6edb3c2c76ad0261dbf4f2b3877cf9b0604f93430e77bbd7499ad4813bda72462253e3176397

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
15d8ab38054a766318c235ee74ac10e8

SHA1
836c007d0760f9ba204f73553518004c2d7a6746

SHA256
0a856419b518368cb9945d8bfb2b05fb2763db8a9bca7f5280ca1a487855a4ec

SHA512
b00b269f2f6d020d7ecf422859965691e37083e6f80701c3021f6edb3c2c76ad0261dbf4f2b3877cf9b0604f93430e77bbd7499ad4813bda72462253e3176397

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
15d8ab38054a766318c235ee74ac10e8

SHA1
836c007d0760f9ba204f73553518004c2d7a6746

SHA256
0a856419b518368cb9945d8bfb2b05fb2763db8a9bca7f5280ca1a487855a4ec

SHA512
b00b269f2f6d020d7ecf422859965691e37083e6f80701c3021f6edb3c2c76ad0261dbf4f2b3877cf9b0604f93430e77bbd7499ad4813bda72462253e3176397

Download Submit
C:\odt\OFFICE~1.EXE

Filesize
5.1MB

MD5
02c3d242fe142b0eabec69211b34bc55

SHA1
ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

SHA256
2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

SHA512
0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads