Analysis

  • max time kernel
    147s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-11-2022 17:10

General

  • Target

    56fd3689a9d2f8bda193d356d09fb7d78aebae34f08caf6427fe81eb27ebbd76.exe

  • Size

    2.0MB

  • MD5

    b87e56f89f90b540adbf18d77675e42f

  • SHA1

    e51c15ec3841338438443008a249821dad396eaa

  • SHA256

    56fd3689a9d2f8bda193d356d09fb7d78aebae34f08caf6427fe81eb27ebbd76

  • SHA512

    fdcaa4678388b00c77dd60b5b64915b29c4e8157a1b58265601f09b07963cc010c0a42d4133ad0a613475cea66acbaeaac752a75c5aa0e4cbb6e818477f2ad38

  • SSDEEP

    49152:625CA3AuHmRtvqP+k7J3N+XgAHNV89ZlG/z:/5CA3A5vqP+k19+XTtClK

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\56fd3689a9d2f8bda193d356d09fb7d78aebae34f08caf6427fe81eb27ebbd76.exe
    "C:\Users\Admin\AppData\Local\Temp\56fd3689a9d2f8bda193d356d09fb7d78aebae34f08caf6427fe81eb27ebbd76.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4984
    • C:\ProgramData\SKSXAK\OXF.exe
      "C:\ProgramData\SKSXAK\OXF.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:4848

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\ProgramData\SKSXAK\OXF.00

    Filesize

    2KB

    MD5

    0d803033eb48b7a642b5adbf723539b3

    SHA1

    d922449895d309a2e2ed4599978171eb7ccba64c

    SHA256

    845c482ca1e8b7322d786bfa3bb35d12bc05e47fe3ea7de0b106a0ca9d199818

    SHA512

    1460c847a77e720f5103261dc414d0675bbbff27eb4ec62cadaab186f94da089001edfe40f842d94fd33aae081d257fc6e276ebb2c9b4e9b370cfa1ae630752b

  • C:\ProgramData\SKSXAK\OXF.01

    Filesize

    80KB

    MD5

    29164ede25dc60648de505abcb56a8b4

    SHA1

    a86f81f32b4d990288a3b327eed24b7992fa4669

    SHA256

    d8a042a4466822afc2506456b962e905645753e80c10ac29190fd195f38780b6

    SHA512

    012246c3005c9077a011d877dfdb332a71c810904dbddd0005d1e18e21cf6ebd1e046b00459583d63b1976524bf866b9cf915e47757b4edf8e3fc4ff839317a3

  • C:\ProgramData\SKSXAK\OXF.exe

    Filesize

    2.4MB

    MD5

    53883bf3b374dbacfad4f63e1bad74a6

    SHA1

    0d9bc39013fc23d6c3067832753a700b0f9dd5b1

    SHA256

    02d9764fbcd18dcc3834e030e8beebe15d10dfb8f47fa7bf53160e5b20f7d132

    SHA512

    c9752d46280cd7d1b2ca2413666097f8d3548ac981fd767534e15520622f70a8f3e20fc2f32fcc86a2f8bad919bc0e61cc4b000a8088e8af4699fb71f584287f

  • memory/4848-133-0x0000000000000000-mapping.dmp

  • memory/4848-141-0x0000000004190000-0x00000000041A9000-memory.dmp

    Filesize

    100KB

  • memory/4848-142-0x0000000004191000-0x00000000041A0000-memory.dmp

    Filesize

    60KB

  • memory/4848-143-0x0000000004190000-0x00000000041A9000-memory.dmp

    Filesize

    100KB

  • memory/4984-132-0x0000000000DD0000-0x0000000000FE0000-memory.dmp

    Filesize

    2.1MB

  • memory/4984-136-0x0000000000DD0000-0x0000000000FE0000-memory.dmp

    Filesize

    2.1MB