Overview

overview

10

Static

static

PT2.exe

windows7-x64

10

PT2.exe

windows10-2004-x64

10

ho tro.exe

windows7-x64

1

ho tro.exe

windows10-2004-x64

1

hotro.dll

windows7-x64

1

hotro.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 12:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PT2.exe

  • Size

    2.0MB

  • MD5

    3b5d02a465997d981ea5c9684cda7def

  • SHA1

    ef02b7170c64531618291491109d838762455625

  • SHA256

    99b771a89d4b9c820ce279e2a56ce9572848a42dd3076e66e1cc2494531688a5

  • SHA512

    5c6ee43049034101c6d6fe3ff9f21b5a54bddc80fe100f4dea97d26b06ee4bbb0c0cce0fe104f9e1de3d0ceef36d21fe7f0c4436ee4996c00d4c78d4d75e72cc

  • SSDEEP

    49152:CoJ9Nyhdl0L7VKYvKpATtnweNjk+fJgHFJlIcqpd:gl27jvKpATtwe7Bsick

Score
10/10
ardamaxkeyloggerpersistencestealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PT2.exe
    "C:\Users\Admin\AppData\Local\Temp\PT2.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1380
    • C:\ProgramData\VOFIOJ\UJV.exe
      "C:\ProgramData\VOFIOJ\UJV.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:344
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\PROGRA~3\VOFIOJ\UJV.exe > nul
        3⤵
          PID:1872

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\VOFIOJ\UJV.00
      Filesize

      2KB

      MD5

      e613bd44480e9951d2267e72d12d0d63

      SHA1

      9ea9d6f7992593fc95caa2d55c8f4ef4e0cf53b8

      SHA256

      9f0fcbb98a7709f9398152f894dc6c07272383b3d1becd0e1b85cb0d397b8427

      SHA512

      6980e464418e012f4b0ec2938e758c684df97b9237e7fcf971e6333742a5cf18f5198a2d5b7c99cfe4a068c5c0f3b35f46c78b24bb491e2af636dcec0f663bb0

      Download Submit
    • C:\ProgramData\VOFIOJ\UJV.01
      Filesize

      79KB

      MD5

      87b3b2ba61b2aed49ff80bbec78fc58c

      SHA1

      5316ae2e8751a256f1d51fe0cc42cdb9a9356863

      SHA256

      1950d033b108bec6bdcca39d2b61dfef4f0dc605ac2a39abea5792bff6720fe1

      SHA512

      ac575540183d6c6d16a4e04586a64cb7fe27797b120dc24a7cd856f990ce0c0b89f54eaa21efd4ca318133547a4399590c0ec5f6360d353edda9d6eeb374bdd4

      Download Submit
    • C:\ProgramData\VOFIOJ\UJV.01
      Filesize

      79KB

      MD5

      87b3b2ba61b2aed49ff80bbec78fc58c

      SHA1

      5316ae2e8751a256f1d51fe0cc42cdb9a9356863

      SHA256

      1950d033b108bec6bdcca39d2b61dfef4f0dc605ac2a39abea5792bff6720fe1

      SHA512

      ac575540183d6c6d16a4e04586a64cb7fe27797b120dc24a7cd856f990ce0c0b89f54eaa21efd4ca318133547a4399590c0ec5f6360d353edda9d6eeb374bdd4

      Download Submit
    • C:\ProgramData\VOFIOJ\UJV.01
      Filesize

      79KB

      MD5

      87b3b2ba61b2aed49ff80bbec78fc58c

      SHA1

      5316ae2e8751a256f1d51fe0cc42cdb9a9356863

      SHA256

      1950d033b108bec6bdcca39d2b61dfef4f0dc605ac2a39abea5792bff6720fe1

      SHA512

      ac575540183d6c6d16a4e04586a64cb7fe27797b120dc24a7cd856f990ce0c0b89f54eaa21efd4ca318133547a4399590c0ec5f6360d353edda9d6eeb374bdd4

      Download Submit
    • C:\ProgramData\VOFIOJ\UJV.02
      Filesize

      54KB

      MD5

      6dcc15c5e6cc541c96c2277f3ef1f7f0

      SHA1

      d4b8de412f6fca7114d4f07a5a61ee8588deaab7

      SHA256

      d9454df000e02f2bf8334c2c9db631d1a9a84a07d7a9aa9f760d0a79328188d1

      SHA512

      7451633007d8ddbbbebca7a6aa9635a6201e8144404693e9ff47294081355872a223e1c6aa769359b8d8a928d5de72a655fd4aac0c786a260b4d44acb1c36f9b

      Download Submit
    • C:\ProgramData\VOFIOJ\UJV.exe
      Filesize

      2.4MB

      MD5

      4b53869b34fc792d373f564223f62ccb

      SHA1

      10e578a46eeaae0998950c9b0a3613de1f4ee49d

      SHA256

      1835db40ad9d8329dd38fbe1c04b427ce36c13cb3ad8e6a36f45c614c64c49be

      SHA512

      68c080a40f53f7ac5795f30b760645fbeaae04b67621f86df83deeb267d8ba3dfc5d2ba993e1b27236ee6a6e6af02231a2e7d3ca10695680462289c340005172

      Download Submit
    • C:\ProgramData\VOFIOJ\UJV.exe
      Filesize

      2.4MB

      MD5

      4b53869b34fc792d373f564223f62ccb

      SHA1

      10e578a46eeaae0998950c9b0a3613de1f4ee49d

      SHA256

      1835db40ad9d8329dd38fbe1c04b427ce36c13cb3ad8e6a36f45c614c64c49be

      SHA512

      68c080a40f53f7ac5795f30b760645fbeaae04b67621f86df83deeb267d8ba3dfc5d2ba993e1b27236ee6a6e6af02231a2e7d3ca10695680462289c340005172

      Download Submit
    • memory/344-132-0x0000000000000000-mapping.dmp
      Download
    • memory/344-139-0x0000000002650000-0x0000000002669000-memory.dmp
      Filesize

      100KB

      Download
    • memory/1872-141-0x0000000000000000-mapping.dmp
      Download