Overview

overview

10

Static

static

0fad48bdf9...c8.exe

windows7-x64

10

0fad48bdf9...c8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    386s
  • max time network
    483s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 15:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0fad48bdf98148ff3b132664a5ea90472994248c53b32e26fd13942c7dcba6c8.exe

  • Size

    2.0MB

  • MD5

    aecbf512a59d00833a625124e053da54

  • SHA1

    93dae325d30a3db903abf76a6c09a5f951191798

  • SHA256

    0fad48bdf98148ff3b132664a5ea90472994248c53b32e26fd13942c7dcba6c8

  • SHA512

    8120ffe1ba457e7a52a585e1111a4fba28f4b590caa5699f3024815e1e5edc51df1b83edab3d01bbbed587f1283bf7bcb38fcc03605f13ef6ff50e0a54d4aab3

  • SSDEEP

    24576:KOaG6qI2pVmvx0szWSvJIuEEtEQ+eEcWqhGzOOPPJJd3RMiOQ9R6GwsOlx0RtKSn:k2peSsiSJI4ThGz5hkQ9sR0vtMx

Score
10/10
ardamaxkeyloggerpersistencestealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0fad48bdf98148ff3b132664a5ea90472994248c53b32e26fd13942c7dcba6c8.exe
    "C:\Users\Admin\AppData\Local\Temp\0fad48bdf98148ff3b132664a5ea90472994248c53b32e26fd13942c7dcba6c8.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4404
    • C:\ProgramData\TADATM\CFL.exe
      "C:\ProgramData\TADATM\CFL.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetWindowsHookEx
      PID:2380

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\TADATM\CFL.00
    Filesize

    2KB

    MD5

    a30a65acad8116f3ec61bba75e38af2e

    SHA1

    29384692fa6c583ed512b85bde4635982943d017

    SHA256

    9d7153a0f29dc450e6ce8e89ea2faf05e7402ace221e560f4c480c468a53d526

    SHA512

    7eca20d11241a49369b53ff5e53c7f03ab4a2d96351fb14bb5427b4c26fc052193836753feebeaf3ede30cec65a1e3a6c0856f8229cc7c60783d2051a2dc67e2

    Download Submit
  • C:\ProgramData\TADATM\CFL.01
    Filesize

    79KB

    MD5

    7059cdba57a398f80a9afd3de0ffbd07

    SHA1

    082dcc9e258316f67ea5b963bfe1b5f954805b83

    SHA256

    c21c6ddb053617facbb2b409ce521abf27f77d87e9dc90289678e972679bff90

    SHA512

    e879f0f769c975726599feaf9ad8adc9036f8b24911c6baeab13ca1784f0b6cfd0d255f3c29293fd933820d67f4b6a1179a8c0bf2c46ac6f7e88aae593c9b0c0

    Download Submit
  • C:\ProgramData\TADATM\CFL.01
    Filesize

    79KB

    MD5

    7059cdba57a398f80a9afd3de0ffbd07

    SHA1

    082dcc9e258316f67ea5b963bfe1b5f954805b83

    SHA256

    c21c6ddb053617facbb2b409ce521abf27f77d87e9dc90289678e972679bff90

    SHA512

    e879f0f769c975726599feaf9ad8adc9036f8b24911c6baeab13ca1784f0b6cfd0d255f3c29293fd933820d67f4b6a1179a8c0bf2c46ac6f7e88aae593c9b0c0

    Download Submit
  • C:\ProgramData\TADATM\CFL.01
    Filesize

    79KB

    MD5

    7059cdba57a398f80a9afd3de0ffbd07

    SHA1

    082dcc9e258316f67ea5b963bfe1b5f954805b83

    SHA256

    c21c6ddb053617facbb2b409ce521abf27f77d87e9dc90289678e972679bff90

    SHA512

    e879f0f769c975726599feaf9ad8adc9036f8b24911c6baeab13ca1784f0b6cfd0d255f3c29293fd933820d67f4b6a1179a8c0bf2c46ac6f7e88aae593c9b0c0

    Download Submit
  • C:\ProgramData\TADATM\CFL.exe
    Filesize

    2.4MB

    MD5

    3d09e558be6c81f8e5fdde46888944d6

    SHA1

    dc5049c0644285a28321befddaad18201a48d299

    SHA256

    8accbe2830058d2ea436d7a8b7a0e3ae0831d64a716fbf8622055300596ccda7

    SHA512

    8c180a2779c7b076241c09b5ac18a27e66d7e1ada9ef7c37db2ae0cf6754a014cac33dcad202135294f408e0de165996207969448e4f2a4ff114c609a241ca03

    Download Submit
  • C:\ProgramData\TADATM\CFL.exe
    Filesize

    2.4MB

    MD5

    3d09e558be6c81f8e5fdde46888944d6

    SHA1

    dc5049c0644285a28321befddaad18201a48d299

    SHA256

    8accbe2830058d2ea436d7a8b7a0e3ae0831d64a716fbf8622055300596ccda7

    SHA512

    8c180a2779c7b076241c09b5ac18a27e66d7e1ada9ef7c37db2ae0cf6754a014cac33dcad202135294f408e0de165996207969448e4f2a4ff114c609a241ca03

    Download Submit
  • memory/2380-133-0x0000000000000000-mapping.dmp
    Download
  • memory/2380-141-0x0000000000DD0000-0x0000000000DE9000-memory.dmp
    Filesize

    100KB

    Download
  • memory/2380-142-0x0000000000DD1000-0x0000000000DE0000-memory.dmp
    Filesize

    60KB

    Download
  • memory/2380-143-0x0000000000DD0000-0x0000000000DE9000-memory.dmp
    Filesize

    100KB

    Download
  • memory/4404-132-0x0000000000D50000-0x0000000000F54000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/4404-136-0x0000000000D50000-0x0000000000F54000-memory.dmp
    Filesize

    2.0MB

    Download