Overview

overview

10

Static

static

d148a26303...21.exe

windows7-x64

10

d148a26303...21.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    123s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    06/12/2022, 17:16

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    d148a26303ea4748e863accd03bfdb3b7776ae82a3a4b26e865692dcd976b121.exe

  • Size

    955KB

  • MD5

    6f6f2011786e4aae3c13bb87a9314249

  • SHA1

    b9c627354685e8dbd2ebdbddb13e940321cb702a

  • SHA256

    d148a26303ea4748e863accd03bfdb3b7776ae82a3a4b26e865692dcd976b121

  • SHA512

    9668865aa4e81b3a7911137a632fe718466be138028bb96ebcc991298fb159e81cbe1f7ed08f0bbcdac33e76721642b2bbabd250cbe8eb32c69cdbb4338c86af

  • SSDEEP

    12288:1ayIiDK8G+W3nWsM+s7LxK4QDTi5MU000fXUbAbGqMYF97J4mG65YtyChJG8anzX:Ay28Gb3/sxBQiWU00r1Yxi6+QChMXmbU

Score
10/10
ardamaxdiscoverykeyloggerpersistencestealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax main executable 5 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d148a26303ea4748e863accd03bfdb3b7776ae82a3a4b26e865692dcd976b121.exe
    "C:\Users\Admin\AppData\Local\Temp\d148a26303ea4748e863accd03bfdb3b7776ae82a3a4b26e865692dcd976b121.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1380
    • C:\Users\Admin\AppData\Local\Temp\Install.html.exe
      "C:\Users\Admin\AppData\Local\Temp\Install.html.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1188
      • C:\Windows\SysWOW64\WJBIQC\XAO.exe
        "C:\Windows\system32\WJBIQC\XAO.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:920
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\index.html
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1608
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1608 CREDAT:275457 /prefetch:2
        3⤵
        • Loads dropped DLL
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:112

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Install.html.exe
          Filesize

          875KB

          MD5

          adc6bc6bb2a66955e3566818515a1d88

          SHA1

          9278dfdd4489b9ee30532f925a33c033a8718e19

          SHA256

          8410195a650888e83dd13e8f2baf69ccb9b8ed6a0f5bff02d30e7d88cf151e87

          SHA512

          58e6122191db5501e2a9179b6cd045e3f698a647b3eb14e5c26945353a6c886bb6a27b431408ce44162858e3292e9079d3edd3a55bab883182e2fc1986fd857e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Install.html.exe
          Filesize

          875KB

          MD5

          adc6bc6bb2a66955e3566818515a1d88

          SHA1

          9278dfdd4489b9ee30532f925a33c033a8718e19

          SHA256

          8410195a650888e83dd13e8f2baf69ccb9b8ed6a0f5bff02d30e7d88cf151e87

          SHA512

          58e6122191db5501e2a9179b6cd045e3f698a647b3eb14e5c26945353a6c886bb6a27b431408ce44162858e3292e9079d3edd3a55bab883182e2fc1986fd857e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\index.html
          Filesize

          1KB

          MD5

          00bc7fb91bd05e5ae44e68e38e8fd367

          SHA1

          8929db703a0c0df29f726b70885318d135464928

          SHA256

          17e9443955c65285a7f33c14acfc35dca5e866b2d42f1445dada8f5a0638840c

          SHA512

          02fad65e3fee9b936552b459aac8545990ba8240aada0449113886e25e45528b5d6850edd1bdc0fefe0ee90b37a14b53533677475eaeb686da50319178df5818

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\QI8ZB392.txt
          Filesize

          608B

          MD5

          ceba324851ab473ef1b9c917c010df45

          SHA1

          254e3aea9455b5040f9b5bdd536619256859df3f

          SHA256

          752d85e1b2313e5283356693052a87bf9ac4bb70df2429ea099aae1a36fae809

          SHA512

          375abfcece8b6900e249b0df42a6edb41aafe0f020b4614fa4fcf99846711b5279c59aba0cfa9e52856b0dbabae5f5d4f13d2a009109a939b7ecd49f08c1a098

          Download Submit

        • C:\Windows\SysWOW64\WJBIQC\XAO.001
          Filesize

          61KB

          MD5

          31c866d8e4448c28ae63660a0521cd92

          SHA1

          0e4dcb44e3c8589688b8eacdd8cc463a920baab9

          SHA256

          dc0eaf9d62f0e40b6522d28b2e06b39ff619f9086ea7aa45fd40396a8eb61aa1

          SHA512

          1076da7f8137a90b5d3bbbbe2b24fd9774de6adbcdfd41fd55ae90c70b9eb4bbf441732689ad25e5b3048987bfb1d63ba59d5831a04c6d84cb05bbfd2d32f839

          Download Submit

        • C:\Windows\SysWOW64\WJBIQC\XAO.002
          Filesize

          43KB

          MD5

          093e599a1281e943ce1592f61d9591af

          SHA1

          6896810fe9b7efe4f5ae68bf280fec637e97adf5

          SHA256

          1ac0964d97b02204f4d4ae79cd5244342f1a1798f5846e9dd7f3448d4177a009

          SHA512

          64cb58fbf6295d15d9ee6a8a7a325e7673af7ee02e4ece8da5a95257f666566a425b348b802b78ac82e7868ba7923f85255c2c31e548618afa9706c1f88d34dc

          Download Submit

        • C:\Windows\SysWOW64\WJBIQC\XAO.004
          Filesize

          1KB

          MD5

          38f53c121414607cbbb1b366a96e21dd

          SHA1

          a2d5546db95af94c4d43448fee12cb57fd666a73

          SHA256

          8a08a396e05d29b86ad6891f6b5ac6c1f96b5260862de36292ded9ad95fcf4df

          SHA512

          0d7731f26e0add3ee9f4c3d6aa445ed61ce8a17616eb4a4c47fffb7bb1cccbd769a616cddc70f8f14921b0937f67118d3baa495f1a1817aab279d5341e7c288b

          Download Submit

        • C:\Windows\SysWOW64\WJBIQC\XAO.exe
          Filesize

          1.5MB

          MD5

          0aaffc12ef1b416b9276bdc3fdec9dff

          SHA1

          9f38d7cf6241d867da58f89db9ff26544314b938

          SHA256

          42b33dd905c5668c2518a6a7d407fb10c303cfedeaefcd7b6e4c7cc1b891c73b

          SHA512

          bbde0986b298c6172e7c8e3f938db9425f54cca097e280736e1ba289afd06a0b86f7cbc91f6d46458bc8e75069c12cda1cf808acf3b6c773b0661d081136ee7c

          Download Submit

        • C:\Windows\SysWOW64\WJBIQC\XAO.exe
          Filesize

          1.5MB

          MD5

          0aaffc12ef1b416b9276bdc3fdec9dff

          SHA1

          9f38d7cf6241d867da58f89db9ff26544314b938

          SHA256

          42b33dd905c5668c2518a6a7d407fb10c303cfedeaefcd7b6e4c7cc1b891c73b

          SHA512

          bbde0986b298c6172e7c8e3f938db9425f54cca097e280736e1ba289afd06a0b86f7cbc91f6d46458bc8e75069c12cda1cf808acf3b6c773b0661d081136ee7c

          Download Submit

        • \Users\Admin\AppData\Local\Temp\Install.html.exe
          Filesize

          875KB

          MD5

          adc6bc6bb2a66955e3566818515a1d88

          SHA1

          9278dfdd4489b9ee30532f925a33c033a8718e19

          SHA256

          8410195a650888e83dd13e8f2baf69ccb9b8ed6a0f5bff02d30e7d88cf151e87

          SHA512

          58e6122191db5501e2a9179b6cd045e3f698a647b3eb14e5c26945353a6c886bb6a27b431408ce44162858e3292e9079d3edd3a55bab883182e2fc1986fd857e

          Download Submit

        • \Users\Admin\AppData\Local\Temp\Install.html.exe
          Filesize

          875KB

          MD5

          adc6bc6bb2a66955e3566818515a1d88

          SHA1

          9278dfdd4489b9ee30532f925a33c033a8718e19

          SHA256

          8410195a650888e83dd13e8f2baf69ccb9b8ed6a0f5bff02d30e7d88cf151e87

          SHA512

          58e6122191db5501e2a9179b6cd045e3f698a647b3eb14e5c26945353a6c886bb6a27b431408ce44162858e3292e9079d3edd3a55bab883182e2fc1986fd857e

          Download Submit

        • \Users\Admin\AppData\Local\Temp\Install.html.exe
          Filesize

          875KB

          MD5

          adc6bc6bb2a66955e3566818515a1d88

          SHA1

          9278dfdd4489b9ee30532f925a33c033a8718e19

          SHA256

          8410195a650888e83dd13e8f2baf69ccb9b8ed6a0f5bff02d30e7d88cf151e87

          SHA512

          58e6122191db5501e2a9179b6cd045e3f698a647b3eb14e5c26945353a6c886bb6a27b431408ce44162858e3292e9079d3edd3a55bab883182e2fc1986fd857e

          Download Submit

        • \Windows\SysWOW64\WJBIQC\XAO.001
          Filesize

          61KB

          MD5

          31c866d8e4448c28ae63660a0521cd92

          SHA1

          0e4dcb44e3c8589688b8eacdd8cc463a920baab9

          SHA256

          dc0eaf9d62f0e40b6522d28b2e06b39ff619f9086ea7aa45fd40396a8eb61aa1

          SHA512

          1076da7f8137a90b5d3bbbbe2b24fd9774de6adbcdfd41fd55ae90c70b9eb4bbf441732689ad25e5b3048987bfb1d63ba59d5831a04c6d84cb05bbfd2d32f839

          Download Submit

        • \Windows\SysWOW64\WJBIQC\XAO.001
          Filesize

          61KB

          MD5

          31c866d8e4448c28ae63660a0521cd92

          SHA1

          0e4dcb44e3c8589688b8eacdd8cc463a920baab9

          SHA256

          dc0eaf9d62f0e40b6522d28b2e06b39ff619f9086ea7aa45fd40396a8eb61aa1

          SHA512

          1076da7f8137a90b5d3bbbbe2b24fd9774de6adbcdfd41fd55ae90c70b9eb4bbf441732689ad25e5b3048987bfb1d63ba59d5831a04c6d84cb05bbfd2d32f839

          Download Submit

        • \Windows\SysWOW64\WJBIQC\XAO.exe
          Filesize

          1.5MB

          MD5

          0aaffc12ef1b416b9276bdc3fdec9dff

          SHA1

          9f38d7cf6241d867da58f89db9ff26544314b938

          SHA256

          42b33dd905c5668c2518a6a7d407fb10c303cfedeaefcd7b6e4c7cc1b891c73b

          SHA512

          bbde0986b298c6172e7c8e3f938db9425f54cca097e280736e1ba289afd06a0b86f7cbc91f6d46458bc8e75069c12cda1cf808acf3b6c773b0661d081136ee7c

          Download Submit

        • \Windows\SysWOW64\WJBIQC\XAO.exe
          Filesize

          1.5MB

          MD5

          0aaffc12ef1b416b9276bdc3fdec9dff

          SHA1

          9f38d7cf6241d867da58f89db9ff26544314b938

          SHA256

          42b33dd905c5668c2518a6a7d407fb10c303cfedeaefcd7b6e4c7cc1b891c73b

          SHA512

          bbde0986b298c6172e7c8e3f938db9425f54cca097e280736e1ba289afd06a0b86f7cbc91f6d46458bc8e75069c12cda1cf808acf3b6c773b0661d081136ee7c

          Download Submit

        • \Windows\SysWOW64\WJBIQC\XAO.exe
          Filesize

          1.5MB

          MD5

          0aaffc12ef1b416b9276bdc3fdec9dff

          SHA1

          9f38d7cf6241d867da58f89db9ff26544314b938

          SHA256

          42b33dd905c5668c2518a6a7d407fb10c303cfedeaefcd7b6e4c7cc1b891c73b

          SHA512

          bbde0986b298c6172e7c8e3f938db9425f54cca097e280736e1ba289afd06a0b86f7cbc91f6d46458bc8e75069c12cda1cf808acf3b6c773b0661d081136ee7c

          Download Submit

        • memory/1380-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

          Filesize

          8KB

          Download