Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

156067e558...8f.exe

windows7-x64

10

156067e558...8f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2023, 10:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    156067e5583afafc607ea837402fb88f.exe

  • Size

    875KB

  • MD5

    156067e5583afafc607ea837402fb88f

  • SHA1

    0bea670e69354934028a424ff3824367e2369b31

  • SHA256

    cfe4a6f34c8d3a9fe0005d0816bf1624b2f465346a58afc16194e47c45a00e14

  • SHA512

    1a35525f45112bd6910e56df852e640c5c8c4bd9be177cd54bc6329b25af8e34a882c671a49ce8d9dede49ce61782c12e24a0fcde9f29f82e72d7c5f0d5973c0

  • SSDEEP

    12288:PJkXzV5eHqyxZNXdCTSmHE3TKIsZePdh0RaqZGTV26xGku+tj7ZueWUpfMa:hyDelZNITHm+I/3qZGTU4Gku+tfZ2+Ea

Score
10/10
ardamaxdiscoverykeyloggerpersistencestealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax main executable 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\156067e5583afafc607ea837402fb88f.exe
    "C:\Users\Admin\AppData\Local\Temp\156067e5583afafc607ea837402fb88f.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Windows\SysWOW64\28463\GHFI.exe
      "C:\Windows\system32\28463\GHFI.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2484
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\P4uLo Trainer 3.0.rar"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2704

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\28463\GHFI.exe
    Filesize

    472KB

    MD5

    a10c0ee1f0006cd3f58809ee8a6ab81f

    SHA1

    c4dcb5bffaaea97f7c6d850905a03c001a452d9a

    SHA256

    9ae3fe10cb437ef5f98a8731c63cd21a3a0791d231428bd264422acd4b57268f

    SHA512

    ece264bd37989f52bef0446f378b9c7f2d9f8b6af52cf9ba9234540b2a51b3b0faaa7f3e99ee854371a91650105660deeb0748a82d29733b5f69de15ba8a4157

    Download Submit

  • C:\Windows\SysWOW64\28463\GHFI.exe
    Filesize

    211KB

    MD5

    74d666448dbc7f72abd4a832d1f8e1dd

    SHA1

    05033854c4893bc225fd31f597dbba74b98bb071

    SHA256

    f17328987d18ada4eadb5e37865a4697219ae89e47f0c8b9df873ffeddc633b7

    SHA512

    a3d7c3f0c42999408fd27195529c43578031ef7e6ff7e34eef1a4a3901ef5cd70f7ac66660f6f2a3c962ad82f2dc7c9e416ef21e242aff041e1fe455866dccbe

    Download Submit

  • \Users\Admin\AppData\Local\Temp\@1362.tmp
    Filesize

    4KB

    MD5

    67ce8b2ea53b0aa6ec6213a2b62b9d95

    SHA1

    e4ac32be20e72d1c12d0ba6919d5fd209a85d009

    SHA256

    2daed63cd25eb939ae46c5a1caf7fe07bde609a859720884b51d324ff45fc4f6

    SHA512

    760bef7efb0750d860909f2c92ef2190d7a63b8d07d83ba17997a2cd5c92f509f6c645d86bfbf22c3baff8ebabbf14856f8f4998b9d7132db19785190071c29e

    Download Submit

  • \Windows\SysWOW64\28463\GHFI.exe
    Filesize

    384KB

    MD5

    b04acb9f50a89f7f02af2573a8718477

    SHA1

    9638255b1aea48674280edec9cebb068df9cf6b5

    SHA256

    4326a03f8a12090a86f2a87fb2b9810f3c4c814f12bf3cca02d6526ae2342a38

    SHA512

    374a73311a35727cc599433461c1e0654d83ff35aa7c7dc2fa89b7bdfe69cdafcdf2d9da337ff49823ee25f0995b0d2ac4728af738f9778509acafb8ba2252a2

    Download Submit

  • \Windows\SysWOW64\28463\GHFI.exe
    Filesize

    290KB

    MD5

    e068785975650c0240de3ff2b519a997

    SHA1

    e1b0c58701e28db4a457c6ee7c7519ac88df59b0

    SHA256

    6b107c007646bab2ac374e4d7dab29a09e7b076462d8110e7b60600939f9c18a

    SHA512

    8a058a94200dbc621b453647dbbe9a3a31014b336e2f5d155c23f29b473caf5356966217ed6493bc27597a2f24f5768195210ebf5eecce03820949d6d0c81d32

    Download Submit

  • memory/2484-25-0x00000000001E0000-0x00000000001E1000-memory.dmp

    Filesize

    4KB

    Download