Overview

overview

10

Static

static

3

156067e558...8f.exe

windows7-x64

10

156067e558...8f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    164s
  • max time network
    186s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-12-2023 10:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    156067e5583afafc607ea837402fb88f.exe

  • Size

    875KB

  • MD5

    156067e5583afafc607ea837402fb88f

  • SHA1

    0bea670e69354934028a424ff3824367e2369b31

  • SHA256

    cfe4a6f34c8d3a9fe0005d0816bf1624b2f465346a58afc16194e47c45a00e14

  • SHA512

    1a35525f45112bd6910e56df852e640c5c8c4bd9be177cd54bc6329b25af8e34a882c671a49ce8d9dede49ce61782c12e24a0fcde9f29f82e72d7c5f0d5973c0

  • SSDEEP

    12288:PJkXzV5eHqyxZNXdCTSmHE3TKIsZePdh0RaqZGTV26xGku+tj7ZueWUpfMa:hyDelZNITHm+I/3qZGTU4Gku+tfZ2+Ea

Score
10/10
ardamaxdiscoverykeyloggerpersistencestealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\156067e5583afafc607ea837402fb88f.exe
    "C:\Users\Admin\AppData\Local\Temp\156067e5583afafc607ea837402fb88f.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:372
    • C:\Windows\SysWOW64\28463\GHFI.exe
      "C:\Windows\system32\28463\GHFI.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4380
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\P4uLo Trainer 3.0.rar"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:3588

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\@172.tmp
    Filesize

    4KB

    MD5

    67ce8b2ea53b0aa6ec6213a2b62b9d95

    SHA1

    e4ac32be20e72d1c12d0ba6919d5fd209a85d009

    SHA256

    2daed63cd25eb939ae46c5a1caf7fe07bde609a859720884b51d324ff45fc4f6

    SHA512

    760bef7efb0750d860909f2c92ef2190d7a63b8d07d83ba17997a2cd5c92f509f6c645d86bfbf22c3baff8ebabbf14856f8f4998b9d7132db19785190071c29e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\P4uLo Trainer 3.0.rar
    Filesize

    342KB

    MD5

    9383a2b1321cbb56dc1ce34244f512ae

    SHA1

    9da1f0af76010f9f83112b82d18a201b32f44760

    SHA256

    ba62967e4a57e8d1f28e28b5b0302ebca5bbd1f78d72c7c5ac2ded36e7d8d462

    SHA512

    85f0173dbb9e8656556585a7c2ee2e96c1d92946865abd695fa5f167ab0282786e84efded02902aaea35ab5f50df8ebee55f7c77c0abf40d299162e12b76690d

    Download Submit

  • C:\Windows\SysWOW64\28463\AKV.exe
    Filesize

    393KB

    MD5

    1533823edeb16a2f6130b0eac0a74b1a

    SHA1

    c00306974e0acda509d547d8947abbd19e848827

    SHA256

    e330dedede24e626c90b2894697df4d81228d583203b80775de310dd315f6a9a

    SHA512

    2d72b0b822de528943348881aa2f0855ef4d306df52f343ebbd8d8b8845da4a79a01efd88c1abf7645e4a72c4069d6d5d4c4d85f1dcd580ac61a9e2657303a87

    Download Submit

  • C:\Windows\SysWOW64\28463\GHFI.001
    Filesize

    486B

    MD5

    3533588d0433e957fdc31080fe814416

    SHA1

    19522ef0f7f93d1494d9f1919ae7568c0500ef3a

    SHA256

    0c766b7c5e708aebdca2e669c398dc6cf89de7e99d13ed39cb8f939824100438

    SHA512

    c4983cf92d437922992f8c2c843111db6d2df61f23c9893e1c0cba0540a82af7d900c51b39cfff2f932bc18b753dc3acf97b937d3289c8bc2e3df6e51d236cdb

    Download Submit

  • C:\Windows\SysWOW64\28463\GHFI.006
    Filesize

    7KB

    MD5

    9bb764979044a263709a095f707fbf7f

    SHA1

    6a6ff5611d93c860401b165ff85957fbb340f14c

    SHA256

    6f55fcdfbdba9aef5252dfbb9a0f1ac9c83dac472659223ae5a7840484e2d95b

    SHA512

    a764c11ce03910f372ab7a19f251dbfcd369ad59a7e19b8f1a5825ef44f263d0c693f6bb69332bcb545ea397fc10497cbe4a83402a60971a07bdeb01ce19c057

    Download Submit

  • C:\Windows\SysWOW64\28463\GHFI.007
    Filesize

    5KB

    MD5

    c14f089be45a2669a608c0cb4b5ed402

    SHA1

    6c3168f0af173afbc295848ad1bdb480c510097c

    SHA256

    dfd377848164271d02259d4481e7978a12392f71f7bcadaecae247d962127d08

    SHA512

    3c3bc020b74bd76eaa7b5fe577371fef420a62afa9512ef6a0d148b902fe98f8372358ab0f1213e389ad44d52a631ed117a6921be51d66734059cbfdef33ead9

    Download Submit

  • C:\Windows\SysWOW64\28463\GHFI.exe
    Filesize

    472KB

    MD5

    a10c0ee1f0006cd3f58809ee8a6ab81f

    SHA1

    c4dcb5bffaaea97f7c6d850905a03c001a452d9a

    SHA256

    9ae3fe10cb437ef5f98a8731c63cd21a3a0791d231428bd264422acd4b57268f

    SHA512

    ece264bd37989f52bef0446f378b9c7f2d9f8b6af52cf9ba9234540b2a51b3b0faaa7f3e99ee854371a91650105660deeb0748a82d29733b5f69de15ba8a4157

    Download Submit

  • memory/4380-23-0x0000000000910000-0x0000000000911000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4380-30-0x0000000000910000-0x0000000000911000-memory.dmp

    Filesize

    4KB

    Download