Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

5931d4ce44...ec.exe

windows7-x64

10

5931d4ce44...ec.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    13/01/2024, 16:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5931d4ce4474f475285ae401210118ec.exe

  • Size

    527KB

  • MD5

    5931d4ce4474f475285ae401210118ec

  • SHA1

    6fbc6a2eb5fa01b5df0328e44462c1cfab95da10

  • SHA256

    3143909b3d25371f35a28d55ae07c891a7cf22f1720b1f6ec6cc24d8329e2aed

  • SHA512

    3eee717922cd50349cf563a83ed32931a350a57f54cec371219bc51424f56567a5c1a32945f53f4469cbcee95bd792c90ee6aa81929f9784e8a2d7aea92b899c

  • SSDEEP

    12288:+LAxXLLxMeMR/zKKjCy9/p4SmMFcvjxUeq9d9eGEbGn:Zx36YKjCyPXm1vqeqr9eGEbGn

Score
10/10
ardamaxdiscoverykeyloggerpersistencestealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5931d4ce4474f475285ae401210118ec.exe
    "C:\Users\Admin\AppData\Local\Temp\5931d4ce4474f475285ae401210118ec.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Windows\SysWOW64\YHF\NFHU.exe
      "C:\Windows\system32\YHF\NFHU.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2864

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\YHF\AKV.exe
    Filesize

    416KB

    MD5

    4668b7f6816e3af3096c06f5480e5899

    SHA1

    ca2300c38cc073c2e0a9dddfbfec19cc1ccad510

    SHA256

    561bb8440fb91e21a3ce6dcc0ec2d06829003fcd1282d14283451e962bd30fac

    SHA512

    f949fdc2b4158a791a67c7c0a2ebc372668147d98331692887b4e607fd9bdd24d53a79d3934b6fc36980c5034c6d30a7c02fd95d6caa0e868bfa2e1e963ef1c4

    Download Submit

  • C:\Windows\SysWOW64\YHF\NFHU.001
    Filesize

    460B

    MD5

    57559f5612e174beb96dd019d4e817ae

    SHA1

    311347275dd6111584dd9ff62b139930a80ba3ee

    SHA256

    c827ef9d296c0d3fab9bf8b3089f7fe9bf758d187ec6da3c80d3fee42e67fb60

    SHA512

    8e958e4f4d043785f890b61b0ae874fdc5510b0ca014571cb7596e21b8be4d85b14c2e85646d02c5ce460844ed9f029bdaf3a9c8d0ae2b96db8ddc94b75dbc67

    Download Submit

  • C:\Windows\SysWOW64\YHF\NFHU.006
    Filesize

    8KB

    MD5

    8fb07f75858ce780589f73c560bed729

    SHA1

    ceb87f6a61636ea862f3042a18a09dbc89742bba

    SHA256

    dc83deabf925d71c6e8596b33290020ee76ff3fbb909ad3a4e62f6924000f42c

    SHA512

    31964cf1f0add8b98e5a13782867a636aa82a9bbcf24f2c36ca46dda1934fc0d830546c6e46c0b59903a0a29578ddd71b1a5885008f8ab837cb8987f25d9926a

    Download Submit

  • C:\Windows\SysWOW64\YHF\NFHU.007
    Filesize

    5KB

    MD5

    12f0081516d47e47c4296c960fc6beea

    SHA1

    8b3c35d39eefe8b69ec58125a8e755576c5f527d

    SHA256

    b0a9c55e49cc0aa6ebbec533e9c350adce4a78bca6bdbaa3ef5ee70a62eb53b8

    SHA512

    ea90005dd6aa0bfa6a3cb233e4aadb39335bcdaa3722d038273719fcadd7ae71678e25f1e32ef01604a9646f5eee0ae0f6e78fc14869598e27a7b6b8c256daca

    Download Submit

  • \Users\Admin\AppData\Local\Temp\@8037.tmp
    Filesize

    4KB

    MD5

    30bfd4514b7d7bf4feb29fa277a85704

    SHA1

    1de5fcd883a38190e8d3a020ef0b65ee9a8dd62d

    SHA256

    73b7e30ad8c34db793eed457f4845d360e80e08738663f7e40e0f9c217a914c7

    SHA512

    0a8dc5c73272577016830cfb6fad43906f63debee9630456336a08b88740109f2d88e9e79ee5ac14be48c715335bd731d99f9e022c09d1ee73e5b1436645b5b7

    Download Submit

  • \Windows\SysWOW64\YHF\NFHU.exe
    Filesize

    540KB

    MD5

    20b550c5d6d61aa1e1c464d366264c9e

    SHA1

    ee9e349bb73a70d0e6d5e0776dc959ea57f9d96c

    SHA256

    9bfa43a345b1446984cd3e0c20896cc188b3c2c2f21fccb85227a662f38aa1f6

    SHA512

    04f6ad21a0c90ac850c1646ca78a59709f7a9cacdaaab621f1258490df269f5d07e5d063b1d4244792f76360b797df228e476fbbd3419385ffeb7cae7748cc5e

    Download Submit

  • memory/2864-24-0x0000000000250000-0x0000000000251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2864-27-0x0000000000250000-0x0000000000251000-memory.dmp

    Filesize

    4KB

    Download