Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-01-2024 15:57

General

  • Target: 60493e4baeaf8131d56d7525ffff4e52.exe
  • Size: 625KB
  • MD5: 60493e4baeaf8131d56d7525ffff4e52
  • SHA1: 9b8789cf32e7ca89b3d9ae7795a720aeda66b141
  • SHA256: 7bf0f392e1f5a8793eda00b5175adb26f762e30824d1a4c52390693142f5f9cd
  • SHA512: 101f68d730f31bbdf682c25ef1c3c10f42b0e32e43410bb5cb612abb1b1fbe76aae0db9742e01d9684cb9100ffbdc0e2d458646f29fdc85c539a8b16645d308f
  • SSDEEP: 12288:xrQeD68waYK3G0ySNYv3m9IlQZdOIihbS9PpovLWXiGVYig9sxZV7mrXu+P:m0YKJy/O9IyEdYovCVVLgmHVw5P

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\60493e4baeaf8131d56d7525ffff4e52.exe
    "C:\Users\Admin\AppData\Local\Temp\60493e4baeaf8131d56d7525ffff4e52.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2540
    • C:\Windows\SysWOW64\Sys32\BQXP.exe
      "C:\Windows\system32\Sys32\BQXP.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2656
    • C:\Users\Admin\AppData\Local\Temp\auto logg on.exe
      "C:\Users\Admin\AppData\Local\Temp\auto logg on.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      PID:2712

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\Sys32\BQXP.001
    Filesize: 414B
    MD5: 01e7a23e106468c1552141d071c0d48b
    SHA1: f44fa04be73a50c7291ae75d0bcbeb60f43248e2
    SHA256: 20d517bddb6fc2c92f702d5b96e6a906fc8d22d72ead84a7fc2b47e1c894f24f
    SHA512: 1e1bbceef10938f31a70f907ac46ad487d4db6812fe3a8857cc1e0ba8e9fadc9e22084188b09839c0aee0096d9cf39f0a2c52191fda3238482eefb27a2a0e882

  • C:\Windows\SysWOW64\Sys32\BQXP.006
    Filesize: 7KB
    MD5: a08026db7b86f2ba69f6317a4a66778b
    SHA1: 6afe5979a1ef3ee8b94b6ef4a6bf8a70d641bf62
    SHA256: 90c1300aaa05d24a32f9d01824c611742a10c2bb3e0450504b62282ab658e2f5
    SHA512: 059d6abdb37800f7673d116a0e9a4d2f3e8e7d955a402ef91ca97cf24f3c29121dc36c54599511ac0e04cd2b1467e30fb7b2563e42e2fe43e71560816902207e

  • C:\Windows\SysWOW64\Sys32\BQXP.007
    Filesize: 5KB
    MD5: 49e240cd2e8fe880e177e208aaf8feea
    SHA1: 54e9ee5a7523148542113ee654f00ea13d3ca3d7
    SHA256: f1b86ba7a2c3aa753966cc67bc5efb4e4badb670b6a0e56ffcfdcbbc379108fc
    SHA512: e92efd1d0ab3249d6c93b32af0885e22726421055bff36dcf64d307ef2f8aaf2dd06c221342bd5e2a1fadb5d61ac284cd39750cdf1134fd530ba9ff1744d965f

  • \Users\Admin\AppData\Local\Temp\@424E.tmp
    Filesize: 4KB
    MD5: 2bbb6ffc878515a79478917c5af03a9c
    SHA1: 52532ea393f3a623c05b2cd72a205da41f152c29
    SHA256: 23c8cc69783ab663e036fb0d15c01b3863ff898d5534fa1d02f16c291863f3a5
    SHA512: be8846674af43f20501e6fe59fbd369d7393e79970ab1a4fc7c516c491939f575c5e07a1cd284287e8663d1ca2f4e6663839a79f798a7453ecd30bb0fbdcc464

  • \Users\Admin\AppData\Local\Temp\auto logg on.exe
    Filesize: 521KB
    MD5: 1a662c851cf2e9390e3e87d8ec3c549e
    SHA1: 7828d5f4d109d92ef5c6368dd918bdce64bb3fab
    SHA256: ce0a722634a28b05e6fd3e15f87bedcd6d6e7e107b0fd5e4ffa7dc89bc0dd4e6
    SHA512: 1192a4c488b02e17d470781d8a92210291013c1b3ac8baa3ee51f53efd18db7049d4aa46860aa33ca37eaf45df8e98a2aeae76e6c720de9898a8e22fdee75618

  • \Windows\SysWOW64\Sys32\BQXP.exe
    Filesize: 477KB
    MD5: db4d88b22f173a37c34477abeea6a789
    SHA1: 11c42d2d445c01a408ad947d48927fe2b370aa8c
    SHA256: 251cd62057ee822ad0139fddadd88945ef0951af715eea17ac5faa4b25e17a55
    SHA512: 67501ecf3b474536c3ae0cf68d49672b108b3b509a229f2a8bd4126e2f67228c93e2bbb78379de7dac3bbff6f7495d1d1aeffebb3fa5f8c7a0e29eaac4bce23e

  • memory/2656-21-0x0000000000250000-0x0000000000251000-memory.dmp
    Filesize: 4KB

  • memory/2656-37-0x0000000000250000-0x0000000000251000-memory.dmp
    Filesize: 4KB

  • memory/2712-36-0x0000000077BDF000-0x0000000077BE0000-memory.dmp
    Filesize: 4KB