Analysis

max time kernel: 143s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-01-2024 15:57

Static task: static1
Behavioral task: behavioral1
Sample: 60493e4baeaf8131d56d7525ffff4e52.exe
Resource: win7-20231215-en
General

Target: 60493e4baeaf8131d56d7525ffff4e52.exe
Size: 625KB
MD5: 60493e4baeaf8131d56d7525ffff4e52
SHA1: 9b8789cf32e7ca89b3d9ae7795a720aeda66b141
SHA256: 7bf0f392e1f5a8793eda00b5175adb26f762e30824d1a4c52390693142f5f9cd
SHA512: 101f68d730f31bbdf682c25ef1c3c10f42b0e32e43410bb5cb612abb1b1fbe76aae0db9742e01d9684cb9100ffbdc0e2d458646f29fdc85c539a8b16645d308f
SSDEEP: 12288:xrQeD68waYK3G0ySNYv3m9IlQZdOIihbS9PpovLWXiGVYig9sxZV7mrXu+P:m0YKJy/O9IyEdYovCVVLgmHVw5P
Malware Config
Signatures
Ardamax main executable (1 IoC)
Processes:
  resource | yara_rule
  C:\Windows\SysWOW64\Sys32\BQXP.exe | family_ardamax

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 60493e4baeaf8131d56d7525ffff4e52.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | 60493e4baeaf8131d56d7525ffff4e52.exe

Executes dropped EXE (2 IoCs)
Processes: BQXP.exe, auto logg on.exe
  pid | process
  2976 | BQXP.exe
  4144 | auto logg on.exe

Loads dropped DLL (7 IoCs)
Processes: 60493e4baeaf8131d56d7525ffff4e52.exe, BQXP.exe, auto logg on.exe
  pid | process
  1712 | 60493e4baeaf8131d56d7525ffff4e52.exe
  2976 | BQXP.exe
  4144 | auto logg on.exe
  2976 | BQXP.exe
  2976 | BQXP.exe
  4144 | auto logg on.exe
  4144 | auto logg on.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in System32 directory (6 IoCs)
Processes: 60493e4baeaf8131d56d7525ffff4e52.exe, auto logg on.exe, BQXP.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\Sys32\BQXP.001 | 60493e4baeaf8131d56d7525ffff4e52.exe
  File created | C:\Windows\SysWOW64\Sys32\BQXP.006 | 60493e4baeaf8131d56d7525ffff4e52.exe
  File created | C:\Windows\SysWOW64\Sys32\BQXP.007 | 60493e4baeaf8131d56d7525ffff4e52.exe
  File created | C:\Windows\SysWOW64\Sys32\BQXP.exe | 60493e4baeaf8131d56d7525ffff4e52.exe
  File opened for modification | C:\Windows\SysWOW64\Sys32\config.ini | auto logg on.exe
  File opened for modification | C:\Windows\SysWOW64\Sys32 | BQXP.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: BQXP.exe
  description | pid | process
  Token: 33 | 2976 | BQXP.exe
  Token: SeIncBasePriorityPrivilege | 2976 | BQXP.exe

Suspicious use of SetWindowsHookEx (5 IoCs)
Processes: BQXP.exe
  pid | process
  2976 | BQXP.exe
  2976 | BQXP.exe
  2976 | BQXP.exe
  2976 | BQXP.exe
  2976 | BQXP.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 60493e4baeaf8131d56d7525ffff4e52.exe
  description | pid | process | target process
  PID 1712 wrote to memory of 2976 | 1712 | 60493e4baeaf8131d56d7525ffff4e52.exe | BQXP.exe
  PID 1712 wrote to memory of 2976 | 1712 | 60493e4baeaf8131d56d7525ffff4e52.exe | BQXP.exe
  PID 1712 wrote to memory of 2976 | 1712 | 60493e4baeaf8131d56d7525ffff4e52.exe | BQXP.exe
  PID 1712 wrote to memory of 4144 | 1712 | 60493e4baeaf8131d56d7525ffff4e52.exe | auto logg on.exe
  PID 1712 wrote to memory of 4144 | 1712 | 60493e4baeaf8131d56d7525ffff4e52.exe | auto logg on.exe
  PID 1712 wrote to memory of 4144 | 1712 | 60493e4baeaf8131d56d7525ffff4e52.exe | auto logg on.exe
Processes

C:\Users\Admin\AppData\Local\Temp\60493e4baeaf8131d56d7525ffff4e52.exe (PID 1712, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\60493e4baeaf8131d56d7525ffff4e52.exe"
  - Checks computer location settings
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\Sys32\BQXP.exe (PID 2976, depth 2, child of PID 1712)
    Command line: "C:\Windows\system32\Sys32\BQXP.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Local\Temp\auto logg on.exe (PID 4144, depth 2, child of PID 1712)
    Command line: "C:\Users\Admin\AppData\Local\Temp\auto logg on.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
Network
MITRE ATT&CK Enterprise v15
Downloads