Analysis
-
max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags
arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
submitted
16-01-2024 16:05
Static task
static1
Behavioral task
behavioral1
Sample
604d424543bc2eb56442f007b79c3ce4.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
604d424543bc2eb56442f007b79c3ce4.exe
Resource
win10v2004-20231215-en
General
-
Target
604d424543bc2eb56442f007b79c3ce4.exe
-
Size
1.8MB
-
MD5
604d424543bc2eb56442f007b79c3ce4
-
SHA1
ae8b2394ff498823163346968de336ecf51f76d6
-
SHA256
c6a86f2c27b1250d7dbdabeedfa5edd5e6b3baf1d66955fbe08dec8821864103
-
SHA512
2f01840ebb5094cc83e811f886438dbfcd689c526bed3727dab5525fa7c15eb77c20137e2b67212da2c7cae82e27d19f8c53d50e624cef443b9399a9a211255b
-
SSDEEP
49152:eqxKXBJASciVHSLKi6YwkKrjjFETxNPV:eUKXX5chu91r1up
Malware Config
Signatures
-
Ardamax main executable 5 IoCs (Ardamax is a commercially sold keylogger; note that the family_ardamax YARA hits below are on the dropped JVTB.exe, not on the submitted sample itself)
Processes:
resource | yara_rule
\Windows\SysWOW64\28463\JVTB.exe | family_ardamax (3 matches)
C:\Windows\SysWOW64\28463\JVTB.exe | family_ardamax (2 matches)
Executes dropped EXE 2 IoCs
Processes:
pid | process
2068 | install.exe
2704 | JVTB.exe
Loads dropped DLL 6 IoCs
Processes:
pid | process
2068 | install.exe (3 loads)
2704 | JVTB.exe (3 loads)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JVTB Agent = "C:\\Windows\\SysWOW64\\28463\\JVTB.exe" | JVTB.exe
Drops file in System32 directory 5 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\28463\JVTB.001 | install.exe
File created | C:\Windows\SysWOW64\28463\JVTB.006 | install.exe
File created | C:\Windows\SysWOW64\28463\JVTB.007 | install.exe
File created | C:\Windows\SysWOW64\28463\JVTB.exe | install.exe
File created | C:\Windows\SysWOW64\28463\AKV.exe | install.exe
Drops file in Windows directory 3 IoCs
Processes:
description | ioc | process
File created | C:\Windows\madruga.jpg | 604d424543bc2eb56442f007b79c3ce4.exe
File opened for modification | C:\Windows\madruga.jpg | DllHost.exe
File created | C:\Windows\install.exe | 604d424543bc2eb56442f007b79c3ce4.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
2832 | DllHost.exe (2 calls)
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
description | pid | process | target process
PID 1476 wrote to memory of 2068 | 1476 | 604d424543bc2eb56442f007b79c3ce4.exe | install.exe (7 calls)
PID 2068 wrote to memory of 2704 | 2068 | install.exe | JVTB.exe (7 calls)
Processes
-
C:\Users\Admin\AppData\Local\Temp\604d424543bc2eb56442f007b79c3ce4.exe (depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\604d424543bc2eb56442f007b79c3ce4.exe"
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1476
-
  C:\Windows\install.exe (depth 2, child of PID 1476)
  command line: "C:\Windows\install.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2068
  -
    C:\Windows\SysWOW64\28463\JVTB.exe (depth 3, child of PID 2068)
    command line: "C:\Windows\system32\28463\JVTB.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    PID:2704
    Note: the command line names system32 but the image path is SysWOW64. install.exe and JVTB.exe are 32-bit processes on a 64-bit host, so WOW64 file-system redirection sends their writes to \system32\ into \SysWOW64\, and registry redirection places the Run value under Wow6432Node. When hunting for this chain, check both spellings of the path and both Run key locations.
-
C:\Windows\SysWOW64\DllHost.exe (depth 1)
command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
PID:2832
Note: DllHost.exe here is a COM surrogate started at depth 1, not a child of the sample. The only file activity attributed to it is opening the dropped C:\Windows\madruga.jpg for modification, which is consistent with Explorer-side thumbnail handling of a newly written image rather than with malware-controlled code; treat it as an artifact of the sandbox desktop unless other evidence ties it to the sample.
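The behavioural indicators above (dropped files, the Run value, and the install.exe -> JVTB.exe spawn chain) are easier to reuse as detection logic than as prose. The following Python matcher is an added example, not part of this sandbox report: it encodes those indicators and runs them over constructed Sysmon-style events (EventID 1 process create, 11 file create, 13 registry value set). The sample events, and the field names borrowed from Sysmon's event schema, are illustrative assumptions; the paths, value name and process names are the ones recorded on this page.

```python
"""Match Sysmon-style host events against the behavioural IoCs in this report.

Added example with constructed sample events; not data from the sandbox run.
"""
import re
from typing import Iterable

# Artifacts taken from the Signatures and Processes sections of the report.
# Everything is compared lower-case. A 32-bit process writing to \system32\
# is redirected to \SysWOW64\ by WOW64, so both spellings of the 28463
# directory are folded together (the process tree shows both).
DROPPED_FILES = {
    r"c:\windows\install.exe",
    r"c:\windows\madruga.jpg",
    r"c:\windows\syswow64\28463\jvtb.exe",
    r"c:\windows\syswow64\28463\jvtb.001",
    r"c:\windows\syswow64\28463\jvtb.006",
    r"c:\windows\syswow64\28463\jvtb.007",
    r"c:\windows\syswow64\28463\akv.exe",
}
RUN_VALUE_NAME = "jvtb agent"
# Matches the Run key under either the native or the Wow6432Node hive path.
RUN_KEY_RE = re.compile(r"\\microsoft\\windows\\currentversion\\run\\", re.I)
# Parent -> child pairs from the WriteProcessMemory table and process tree.
SPAWN_CHAIN = {("install.exe", "jvtb.exe")}


def norm_path(path: str) -> str:
    """Lower-case, backslash-normalise and undo WOW64 file-system redirection."""
    path = path.lower().replace("/", "\\")
    return path.replace(r"\system32\28463", r"\syswow64\28463")


def basename(path: str) -> str:
    return norm_path(path).rsplit("\\", 1)[-1]


def match_events(events: Iterable[dict]) -> list:
    """Return one finding string per event that matches a report IoC.

    Events are Sysmon-style dicts (assumed field names): EventID 1 needs
    Image, ParentImage, ProcessId; 11 needs Image, TargetFilename;
    13 needs TargetObject and optionally Details.
    """
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 11 and norm_path(ev["TargetFilename"]) in DROPPED_FILES:
            findings.append(f"file drop: {ev['TargetFilename']} by {basename(ev['Image'])}")
        elif eid == 13 and RUN_KEY_RE.search(ev["TargetObject"]):
            value_name = ev["TargetObject"].rsplit("\\", 1)[-1].lower()
            details = norm_path(ev.get("Details", ""))
            # Match on the value name the sample used, or on the unusual
            # numeric directory the Run entry points into.
            if value_name == RUN_VALUE_NAME or "\\syswow64\\28463\\" in details:
                findings.append(f"run-key persistence: {ev['TargetObject']} = {ev.get('Details')}")
        elif eid == 1 and (basename(ev["ParentImage"]), basename(ev["Image"])) in SPAWN_CHAIN:
            findings.append(
                f"spawn chain: {basename(ev['ParentImage'])} -> {basename(ev['Image'])} "
                f"(PID {ev['ProcessId']})"
            )
    return findings


# Constructed sample log: four events mirroring the report plus three benign ones.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\Admin\AppData\Local\Temp\604d424543bc2eb56442f007b79c3ce4.exe",
     "TargetFilename": r"C:\Windows\install.exe"},
    {"EventID": 11, "Image": r"C:\Windows\install.exe",
     "TargetFilename": r"C:\Windows\system32\28463\JVTB.exe"},
    {"EventID": 1, "ProcessId": 2704, "ParentImage": r"C:\Windows\install.exe",
     "Image": r"C:\Windows\SysWOW64\28463\JVTB.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JVTB Agent",
     "Details": r"C:\Windows\SysWOW64\28463\JVTB.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\Admin\Documents\notes.txt"},
    {"EventID": 13, "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventID": 1, "ProcessId": 3100, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},
]


def run_demo() -> list:
    """Run the matcher over the constructed sample; four findings expected."""
    return match_events(SAMPLE_EVENTS)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The second sample event deliberately uses the system32 spelling that appears in JVTB.exe's command line, and the Run-key check accepts both the Wow6432Node and native key paths, so the matcher does not miss the chain on a host where logging records the pre-redirection path. Exact-path matching on the 28463 directory is brittle by design here; for broader Ardamax coverage the numeric directory name and the ".001/.006/.007" companion files are the traits worth generalising on, once confirmed against further samples.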
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
22KB
MD5
32946b57633bf8f0be7ed3b405036a6d
SHA1
11d943452dfad1cfb80970cd510abab8a1c6545d
SHA256
b2040666cd2a7d3b463c3868d215b69460f0503bedb7bba28509319084df0b4a
SHA512
5dc0ab44b14dcf4950d219fea7532da2cb7ce1a94842427ddc626273dbbb6eb6649c628fa2b121d444d9e838c08ce6fb2e79a27f20539c4b1051fd86055d05dd
-
Filesize
142KB
MD5
c704d029abebad025ce01ff09ab2e315
SHA1
110fc7f9cfaf13df9e4b7fa010f38951a817bab2
SHA256
d7d3afce72387ab03d8606db30fec04d1075fc291def952040979d797d14bec2
SHA512
dc697ece6e5c7c347cdfaddb37a9d602a1377c298efd279e872053587f1a54bd5cb047643dbea7a9f6698863a360f67b41573d667836fd8d6837c9352b92aa82
-
Filesize
468B
MD5
55c6ac0a5aa9ab07f821d91ebf7fb606
SHA1
e3ceaf3558959bf3d67913f9c45f0faf42a08ed6
SHA256
6b04dacf865c83a6fabe617459c09d32fb995793852106e9cc0c3e46f2def478
SHA512
56d765bef180964060e2237d5b3bc24f4ec41cc6db4e8b1cf77dcbf629122cb8ec51ac41fafcd74b03cff815b8edd6c8ed951795400ca1dced8f366b030bb6f7
-
Filesize
8KB
MD5
43f02e9974b1477c1e6388882f233db0
SHA1
f3e27b231193f8d5b2e1b09d05ae3a62795cf339
SHA256
3c9e56e51d5a7a1b9aefe853c12a98bf246039aa46db94227ea128f6331782ba
SHA512
e22d14735606fe75ee5e55204807c3f5531d3e0c4f63aa4a3b2d4bb6abda6128c7e2816753f2e64400ac6dae8f8ef1e013a7a464dff2a79ad9937c48821a067f
-
Filesize
5KB
MD5
b5a87d630436f958c6e1d82d15f98f96
SHA1
d3ff5e92198d4df0f98a918071aca53550bf1cff
SHA256
a895ad4d23e8b2c2dc552092f645ca309e62c36d4721ebfe7afd2eee7765d4b2
SHA512
fd7bae85a86bdaa12fec826d1d38728a90e2037cb3182ad7652d8a9f54c4b322734c587b62221e6f907fce24fcf2e0ae4cce1f5e3d8861661064b4da24bd87ce
-
Filesize
473KB
MD5
17535dddecf8cb1efdba1f1952126547
SHA1
a862a9a3eb6c201751be1038537522a5281ea6cb
SHA256
1a3d28ac6359e58aa656f4734f9f36b6c09badadcf9fb900b9b118d90c38a9dd
SHA512
b4f31b552ab3bb3dafa365aa7a31f58674ae7ee82ce1d23457f2e7047431430b00abb3b5498491725639daf583b526b278a737168cfdc4e9ec796dfbc14a53d8
-
Filesize
45KB
MD5
e0134e5733c7b82849233b07d90a1b52
SHA1
95cb9b7f93cbf485b2da1f16f7f4167ebec27fb6
SHA256
40b390a59d372327232fdc75792b1e1ba4f0f9da58a3f37112319e90d7e15879
SHA512
b30713dcab51eb2605f350c0739cf2b5b3ab3a430459b36f3ee2b9b814b115ab628ff790c575c18ff4316fd227a72d18406c5a9efa04daeeacde8378a87ca8ce
-
Filesize
179KB
MD5
450ad0eeca53eba0cd3451646aa61da9
SHA1
26f4ff824275f10d5ee813d578f204113cc17789
SHA256
2c915bd282ad880dd1bba9481873f5766f0957d54738074067a0a26c734b8aad
SHA512
ace65b899231f6bcbd71be4de6572c93ad0d58fbf38ce80e0579e16ce6b048fe8793e95f1a3d3373e40ae366fdd40ceec1df3a7314b555be7db79b3d19f16a1c
-
Filesize
143KB
MD5
2138a4744abfbf2dcffcc1aa1514c039
SHA1
437bf7f0390bbf99804302c9ce985a8125a85acb
SHA256
dfa1f661c89797162e7451f66deea89ec5c9556f6b47b2e0a8292310f95f5156
SHA512
d8dd6225d426234c5bc288c00a70d92ffc63e44d156502ff3e567677415e76aa4ad8d5fb0729d312c9a63c093beb9a9cece348a2df08f0c4dbff7f5521f3c22b
-
Filesize
162KB
MD5
e0989f1fe0c33462a62ad52ab2df079c
SHA1
f6197379ab77debe93fb0d5ea2d85505bb8474d9
SHA256
b37a6b128b6d597b56b2ed2cdd7c284e33dc2b57a9b4e3fcd8e483f3f0b9f285
SHA512
e84b9ec66e8cfc8f0ebac80174161b4460bbbfe91e719f277c73a1165cb79a6d7643744f97df3e55f9beff74013b44395866ec4a04ec93decb3efd13b044f924
-
Filesize
4KB
MD5
c3679c3ff636d1a6b8c65323540da371
SHA1
d184758721a426467b687bec2a4acc80fe44c6f8
SHA256
d4eba51c616b439a8819218bddf9a6fa257d55c9f04cf81441cc99cc945ad3eb
SHA512
494a0a32eef4392ecb54df6e1da7d93183473c4e45f4ac4bd6ec3b0ed8c85c58303a0d36edec41420d05ff624195f08791b6b7e018419a3251b7e71ec9b730e7
-
Filesize
128KB
MD5
1e6059008388a3072a3f820d341fa570
SHA1
4eb940e1a7c5293cc0b412bc8c635852fece7b65
SHA256
ac34b4bbcd4b8f2600cde6ccc74ca46752998efcfb52164ae4dfc0fe91814963
SHA512
e599bd6e378b767096c285796219e00b0db18956b16b40ed0463232f82f1a6561cd5b62eceb9e9743ab5b1b9e733f02a007495bf3b796f1a22ad6536a684a574
-
Filesize
180KB
MD5
7448dbc3b83583d885fd17642d2ab00a
SHA1
85ea4bf9f997f6658288608943dc8b8101eefeb7
SHA256
5698f9510aa39d82085e6badbfcd7d418257eca45937f117b5cbd386df9bb912
SHA512
314c85b07fc24b91677118da6ae32058889e5f7603b5cc256b55cec7af85e29b67b8dd10513bb518f9224b60527a61e4fc965b8bca36e469a5b49b47fe94245e
-
Filesize
132KB
MD5
07034b11a4001a920987d931d0c6a94f
SHA1
45e5e68cd0bef3546b2bdd9269d8cf2adbc1f399
SHA256
8d815ffbe30876c212c46dcd26e29d4102551122112c9f490e3b188b0af16b9b
SHA512
85b05b69e104efbb7f6ec14f1a42e45611c91938818d82915919988136817a82f950322e7e301f43ff8d468fe703c73d616e8913ad75d96d887d761ff3df21c5