Analysis
- max time kernel: 121s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 17-01-2024 01:57
Static task: static1
Behavioral task: behavioral1
- Sample: 617207e22b773248ac162d3c731d92e2.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 617207e22b773248ac162d3c731d92e2.exe
- Resource: win10v2004-20231222-en
General
- Target: 617207e22b773248ac162d3c731d92e2.exe
- Size: 479KB
- MD5: 617207e22b773248ac162d3c731d92e2
- SHA1: 541b81ed9648b4fa95b56c78725523b147421f6d
- SHA256: 16d81008d16cebf0bf85757b1e7789e3783584be97ddbbb3d7347323bffe91d7
- SHA512: f2d435e825ca9a7f57b5db594d52991847f9de6434b8c7c27beaaa298b5fa576ba2fcc6c9598929e1b7e70e00a94edb4acf9cad91754bb09e90a1e56a49c16d4
- SSDEEP: 12288:3sltrW2kAjNf/Ww1J2HXD/rnf3Gf4iLKvu:c/MANXWw1GXDz+LGu
Malware Config
Signatures
- Ardamax main executable (1 IoC)
  Processes (resource | yara_rule):
  \Windows\SysWOW64\28463\AWPB.exe | family_ardamax
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  2092 | AWPB.exe
- Loads dropped DLL (3 IoCs)
  Processes (pid | process):
  2964 | 617207e22b773248ac162d3c731d92e2.exe
  2964 | 617207e22b773248ac162d3c731d92e2.exe
  2964 | 617207e22b773248ac162d3c731d92e2.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AWPB Agent = "C:\\Windows\\SysWOW64\\28463\\AWPB.exe" | AWPB.exe
- Drops file in System32 directory (5 IoCs)
  Processes (description | ioc | process):
  File created | C:\Windows\SysWOW64\28463\AWPB.001 | 617207e22b773248ac162d3c731d92e2.exe
  File created | C:\Windows\SysWOW64\28463\AWPB.006 | 617207e22b773248ac162d3c731d92e2.exe
  File created | C:\Windows\SysWOW64\28463\AWPB.007 | 617207e22b773248ac162d3c731d92e2.exe
  File created | C:\Windows\SysWOW64\28463\AWPB.exe | 617207e22b773248ac162d3c731d92e2.exe
  File created | C:\Windows\SysWOW64\28463\AKV.exe | 617207e22b773248ac162d3c731d92e2.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description | pid | process | target process):
  PID 2964 wrote to memory of 2092 | 2964 | 617207e22b773248ac162d3c731d92e2.exe | AWPB.exe
  PID 2964 wrote to memory of 2092 | 2964 | 617207e22b773248ac162d3c731d92e2.exe | AWPB.exe
  PID 2964 wrote to memory of 2092 | 2964 | 617207e22b773248ac162d3c731d92e2.exe | AWPB.exe
  PID 2964 wrote to memory of 2092 | 2964 | 617207e22b773248ac162d3c731d92e2.exe | AWPB.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\617207e22b773248ac162d3c731d92e2.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\617207e22b773248ac162d3c731d92e2.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 2964
  - C:\Windows\SysWOW64\28463\AWPB.exe (level 2, child of PID 2964)
    Command line: "C:\Windows\system32\28463\AWPB.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    PID: 2092
Network
MITRE ATT&CK Enterprise v15
Downloads