Analysis
Max time kernel: 144s
Max time network: 149s
Platform: windows10-2004_x64
Resource: win10v2004-20231222-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 17-01-2024 01:57
Static task: static1
Behavioral task: behavioral1
  Sample: 617207e22b773248ac162d3c731d92e2.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 617207e22b773248ac162d3c731d92e2.exe
  Resource: win10v2004-20231222-en
General
Target: 617207e22b773248ac162d3c731d92e2.exe
Size: 479KB
MD5: 617207e22b773248ac162d3c731d92e2
SHA1: 541b81ed9648b4fa95b56c78725523b147421f6d
SHA256: 16d81008d16cebf0bf85757b1e7789e3783584be97ddbbb3d7347323bffe91d7
SHA512: f2d435e825ca9a7f57b5db594d52991847f9de6434b8c7c27beaaa298b5fa576ba2fcc6c9598929e1b7e70e00a94edb4acf9cad91754bb09e90a1e56a49c16d4
SSDEEP: 12288:3sltrW2kAjNf/Ww1J2HXD/rnf3Gf4iLKvu:c/MANXWw1GXDz+LGu
Malware Config
Signatures
Ardamax main executable (1 IoC)
  Resource: C:\Windows\SysWOW64\28463\AWPB.exe
  YARA rule: family_ardamax
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Process: 617207e22b773248ac162d3c731d92e2.exe
  Description: Key value queried
  IoC: \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (1 IoC)
  Process: AWPB.exe (PID 3844)
Loads dropped DLL (1 IoC)
  Process: 617207e22b773248ac162d3c731d92e2.exe (PID 3528)
Adds Run key to start application (2 TTPs, 1 IoC)
  Process: AWPB.exe
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AWPB Agent = "C:\\Windows\\SysWOW64\\28463\\AWPB.exe"
Drops file in System32 directory (5 IoCs)
  Process: 617207e22b773248ac162d3c731d92e2.exe
  Description: File created
  IoCs:
    C:\Windows\SysWOW64\28463\AWPB.exe
    C:\Windows\SysWOW64\28463\AKV.exe
    C:\Windows\SysWOW64\28463\AWPB.001
    C:\Windows\SysWOW64\28463\AWPB.006
    C:\Windows\SysWOW64\28463\AWPB.007
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (3 IoCs)
  Process: 617207e22b773248ac162d3c731d92e2.exe (PID 3528)
  Target process: AWPB.exe (PID 3844)
  Description: PID 3528 wrote to memory of 3844 (3 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\617207e22b773248ac162d3c731d92e2.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\617207e22b773248ac162d3c731d92e2.exe"
   PID: 3528
   - Checks computer location settings
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\28463\AWPB.exe (child of PID 3528)
      Command line: "C:\Windows\system32\28463\AWPB.exe"
      PID: 3844
      - Executes dropped EXE
      - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15
Downloads