Analysis
max time kernel: 120s
max time network: 124s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 17-01-2024 04:50
Static task: static1
Behavioral task: behavioral1
  Sample: 61c7407f12837bb4ea4c2de526f7364d.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 61c7407f12837bb4ea4c2de526f7364d.exe
  Resource: win10v2004-20231215-en
General
Target: 61c7407f12837bb4ea4c2de526f7364d.exe
Size: 1.2MB
MD5: 61c7407f12837bb4ea4c2de526f7364d
SHA1: 59a0a43e43c9d9e814b03ef5a0126577dccb8dbd
SHA256: 4f0d2ffbc946083e38333012faa1132ff7f2479760819a1d5a05bd80777e50fc
SHA512: 838bf7bfa17e5125980d067724330cb73aae41ed07bc46ca107898daa7e1ecbc18b2d5d51f2de412a765068c07ccee138d37785634cf0e478ae863f18cbf4caf
SSDEEP: 24576:oU4oT7xcVaXEc/GbylnRj9n6b26FIufDR1cXY3Vw6fASyWV5onrqMLhvV5Ncc0Wz:oULTOSnMylh96b2cIsR6YFzfANWuhruk
Malware Config
Signatures
- Ardamax main executable (3 IoCs)
  resource / yara_rule:
    C:\Windows\SysWOW64\GQULCE\AAL.exe  family_ardamax
    \Windows\SysWOW64\GQULCE\AAL.exe  family_ardamax
    C:\Windows\SysWOW64\GQULCE\AAL.exe  family_ardamax
- Executes dropped EXE (1 IoC)
  pid / process:
    2300  AAL.exe
- Loads dropped DLL (4 IoCs)
  pid / process:
    2648  61c7407f12837bb4ea4c2de526f7364d.exe
    2300  AAL.exe
    2648  61c7407f12837bb4ea4c2de526f7364d.exe
    2780  NOTEPAD.EXE
- Adds Run key to start application (2 TTPs, 1 IoC)
  description / ioc / process:
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AAL Start = "C:\\Windows\\SysWOW64\\GQULCE\\AAL.exe"  AAL.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in System32 directory (6 IoCs)
  description / ioc / process:
    File created  C:\Windows\SysWOW64\GQULCE\AAL.004  61c7407f12837bb4ea4c2de526f7364d.exe
    File created  C:\Windows\SysWOW64\GQULCE\AAL.001  61c7407f12837bb4ea4c2de526f7364d.exe
    File created  C:\Windows\SysWOW64\GQULCE\AAL.002  61c7407f12837bb4ea4c2de526f7364d.exe
    File created  C:\Windows\SysWOW64\GQULCE\AKV.exe  61c7407f12837bb4ea4c2de526f7364d.exe
    File created  C:\Windows\SysWOW64\GQULCE\AAL.exe  61c7407f12837bb4ea4c2de526f7364d.exe
    File opened for modification  C:\Windows\SysWOW64\GQULCE\  AAL.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description / pid / process:
    Token: 33  2300  AAL.exe
    Token: SeIncBasePriorityPrivilege  2300  AAL.exe
    Token: SeIncBasePriorityPrivilege  2300  AAL.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid / process:
    2300  AAL.exe  (4 identical entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  description / pid / process / target process:
    PID 2648 wrote to memory of 2300  2648  61c7407f12837bb4ea4c2de526f7364d.exe  AAL.exe  (4 identical entries)
    PID 2648 wrote to memory of 2780  2648  61c7407f12837bb4ea4c2de526f7364d.exe  NOTEPAD.EXE  (4 identical entries)
    PID 2300 wrote to memory of 2332  2300  AAL.exe  cmd.exe  (4 identical entries)
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\61c7407f12837bb4ea4c2de526f7364d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\61c7407f12837bb4ea4c2de526f7364d.exe"
  PID: 2648
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\SysWOW64\GQULCE\AAL.exe
    command line: "C:\Windows\system32\GQULCE\AAL.exe"
    PID: 2300
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\GQULCE\AAL.exe > nul
      PID: 2332
  [depth 2] C:\Windows\SysWOW64\NOTEPAD.EXE
    command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Novo Documento de Texto.txt
    PID: 2780
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads