Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    17-01-2024 04:50

General

  • Target

    61c7407f12837bb4ea4c2de526f7364d.exe

  • Size

    1.2MB

  • MD5

    61c7407f12837bb4ea4c2de526f7364d

  • SHA1

    59a0a43e43c9d9e814b03ef5a0126577dccb8dbd

  • SHA256

    4f0d2ffbc946083e38333012faa1132ff7f2479760819a1d5a05bd80777e50fc

  • SHA512

    838bf7bfa17e5125980d067724330cb73aae41ed07bc46ca107898daa7e1ecbc18b2d5d51f2de412a765068c07ccee138d37785634cf0e478ae863f18cbf4caf

  • SSDEEP

    24576:oU4oT7xcVaXEc/GbylnRj9n6b26FIufDR1cXY3Vw6fASyWV5onrqMLhvV5Ncc0Wz:oULTOSnMylh96b2cIsR6YFzfANWuhruk

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\61c7407f12837bb4ea4c2de526f7364d.exe
    "C:\Users\Admin\AppData\Local\Temp\61c7407f12837bb4ea4c2de526f7364d.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Windows\SysWOW64\GQULCE\AAL.exe
      "C:\Windows\system32\GQULCE\AAL.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2300
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\GQULCE\AAL.exe > nul
        3⤵
          PID:2332
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Novo Documento de Texto.txt
        2⤵
        • Loads dropped DLL
        PID:2780

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Novo Documento de Texto.txt

      Filesize

      31B

      MD5

      f18bcc7084002b55c9c34a8214b5a055

      SHA1

      9d95f2fd61d24840a31dfce2d9a872cf04fc9f7c

      SHA256

      787ae0a8898f2faeafdd0cf90f3b6ae3badf87c10335e36431a21c1f59ff6027

      SHA512

      ff13fbcb2a720c5ff5e776794a657068762baab108342f8c91d8c8c0c893a86027c5d37a1e3940dcac8f167621581914dd4ec8c7be17592e518afe0ec88dbbc8

    • C:\Windows\SysWOW64\GQULCE\AAL.001

      Filesize

      60KB

      MD5

      a15c556f17d7db8287e023138942d5db

      SHA1

      880bf8ec944120830dc2e2e040e5996e4e0e6c83

      SHA256

      f3716810ab011a4cb7693d31b69cd540380ef2a067724e0d568070c8a558694e

      SHA512

      930339711e3d73e5af0778367a648c94411c20d23bf4c27ec5d72222e76b8902eb3fc0992d70cc4141600c19087159514246d42f1e762c98dad306f8e0bd99cd

    • C:\Windows\SysWOW64\GQULCE\AAL.002

      Filesize

      43KB

      MD5

      daabecdfba287a3333b60ae82211acd7

      SHA1

      e67b4c7bf0dd71ad47263a58bb60be4bce504b84

      SHA256

      12981c35adf6f00c7dddbc3ab23c04c30133cc5be107015dab9fd7ba4e8b4173

      SHA512

      937f551f959bd823292fe5983bbfb1c3a6dd86426a5da228dc7ddba38138c898599bc713d707b9d3463b20825cee0783d92c1c19019cd0328986a8aef5c1222f

    • C:\Windows\SysWOW64\GQULCE\AAL.004

      Filesize

      1KB

      MD5

      ad82ac49c5d1eec272fbd616b6609229

      SHA1

      e99acd004ab0dc00a57b660bdf3b08563c09d980

      SHA256

      7079d0ddb867f967e7a4fad5cf35f4ec4f4b927805937fce5434b3346a665576

      SHA512

      423d202f8ea334408cdaf6509efc9c5b82635212d14f29669e6bf9a050094864d75004f1c6a30bc6c4da329da9ff9861555078046bccb98d6a2cab653bb26cbe

    • C:\Windows\SysWOW64\GQULCE\AAL.exe

      Filesize

      99KB

      MD5

      27e6eb1b55a52338307a416235afd401

      SHA1

      13287f7b1dacca85fa2e0b6bdbd038c6a750b9db

      SHA256

      482535180b50b5a08635ce5a5adcb5d6f6d4e6b04144eb88a8440933de9687aa

      SHA512

      dd9ce7b3f2936745a35c5073a043852f034246fe1e14147151abcb26ca0a6d493e520b1707f08c281c8b5d854fa3fc88cf2a53c7a5a3f2425bdba9b62bc5c847

    • C:\Windows\SysWOW64\GQULCE\AAL.exe

      Filesize

      45KB

      MD5

      d28e7a834583efeec920bd1ae59a5b05

      SHA1

      1f1fa6cc6e88a41fe0c997672430bd11ad8f956a

      SHA256

      d047e423eca042ce0486cd4708866651ad20ddb35a93587ffe25f27bc103f07f

      SHA512

      11fd9ed71b6fcf0e62807e8e3de9f3ea95e43d90097e7c955e5ae572abe46d00bba549aa80fc4b393fe42e7ae0bb5f874e38f7f90243b54dc33d4f039eefcced

    • C:\Windows\SysWOW64\GQULCE\AKV.exe

      Filesize

      71KB

      MD5

      74e70d1c588f7201a91987b1bc794bfb

      SHA1

      cd14847c6ef051b5699776a0e14f8ba762dc730c

      SHA256

      5faa4a771163b2309d5763cf415906de56d17628607904fa35e574a44d7a7431

      SHA512

      3f80e657f6bc19fdb0606c74318e629582097fdf7e2e3a726567d54b4427e4c45f3cae34f31c9446ae2daf091345465c85754e7e34b82a149d7c4195185dcc38

    • \Windows\SysWOW64\GQULCE\AAL.001

      Filesize

      45KB

      MD5

      2a38ddfd6bb6c8361ba759224a53f098

      SHA1

      09b429e031962cf1c5c8cb27ffa26fa13fc1abfd

      SHA256

      49633f0489cebbcf31a6bcf3ba6897dc4d651e0bb0e32cb779afb0182e5289ec

      SHA512

      2a4f6eda74e20be439ffaeebeeb06d3fcd768450cb3850f29c1e660108debb43b5ab1d45a5048ade95db0e0254acad5a43563c30eb725c9708b356e9a826c026

    • \Windows\SysWOW64\GQULCE\AAL.exe

      Filesize

      99KB

      MD5

      74a17db38dfe5e982b5bfde3c99b525c

      SHA1

      c9060e15bf7a085f9f7c8ca0f5fd6282fd0bf291

      SHA256

      36c241cff975907723d245f7c08535a81f651cb220bec49f566dfd9cca190198

      SHA512

      5c8465d31f73a40237cbcf1573bb15e7f7d6c7487b1b13f91945250086c02ab81f20fc2d1457cfb38ca599b73c4ab490749fe4359cd068fb4eff71b4027c310c

    • memory/2300-16-0x0000000000230000-0x0000000000231000-memory.dmp

      Filesize

      4KB

    • memory/2300-21-0x0000000000230000-0x0000000000231000-memory.dmp

      Filesize

      4KB