Analysis
- max time kernel: 143s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-01-2024 04:50
Static task: static1
Behavioral task: behavioral1
- Sample: 61c7407f12837bb4ea4c2de526f7364d.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 61c7407f12837bb4ea4c2de526f7364d.exe
- Resource: win10v2004-20231215-en
General
- Target: 61c7407f12837bb4ea4c2de526f7364d.exe
- Size: 1.2MB
- MD5: 61c7407f12837bb4ea4c2de526f7364d
- SHA1: 59a0a43e43c9d9e814b03ef5a0126577dccb8dbd
- SHA256: 4f0d2ffbc946083e38333012faa1132ff7f2479760819a1d5a05bd80777e50fc
- SHA512: 838bf7bfa17e5125980d067724330cb73aae41ed07bc46ca107898daa7e1ecbc18b2d5d51f2de412a765068c07ccee138d37785634cf0e478ae863f18cbf4caf
- SSDEEP: 24576:oU4oT7xcVaXEc/GbylnRj9n6b26FIufDR1cXY3Vw6fASyWV5onrqMLhvV5Ncc0Wz:oULTOSnMylh96b2cIsR6YFzfANWuhruk
Malware Config
Signatures
- Ardamax main executable (1 IoC)
  YARA rule family_ardamax matched resource C:\Windows\SysWOW64\GQULCE\AAL.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation (process: 61c7407f12837bb4ea4c2de526f7364d.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation (process: AAL.exe)
- Executes dropped EXE (1 IoC)
  PID 1172 AAL.exe
- Loads dropped DLL (2 IoCs)
  PID 1172 AAL.exe
  PID 3864 NOTEPAD.EXE
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AAL Start = "C:\\Windows\\SysWOW64\\GQULCE\\AAL.exe" (process: AAL.exe)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in System32 directory (6 IoCs)
  File created: C:\Windows\SysWOW64\GQULCE\AAL.exe (process: 61c7407f12837bb4ea4c2de526f7364d.exe)
  File opened for modification: C:\Windows\SysWOW64\GQULCE\ (process: AAL.exe)
  File created: C:\Windows\SysWOW64\GQULCE\AAL.004 (process: 61c7407f12837bb4ea4c2de526f7364d.exe)
  File created: C:\Windows\SysWOW64\GQULCE\AAL.001 (process: 61c7407f12837bb4ea4c2de526f7364d.exe)
  File created: C:\Windows\SysWOW64\GQULCE\AAL.002 (process: 61c7407f12837bb4ea4c2de526f7364d.exe)
  File created: C:\Windows\SysWOW64\GQULCE\AKV.exe (process: 61c7407f12837bb4ea4c2de526f7364d.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\Local Settings (process: 61c7407f12837bb4ea4c2de526f7364d.exe)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: 33 (PID 1172 AAL.exe)
  Token: SeIncBasePriorityPrivilege (PID 1172 AAL.exe)
  Token: SeIncBasePriorityPrivilege (PID 1172 AAL.exe)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 1172 AAL.exe (all four calls)
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 4476 (61c7407f12837bb4ea4c2de526f7364d.exe) wrote to memory of PID 1172 (AAL.exe), 3 times
  PID 4476 (61c7407f12837bb4ea4c2de526f7364d.exe) wrote to memory of PID 3864 (NOTEPAD.EXE), 3 times
  PID 1172 (AAL.exe) wrote to memory of PID 932 (cmd.exe), 3 times
Processes
Note on paths: the recorded command lines say C:\Windows\system32\..., while the on-disk paths, the Run key data and the WOW6432Node registry path say SysWOW64. These are the same locations. The writes to system32 and to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run landed in SysWOW64 and WOW6432Node, which is what WOW64 file-system and registry redirection does to a 32-bit process on 64-bit Windows. Hunt on the SysWOW64 and WOW6432Node paths, not the system32 ones in the command lines.
- C:\Users\Admin\AppData\Local\Temp\61c7407f12837bb4ea4c2de526f7364d.exe (PID 4476)
  Command line: "C:\Users\Admin\AppData\Local\Temp\61c7407f12837bb4ea4c2de526f7364d.exe"
  Checks computer location settings; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\GQULCE\AAL.exe (PID 1172)
    Command line: "C:\Windows\system32\GQULCE\AAL.exe"
    Checks computer location settings; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 932)
      Command line: "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\GQULCE\AAL.exe > nul
      (AAL.exe deleting its own image via a cmd child; the Run key value set above still points at this path, so at triage time the persistence entry may reference a file that is no longer on disk.)
  - C:\Windows\SysWOW64\NOTEPAD.EXE (PID 3864)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Novo Documento de Texto.txt
    (the file name is Portuguese for "New Text Document.txt"; Notepad is opened as a decoy while AAL.exe runs)
    Loads dropped DLL
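The signature table and process tree above describe a chain that is worth encoding as detection logic rather than as a list of hashes: a Geo\Nation registry read (geofence), files written under SysWOW64, a Run value pointing at a file the same trace saw being written, execution of that dropped file, and a cmd child that deletes the parent's own image. The block below is an added example, not part of the sandbox report or of the Triage signature set. The trace is constructed from the report's own PIDs, paths and command lines; the event schema, the function names and the signature names are this example's own assumptions.

```python
"""Correlate sandbox-style API-trace events into the behaviour chain this
report flags. Added example; the trace below is constructed from the report,
the event schema and rule names are assumptions of this example."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Indicators taken from the report.
DROP_DIR = r"C:\Windows\SysWOW64\GQULCE"
RUN_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
GEO_NATION = r"\Control Panel\International\Geo\Nation"
USER_HIVE = r"\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\61c7407f12837bb4ea4c2de526f7364d.exe"
AAL = DROP_DIR + r"\AAL.exe"


@dataclass
class Event:
    """One trace record. Kinds mirror the report's wording: key value queried,
    file created, set value, and the process tree's parent/child relation."""
    kind: str       # "reg_query" | "file_create" | "reg_set" | "proc_create"
    pid: int        # acting (parent) process
    image: str      # image path of the acting process
    target: str     # registry path, file path, or child image path
    data: str = ""  # registry value data, or child command line


# Constructed trace (not sandbox output) replaying the report's process tree.
TRACE = [
    Event("reg_query", 4476, DROPPER, USER_HIVE + GEO_NATION),
    Event("file_create", 4476, DROPPER, AAL),
    Event("file_create", 4476, DROPPER, DROP_DIR + r"\AAL.001"),
    Event("file_create", 4476, DROPPER, DROP_DIR + r"\AKV.exe"),
    Event("proc_create", 4476, DROPPER, AAL, f'"{AAL}"'),
    Event("proc_create", 4476, DROPPER, r"C:\Windows\SysWOW64\NOTEPAD.EXE",
          r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Novo Documento de Texto.txt'),
    Event("reg_query", 1172, AAL, USER_HIVE + GEO_NATION),
    Event("reg_set", 1172, AAL, RUN_KEY + r"\AAL Start", AAL),
    Event("proc_create", 1172, AAL, r"C:\Windows\SysWOW64\cmd.exe",
          rf'"C:\Windows\system32\cmd.exe" /c del {AAL} > nul'),
]

# "/c del <path> > nul" with an optional quoted path; group 1 is the path.
SELF_DELETE = re.compile(r'/c\s+del\s+"?(.+?)"?\s*(?:>|$)', re.IGNORECASE)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def detect(trace: List[Event]) -> Dict[str, List[str]]:
    """Return rule name -> evidence strings; an empty dict means nothing fired.
    State carried across events is what turns isolated IoCs into a chain."""
    hits: Dict[str, List[str]] = {}
    created_by: Dict[str, int] = {}  # lower-cased path -> pid that wrote it

    def hit(rule: str, evidence: str) -> None:
        hits.setdefault(rule, []).append(evidence)

    for ev in trace:
        target = ev.target.lower()
        if ev.kind == "reg_query" and target.endswith(GEO_NATION.lower()):
            # Reading Control Panel\International\Geo\Nation is the
            # country lookup the report labels as a likely geofence.
            hit("checks_computer_location", f"pid {ev.pid} {ev.image}")
        elif ev.kind == "file_create":
            created_by[target] = ev.pid
            if target.startswith(SYSTEM_DIRS):
                hit("drops_file_in_system32", ev.target)
        elif ev.kind == "reg_set" and target.startswith(RUN_KEY.lower() + "\\"):
            # A Run value is only tied to this sample when it points at a file
            # the same trace saw being created; other Run writes are ignored.
            if ev.data.strip('"').lower() in created_by:
                hit("run_key_to_dropped_file", f"{ev.target} = {ev.data}")
        elif ev.kind == "proc_create":
            if target in created_by:
                hit("executes_dropped_exe", f"pid {ev.pid} started {ev.target}")
            m = SELF_DELETE.search(ev.data)
            if target.endswith("\\cmd.exe") and m and m.group(1).lower() == ev.image.lower():
                # cmd /c del <parent's own image> > nul: the parent erases itself.
                hit("self_delete_via_cmd", ev.data)
    return hits


if __name__ == "__main__":
    for rule, evidence in detect(TRACE).items():
        print(rule)
        for line in evidence:
            print("   ", line)
```

The persistence rule deliberately requires the Run value to name a file that an earlier event in the same trace created; a Run value pointing at an installed product the trace never touched does not fire. The self-delete rule compares the path in the cmd command line against the parent's image rather than matching "del" alone, so cleanup of temp files by a legitimate installer stays quiet.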
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 31B
  MD5: f18bcc7084002b55c9c34a8214b5a055
  SHA1: 9d95f2fd61d24840a31dfce2d9a872cf04fc9f7c
  SHA256: 787ae0a8898f2faeafdd0cf90f3b6ae3badf87c10335e36431a21c1f59ff6027
  SHA512: ff13fbcb2a720c5ff5e776794a657068762baab108342f8c91d8c8c0c893a86027c5d37a1e3940dcac8f167621581914dd4ec8c7be17592e518afe0ec88dbbc8
- Filesize: 60KB
  MD5: a15c556f17d7db8287e023138942d5db
  SHA1: 880bf8ec944120830dc2e2e040e5996e4e0e6c83
  SHA256: f3716810ab011a4cb7693d31b69cd540380ef2a067724e0d568070c8a558694e
  SHA512: 930339711e3d73e5af0778367a648c94411c20d23bf4c27ec5d72222e76b8902eb3fc0992d70cc4141600c19087159514246d42f1e762c98dad306f8e0bd99cd
- Filesize: 43KB
  MD5: daabecdfba287a3333b60ae82211acd7
  SHA1: e67b4c7bf0dd71ad47263a58bb60be4bce504b84
  SHA256: 12981c35adf6f00c7dddbc3ab23c04c30133cc5be107015dab9fd7ba4e8b4173
  SHA512: 937f551f959bd823292fe5983bbfb1c3a6dd86426a5da228dc7ddba38138c898599bc713d707b9d3463b20825cee0783d92c1c19019cd0328986a8aef5c1222f
- Filesize: 1KB
  MD5: ad82ac49c5d1eec272fbd616b6609229
  SHA1: e99acd004ab0dc00a57b660bdf3b08563c09d980
  SHA256: 7079d0ddb867f967e7a4fad5cf35f4ec4f4b927805937fce5434b3346a665576
  SHA512: 423d202f8ea334408cdaf6509efc9c5b82635212d14f29669e6bf9a050094864d75004f1c6a30bc6c4da329da9ff9861555078046bccb98d6a2cab653bb26cbe
- Filesize: 1.7MB
  MD5: f3819a6cab8ae058254c4abb3844d87e
  SHA1: 0f8b1a74af87f1823ec0d76e21a8d54d55a53a8b
  SHA256: 3d656d1364b4b2382020f64990a2c630b7b9422ca7b7fe2c30646fda3303e6c9
  SHA512: dfe9d342f3ad543fec8bd278e21ac5059b1c36ed3f735734e9b92d639cb25609f9307862ab2b35ea3e88713f4a652abe5863871225f915462c79d493ac5e1f57
- Filesize: 456KB
  MD5: 48cfaed4d566c34716326302b49bdad2
  SHA1: 566e0989b6bc7ed205f9ae250ea98e3a4d7fba52
  SHA256: 54c2e10de3ed7135d20c239a7f656c6ff57d1158607fa4c6779e042681de87ea
  SHA512: 96c871ed9af039142aab5904021d3ef3f75a58c5cc1fdf4d59e40e3699fd03e7cff384b788f7359a1de519ebdcafdad55891fef4f67e2c216ea89ebc945996a0