Analysis

  • max time kernel
    143s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-01-2024 04:50

General

  • Target

    61c7407f12837bb4ea4c2de526f7364d.exe

  • Size

    1.2MB

  • MD5

    61c7407f12837bb4ea4c2de526f7364d

  • SHA1

    59a0a43e43c9d9e814b03ef5a0126577dccb8dbd

  • SHA256

    4f0d2ffbc946083e38333012faa1132ff7f2479760819a1d5a05bd80777e50fc

  • SHA512

    838bf7bfa17e5125980d067724330cb73aae41ed07bc46ca107898daa7e1ecbc18b2d5d51f2de412a765068c07ccee138d37785634cf0e478ae863f18cbf4caf

  • SSDEEP

    24576:oU4oT7xcVaXEc/GbylnRj9n6b26FIufDR1cXY3Vw6fASyWV5onrqMLhvV5Ncc0Wz:oULTOSnMylh96b2cIsR6YFzfANWuhruk

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\61c7407f12837bb4ea4c2de526f7364d.exe
    "C:\Users\Admin\AppData\Local\Temp\61c7407f12837bb4ea4c2de526f7364d.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4476
    • C:\Windows\SysWOW64\GQULCE\AAL.exe
      "C:\Windows\system32\GQULCE\AAL.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1172
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\GQULCE\AAL.exe > nul
        3⤵
          PID:932
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Novo Documento de Texto.txt
        2⤵
        • Loads dropped DLL
        PID:3864

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Novo Documento de Texto.txt

      Filesize

      31B

      MD5

      f18bcc7084002b55c9c34a8214b5a055

      SHA1

      9d95f2fd61d24840a31dfce2d9a872cf04fc9f7c

      SHA256

      787ae0a8898f2faeafdd0cf90f3b6ae3badf87c10335e36431a21c1f59ff6027

      SHA512

      ff13fbcb2a720c5ff5e776794a657068762baab108342f8c91d8c8c0c893a86027c5d37a1e3940dcac8f167621581914dd4ec8c7be17592e518afe0ec88dbbc8

    • C:\Windows\SysWOW64\GQULCE\AAL.001

      Filesize

      60KB

      MD5

      a15c556f17d7db8287e023138942d5db

      SHA1

      880bf8ec944120830dc2e2e040e5996e4e0e6c83

      SHA256

      f3716810ab011a4cb7693d31b69cd540380ef2a067724e0d568070c8a558694e

      SHA512

      930339711e3d73e5af0778367a648c94411c20d23bf4c27ec5d72222e76b8902eb3fc0992d70cc4141600c19087159514246d42f1e762c98dad306f8e0bd99cd

    • C:\Windows\SysWOW64\GQULCE\AAL.002

      Filesize

      43KB

      MD5

      daabecdfba287a3333b60ae82211acd7

      SHA1

      e67b4c7bf0dd71ad47263a58bb60be4bce504b84

      SHA256

      12981c35adf6f00c7dddbc3ab23c04c30133cc5be107015dab9fd7ba4e8b4173

      SHA512

      937f551f959bd823292fe5983bbfb1c3a6dd86426a5da228dc7ddba38138c898599bc713d707b9d3463b20825cee0783d92c1c19019cd0328986a8aef5c1222f

    • C:\Windows\SysWOW64\GQULCE\AAL.004

      Filesize

      1KB

      MD5

      ad82ac49c5d1eec272fbd616b6609229

      SHA1

      e99acd004ab0dc00a57b660bdf3b08563c09d980

      SHA256

      7079d0ddb867f967e7a4fad5cf35f4ec4f4b927805937fce5434b3346a665576

      SHA512

      423d202f8ea334408cdaf6509efc9c5b82635212d14f29669e6bf9a050094864d75004f1c6a30bc6c4da329da9ff9861555078046bccb98d6a2cab653bb26cbe

    • C:\Windows\SysWOW64\GQULCE\AAL.exe

      Filesize

      1.7MB

      MD5

      f3819a6cab8ae058254c4abb3844d87e

      SHA1

      0f8b1a74af87f1823ec0d76e21a8d54d55a53a8b

      SHA256

      3d656d1364b4b2382020f64990a2c630b7b9422ca7b7fe2c30646fda3303e6c9

      SHA512

      dfe9d342f3ad543fec8bd278e21ac5059b1c36ed3f735734e9b92d639cb25609f9307862ab2b35ea3e88713f4a652abe5863871225f915462c79d493ac5e1f57

    • C:\Windows\SysWOW64\GQULCE\AKV.exe

      Filesize

      456KB

      MD5

      48cfaed4d566c34716326302b49bdad2

      SHA1

      566e0989b6bc7ed205f9ae250ea98e3a4d7fba52

      SHA256

      54c2e10de3ed7135d20c239a7f656c6ff57d1158607fa4c6779e042681de87ea

      SHA512

      96c871ed9af039142aab5904021d3ef3f75a58c5cc1fdf4d59e40e3699fd03e7cff384b788f7359a1de519ebdcafdad55891fef4f67e2c216ea89ebc945996a0

    • memory/1172-17-0x0000000000650000-0x0000000000651000-memory.dmp

      Filesize

      4KB

    • memory/1172-22-0x0000000000650000-0x0000000000651000-memory.dmp

      Filesize

      4KB