Analysis
- max time kernel: 141s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-01-2024 01:23
Static task: static1
Behavioral task: behavioral1
- Sample: 641cd74ae74576b277820fea5bdb9aec.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 641cd74ae74576b277820fea5bdb9aec.exe
- Resource: win10v2004-20231215-en
General
- Target: 641cd74ae74576b277820fea5bdb9aec.exe
- Size: 1.2MB
- MD5: 641cd74ae74576b277820fea5bdb9aec
- SHA1: e78a0b0310d7a4bf7fb550ccf436ec9bf9b1c0a1
- SHA256: aeae5d2ac39cc5f21e360b31a9185f9633321d13a57c3da8768db40be55855ea
- SHA512: ec99f2e7800bbdd779303bf94eb4f3a9976484e7ebac6ebe91b78859d4f0951e7d5e99af5e354ce5fb41325272e064f8bc2161c7e267dfd8a4bf4607d720b5b1
- SSDEEP: 24576:7uNOTWMB/bNvL6Cj64QdGyW+ztvRa/y7GenwMvkb02r8rON0gn8k8NTV5nj:7ucTWqLFr9AtJqnenwMk02r8rON94
Malware Config
Signatures

Ardamax main executable (1 IoC)
- resource: C:\Windows\SysWOW64\EXKMTO\SNC.exe, yara_rule: family_ardamax

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation, process: 641cd74ae74576b277820fea5bdb9aec.exe

Executes dropped EXE (1 IoC)
- PID 2056 SNC.exe

Loads dropped DLL (1 IoC)
- PID 2056 SNC.exe

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SNC Start = "C:\\Windows\\SysWOW64\\EXKMTO\\SNC.exe", process: SNC.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in System32 directory (6 IoCs)
- File created: C:\Windows\SysWOW64\EXKMTO\SNC.exe, process: 641cd74ae74576b277820fea5bdb9aec.exe
- File opened for modification: C:\Windows\SysWOW64\EXKMTO\, process: SNC.exe
- File created: C:\Windows\SysWOW64\EXKMTO\SNC.004, process: 641cd74ae74576b277820fea5bdb9aec.exe
- File created: C:\Windows\SysWOW64\EXKMTO\SNC.001, process: 641cd74ae74576b277820fea5bdb9aec.exe
- File created: C:\Windows\SysWOW64\EXKMTO\SNC.002, process: 641cd74ae74576b277820fea5bdb9aec.exe
- File created: C:\Windows\SysWOW64\EXKMTO\AKV.exe, process: 641cd74ae74576b277820fea5bdb9aec.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 2056 SNC.exe
- PID 2056 SNC.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: 33, PID 2056 SNC.exe
- Token: SeIncBasePriorityPrivilege, PID 2056 SNC.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
- PID 2056 SNC.exe
- PID 2056 SNC.exe
- PID 2056 SNC.exe
- PID 2056 SNC.exe

Suspicious use of WriteProcessMemory (3 IoCs)
- PID 3820 (641cd74ae74576b277820fea5bdb9aec.exe) wrote to memory of PID 2056 (SNC.exe)
- PID 3820 (641cd74ae74576b277820fea5bdb9aec.exe) wrote to memory of PID 2056 (SNC.exe)
- PID 3820 (641cd74ae74576b277820fea5bdb9aec.exe) wrote to memory of PID 2056 (SNC.exe)
Processes

C:\Users\Admin\AppData\Local\Temp\641cd74ae74576b277820fea5bdb9aec.exe (PID 3820, tree depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\641cd74ae74576b277820fea5bdb9aec.exe"
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\EXKMTO\SNC.exe (PID 2056, tree depth 2, child of PID 3820)
  Command line: "C:\Windows\system32\EXKMTO\SNC.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads