Analysis

  • max time kernel
    190s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-01-2024 19:41

General

  • Target

    65df3c385d174f9e211757b25925be30.exe

  • Size

    522KB

  • MD5

    65df3c385d174f9e211757b25925be30

  • SHA1

    9261218e9c7be26305f7b45831d95f152be4e54f

  • SHA256

    14a3df7dce7912f61f40a0b29ee4f82d2a9c369cd9f294916ad317a7a3c4b77b

  • SHA512

    efe3da4609793472d0bc0d96290130b9fa566c9c94bb20082bd4ed0d058ca6cab81306958f1e50329dee4327311ec04e856c29630814a19f796f73d48e8f5a58

  • SSDEEP

    12288:/deqXOJiv3MUFdFWcst1BYrySd88OqFXXaoUjCkf5Vk/I+ZzMg8h:wqXqUjdFM1aryq88OqB4Ckf5VYXFu

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\65df3c385d174f9e211757b25925be30.exe
    "C:\Users\Admin\AppData\Local\Temp\65df3c385d174f9e211757b25925be30.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2596
    • C:\Windows\SysWOW64\Sys32\EXNL.exe
      "C:\Windows\system32\Sys32\EXNL.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2568
    • C:\Users\Admin\AppData\Local\Temp\telock.exe
      "C:\Users\Admin\AppData\Local\Temp\telock.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1712

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\Sys32\AKV.exe

    Filesize

    389KB

    MD5

    53a578b112aeb18c5993556d4440ade1

    SHA1

    e51f2fcc784def3cc5ff594edfee5e25f1e9818c

    SHA256

    9170ccd49c118818a83d6ec5264e58519a986671828a144b70d9f601afd29156

    SHA512

    31357e35a4d31483951a7fbd0d774dffd880c8451e2410226dcfb8f8b1c24422febba81ae91aa2e5bb482bc0e662060f772417239e7e7a11c3c36ff8d716f352

  • C:\Windows\SysWOW64\Sys32\EXNL.001

    Filesize

    462B

    MD5

    3070f8614d6f90cf41af99751b29bd12

    SHA1

    41b71ee0b6f14a299853901c6108eabe6a02736f

    SHA256

    bd316b9c54220d6af7ebc0a42c1aea09115a369b9f841e9e83ccfe8256aa3f41

    SHA512

    379dc61aca4bad7aeb4c478a1c50f9c87aa3cd9915138235e23337614e40bac1f0d1754d4c05a48ea1388a89d341daa483a14ff435cbf64e42e05b7af1feba02

  • C:\Windows\SysWOW64\Sys32\EXNL.006

    Filesize

    7KB

    MD5

    504f5a7e8447c65bc2218bb3d47c309b

    SHA1

    5d2d703cfa8b1c0fab1b13b01e2250e246e2eb44

    SHA256

    81f383d6a9a90d1587af3f2903d9fd4ce4b4843aa285928ba731a3ee8f60c39f

    SHA512

    b90427bc146e30a5db47aaea4d7ac559db679f64ce490eb2195106acbc3d266442d71a7c0b00762203010436ed86bc84ef59bc3269b7611f9a6b5025fc85190b

  • C:\Windows\SysWOW64\Sys32\EXNL.007

    Filesize

    5KB

    MD5

    22e9e9b13c2c676bec39178311d55253

    SHA1

    da60379e518feeb798005065dcf626a74afe1848

    SHA256

    3a77698cfcbbc40473f163c76838e6509c52bd6ffb97ba9d144ccd25ef5c7e14

    SHA512

    1d3b7eb4dcaa969a49786f1f55caa731e2e82dc79896985d50aa225fd7071bef521a6d85f56ee249db518cf0fc4a53f942299328bf54862307f742d3a6ca3dcc

  • \Users\Admin\AppData\Local\Temp\@7520.tmp

    Filesize

    3KB

    MD5

    14c3321783fac66161b308d34c5b0eac

    SHA1

    021b4f77e27d6e0b032158936a752e27cdde09fa

    SHA256

    09e6cfa1698ed3cd3592fa4ed36eb970fa599cb86ce6975f5ef90dfbaf6a2f21

    SHA512

    9ba6f2992164e7e98084e3c3b5a4cd231edeca22b784d01e5e98078ed19a1114ba9f837aa77ec3303bfcff6fa6a7a3b4588ee6e3a444eb35fc5e8c1d732825ad

  • \Users\Admin\AppData\Local\Temp\telock.exe

    Filesize

    54KB

    MD5

    c4c3f834ab76c1cbc4cd318fab2373e3

    SHA1

    8cc449dfafc02317fc06a460c20ae48b8350d114

    SHA256

    5203aa4b6ad2d63fc8c7f6a05fb72b6ac75985ee8077820b47faa5a1b97c13c1

    SHA512

    ebefdeda797c67949f267fc6a158067a019689e14615329459ecee2ffc2914757850d409ceb1bdcf6a40dd6f92daa14d0f44c7bafeb902453aa9a96c7cd652bb

  • \Windows\SysWOW64\Sys32\EXNL.exe

    Filesize

    475KB

    MD5

    9c3ff825312190802dc56c7b0d0ccebd

    SHA1

    58e200c00382b3d13c81c9e829da065ed45f5928

    SHA256

    e55fbc08da9dc8bfb13b1d649e117540ee2c416a678eafa40e49088c2864dcc4

    SHA512

    513f6e3ab1bc31d01c1730c04313a39df5f9a5e30db70699df0507fff4c82f36706a637d32f532985e551a5a835682ebdc077560fee2f9741cba7767a86b7968

  • memory/1712-38-0x0000000077D0F000-0x0000000077D10000-memory.dmp

    Filesize

    4KB

  • memory/1712-39-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2568-23-0x0000000000250000-0x0000000000251000-memory.dmp

    Filesize

    4KB

  • memory/2568-40-0x0000000000250000-0x0000000000251000-memory.dmp

    Filesize

    4KB