Analysis
max time kernel: 141s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-01-2024 19:41
Static task: static1
Behavioral task: behavioral1
  Sample: 65df3c385d174f9e211757b25925be30.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 65df3c385d174f9e211757b25925be30.exe
  Resource: win10v2004-20231222-en
General
Target: 65df3c385d174f9e211757b25925be30.exe
Size: 522KB
MD5: 65df3c385d174f9e211757b25925be30
SHA1: 9261218e9c7be26305f7b45831d95f152be4e54f
SHA256: 14a3df7dce7912f61f40a0b29ee4f82d2a9c369cd9f294916ad317a7a3c4b77b
SHA512: efe3da4609793472d0bc0d96290130b9fa566c9c94bb20082bd4ed0d058ca6cab81306958f1e50329dee4327311ec04e856c29630814a19f796f73d48e8f5a58
SSDEEP: 12288:/deqXOJiv3MUFdFWcst1BYrySd88OqFXXaoUjCkf5Vk/I+ZzMg8h:wqXqUjdFM1aryq88OqB4Ckf5VYXFu
Malware Config
Signatures
Ardamax main executable (1 IoC)
  resource: C:\Windows\SysWOW64\Sys32\EXNL.exe  yara_rule: family_ardamax
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely used for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation  (process: 65df3c385d174f9e211757b25925be30.exe)
Executes dropped EXE (2 IoCs)
  PID 448   EXNL.exe
  PID 1876  telock.exe
Loads dropped DLL (7 IoCs)
  PID 4808  65df3c385d174f9e211757b25925be30.exe  (1 load)
  PID 448   EXNL.exe  (3 loads)
  PID 1876  telock.exe  (3 loads)
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EXNL Agent = "C:\\Windows\\SysWOW64\\Sys32\\EXNL.exe"  (process: EXNL.exe)
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
Drops file in System32 directory (8 IoCs)
  File created: C:\Windows\SysWOW64\Sys32\EXNL.006  (process: 65df3c385d174f9e211757b25925be30.exe)
  File created: C:\Windows\SysWOW64\Sys32\EXNL.007  (process: 65df3c385d174f9e211757b25925be30.exe)
  File created: C:\Windows\SysWOW64\Sys32\EXNL.exe  (process: 65df3c385d174f9e211757b25925be30.exe)
  File created: C:\Windows\SysWOW64\Sys32\AKV.exe  (process: 65df3c385d174f9e211757b25925be30.exe)
  File opened for modification: C:\Windows\SysWOW64\Sys32  (process: EXNL.exe)
  File created: C:\Windows\SysWOW64\Sys32\EXNL.009  (process: EXNL.exe)
  File opened for modification: C:\Windows\SysWOW64\Sys32\EXNL.009  (process: EXNL.exe)
  File created: C:\Windows\SysWOW64\Sys32\EXNL.001  (process: 65df3c385d174f9e211757b25925be30.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: 33  PID 448 EXNL.exe
  Token: SeIncBasePriorityPrivilege  PID 448 EXNL.exe
Suspicious use of SetWindowsHookEx (5 IoCs)
  PID 448  EXNL.exe  (5 calls)
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4808 (65df3c385d174f9e211757b25925be30.exe) wrote to memory of PID 448 (EXNL.exe), 3 times
  PID 4808 (65df3c385d174f9e211757b25925be30.exe) wrote to memory of PID 1876 (telock.exe), 3 times
Processes
C:\Users\Admin\AppData\Local\Temp\65df3c385d174f9e211757b25925be30.exe  "C:\Users\Admin\AppData\Local\Temp\65df3c385d174f9e211757b25925be30.exe"  (PID 4808, level 1)
  - Checks computer location settings
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\Sys32\EXNL.exe  "C:\Windows\system32\Sys32\EXNL.exe"  (PID 448, level 2, under PID 4808)
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\telock.exe  "C:\Users\Admin\AppData\Local\Temp\telock.exe"  (PID 1876, level 2, under PID 4808)
    - Executes dropped EXE
    - Loads dropped DLL
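The behaviours listed above (Geo\Nation lookup, files dropped under SysWOW64\Sys32, a Run value under WOW6432Node pointing into that directory, and a child executed from it by a process in the user's Temp folder) turned into hunting logic over host telemetry. This is an added example and not part of the Triage report or of the sample; the event records below are constructed to mirror the report's IoCs, and the record schema (type, pid, image, parent_image, sha256, target, key, value) is an assumption of this example, not a real log export. One caveat the report itself exposes: the child's command line names C:\Windows\system32\Sys32\EXNL.exe while its image is at C:\Windows\SysWOW64\Sys32\EXNL.exe, because a 32-bit process on x64 has its System32 file writes redirected to SysWOW64 and its HKLM\SOFTWARE writes to WOW6432Node. A rule keyed on only one spelling misses the other, so the code below matches both.

```python
"""Hunt telemetry for the behaviours the report attributes to the dropper and its
Ardamax payload.  Added example, not part of the sandbox report.  The event
records are CONSTRUCTED to mirror the report's IoCs; the record schema is our
own assumption and not a real log export."""
import re
from collections import defaultdict

# Taken from the report's General section.
SAMPLE_SHA256 = "14a3df7dce7912f61f40a0b29ee4f82d2a9c369cd9f294916ad317a7a3c4b77b"

# The 32-bit dropper asks for C:\Windows\System32\Sys32 (see the child's command
# line), but WoW64 file-system redirection lands it in SysWOW64.  Match both
# spellings so neither the requested nor the actual path is missed.
DROP_DIRS = ("c:\\windows\\syswow64\\sys32\\", "c:\\windows\\system32\\sys32\\")

RUN_KEY = re.compile(r"\\microsoft\\windows\\currentversion\\run\\[^\\]+$", re.I)
GEO_NATION = re.compile(r"\\control panel\\international\\geo\\nation$", re.I)
SIDECAR = re.compile(r"\.00\d$")  # EXNL.001/.006/.007/.009 companion files


def _under_drop_dir(path):
    """True when a (possibly quoted) path lies inside the drop directory."""
    p = path.strip('"').lower().replace("/", "\\")
    return any(p.startswith(d) for d in DROP_DIRS)


def hunt(events):
    """Return (rule, pid, detail) tuples for every event matching a reported behaviour."""
    hits = []
    for ev in events:
        kind, pid = ev["type"], ev["pid"]
        if kind == "process":
            parent = ev.get("parent_image", "").lower()
            if _under_drop_dir(ev["image"]) and "\\appdata\\local\\temp\\" in parent:
                hits.append(("exec_from_sys32_dropdir", pid, ev["image"]))
            if ev.get("sha256", "").lower() == SAMPLE_SHA256:
                hits.append(("known_sample_hash", pid, ev["image"]))
        elif kind == "file_create" and _under_drop_dir(ev["target"]):
            rule = "ardamax_sidecar_dropped" if SIDECAR.search(ev["target"]) else "drop_in_sys32_dropdir"
            hits.append((rule, pid, ev["target"]))
        elif kind == "reg_set":
            # Persistence only counts when the Run value points into the drop
            # directory; a vendor updater under Program Files matches the key only.
            if RUN_KEY.search(ev["key"]) and _under_drop_dir(ev["value"]):
                hits.append(("run_key_persistence", pid, ev["key"]))
        elif kind == "reg_query" and GEO_NATION.search(ev["key"]):
            hits.append(("geo_nation_lookup", pid, ev["key"]))
    return hits


def triage(events):
    """Per-PID verdict: 'high' on persistence, a known hash, or two independent behaviours."""
    rules = defaultdict(set)
    for rule, pid, _ in hunt(events):
        rules[pid].add(rule)
    return {pid: ("high" if ({"run_key_persistence", "known_sample_hash"} & r or len(r) >= 2) else "review")
            for pid, r in rules.items()}


# CONSTRUCTED events mirroring the report; PIDs and paths come from the report,
# the parent/child relations from the process tree.  The last record is a benign
# control (hypothetical vendor updater) that must not fire.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\65df3c385d174f9e211757b25925be30.exe"
EVENTS = [
    {"type": "process", "pid": 4808, "image": DROPPER, "sha256": SAMPLE_SHA256},
    {"type": "reg_query", "pid": 4808,
     "key": r"\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation"},
    {"type": "file_create", "pid": 4808, "target": r"C:\Windows\SysWOW64\Sys32\EXNL.exe"},
    {"type": "file_create", "pid": 4808, "target": r"C:\Windows\SysWOW64\Sys32\EXNL.006"},
    {"type": "file_create", "pid": 4808, "target": r"C:\Windows\SysWOW64\Sys32\AKV.exe"},
    {"type": "process", "pid": 448, "image": r"C:\Windows\SysWOW64\Sys32\EXNL.exe", "parent_image": DROPPER},
    {"type": "reg_set", "pid": 448,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EXNL Agent",
     "value": r'"C:\Windows\SysWOW64\Sys32\EXNL.exe"'},
    {"type": "file_create", "pid": 448, "target": r"C:\Windows\SysWOW64\Sys32\EXNL.009"},
    {"type": "process", "pid": 1876, "image": r"C:\Users\Admin\AppData\Local\Temp\telock.exe", "parent_image": DROPPER},
    {"type": "reg_set", "pid": 999,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r'"C:\Program Files\Vendor\updater.exe"'},
]

if __name__ == "__main__":
    for rule, pid, detail in hunt(EVENTS):
        print(f"{rule:<26} pid={pid:<5} {detail}")
    print(triage(EVENTS))
```

Run stand-alone it prints eight hits for PIDs 4808 and 448 and rates both high; telock.exe (PID 1876) produces no hit on its own, since the report records nothing beyond its execution from Temp, and the control Run entry is ignored because its value points outside the drop directory.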
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3KB
MD5: 14c3321783fac66161b308d34c5b0eac
SHA1: 021b4f77e27d6e0b032158936a752e27cdde09fa
SHA256: 09e6cfa1698ed3cd3592fa4ed36eb970fa599cb86ce6975f5ef90dfbaf6a2f21
SHA512: 9ba6f2992164e7e98084e3c3b5a4cd231edeca22b784d01e5e98078ed19a1114ba9f837aa77ec3303bfcff6fa6a7a3b4588ee6e3a444eb35fc5e8c1d732825ad

Filesize: 54KB
MD5: c4c3f834ab76c1cbc4cd318fab2373e3
SHA1: 8cc449dfafc02317fc06a460c20ae48b8350d114
SHA256: 5203aa4b6ad2d63fc8c7f6a05fb72b6ac75985ee8077820b47faa5a1b97c13c1
SHA512: ebefdeda797c67949f267fc6a158067a019689e14615329459ecee2ffc2914757850d409ceb1bdcf6a40dd6f92daa14d0f44c7bafeb902453aa9a96c7cd652bb

Filesize: 389KB
MD5: 53a578b112aeb18c5993556d4440ade1
SHA1: e51f2fcc784def3cc5ff594edfee5e25f1e9818c
SHA256: 9170ccd49c118818a83d6ec5264e58519a986671828a144b70d9f601afd29156
SHA512: 31357e35a4d31483951a7fbd0d774dffd880c8451e2410226dcfb8f8b1c24422febba81ae91aa2e5bb482bc0e662060f772417239e7e7a11c3c36ff8d716f352

Filesize: 462B
MD5: 3070f8614d6f90cf41af99751b29bd12
SHA1: 41b71ee0b6f14a299853901c6108eabe6a02736f
SHA256: bd316b9c54220d6af7ebc0a42c1aea09115a369b9f841e9e83ccfe8256aa3f41
SHA512: 379dc61aca4bad7aeb4c478a1c50f9c87aa3cd9915138235e23337614e40bac1f0d1754d4c05a48ea1388a89d341daa483a14ff435cbf64e42e05b7af1feba02

Filesize: 7KB
MD5: 504f5a7e8447c65bc2218bb3d47c309b
SHA1: 5d2d703cfa8b1c0fab1b13b01e2250e246e2eb44
SHA256: 81f383d6a9a90d1587af3f2903d9fd4ce4b4843aa285928ba731a3ee8f60c39f
SHA512: b90427bc146e30a5db47aaea4d7ac559db679f64ce490eb2195106acbc3d266442d71a7c0b00762203010436ed86bc84ef59bc3269b7611f9a6b5025fc85190b

Filesize: 5KB
MD5: 22e9e9b13c2c676bec39178311d55253
SHA1: da60379e518feeb798005065dcf626a74afe1848
SHA256: 3a77698cfcbbc40473f163c76838e6509c52bd6ffb97ba9d144ccd25ef5c7e14
SHA512: 1d3b7eb4dcaa969a49786f1f55caa731e2e82dc79896985d50aa225fd7071bef521a6d85f56ee249db518cf0fc4a53f942299328bf54862307f742d3a6ca3dcc

Filesize: 475KB
MD5: 9c3ff825312190802dc56c7b0d0ccebd
SHA1: 58e200c00382b3d13c81c9e829da065ed45f5928
SHA256: e55fbc08da9dc8bfb13b1d649e117540ee2c416a678eafa40e49088c2864dcc4
SHA512: 513f6e3ab1bc31d01c1730c04313a39df5f9a5e30db70699df0507fff4c82f36706a637d32f532985e551a5a835682ebdc077560fee2f9741cba7767a86b7968