Analysis
-
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 19-01-2024 11:29
Static task: static1
Behavioral task: behavioral1
  Sample: 67828d5328ffd67101fef37f4d87a438.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 67828d5328ffd67101fef37f4d87a438.exe
  Resource: win10v2004-20231215-en
General
-
Target: 67828d5328ffd67101fef37f4d87a438.exe
Size: 1.3MB
MD5: 67828d5328ffd67101fef37f4d87a438
SHA1: 787730bbe152a3b8b4ce266399b860c9a9fa4d88
SHA256: e55d71db4bff8fc80937747b48a0458bb3658b20be8b2a714a29d131bc5e3b4f
SHA512: f8df6a02c52fcc17fd8974a42829f04536259f5ed25fc86999a0e21ce92e5fae017a5a01e707e66c0717555c4ea75b9efe1135ecb845810a1a32472e4a2e772c
SSDEEP: 24576:Xk/ATiAmrLvqsPpSQaoCRM5SdoM6ELZmqq4UJ2tbNwsX4B1ogtm3/kaQL:0oT5mrXPpSQaoiMq63qqwNli1ogtY/
Malware Config
Signatures
-
Ardamax main executable 1 IoCs
Processes:
resource                  yara_rule
\Windows\JEVKYI\QST.exe   family_ardamax
-
Executes dropped EXE 1 IoCs
Processes: QST.exe
pid   process
2404  QST.exe
-
Loads dropped DLL 3 IoCs
Processes: 67828d5328ffd67101fef37f4d87a438.exe, QST.exe
pid   process
1536  67828d5328ffd67101fef37f4d87a438.exe
2404  QST.exe
1536  67828d5328ffd67101fef37f4d87a438.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: QST.exe
description      ioc                                                                                                                process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QST Start = "C:\\Windows\\JEVKYI\\QST.exe"  QST.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Windows directory 7 IoCs
Processes: 67828d5328ffd67101fef37f4d87a438.exe, QST.exe
description                   ioc                        process
File created                  C:\Windows\JEVKYI\AKV.exe  67828d5328ffd67101fef37f4d87a438.exe
File created                  C:\Windows\JEVKYI\QST.003  67828d5328ffd67101fef37f4d87a438.exe
File created                  C:\Windows\JEVKYI\QST.exe  67828d5328ffd67101fef37f4d87a438.exe
File opened for modification  C:\Windows\JEVKYI\         QST.exe
File created                  C:\Windows\JEVKYI\QST.004  67828d5328ffd67101fef37f4d87a438.exe
File created                  C:\Windows\JEVKYI\QST.001  67828d5328ffd67101fef37f4d87a438.exe
File created                  C:\Windows\JEVKYI\QST.002  67828d5328ffd67101fef37f4d87a438.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: 7zFM.exe
pid   process
3056  7zFM.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: QST.exe, 7zFM.exe
description                        pid   process
Token: 33                          2404  QST.exe
Token: SeIncBasePriorityPrivilege  2404  QST.exe
Token: SeRestorePrivilege          3056  7zFM.exe
Token: 35                          3056  7zFM.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: 7zFM.exe
pid   process
3056  7zFM.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: QST.exe
pid   process
2404  QST.exe
2404  QST.exe
2404  QST.exe
2404  QST.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes: 67828d5328ffd67101fef37f4d87a438.exe
description                       pid   process                               target process
PID 1536 wrote to memory of 2404  1536  67828d5328ffd67101fef37f4d87a438.exe  QST.exe
PID 1536 wrote to memory of 2404  1536  67828d5328ffd67101fef37f4d87a438.exe  QST.exe
PID 1536 wrote to memory of 2404  1536  67828d5328ffd67101fef37f4d87a438.exe  QST.exe
PID 1536 wrote to memory of 2404  1536  67828d5328ffd67101fef37f4d87a438.exe  QST.exe
PID 1536 wrote to memory of 3056  1536  67828d5328ffd67101fef37f4d87a438.exe  7zFM.exe
PID 1536 wrote to memory of 3056  1536  67828d5328ffd67101fef37f4d87a438.exe  7zFM.exe
PID 1536 wrote to memory of 3056  1536  67828d5328ffd67101fef37f4d87a438.exe  7zFM.exe
PID 1536 wrote to memory of 3056  1536  67828d5328ffd67101fef37f4d87a438.exe  7zFM.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438.exe (tree depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438.exe"
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID: 1536
-
  C:\Windows\JEVKYI\QST.exe (tree depth 2)
  Command line: "C:\Windows\JEVKYI\QST.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 2404
  -
  C:\Program Files\7-Zip\7zFM.exe (tree depth 2)
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\White-hatV.10Wallhack.rar"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 3056
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 133KB
MD5: 268ef2330ab151d5fb3c2eb04e104a28
SHA1: 9f162ef41454ae8906502aac2977b9284c0085b5
SHA256: 4cbf6bcad6af03882117708d1ef1ba223ba3e561695aeae31de7d9691e28f1ba
SHA512: 94dceb1ba51df699e9c89d701d6c1ac8aedf4c714dee6b23d29b3e976d75b067b9dc1e18d071a2f0b7760e99c089002c1578571e588b52b1d1663c5683c04cad
-
Filesize: 463KB
MD5: eb916da4abe4ff314662089013c8f832
SHA1: 1e7e611cc6922a2851bcf135806ab51cdb499efa
SHA256: 96af80e7ba0f3997d59ebcb5ecef619f980d71ca29113e2cd2f2e8adcdea3061
SHA512: d0dbe1d1612982b9cd2a3ed3cbd3e3b5be49237f580f91d5e5d5b6d20ed4dc0babb69a666c19bf4e0f10776a43b9b1dcda91a4cd381ce3705b1795ef9d731c8b
-
Filesize: 61KB
MD5: 425ff37c76030ca0eb60321eedd4afdd
SHA1: 7dde5e9ce5c4057d3db149f323fa43ed29d90e09
SHA256: 70b00b09ae76a7ecfd6680ab22df546b17826755087c069fc87d14895e1a4e24
SHA512: ef5ff97c0d682b6155eff8f92dace1789cf01ca8bca55af1c1d0f2243b5e18bc12a657bb2bb12601b51ef9e1b942f02feb8462644da291fd1b2239c34ef2b59b
-
Filesize: 43KB
MD5: 12fb4f589942682a478b7c7881dfcba2
SHA1: a3d490c6cda965708a1ff6a0dc4e88037e0d6336
SHA256: 4de0c277800ae36b85a11ed9765f732a73578d4dce053ff7179f96ab776fb60d
SHA512: dd1c6a4ea5bc9698701ec941c4e90fe8dfb0993dc321edc052d1a80cc49bc46be665a85ec678876e698de60cda5dbf1d6279742a16d648f9d18e642a3ea33ddd
-
Filesize: 68KB
MD5: f47e8f65618e1b1f7e1720713f5a8c4c
SHA1: abad8e9e13b1e41f2af86e3c16526c6f2d05d952
SHA256: f170be2582c82ea131e1f688eea6e1cd17d14e6a9bb805b6aed2791e625a74d8
SHA512: 635d617dbd15d00e2f7470857531b9820439a8816f2c74b3d83156599537ff42e26ea7d769863f2768eb2770ba9c47b1a10eb3e2677fe92b9eda6ae51da18dcb
-
Filesize: 1KB
MD5: 8ebb21a9b2a6004661b2842a01fc1dbe
SHA1: 1b422d7715ce3819d35bcda5f9c7cd62059c8a00
SHA256: 7bcf2bef8434be143c6ee76039f14f4e30be73843fda6b40a549552974bfb639
SHA512: 7589d6bdddcd24d03ebc3dba01e759b51ac9e9bb93d22d87152b3950a7650f2b6d83631e79f7b8f417b5ee4574dd558e93d83ac26be994430a1e2447b5beb1cb
-
Filesize: 1.5MB
MD5: f8530f0dfe90c7c1e20239b0a7643041
SHA1: 3e0208ab84b8444a69c8d62ad0b81c4186395802
SHA256: 734439c4049ae1a832b4cc5c8d227112106406945d1a7cbb355e11a3f5e356c4
SHA512: 5cb01517938789e006e00d69729ae7d73ad480f1ae17a80059bf81ee5d9cebb1263a35732c84f03d742684a650b116b13e6731ca80b0b9cdb3908e5588649399