Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    19-01-2024 11:29

General

  • Target

    67828d5328ffd67101fef37f4d87a438.exe

  • Size

    1.3MB

  • MD5

    67828d5328ffd67101fef37f4d87a438

  • SHA1

    787730bbe152a3b8b4ce266399b860c9a9fa4d88

  • SHA256

    e55d71db4bff8fc80937747b48a0458bb3658b20be8b2a714a29d131bc5e3b4f

  • SHA512

    f8df6a02c52fcc17fd8974a42829f04536259f5ed25fc86999a0e21ce92e5fae017a5a01e707e66c0717555c4ea75b9efe1135ecb845810a1a32472e4a2e772c

  • SSDEEP

    24576:Xk/ATiAmrLvqsPpSQaoCRM5SdoM6ELZmqq4UJ2tbNwsX4B1ogtm3/kaQL:0oT5mrXPpSQaoiMq63qqwNli1ogtY/

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438.exe
    "C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1536
    • C:\Windows\JEVKYI\QST.exe
      "C:\Windows\JEVKYI\QST.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2404
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\White-hatV.10Wallhack.rar"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:3056

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\White-hatV.10Wallhack.rar

    Filesize

    133KB

    MD5

    268ef2330ab151d5fb3c2eb04e104a28

    SHA1

    9f162ef41454ae8906502aac2977b9284c0085b5

    SHA256

    4cbf6bcad6af03882117708d1ef1ba223ba3e561695aeae31de7d9691e28f1ba

    SHA512

    94dceb1ba51df699e9c89d701d6c1ac8aedf4c714dee6b23d29b3e976d75b067b9dc1e18d071a2f0b7760e99c089002c1578571e588b52b1d1663c5683c04cad

  • C:\Windows\JEVKYI\AKV.exe

    Filesize

    463KB

    MD5

    eb916da4abe4ff314662089013c8f832

    SHA1

    1e7e611cc6922a2851bcf135806ab51cdb499efa

    SHA256

    96af80e7ba0f3997d59ebcb5ecef619f980d71ca29113e2cd2f2e8adcdea3061

    SHA512

    d0dbe1d1612982b9cd2a3ed3cbd3e3b5be49237f580f91d5e5d5b6d20ed4dc0babb69a666c19bf4e0f10776a43b9b1dcda91a4cd381ce3705b1795ef9d731c8b

  • C:\Windows\JEVKYI\QST.001

    Filesize

    61KB

    MD5

    425ff37c76030ca0eb60321eedd4afdd

    SHA1

    7dde5e9ce5c4057d3db149f323fa43ed29d90e09

    SHA256

    70b00b09ae76a7ecfd6680ab22df546b17826755087c069fc87d14895e1a4e24

    SHA512

    ef5ff97c0d682b6155eff8f92dace1789cf01ca8bca55af1c1d0f2243b5e18bc12a657bb2bb12601b51ef9e1b942f02feb8462644da291fd1b2239c34ef2b59b

  • C:\Windows\JEVKYI\QST.002

    Filesize

    43KB

    MD5

    12fb4f589942682a478b7c7881dfcba2

    SHA1

    a3d490c6cda965708a1ff6a0dc4e88037e0d6336

    SHA256

    4de0c277800ae36b85a11ed9765f732a73578d4dce053ff7179f96ab776fb60d

    SHA512

    dd1c6a4ea5bc9698701ec941c4e90fe8dfb0993dc321edc052d1a80cc49bc46be665a85ec678876e698de60cda5dbf1d6279742a16d648f9d18e642a3ea33ddd

  • C:\Windows\JEVKYI\QST.003

    Filesize

    68KB

    MD5

    f47e8f65618e1b1f7e1720713f5a8c4c

    SHA1

    abad8e9e13b1e41f2af86e3c16526c6f2d05d952

    SHA256

    f170be2582c82ea131e1f688eea6e1cd17d14e6a9bb805b6aed2791e625a74d8

    SHA512

    635d617dbd15d00e2f7470857531b9820439a8816f2c74b3d83156599537ff42e26ea7d769863f2768eb2770ba9c47b1a10eb3e2677fe92b9eda6ae51da18dcb

  • C:\Windows\JEVKYI\QST.004

    Filesize

    1KB

    MD5

    8ebb21a9b2a6004661b2842a01fc1dbe

    SHA1

    1b422d7715ce3819d35bcda5f9c7cd62059c8a00

    SHA256

    7bcf2bef8434be143c6ee76039f14f4e30be73843fda6b40a549552974bfb639

    SHA512

    7589d6bdddcd24d03ebc3dba01e759b51ac9e9bb93d22d87152b3950a7650f2b6d83631e79f7b8f417b5ee4574dd558e93d83ac26be994430a1e2447b5beb1cb

  • \Windows\JEVKYI\QST.exe

    Filesize

    1.5MB

    MD5

    f8530f0dfe90c7c1e20239b0a7643041

    SHA1

    3e0208ab84b8444a69c8d62ad0b81c4186395802

    SHA256

    734439c4049ae1a832b4cc5c8d227112106406945d1a7cbb355e11a3f5e356c4

    SHA512

    5cb01517938789e006e00d69729ae7d73ad480f1ae17a80059bf81ee5d9cebb1263a35732c84f03d742684a650b116b13e6731ca80b0b9cdb3908e5588649399

  • memory/2404-18-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/2404-22-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB