Analysis
max time kernel: 137s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-01-2024 12:47
Static task: static1
Behavioral task: behavioral1
  Sample: 67a8d8448eb6c623a85a1955b3458757.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 67a8d8448eb6c623a85a1955b3458757.exe
  Resource: win10v2004-20231215-en
General
Target: 67a8d8448eb6c623a85a1955b3458757.exe
Size: 1.4MB
MD5: 67a8d8448eb6c623a85a1955b3458757
SHA1: ab3460b63b92d7326a399cf891280ce3ba7fa492
SHA256: 07641c7d357377a5d16a0ef703908297c4d0dd7963fa0b7616f59f7689b47d1b
SHA512: 5acac5b9ec3fd7c15aba067218ec7ea0c24c0d4ab0930697bd2634e83f09a141b5cde9b9702879d8270e44d56019140bbb163dcf680941387ee222ae23254d83
SSDEEP: 24576:U0NzTDx46aE4TrzTLN5SbPUU6bjeYCey0sGSISh5Uf68EEL2G:U0pTDx4xvfLNwj9f3GS/XUf68ES2
Malware Config
Signatures
Ardamax main executable (1 IoC)
  resource | yara_rule
  C:\Windows\SysWOW64\RPANNB\CRO.exe | family_ardamax

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | 67a8d8448eb6c623a85a1955b3458757.exe

Executes dropped EXE (1 IoC)
  pid | process
  232 | CRO.exe

Loads dropped DLL (1 IoC)
  pid | process
  232 | CRO.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CRO Start = "C:\\Windows\\SysWOW64\\RPANNB\\CRO.exe" | CRO.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in System32 directory (6 IoCs)
  description | ioc | process
  File created | C:\Windows\SysWOW64\RPANNB\CRO.004 | 67a8d8448eb6c623a85a1955b3458757.exe
  File created | C:\Windows\SysWOW64\RPANNB\CRO.001 | 67a8d8448eb6c623a85a1955b3458757.exe
  File created | C:\Windows\SysWOW64\RPANNB\CRO.002 | 67a8d8448eb6c623a85a1955b3458757.exe
  File created | C:\Windows\SysWOW64\RPANNB\AKV.exe | 67a8d8448eb6c623a85a1955b3458757.exe
  File created | C:\Windows\SysWOW64\RPANNB\CRO.exe | 67a8d8448eb6c623a85a1955b3458757.exe
  File opened for modification | C:\Windows\SysWOW64\RPANNB\ | CRO.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  232 | CRO.exe
  232 | CRO.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: 33 | 232 | CRO.exe
  Token: SeIncBasePriorityPrivilege | 232 | CRO.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | process
  232 | CRO.exe
  232 | CRO.exe
  232 | CRO.exe
  232 | CRO.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | process | target process
  PID 1572 wrote to memory of 232 | 1572 | 67a8d8448eb6c623a85a1955b3458757.exe | CRO.exe
  PID 1572 wrote to memory of 232 | 1572 | 67a8d8448eb6c623a85a1955b3458757.exe | CRO.exe
  PID 1572 wrote to memory of 232 | 1572 | 67a8d8448eb6c623a85a1955b3458757.exe | CRO.exe
Processes
C:\Users\Admin\AppData\Local\Temp\67a8d8448eb6c623a85a1955b3458757.exe (PID 1572, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\67a8d8448eb6c623a85a1955b3458757.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\RPANNB\CRO.exe (PID 232, depth 2, child of PID 1572)
    Command line: "C:\Windows\system32\RPANNB\CRO.exe"
    Note: the command line says system32 while the image path says SysWOW64. For this 32-bit process both name the same directory: WOW64 file-system redirection maps C:\Windows\system32 to C:\Windows\SysWOW64, which is also where the parent created the RPANNB\ files listed above.
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
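The signatures and process tree above describe a short persistence chain: the dropper writes a payload directory under C:\Windows\SysWOW64, launches what it wrote, and the child registers itself under the WOW6432Node Run key. The Python below is an added hunting example, not part of the sandbox report and not Ardamax code: it applies those checks to constructed telemetry records that mirror the report's IoCs, plus one benign control. The flat record schema (etype, image, parent_image, target, details, sha256) is an assumed simplification of Sysmon-style events, not Sysmon's real field names; running it against a real event source means mapping those fields first.

```python
"""Hunting logic for the persistence chain in this report.

Added example, not part of the sandbox report and not Ardamax code. The event
records are constructed to mirror the report's IoCs; the flat schema (etype,
image, parent_image, target, details, sha256) is an assumed simplification of
Sysmon-style events, not Sysmon's real field names."""
from __future__ import annotations

import re
from dataclasses import dataclass

# SHA256 values copied from the report's General and Downloads sections.
REPORTED_SHA256 = {
    "07641c7d357377a5d16a0ef703908297c4d0dd7963fa0b7616f59f7689b47d1b",
    "ce666ce776c30251bb1b465d47826c23efaa86ec5ee50b2a4d23a4ceb343ed53",
    "d1edf8e95bc50e5fc944b07c19d643a9a3dc17e6744c718257baf8b79789e540",
    "177c1dcc7f13158445f0b99713e9cad205da86e764940a48d43dc375565b0dec",
    "297249fdf2f32fee9df93c33e8285b2165dc3989d869207662becec986b5699f",
    "cecfadce6fb09b3977c20d15fb40f8f66a1d7e488a4794451d048a598c3417da",
}

# System32 and SysWOW64 are one location here: WOW64 redirects a 32-bit
# process's C:\Windows\system32\X to C:\Windows\SysWOW64\X, which is why the
# report shows a system32 command line but a SysWOW64 image path.
SYSDIR_SUBDIR_FILE = re.compile(
    r"^c:\\windows\\(?:system32|syswow64)\\(?P<sub>[^\\]+)\\[^\\]+$", re.I)
# Matches HKLM\SOFTWARE\... and the native \REGISTRY\MACHINE\SOFTWARE\... form,
# with or without the WOW6432Node view the report shows. RunOnce does not match.
RUN_KEY = re.compile(
    r"\\software\\(?:wow6432node\\)?microsoft\\windows\\currentversion\\run\\", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    evidence: str


def sysdir_subdir(path: str) -> str | None:
    """Subdirectory name if `path` is a file inside a subfolder of System32 or
    SysWOW64 ("RPANNB" for C:\\Windows\\SysWOW64\\RPANNB\\CRO.exe), else None.
    Files directly in System32 do not match, so stock Run entries stay quiet."""
    m = SYSDIR_SUBDIR_FILE.match(path)
    return m.group("sub") if m else None


def run_value_target(key: str, details: str) -> str | None:
    """Executable a Run-key value points at, or None for any other key. The
    report renders registry data quoted with doubled backslashes; normalise."""
    if not RUN_KEY.search(key):
        return None
    return details.strip().strip('"').replace("\\\\", "\\")


def hunt(events: list[dict]) -> list[Finding]:
    """One lone drop into a System32 subdirectory is weak (installers do it);
    the signal is drop + Run value into that subdirectory + dropper spawning
    what it wrote. Findings are returned in event order."""
    findings: list[Finding] = []
    droppers: dict[str, str] = {}  # subdir (lower) -> image that first wrote there
    for e in events:
        img = e["image"]
        if e["etype"] == "FileCreate":
            sub = sysdir_subdir(e["target"])
            if sub:
                droppers.setdefault(sub.lower(), img.lower())
                findings.append(Finding("file_dropped_in_sysdir_subdir", img, e["target"]))
        elif e["etype"] == "RegistryValueSet":
            exe = run_value_target(e["target"], e["details"])
            if exe and sysdir_subdir(exe):
                findings.append(Finding("run_key_into_sysdir_subdir", img,
                                        f'{e["target"]} = "{exe}"'))
        elif e["etype"] == "ProcessCreate":
            sub = sysdir_subdir(img)
            parent = e.get("parent_image", "")
            if sub and droppers.get(sub.lower()) == parent.lower():
                findings.append(Finding("dropped_exe_executed", parent, img))
            if e.get("sha256", "").lower() in REPORTED_SHA256:
                findings.append(Finding("known_sha256", img, e["sha256"]))
    return findings


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\67a8d8448eb6c623a85a1955b3458757.exe"
PAYLOAD = r"C:\Windows\SysWOW64\RPANNB\CRO.exe"
RUN_VALUE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CRO Start"

# Constructed telemetry mirroring the report (not captured logs). The last
# record is a benign control: a stock Run entry pointing straight into System32.
SAMPLE_EVENTS = [
    {"etype": "ProcessCreate", "image": DROPPER, "parent_image": r"C:\Windows\explorer.exe",
     "sha256": "07641c7d357377a5d16a0ef703908297c4d0dd7963fa0b7616f59f7689b47d1b"},
    {"etype": "FileCreate", "image": DROPPER, "target": r"C:\Windows\SysWOW64\RPANNB\CRO.001"},
    {"etype": "FileCreate", "image": DROPPER, "target": r"C:\Windows\SysWOW64\RPANNB\AKV.exe"},
    {"etype": "FileCreate", "image": DROPPER, "target": PAYLOAD},
    {"etype": "ProcessCreate", "image": PAYLOAD, "parent_image": DROPPER},
    {"etype": "RegistryValueSet", "image": PAYLOAD, "target": RUN_VALUE,
     "details": r'"C:\\Windows\\SysWOW64\\RPANNB\\CRO.exe"'},
    {"etype": "RegistryValueSet", "image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
]
```

Two points the example encodes that a copy-paste of the report's paths would miss: a 32-bit dropper that writes to C:\Windows\system32\X lands in C:\Windows\SysWOW64\X under WOW64, so both spellings are normalised before matching, and a single file drop into a System32 subdirectory is weak evidence on its own, since legitimate installers do it too. Treat the chain of drop, Run value into the same subdirectory and the dropper spawning its own payload as the signal, and the known hashes as confirmation rather than the primary detection.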
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 485KB
  MD5: b905540561802896d1609a5709c38795
  SHA1: a265f7c1d428ccece168d36ae1a5f50abfb69e37
  SHA256: ce666ce776c30251bb1b465d47826c23efaa86ec5ee50b2a4d23a4ceb343ed53
  SHA512: 7663654f134f47a8092bae1f3f9d46732d2541ab955e7604d43a0def1e61e2bc039a6753e94d99f1d04b69f55a86f1fb937513671019f1bdf100edb97b24badc

File 2
  Filesize: 61KB
  MD5: f354f72924cdfe4c8afcc85005803b21
  SHA1: 817bf228f2f6fdb45bc54abb30efe96729bd65c8
  SHA256: d1edf8e95bc50e5fc944b07c19d643a9a3dc17e6744c718257baf8b79789e540
  SHA512: 57e837cc6901558fe114f5cf06590dde935daf4bd16eb9bbce76967944e079b615a8da827d46ff27d0b841a1bf9701a86618090cb5b6dd5e1bac1630cdad0233

File 3
  Filesize: 43KB
  MD5: f195701cf2c54d6ceadad943cf5135b8
  SHA1: 9beb03fc097fc58d7375b0511b87ced98a423a08
  SHA256: 177c1dcc7f13158445f0b99713e9cad205da86e764940a48d43dc375565b0dec
  SHA512: f78def1ab431bb2b7b647ec76c063c30a87cabd22605f94cbe4fbb6f757fd54ddf7861d3842a0e369abfce94b68d41dec0fe2322a74f67d9875f561f92b20025

File 4
  Filesize: 1KB
  MD5: 6e618523d4750a4f7f4c1c5fd5d7ec71
  SHA1: a3f6e10b4215fe7990dc7286903437c088cd1f80
  SHA256: 297249fdf2f32fee9df93c33e8285b2165dc3989d869207662becec986b5699f
  SHA512: 5398716e8f0184cdfa7eadfc00c16446745266ff1229664d29239074fd36fc71dd1b2e9fe956cfc19a0bde370c1fb122ff80eec5337dfeaf5faf3da2bbb821b5

File 5
  Filesize: 1.7MB
  MD5: d95623e481661c678a0546e02f10f24c
  SHA1: b6949e68a19b270873764585eb1e82448d1e0717
  SHA256: cecfadce6fb09b3977c20d15fb40f8f66a1d7e488a4794451d048a598c3417da
  SHA512: dee02644d92ed30e88bb10e9dcdba97abd9949b230059ec20cf5d93061f9cdb77b1e793e5f69d0b51595c30077c3ddd093348d22b070ce898ccefe28b8062591