Analysis
-
max time kernel
125s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system -
submitted
19-01-2024 16:58
Static task
static1
Behavioral task
behavioral1
Sample
68288c29d8546aadc301eda4436def32.exe
Resource
win7-20231215-en
General
-
Target
68288c29d8546aadc301eda4436def32.exe
-
Size
2.4MB
-
MD5
68288c29d8546aadc301eda4436def32
-
SHA1
b2f25aa72549ab250213e20850aa3e5beab1928f
-
SHA256
a5c263a5bf6522fcaaab2cf772e5d257644734d78a7149ae511fe338da350325
-
SHA512
d6b17aea77d4df88af97cebc0ecc40ec5bdb4e79f3ed44378c47438216eb03082544375327a93551c92ebe9e8003814781194983d88c12c525c95104bfa0b369
-
SSDEEP
49152:gX5TvrVpRCDhBeEJl+KVR/PKaF42Nt3XET4LTE7j5CS:gXxvrZeeEJRHa24sE71p
Malware Config
Signatures
-
Ardamax main executable 1 IoCs
Processes:
resource | yara_rule
\Windows\SysWOW64\JHPMIJ\FQO.exe | family_ardamax
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
HKCMB.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | HKCMB.exe
-
Drops file in Drivers directory 1 IoCs
Processes:
HKCMB.exe
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | HKCMB.exe
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes:
attrib.exe, attrib.exe
pid | process
2900 | attrib.exe
2856 | attrib.exe
-
Executes dropped EXE 5 IoCs
Processes:
Transaction mangement.exe, HKCMB.exe, INSTALL.EXE, FQO.exe, msdcsc.exe
pid | process
2840 | Transaction mangement.exe
2800 | HKCMB.exe
1304 | INSTALL.EXE
2528 | FQO.exe
2872 | msdcsc.exe
-
Loads dropped DLL 19 IoCs
Processes:
68288c29d8546aadc301eda4436def32.exe, Transaction mangement.exe, HKCMB.exe, INSTALL.EXE, FQO.exe, AcroRd32.exe, msdcsc.exe
pid | process
3044 | 68288c29d8546aadc301eda4436def32.exe
3044 | 68288c29d8546aadc301eda4436def32.exe
2840 | Transaction mangement.exe
2840 | Transaction mangement.exe
2840 | Transaction mangement.exe
2840 | Transaction mangement.exe
2800 | HKCMB.exe
2800 | HKCMB.exe
2800 | HKCMB.exe
1304 | INSTALL.EXE
1304 | INSTALL.EXE
1304 | INSTALL.EXE
2528 | FQO.exe
2528 | FQO.exe
2528 | FQO.exe
2648 | AcroRd32.exe
2800 | HKCMB.exe
2872 | msdcsc.exe
2872 | msdcsc.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
HKCMB.exe, FQO.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | HKCMB.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FQO Start = "C:\\Windows\\SysWOW64\\JHPMIJ\\FQO.exe" | FQO.exe
-
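The Winlogon UserInit write and the two Run-key writes above are the persistence the sample leaves behind. The following script is an added example (not part of the sandbox report) that applies the same two checks a responder would run against an exported or live registry: it splits the comma-separated UserInit value and reports anything other than the stock userinit.exe, and it flags Run entries whose image lives in a sub-folder of System32/SysWOW64 (a heuristic, stated as such in the code; the MSDCSC and JHPMIJ folders are the report's own). The sample writes are constructed from the three IoCs above, keeping the doubled backslashes the report uses when printing string values; the live_writes helper is an assumed convenience that only does anything on Windows.

```python
"""Check Winlogon UserInit and Run-key values for the persistence pattern in this report."""
import re
from typing import Dict, List, Tuple

# Stock value of HKLM\...\Winlogon\UserInit on an unmodified Windows install.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# Heuristic (assumption, not from the report): legitimate Run entries rarely point
# into a sub-folder of the system directory such as ...\system32\MSDCSC\msdcsc.exe.
SYSTEM_SUBDIR_EXE = re.compile(
    r"^[a-z]:\\windows\\(?:system32|syswow64)\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE
)

# Constructed sample: the three registry writes listed in the signatures above,
# with the doubled backslashes kept exactly as the sandbox prints string values.
SAMPLE_WRITES: List[Tuple[str, str]] = [
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
     r"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"),
    (r"\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate",
     r"C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FQO Start",
     r"C:\\Windows\\SysWOW64\\JHPMIJ\\FQO.exe"),
]


def unescape(value: str) -> str:
    """Collapse the doubled backslashes used in the report's 'Set value (str)' lines."""
    return value.replace("\\\\", "\\")


def userinit_extras(value: str) -> List[str]:
    """Every comma-separated UserInit entry that is not the stock userinit.exe."""
    entries = [e.strip().strip('"').lower() for e in unescape(value).split(",")]
    return [e for e in entries if e and e != DEFAULT_USERINIT]


def run_key_suspects(writes: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """(value name, image path) for Run entries whose image sits under a System32 sub-folder."""
    suspects: List[Tuple[str, str]] = []
    for key, value in writes:
        if "\\currentversion\\run\\" not in key.lower():
            continue
        image = unescape(value).strip().strip('"')
        if SYSTEM_SUBDIR_EXE.match(image):
            suspects.append((key.rsplit("\\", 1)[1], image))
    return suspects


def assess(writes: List[Tuple[str, str]]) -> Dict[str, list]:
    """Run both checks over a list of (key path, string value) pairs."""
    findings: Dict[str, list] = {"userinit_extras": [], "run_suspects": []}
    for key, value in writes:
        if key.lower().endswith("\\winlogon\\userinit"):
            findings["userinit_extras"].extend(userinit_extras(value))
    findings["run_suspects"] = run_key_suspects(writes)
    return findings


def live_writes() -> List[Tuple[str, str]]:
    """Read the same locations from the local registry (Windows only; [] elsewhere)."""
    try:
        import winreg  # standard library, but only present on Windows
    except ImportError:
        return []
    targets = [  # (hive, sub-key, value names; None = enumerate every value)
        (winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", ["Userinit"]),
        (winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run", None),
        (winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", None),
    ]
    out: List[Tuple[str, str]] = []
    for hive, sub, names in targets:
        try:
            with winreg.OpenKey(hive, sub) as k:
                if names is None:
                    count = winreg.QueryInfoKey(k)[1]
                    names = [winreg.EnumValue(k, i)[0] for i in range(count)]
                for n in names:
                    data, _ = winreg.QueryValueEx(k, n)
                    out.append((sub + "\\" + n, str(data)))
        except OSError:
            pass  # key missing or access denied: skip it
    return out


if __name__ == "__main__":
    print("report:", assess(SAMPLE_WRITES))
    print("live:  ", assess(live_writes()))
```

On a clean machine the UserInit value is "C:\Windows\system32\userinit.exe," with a trailing comma, which the splitter tolerates; anything appended after that comma is executed at every interactive logon, which is why the MSDCSC entry matters more than the Run keys.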
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 9 IoCs
Processes:
HKCMB.exe, INSTALL.EXE, FQO.exe
description | ioc | process
File created | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | HKCMB.exe
File created | C:\Windows\SysWOW64\JHPMIJ\FQO.004 | INSTALL.EXE
File created | C:\Windows\SysWOW64\JHPMIJ\FQO.001 | INSTALL.EXE
File created | C:\Windows\SysWOW64\JHPMIJ\FQO.exe | INSTALL.EXE
File opened for modification | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | HKCMB.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\ | HKCMB.exe
File created | C:\Windows\SysWOW64\JHPMIJ\FQO.002 | INSTALL.EXE
File created | C:\Windows\SysWOW64\JHPMIJ\AKV.exe | INSTALL.EXE
File opened for modification | C:\Windows\SysWOW64\JHPMIJ\ | FQO.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
Transaction mangement.exe
description | pid | process | target process
PID 2840 set thread context of 2800 | 2840 | Transaction mangement.exe | HKCMB.exe
-
Drops file in Windows directory 4 IoCs
Processes:
Transaction mangement.exe, attrib.exe, attrib.exe
description | ioc | process
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe | Transaction mangement.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe | Transaction mangement.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727 | attrib.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727 | attrib.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
AcroRd32.exe
pid | process
2648 | AcroRd32.exe
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
Processes:
HKCMB.exe, FQO.exe
description | pid | process
Token: SeIncreaseQuotaPrivilege | 2800 | HKCMB.exe
Token: SeSecurityPrivilege | 2800 | HKCMB.exe
Token: SeTakeOwnershipPrivilege | 2800 | HKCMB.exe
Token: SeLoadDriverPrivilege | 2800 | HKCMB.exe
Token: SeSystemProfilePrivilege | 2800 | HKCMB.exe
Token: SeSystemtimePrivilege | 2800 | HKCMB.exe
Token: SeProfSingleProcessPrivilege | 2800 | HKCMB.exe
Token: SeIncBasePriorityPrivilege | 2800 | HKCMB.exe
Token: SeCreatePagefilePrivilege | 2800 | HKCMB.exe
Token: SeBackupPrivilege | 2800 | HKCMB.exe
Token: SeRestorePrivilege | 2800 | HKCMB.exe
Token: SeShutdownPrivilege | 2800 | HKCMB.exe
Token: SeDebugPrivilege | 2800 | HKCMB.exe
Token: SeSystemEnvironmentPrivilege | 2800 | HKCMB.exe
Token: SeChangeNotifyPrivilege | 2800 | HKCMB.exe
Token: SeRemoteShutdownPrivilege | 2800 | HKCMB.exe
Token: SeUndockPrivilege | 2800 | HKCMB.exe
Token: SeManageVolumePrivilege | 2800 | HKCMB.exe
Token: SeImpersonatePrivilege | 2800 | HKCMB.exe
Token: SeCreateGlobalPrivilege | 2800 | HKCMB.exe
Token: 33 | 2800 | HKCMB.exe
Token: 34 | 2800 | HKCMB.exe
Token: 35 | 2800 | HKCMB.exe
Token: 33 | 2528 | FQO.exe
Token: SeIncBasePriorityPrivilege | 2528 | FQO.exe
-
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
AcroRd32.exe, FQO.exe
pid | process
2648 | AcroRd32.exe
2648 | AcroRd32.exe
2648 | AcroRd32.exe
2528 | FQO.exe
2528 | FQO.exe
2528 | FQO.exe
2528 | FQO.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
68288c29d8546aadc301eda4436def32.exe, Transaction mangement.exe, HKCMB.exe, cmd.exe, cmd.exe
description | pid | process | target process | entries
PID 3044 wrote to memory of 2840 | 3044 | 68288c29d8546aadc301eda4436def32.exe | Transaction mangement.exe | 7
PID 3044 wrote to memory of 2648 | 3044 | 68288c29d8546aadc301eda4436def32.exe | AcroRd32.exe | 7
PID 2840 wrote to memory of 2800 | 2840 | Transaction mangement.exe | HKCMB.exe | 16
PID 2800 wrote to memory of 2524 | 2800 | HKCMB.exe | cmd.exe | 7
PID 2800 wrote to memory of 2272 | 2800 | HKCMB.exe | cmd.exe | 7
PID 2800 wrote to memory of 1304 | 2800 | HKCMB.exe | INSTALL.EXE | 7
PID 2272 wrote to memory of 2856 | 2272 | cmd.exe | attrib.exe | 7
PID 2524 wrote to memory of 2900 | 2524 | cmd.exe | attrib.exe | 6
(identical entries collapsed; the counts sum to the 64 IoCs listed)
-
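Raw WriteProcessMemory counts say little on their own: a parent writes into every child it creates, and this report shows the same number of writes for each ordinary spawn. What stands out is the one pair that also appears under "Suspicious use of SetThreadContext" and carries more writes than a plain spawn, a combination commonly associated with process hollowing (the report itself only labels it suspicious). The script below is an added example (not part of the sandbox report) that parses lines in the report's own wording, rebuilds the process tree from the write edges, takes the most common per-edge count as the cost of a normal CreateProcess, and reports SetThreadContext edges with writes above that baseline. The event list is constructed here from the IoCs above with their counts; the repeat counts, PIDs and names are the report's, the baseline heuristic is an assumption.

```python
"""Rebuild the process tree from WriteProcessMemory / SetThreadContext IoC lines."""
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

Edge = Tuple[int, int]

# Both line shapes are "PID <src> <verb> <dst> <src> <src name> <dst name>";
# image names may contain spaces ("Transaction mangement.exe"), so match up to ".exe".
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (.+?\.exe) (.+?\.exe)$", re.I)
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \1 (.+?\.exe) (.+?\.exe)$", re.I)

SAMPLE = "68288c29d8546aadc301eda4436def32.exe"


def _writes(src: int, dst: int, sname: str, dname: str, n: int) -> List[str]:
    """n identical 'wrote to memory of' lines, as the report repeats them."""
    return [f"PID {src} wrote to memory of {dst} {src} {sname} {dname}"] * n


# Constructed sample: the report's IoCs with their repeat counts (7+7+16+7+7+7+7+6 = 64).
EVENTS: List[str] = (
    _writes(3044, 2840, SAMPLE, "Transaction mangement.exe", 7)
    + _writes(3044, 2648, SAMPLE, "AcroRd32.exe", 7)
    + _writes(2840, 2800, "Transaction mangement.exe", "HKCMB.exe", 16)
    + _writes(2800, 2524, "HKCMB.exe", "cmd.exe", 7)
    + _writes(2800, 2272, "HKCMB.exe", "cmd.exe", 7)
    + _writes(2800, 1304, "HKCMB.exe", "INSTALL.EXE", 7)
    + _writes(2272, 2856, "cmd.exe", "attrib.exe", 7)
    + _writes(2524, 2900, "cmd.exe", "attrib.exe", 6)
    + ["PID 2840 set thread context of 2800 2840 Transaction mangement.exe HKCMB.exe"]
)


def parse(lines: List[str]) -> Tuple[Dict[int, str], Counter, Set[Edge]]:
    """Return (pid -> image name, write count per (src, dst), SetThreadContext edges)."""
    names: Dict[int, str] = {}
    writes: Counter = Counter()
    ctx: Set[Edge] = set()
    for line in lines:
        m = WRITE_RE.match(line)
        if m:
            edge = (int(m.group(1)), int(m.group(2)))
            writes[edge] += 1
        else:
            m = CTX_RE.match(line)
            if not m:
                continue  # not one of the two IoC shapes; ignore
            edge = (int(m.group(1)), int(m.group(2)))
            ctx.add(edge)
        names[edge[0]], names[edge[1]] = m.group(3), m.group(4)
    return names, writes, ctx


def baseline_writes(writes: Counter) -> int:
    """Most common per-edge count: what an ordinary child creation costs on this image."""
    return Counter(writes.values()).most_common(1)[0][0]


def hollowing_candidates(names: Dict[int, str], writes: Counter, ctx: Set[Edge]) -> List[Tuple[str, str, int]]:
    """(parent, child, excess writes) for SetThreadContext edges written more than a plain spawn."""
    base = baseline_writes(writes)
    return [
        (names[src], names[dst], writes[(src, dst)] - base)
        for (src, dst) in sorted(ctx)
        if writes.get((src, dst), 0) > base
    ]


def render_tree(names: Dict[int, str], writes: Counter) -> List[str]:
    """Indented 'pid name' lines, parents derived from who wrote into whom."""
    children: Dict[int, List[int]] = {}
    for src, dst in writes:
        children.setdefault(src, []).append(dst)
    targets = {dst for _, dst in writes}
    out: List[str] = []

    def walk(pid: int, depth: int) -> None:
        out.append(f"{'  ' * depth}{pid} {names[pid]}")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    for root in sorted(p for p in names if p not in targets):
        walk(root, 0)
    return out


if __name__ == "__main__":
    names, writes, ctx = parse(EVENTS)
    print("\n".join(render_tree(names, writes)))
    print("baseline writes per spawn:", baseline_writes(writes))
    print("hollowing candidates:", hollowing_candidates(names, writes, ctx))
```

The last edge (2524 to 2900) shows six writes rather than seven because the signature lists 64 entries in total, so using the mode rather than the minimum keeps a truncated tail from lowering the baseline.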
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exe, attrib.exe
pid | process
2900 | attrib.exe
2856 | attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\68288c29d8546aadc301eda4436def32.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\68288c29d8546aadc301eda4436def32.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
  C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe (depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2840 -
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe (depth 3)
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe
    - Modifies WinLogon for persistence
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2800 -
      C:\Windows\SysWOW64\cmd.exe (depth 4)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
      - Suspicious use of WriteProcessMemory
      PID:2524 -
        C:\Windows\SysWOW64\attrib.exe (depth 5)
        Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
        - Sets file to hidden
        - Drops file in Windows directory
        - Views/modifies file attributes
        PID:2900 -
      C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE (depth 4)
      Command line: "C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      PID:1304 -
        C:\Windows\SysWOW64\JHPMIJ\FQO.exe (depth 5)
        Command line: "C:\Windows\system32\JHPMIJ\FQO.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in System32 directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        PID:2528 -
      C:\Windows\SysWOW64\cmd.exe (depth 4)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
      - Suspicious use of WriteProcessMemory
      PID:2272 -
        C:\Windows\SysWOW64\attrib.exe (depth 5)
        Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
        - Sets file to hidden
        - Drops file in Windows directory
        - Views/modifies file attributes
        PID:2856 -
      C:\Windows\SysWOW64\MSDCSC\msdcsc.exe (depth 4)
      Command line: "C:\Windows\system32\MSDCSC\msdcsc.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      PID:2872 -
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (depth 2)
  Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Transaction_mangement.pdf"
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2648
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Downloads
-
Filesize
194KB
MD5
8764991d86c925a5f8bbe847cd0f3cb3
SHA1
19e3f30d0baabc7c457fd61fecee8d1e8ab28d0e
SHA256
5e75cc26bca0932a6685e42e07d32b9e55c3eb3a4b4af5e2b80f0a48a4116f79
SHA512
f3f6f31f21935be78af1a792f45c481563a9653e624194588ff99e378cf7b0633fce7042e0b6dc01f04c14b4fa285964915e1b7ede8f29ae094b97cc15d11bdc
-
Filesize
72B
MD5
fce1348da4bb9cf3e1d986ef6497fe8c
SHA1
7f6b3383bd7e34ab31e82e1423a63a7776f147cf
SHA256
e6ab6964d84756b18c24e05d442ca43805260d167757edd856c3203e735c0733
SHA512
984cca90975f2b29dc2400532006700d765d0216b6e9c515a369548aa8835e476d963f4d95cbb3e04401c9a9ac94657bf1de3cf99dc455f67c0c2c4ec4c659be
-
Filesize
62B
MD5
c6abd7a109bb37ab773b9e79b91b7741
SHA1
7933b8795914b27483d2afed35b3830e8bf5bdb6
SHA256
8bc84b3ddfd9c295f555926bf1c311be423732423c585ca90796cdee7a245629
SHA512
35d14c9b7366a4737e3685223d55d85c583c7fbe73274577424dc8d9960cc78c79a80a8b42a62f6d9d9962ddd60cf2a332411d4ac18196258dc9d5b0b575e3dc
-
Filesize
3KB
MD5
a0963651a0491a4605091d5c8ac1510e
SHA1
aebf0848edfc4e84e5c3e100f01aadd875051a13
SHA256
14b06cbc6623e94da6c2f8a8079b3a0771b8787d8bf527fdf6cc7998e3d245de
SHA512
3d467d25e31eccdfc9760b0b95e99539c39cdb5e32352e1bbe2013ac44178cccbb48131146d1deeb69268f988aeb1eb2ff73c39c59209fc214186c8275ad55bd
-
Filesize
456KB
MD5
51507d91d43683b9c4b8fafeb4d888f8
SHA1
ead2f68338da7af4720378cd46133589fc9405ba
SHA256
71b3aecefd36e4855a369019ac5871c544d39f8889d23cd455466a24cdecce6b
SHA512
a5a7ff3f8ffb72719b7e2c9dc2719c99ea32bd68994918ea027c0d7d54cfe0c80bfd34486dd8d3cdd390376bc4c8d1f7d97de4b98b7d39a3e10c3e2682c07d1c
-
Filesize
61KB
MD5
383d5f5d4240d590e7dec3f7312a4ac7
SHA1
f6bcade8d37afb80cf52a89b3e84683f4643fbce
SHA256
7e87f6817b17a75106d34ce9884c40ddfb381bf8f2013930916498d1df0a6422
SHA512
e652c41ec95d653940b869426bc2cbd8e5b3159110ffaab7d623e23eebe1f34ca65be6a9a9cdcd5f41aec7567469d6b4d6362d24ae92267cddb8940e1265806a
-
Filesize
43KB
MD5
93df156c4bd9d7341f4c4a4847616a69
SHA1
c7663b32c3c8e247bc16b51aff87b45484652dc1
SHA256
e55b6eabf0f99b90bd4cf3777c25813bded7b6fc5c9955188c8aa5224d299c3e
SHA512
ed2e98c5fd1f0d49e5bac8baa515d489c89f8d42772ae05e4b7a32da8f06d511adad27867034ca0865beae9f78223e95c7d0f826154fc663f2fab9bd61e36e35
-
Filesize
1KB
MD5
c419eadafd70c55f88b6235ccf3d14a0
SHA1
e04856391e275bfe54fdc6dfabdfe798f80d2afb
SHA256
76f3de81ac5a57b368786feffd51e82c49527298bd6ed554ae2cdac118043968
SHA512
4b3e1e8d94f7e8bd9a32758fab27b2fed6299882a092fea578e1107655e9d5a7d9480eca2c205b3a85e897a1ae3ffd92587b7c4b9ccd3722bb84bfb45a30f683
-
Filesize
1.1MB
MD5
4766452f3b2d1952a671143d9b813585
SHA1
169ba313c0ccc234e2a227a97c05976f968ad3e6
SHA256
064a538b07c4722cdcec11bc6d04b8fecc44061c8d6472d9bb39d1a1848a0160
SHA512
0a1e5d3841e3cadaefae31653069b8add53d096bb938b83c6a4fc9c50815ac65fcefe5e2218ee6297440ca09f52d72394a2956fe5990387408d39ca3dbfbc2c8
-
Filesize
2.2MB
MD5
9a540f97fb137ff20426f30e8db62dc8
SHA1
1cd77f98dc2797cceb083e6b949261e2ea49fe4e
SHA256
d19447e7601934db1ce2038f15ad1a57835df5330d1f8780941b127fbde7cc59
SHA512
467bdac8408f6e1b66b7075f5b9ff09ba141782209d90ff6570187e41f52e38bfb0c1dfd08b8b5366f9a25257090cd28f187506b6d2e823afcde74539fe6ba0d
-
Filesize
1.1MB
MD5
34aa912defa18c2c129f1e09d75c1d7e
SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470
SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386
SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98
-
Filesize
1.7MB
MD5
3cd29c0df98a7aeb69a9692843ca3edb
SHA1
7c86aea093f1979d18901bd1b89a2b02a60ac3e2
SHA256
5a37cd66508fa3fc85ae547de3498e709bd45167cb57f5e9b271dc3a1cb71a32
SHA512
e78f3206b1878e8db1766d4038a375bbebcbcdb8d1b0a0cb9b0dc72c54881392b9c27e2864ad9118702da58f203f13e0ad5d230980ad1ef2370391a2c4acffc9