Analysis

  • max time kernel
    125s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-01-2024 16:58

General

  • Target

    68288c29d8546aadc301eda4436def32.exe

  • Size

    2.4MB

  • MD5

    68288c29d8546aadc301eda4436def32

  • SHA1

    b2f25aa72549ab250213e20850aa3e5beab1928f

  • SHA256

    a5c263a5bf6522fcaaab2cf772e5d257644734d78a7149ae511fe338da350325

  • SHA512

    d6b17aea77d4df88af97cebc0ecc40ec5bdb4e79f3ed44378c47438216eb03082544375327a93551c92ebe9e8003814781194983d88c12c525c95104bfa0b369

  • SSDEEP

    49152:gX5TvrVpRCDhBeEJl+KVR/PKaF42Nt3XET4LTE7j5CS:gXxvrZeeEJRHa24sE71p

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 1 IoCs
  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes so the file is not shown in Explorer or similar listings.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 19 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 9 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\68288c29d8546aadc301eda4436def32.exe
    "C:\Users\Admin\AppData\Local\Temp\68288c29d8546aadc301eda4436def32.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe
      "C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2840
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe
        3⤵
        • Modifies WinLogon for persistence
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2800
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2524
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
            5⤵
            • Sets file to hidden
            • Drops file in Windows directory
            • Views/modifies file attributes
            PID:2900
        • C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE
          "C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          PID:1304
          • C:\Windows\SysWOW64\JHPMIJ\FQO.exe
            "C:\Windows\system32\JHPMIJ\FQO.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in System32 directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:2528
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2272
          • C:\Windows\SysWOW64\attrib.exe
            attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
            5⤵
            • Sets file to hidden
            • Drops file in Windows directory
            • Views/modifies file attributes
            PID:2856
        • C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
          "C:\Windows\system32\MSDCSC\msdcsc.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:2872
    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Transaction_mangement.pdf"
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:2648

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Transaction_mangement.pdf

    Filesize

    194KB

    MD5

    8764991d86c925a5f8bbe847cd0f3cb3

    SHA1

    19e3f30d0baabc7c457fd61fecee8d1e8ab28d0e

    SHA256

    5e75cc26bca0932a6685e42e07d32b9e55c3eb3a4b4af5e2b80f0a48a4116f79

    SHA512

    f3f6f31f21935be78af1a792f45c481563a9653e624194588ff99e378cf7b0633fce7042e0b6dc01f04c14b4fa285964915e1b7ede8f29ae094b97cc15d11bdc

  • C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat

    Filesize

    72B

    MD5

    fce1348da4bb9cf3e1d986ef6497fe8c

    SHA1

    7f6b3383bd7e34ab31e82e1423a63a7776f147cf

    SHA256

    e6ab6964d84756b18c24e05d442ca43805260d167757edd856c3203e735c0733

    SHA512

    984cca90975f2b29dc2400532006700d765d0216b6e9c515a369548aa8835e476d963f4d95cbb3e04401c9a9ac94657bf1de3cf99dc455f67c0c2c4ec4c659be

  • C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat

    Filesize

    62B

    MD5

    c6abd7a109bb37ab773b9e79b91b7741

    SHA1

    7933b8795914b27483d2afed35b3830e8bf5bdb6

    SHA256

    8bc84b3ddfd9c295f555926bf1c311be423732423c585ca90796cdee7a245629

    SHA512

    35d14c9b7366a4737e3685223d55d85c583c7fbe73274577424dc8d9960cc78c79a80a8b42a62f6d9d9962ddd60cf2a332411d4ac18196258dc9d5b0b575e3dc

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    a0963651a0491a4605091d5c8ac1510e

    SHA1

    aebf0848edfc4e84e5c3e100f01aadd875051a13

    SHA256

    14b06cbc6623e94da6c2f8a8079b3a0771b8787d8bf527fdf6cc7998e3d245de

    SHA512

    3d467d25e31eccdfc9760b0b95e99539c39cdb5e32352e1bbe2013ac44178cccbb48131146d1deeb69268f988aeb1eb2ff73c39c59209fc214186c8275ad55bd

  • C:\Windows\SysWOW64\JHPMIJ\AKV.exe

    Filesize

    456KB

    MD5

    51507d91d43683b9c4b8fafeb4d888f8

    SHA1

    ead2f68338da7af4720378cd46133589fc9405ba

    SHA256

    71b3aecefd36e4855a369019ac5871c544d39f8889d23cd455466a24cdecce6b

    SHA512

    a5a7ff3f8ffb72719b7e2c9dc2719c99ea32bd68994918ea027c0d7d54cfe0c80bfd34486dd8d3cdd390376bc4c8d1f7d97de4b98b7d39a3e10c3e2682c07d1c

  • C:\Windows\SysWOW64\JHPMIJ\FQO.001

    Filesize

    61KB

    MD5

    383d5f5d4240d590e7dec3f7312a4ac7

    SHA1

    f6bcade8d37afb80cf52a89b3e84683f4643fbce

    SHA256

    7e87f6817b17a75106d34ce9884c40ddfb381bf8f2013930916498d1df0a6422

    SHA512

    e652c41ec95d653940b869426bc2cbd8e5b3159110ffaab7d623e23eebe1f34ca65be6a9a9cdcd5f41aec7567469d6b4d6362d24ae92267cddb8940e1265806a

  • C:\Windows\SysWOW64\JHPMIJ\FQO.002

    Filesize

    43KB

    MD5

    93df156c4bd9d7341f4c4a4847616a69

    SHA1

    c7663b32c3c8e247bc16b51aff87b45484652dc1

    SHA256

    e55b6eabf0f99b90bd4cf3777c25813bded7b6fc5c9955188c8aa5224d299c3e

    SHA512

    ed2e98c5fd1f0d49e5bac8baa515d489c89f8d42772ae05e4b7a32da8f06d511adad27867034ca0865beae9f78223e95c7d0f826154fc663f2fab9bd61e36e35

  • C:\Windows\SysWOW64\JHPMIJ\FQO.004

    Filesize

    1KB

    MD5

    c419eadafd70c55f88b6235ccf3d14a0

    SHA1

    e04856391e275bfe54fdc6dfabdfe798f80d2afb

    SHA256

    76f3de81ac5a57b368786feffd51e82c49527298bd6ed554ae2cdac118043968

    SHA512

    4b3e1e8d94f7e8bd9a32758fab27b2fed6299882a092fea578e1107655e9d5a7d9480eca2c205b3a85e897a1ae3ffd92587b7c4b9ccd3722bb84bfb45a30f683

  • \Users\Admin\AppData\Local\Temp\INSTALL.EXE

    Filesize

    1.1MB

    MD5

    4766452f3b2d1952a671143d9b813585

    SHA1

    169ba313c0ccc234e2a227a97c05976f968ad3e6

    SHA256

    064a538b07c4722cdcec11bc6d04b8fecc44061c8d6472d9bb39d1a1848a0160

    SHA512

    0a1e5d3841e3cadaefae31653069b8add53d096bb938b83c6a4fc9c50815ac65fcefe5e2218ee6297440ca09f52d72394a2956fe5990387408d39ca3dbfbc2c8

  • \Users\Admin\AppData\Local\Temp\Transaction mangement.exe

    Filesize

    2.2MB

    MD5

    9a540f97fb137ff20426f30e8db62dc8

    SHA1

    1cd77f98dc2797cceb083e6b949261e2ea49fe4e

    SHA256

    d19447e7601934db1ce2038f15ad1a57835df5330d1f8780941b127fbde7cc59

    SHA512

    467bdac8408f6e1b66b7075f5b9ff09ba141782209d90ff6570187e41f52e38bfb0c1dfd08b8b5366f9a25257090cd28f187506b6d2e823afcde74539fe6ba0d

  • \Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe

    Filesize

    1.1MB

    MD5

    34aa912defa18c2c129f1e09d75c1d7e

    SHA1

    9c3046324657505a30ecd9b1fdb46c05bde7d470

    SHA256

    6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

    SHA512

    d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

  • \Windows\SysWOW64\JHPMIJ\FQO.exe

    Filesize

    1.7MB

    MD5

    3cd29c0df98a7aeb69a9692843ca3edb

    SHA1

    7c86aea093f1979d18901bd1b89a2b02a60ac3e2

    SHA256

    5a37cd66508fa3fc85ae547de3498e709bd45167cb57f5e9b271dc3a1cb71a32

    SHA512

    e78f3206b1878e8db1766d4038a375bbebcbcdb8d1b0a0cb9b0dc72c54881392b9c27e2864ad9118702da58f203f13e0ad5d230980ad1ef2370391a2c4acffc9

  • memory/2800-24-0x0000000000400000-0x000000000062F000-memory.dmp

    Filesize

    2.2MB

  • memory/2800-28-0x0000000000400000-0x000000000062F000-memory.dmp

    Filesize

    2.2MB

  • memory/2800-33-0x0000000000400000-0x000000000062F000-memory.dmp

    Filesize

    2.2MB

  • memory/2800-34-0x0000000000400000-0x000000000062F000-memory.dmp

    Filesize

    2.2MB

  • memory/2800-39-0x0000000000400000-0x000000000062F000-memory.dmp

    Filesize

    2.2MB

  • memory/2800-98-0x0000000000400000-0x000000000062F000-memory.dmp

    Filesize

    2.2MB

  • memory/2800-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2800-31-0x0000000000400000-0x000000000062F000-memory.dmp

    Filesize

    2.2MB

  • memory/2800-27-0x0000000000400000-0x000000000062F000-memory.dmp

    Filesize

    2.2MB

  • memory/2800-26-0x0000000000400000-0x000000000062F000-memory.dmp

    Filesize

    2.2MB

  • memory/2800-25-0x0000000000400000-0x000000000062F000-memory.dmp

    Filesize

    2.2MB

  • memory/2800-22-0x0000000000400000-0x000000000062F000-memory.dmp

    Filesize

    2.2MB

  • memory/2800-23-0x0000000000400000-0x000000000062F000-memory.dmp

    Filesize

    2.2MB

  • memory/2800-20-0x0000000000400000-0x000000000062F000-memory.dmp

    Filesize

    2.2MB

  • memory/2840-40-0x0000000073F30000-0x00000000744DB000-memory.dmp

    Filesize

    5.7MB

  • memory/2840-14-0x0000000073F30000-0x00000000744DB000-memory.dmp

    Filesize

    5.7MB