Analysis
max time kernel: 120s
max time network: 117s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 22-01-2024 06:36

Static task: static1
Behavioral task: behavioral1
  Sample: 6ef9b0bb0b132bd677d8cabb3af3c2a1.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 6ef9b0bb0b132bd677d8cabb3af3c2a1.exe
  Resource: win10v2004-20231215-en
General
Target: 6ef9b0bb0b132bd677d8cabb3af3c2a1.exe
Size: 988KB
MD5: 6ef9b0bb0b132bd677d8cabb3af3c2a1
SHA1: c460d54610c2f00e3971ef7bf34ce17332a9335b
SHA256: 78e726ddb24d16ad305dc68f98acb0e8c126aee5f609e69489e87220d9ba1de2
SHA512: bfad2d1ce1fb4df10e1bc146d795ac0931400a04f4e88c44c9df6010efdf08140544266d8ec13fb9dcc2c2fa7ed271a60aa2bc76851bc2c06989d429525afbc4
SSDEEP: 12288:wHbcZBbTpkZ0IqyORcXd7nH/rMlDpB1B+sez4SXbcgo51huqnLt5w+GnLBwp+0Bu:rZxT/yORedjQlDpTMIXGLup+v0e2Ckk
Malware Config
Signatures
Ardamax main executable (2 IoCs)
  resource                              yara_rule
  \Windows\SysWOW64\RDPNCY\RVG.exe      family_ardamax
  C:\Windows\SysWOW64\RDPNCY\RVG.exe    family_ardamax

Executes dropped EXE (2 IoCs)
  pid     process
  2520    RVG.exe
  2708    creador adarve.exe

Loads dropped DLL (4 IoCs)
  pid     process
  2896    6ef9b0bb0b132bd677d8cabb3af3c2a1.exe
  2520    RVG.exe
  2896    6ef9b0bb0b132bd677d8cabb3af3c2a1.exe
  2896    6ef9b0bb0b132bd677d8cabb3af3c2a1.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description       ioc                                                                                                                                   process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RVG Start = "C:\\Windows\\SysWOW64\\RDPNCY\\RVG.exe"   RVG.exe
  Note: RVG.exe is 32-bit, so the HKLM\...\CurrentVersion\Run value it writes is redirected into Wow6432Node. Entries there are still processed at logon for every user, so this is machine-wide persistence; a hunt that only reads the native 64-bit Run key will miss it.

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in System32 directory (5 IoCs)
  description                    ioc                                    process
  File created                   C:\Windows\SysWOW64\RDPNCY\RVG.001     6ef9b0bb0b132bd677d8cabb3af3c2a1.exe
  File created                   C:\Windows\SysWOW64\RDPNCY\RVG.002     6ef9b0bb0b132bd677d8cabb3af3c2a1.exe
  File created                   C:\Windows\SysWOW64\RDPNCY\RVG.exe     6ef9b0bb0b132bd677d8cabb3af3c2a1.exe
  File opened for modification   C:\Windows\SysWOW64\RDPNCY\            RVG.exe
  File created                   C:\Windows\SysWOW64\RDPNCY\RVG.004     6ef9b0bb0b132bd677d8cabb3af3c2a1.exe
  Note: the dropper writes to what it sees as System32; WOW64 file-system redirection places the files in SysWOW64, which is why the command line in the process tree says system32 while the image path says SysWOW64. The RVG.001/.002/.004 companion files sit next to RVG.exe and are worth hunting for as a directory pattern, not only by the hash of RVG.exe.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid     process
  2988    dw20.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                          pid     process
  Token: 33                            2520    RVG.exe
  Token: SeIncBasePriorityPrivilege    2520    RVG.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid     process
  2520    RVG.exe
  2520    RVG.exe
  2520    RVG.exe
  2520    RVG.exe
  Note: SetWindowsHookEx is the Win32 API for installing window hooks, including keyboard hooks (WH_KEYBOARD / WH_KEYBOARD_LL); four hook installations by the binary the YARA rule tags as Ardamax are consistent with keystroke capture.

Suspicious use of WriteProcessMemory (11 IoCs)
  description        pid     process                                  target process
  wrote to memory    2896    6ef9b0bb0b132bd677d8cabb3af3c2a1.exe     RVG.exe (2520)
  wrote to memory    2896    6ef9b0bb0b132bd677d8cabb3af3c2a1.exe     RVG.exe (2520)
  wrote to memory    2896    6ef9b0bb0b132bd677d8cabb3af3c2a1.exe     RVG.exe (2520)
  wrote to memory    2896    6ef9b0bb0b132bd677d8cabb3af3c2a1.exe     RVG.exe (2520)
  wrote to memory    2896    6ef9b0bb0b132bd677d8cabb3af3c2a1.exe     creador adarve.exe (2708)
  wrote to memory    2896    6ef9b0bb0b132bd677d8cabb3af3c2a1.exe     creador adarve.exe (2708)
  wrote to memory    2896    6ef9b0bb0b132bd677d8cabb3af3c2a1.exe     creador adarve.exe (2708)
  wrote to memory    2896    6ef9b0bb0b132bd677d8cabb3af3c2a1.exe     creador adarve.exe (2708)
  wrote to memory    2708    creador adarve.exe                       dw20.exe (2988)
  wrote to memory    2708    creador adarve.exe                       dw20.exe (2988)
  wrote to memory    2708    creador adarve.exe                       dw20.exe (2988)
  Note: every source/target pair here is a parent/child edge of the process tree (2896 -> 2520, 2896 -> 2708, 2708 -> 2988), so these writes accompany process creation; no write into an unrelated, already-running process is recorded.
Processes
C:\Users\Admin\AppData\Local\Temp\6ef9b0bb0b132bd677d8cabb3af3c2a1.exe  (level 1, PID 2896)
  command line: "C:\Users\Admin\AppData\Local\Temp\6ef9b0bb0b132bd677d8cabb3af3c2a1.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\RDPNCY\RVG.exe  (level 2, PID 2520)
    command line: "C:\Windows\system32\RDPNCY\RVG.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Local\Temp\creador adarve.exe  (level 2, PID 2708)
    command line: "C:\Users\Admin\AppData\Local\Temp\creador adarve.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe  (level 3, PID 2988)
      command line: dw20.exe -x -s 496
      - Suspicious behavior: GetForegroundWindowSpam

Reading the tree: the submitted sample is a dropper that starts two children. RVG.exe (the Ardamax component, run from the directory the dropper created under SysWOW64) installs the Run key and the window hooks. dw20.exe is the .NET Framework error-reporting shim, which a managed process launches on an unhandled exception; its presence as a child of creador adarve.exe means that second payload crashed in this environment rather than running to completion, so the report records little of what it would do on a host where it survives.
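The chain the signatures describe (files created in a SysWOW64 subdirectory, then a Run value pointing at one of them, then that file executing) is the pattern to alert on, independent of this sample's hashes. The following is an added example, not code from the sandbox or from the report: it correlates Sysmon-style process-create, file-create and registry-set events and reports a Run value whose target was dropped earlier in the same telemetry. The event records, field names and the use of Sysmon event IDs 1, 11 and 13 are constructed assumptions modelled on the signatures above; PIDs and paths follow the report, and a benign OneDrive Run entry is included to show what should not fire.

```python
"""Correlate file drop -> Run-key persistence -> execution in Sysmon-style events.

Added example, not the sandbox's own code. The event records below are
constructed to mirror the report's signatures; the field names and the use of
Sysmon event IDs 1 (process create), 11 (file create) and 13 (registry value
set) are assumptions, not anything the report exports.
"""
import re
from collections import defaultdict

# Run/RunOnce under any hive, including the Wow6432Node view a 32-bit process sees.
RUN_KEY_RE = re.compile(r"\\currentversion\\run(?:once)?\\", re.IGNORECASE)
# An .exe created in a *subdirectory* of System32 or SysWOW64 (RDPNCY in the
# report); executables directly in those directories are left to hash checks.
SYSTEM_SUBDIR_EXE_RE = re.compile(
    r"^[a-z]:\\windows\\(?:system32|syswow64)\\[^\\]+\\.+\.exe$", re.IGNORECASE)

# Constructed events (not real telemetry). PIDs and paths follow the report.
EVENTS = [
    {"id": 1, "pid": 2896, "ppid": 1400,
     "image": r"C:\Users\Admin\AppData\Local\Temp\6ef9b0bb0b132bd677d8cabb3af3c2a1.exe"},
    {"id": 11, "pid": 2896, "target": r"C:\Windows\SysWOW64\RDPNCY\RVG.001"},
    {"id": 11, "pid": 2896, "target": r"C:\Windows\SysWOW64\RDPNCY\RVG.002"},
    {"id": 11, "pid": 2896, "target": r"C:\Windows\SysWOW64\RDPNCY\RVG.exe"},
    {"id": 11, "pid": 2896, "target": r"C:\Windows\SysWOW64\RDPNCY\RVG.004"},
    # "image" is the real path; the command line says system32 because the 32-bit
    # process sees that path before WOW64 redirection. Matching uses "image".
    {"id": 1, "pid": 2520, "ppid": 2896,
     "image": r"C:\Windows\SysWOW64\RDPNCY\RVG.exe",
     "cmdline": r'"C:\Windows\system32\RDPNCY\RVG.exe"'},
    {"id": 13, "pid": 2520,
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RVG Start",
     "data": r"C:\Windows\SysWOW64\RDPNCY\RVG.exe"},
    {"id": 1, "pid": 2708, "ppid": 2896,
     "image": r"C:\Users\Admin\AppData\Local\Temp\creador adarve.exe"},
    # Benign noise: a Run value for a binary nothing in this telemetry created.
    {"id": 13, "pid": 4100,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]


def extract_exe(value):
    """Pull the executable path out of a command line or Run value, lowercased."""
    s = value.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        s = s[1:end] if end > 0 else s[1:]
    else:
        m = re.match(r"(.*?\.exe)(?:\s|$)", s, re.IGNORECASE)
        if m:
            s = m.group(1)
    return s.lower()


def is_system_subdir_exe(path):
    """True for an .exe inside a subdirectory of System32 or SysWOW64."""
    return SYSTEM_SUBDIR_EXE_RE.match(path) is not None


def find_dropped_persistence(events):
    """Report Run-key values that point at a file created earlier in the same telemetry."""
    created = {}                  # lowercased path -> pid that first created it
    executed = defaultdict(list)  # lowercased image -> [(pid, ppid), ...]
    for e in events:
        if e["id"] == 11:
            created.setdefault(e["target"].lower(), e["pid"])
        elif e["id"] == 1:
            executed[e["image"].lower()].append((e["pid"], e["ppid"]))

    findings = []
    for e in events:
        if e["id"] != 13 or not RUN_KEY_RE.search(e["key"]):
            continue
        exe = extract_exe(e["data"])
        if exe not in created:
            continue  # Run value for something this telemetry did not drop
        runs = executed.get(exe, [])
        findings.append({
            "key": e["key"],
            "target": exe,
            "dropper_pid": created[exe],
            "persist_pid": e["pid"],
            # The dropped binary registered itself, as RVG.exe does in the report.
            "self_persisting": any(pid == e["pid"] for pid, _ in runs),
            "launched_by": sorted({ppid for _, ppid in runs}),
            "system_subdir": is_system_subdir_exe(exe),
        })
    return findings


if __name__ == "__main__":
    for f in find_dropped_persistence(EVENTS):
        print(f"{f['key']}\n  -> {f['target']} dropped by PID {f['dropper_pid']}, "
              f"persisted by PID {f['persist_pid']}, launched by {f['launched_by']}, "
              f"self-persisting={f['self_persisting']}, system-subdir={f['system_subdir']}")
```

Run against the constructed events it reports exactly one finding, the RVG Start value, attributing the drop to PID 2896 and the persistence to PID 2520, and flags the SysWOW64 subdirectory; the OneDrive entry is ignored because nothing in the telemetry created its target. Keying the correlation on the file-create event rather than on this sample's hashes is what makes the rule survive a repack.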
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 151KB
  MD5: e913ba237c90f9d0b378e826fe93807b
  SHA1: 87094ae3fb5341ea3f0e900115f55958664227ab
  SHA256: 8d79af37763ff0f6a8f46dbcd5ce2666246c5d02a819d7b6366ea23d03960238
  SHA512: d5a9a49e302f5332238ef039c846d1b46baa551400dd88188294dca61ffb16624cc69cfba97b25e1b3a41b9bd9dc97c1564c81aff90bf4ba218b6300f916cc4d
- Filesize: 2KB
  MD5: 3b0fa287b532c380c12a2292af7d08fc
  SHA1: 38e76805d9fc3beee43cbbac55c1b88043d9b505
  SHA256: 46d5fe242d84aaf09222c3a2b1896cacbea538312fa0b5de3ab1860ba3d7155a
  SHA512: 880d14c510ba9d8adc2f1bd96aa471f4b0c89fd4ce621152b50a0d0cfad111059bd2a4c9f1c4769cf96b599e8d2d4c79998685a7b7b165c8901d93237e55a1d7
- Filesize: 43KB
  MD5: 093e599a1281e943ce1592f61d9591af
  SHA1: 6896810fe9b7efe4f5ae68bf280fec637e97adf5
  SHA256: 1ac0964d97b02204f4d4ae79cd5244342f1a1798f5846e9dd7f3448d4177a009
  SHA512: 64cb58fbf6295d15d9ee6a8a7a325e7673af7ee02e4ece8da5a95257f666566a425b348b802b78ac82e7868ba7923f85255c2c31e548618afa9706c1f88d34dc
- Filesize: 1KB
  MD5: 5235b2a320917546d361fec9f4d00de4
  SHA1: 3e1ec15b81dd2baba12bc19e7eac8319bfa5370d
  SHA256: 74c4591134f4bd771e2bbde7e31c48f780909fd7e76389949b4388127bd79535
  SHA512: bfc91323bc9015121f9a5c73647288e84e68d0e97bd3f2ebf87a412ca277e3e7ff48f9602673db1ccd5481a7448f999c9b8c52a6a833a5f604a52e0f2304001d
- Filesize: 1.5MB
  MD5: 0aaffc12ef1b416b9276bdc3fdec9dff
  SHA1: 9f38d7cf6241d867da58f89db9ff26544314b938
  SHA256: 42b33dd905c5668c2518a6a7d407fb10c303cfedeaefcd7b6e4c7cc1b891c73b
  SHA512: bbde0986b298c6172e7c8e3f938db9425f54cca097e280736e1ba289afd06a0b86f7cbc91f6d46458bc8e75069c12cda1cf808acf3b6c773b0661d081136ee7c
- Filesize: 61KB
  MD5: 31c866d8e4448c28ae63660a0521cd92
  SHA1: 0e4dcb44e3c8589688b8eacdd8cc463a920baab9
  SHA256: dc0eaf9d62f0e40b6522d28b2e06b39ff619f9086ea7aa45fd40396a8eb61aa1
  SHA512: 1076da7f8137a90b5d3bbbbe2b24fd9774de6adbcdfd41fd55ae90c70b9eb4bbf441732689ad25e5b3048987bfb1d63ba59d5831a04c6d84cb05bbfd2d32f839
- Filesize: 1.1MB
  MD5: 51d04d2fd0eb43ae1776d566bd6c5fff
  SHA1: 52d98a6c77a4d521f48bf0d874deb6cb0c647447
  SHA256: 6b6e193d419a02a8482c49f2a6fb5520e1a1e10c17a259b45069a02eb0e1fb47
  SHA512: c26d5116274e7b0094586123816b5c3c75e583e424e7cba8aabd4867d7947073f0608948cf83cb44f3994d6eb3b2c21954a9a20e85d60f6787b41b8d3a8e870c