Analysis
max time kernel: 135s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-01-2024 06:36
Static task: static1
Behavioral task: behavioral1
  Sample: 6ef9b0bb0b132bd677d8cabb3af3c2a1.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2 (the run this report covers: platform windows10-2004_x64)
  Sample: 6ef9b0bb0b132bd677d8cabb3af3c2a1.exe
  Resource: win10v2004-20231215-en
General
Target: 6ef9b0bb0b132bd677d8cabb3af3c2a1.exe
Size: 988KB
MD5: 6ef9b0bb0b132bd677d8cabb3af3c2a1
SHA1: c460d54610c2f00e3971ef7bf34ce17332a9335b
SHA256: 78e726ddb24d16ad305dc68f98acb0e8c126aee5f609e69489e87220d9ba1de2
SHA512: bfad2d1ce1fb4df10e1bc146d795ac0931400a04f4e88c44c9df6010efdf08140544266d8ec13fb9dcc2c2fa7ed271a60aa2bc76851bc2c06989d429525afbc4
SSDEEP: 12288:wHbcZBbTpkZ0IqyORcXd7nH/rMlDpB1B+sez4SXbcgo51huqnLt5w+GnLBwp+0Bu:rZxT/yORedjQlDpTMIXGLup+v0e2Ckk
Malware Config
Signatures
Ardamax main executable (1 IoC)
Ardamax is a commercial keylogger; the yara_rule match below is on the dropped second-stage binary, not on the submitted sample itself.
  yara_rule family_ardamax matched resource: C:\Windows\SysWOW64\RDPNCY\RVG.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation (process: 6ef9b0bb0b132bd677d8cabb3af3c2a1.exe)

Executes dropped EXE (2 IoCs)
  PID 4428: RVG.exe
  PID 3420: creador adarve.exe

Loads dropped DLL (1 IoC)
  PID 4428: RVG.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RVG Start = "C:\\Windows\\SysWOW64\\RDPNCY\\RVG.exe" (process: RVG.exe)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in System32 directory (5 IoCs)
  File created: C:\Windows\SysWOW64\RDPNCY\RVG.004 (process: 6ef9b0bb0b132bd677d8cabb3af3c2a1.exe)
  File created: C:\Windows\SysWOW64\RDPNCY\RVG.001 (process: 6ef9b0bb0b132bd677d8cabb3af3c2a1.exe)
  File created: C:\Windows\SysWOW64\RDPNCY\RVG.002 (process: 6ef9b0bb0b132bd677d8cabb3af3c2a1.exe)
  File created: C:\Windows\SysWOW64\RDPNCY\RVG.exe (process: 6ef9b0bb0b132bd677d8cabb3af3c2a1.exe)
  File opened for modification: C:\Windows\SysWOW64\RDPNCY\ (process: RVG.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: 33 (PID 4428, RVG.exe)
  Token: SeIncBasePriorityPrivilege (PID 4428, RVG.exe)

Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 4428, RVG.exe (4 calls). Window hooks are the usual keystroke-capture primitive for a keylogger; the calls come from the dropped RVG.exe, not the dropper.

Suspicious use of WriteProcessMemory (5 IoCs)
  PID 2296 (6ef9b0bb0b132bd677d8cabb3af3c2a1.exe) wrote to memory of PID 4428 (RVG.exe), 3 times
  PID 2296 (6ef9b0bb0b132bd677d8cabb3af3c2a1.exe) wrote to memory of PID 3420 (creador adarve.exe), 2 times
Processes
C:\Users\Admin\AppData\Local\Temp\6ef9b0bb0b132bd677d8cabb3af3c2a1.exe (PID 2296)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6ef9b0bb0b132bd677d8cabb3af3c2a1.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\RDPNCY\RVG.exe (PID 4428, child of 2296)
      Command line: "C:\Windows\system32\RDPNCY\RVG.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\AppData\Local\Temp\creador adarve.exe (PID 3420, child of 2296)
      Command line: "C:\Users\Admin\AppData\Local\Temp\creador adarve.exe"
      - Executes dropped EXE

Note the mismatch between the command line (system32\RDPNCY\RVG.exe) and the image path the sandbox records (SysWOW64\RDPNCY\RVG.exe). The SysWOW64 path and the Run key under SOFTWARE\WOW6432Node show the sample runs as a 32-bit process under WOW64, so file system redirection maps its %windir%\System32 writes onto %windir%\SysWOW64 and registry redirection places its HKLM\SOFTWARE Run key under WOW6432Node. Host checks and cleanup should use the SysWOW64 path and the WOW6432Node key, not the paths the process itself names.
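The chain above (a dropper in Temp writing RVG.* into SysWOW64\RDPNCY, the dropped RVG.exe persisting through a WOW6432Node Run key and installing window hooks, a second dropped EXE launched from Temp) is what an analyst wants a correlation rule to catch, rather than any one IoC in the Signatures section. The Python below is an added example and is not part of the Triage report or of the sandbox's signature engine. The event records are constructed by hand from this report's IoCs, the event schema (`type`, `pid`, `image`, `path`, `key`, `value`, `api`) is an assumption, and the file write for `creador adarve.exe` is included because "Executes dropped EXE" implies it even though the report's file IoCs do not list it. The ATT&CK IDs are the standard ones for Run-key persistence, keylogging hooks and system location discovery.

```python
"""Correlate process, file, registry and API events into the staged
behaviour this report shows (dropper -> dropped EXE -> Run key -> hooks).
Added example with a constructed event schema; not a real log format."""
from __future__ import annotations

from collections import defaultdict

# Locations a dropper typically starts from, and the system directories
# the report shows the payload being written into (assumed lists).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
RUN_KEY = "\\microsoft\\windows\\currentversion\\run\\"
GEO_KEY = "\\control panel\\international\\geo\\nation"

# ATT&CK Enterprise technique IDs for the labels that map cleanly.
ATTACK = {
    "run_key_to_dropped_exe": "T1547.001",   # Registry Run Keys / Startup Folder
    "hook_from_dropped_exe": "T1056.001",    # Input Capture: Keylogging
    "geo_lookup": "T1614",                   # System Location Discovery
}


def _norm(path: str) -> str:
    """Lower-case, strip quotes and unify separators so paths compare reliably."""
    return path.strip('"').replace("/", "\\").lower()


def correlate(events: list[dict]) -> dict[int, list[str]]:
    """Walk events in order and return {pid: sorted unique behaviour labels}.

    The key correlation is `dropped`: a Run key, a process start or a hook
    only counts as part of the chain when its image is a file that an
    earlier event wrote to disk.
    """
    dropped: set[str] = set()           # paths written by any process so far
    image: dict[int, str] = {}          # pid -> normalised image path
    found: dict[int, set[str]] = defaultdict(set)

    for ev in events:
        pid, kind = ev["pid"], ev["type"]
        if kind == "process_create":
            image[pid] = _norm(ev["image"])
            if image[pid] in dropped:
                found[pid].add("executes_dropped_exe")
        elif kind == "file_create":
            path = _norm(ev["path"])
            dropped.add(path)
            src = image.get(pid, "")
            if any(u in src for u in USER_WRITABLE) and any(s in path for s in SYSTEM_DIRS):
                found[pid].add("drops_file_in_system32")
        elif kind == "reg_set":
            if RUN_KEY in _norm(ev["key"]):
                target = _norm(ev["value"])
                found[pid].add("run_key_to_dropped_exe" if target in dropped else "run_key")
        elif kind == "reg_query":
            if _norm(ev["key"]).endswith(GEO_KEY):
                found[pid].add("geo_lookup")
        elif kind == "api":
            if ev["api"] == "SetWindowsHookEx" and image.get(pid) in dropped:
                found[pid].add("hook_from_dropped_exe")

    return {pid: sorted(labels) for pid, labels in found.items()}


def attack_ids(labels: list[str]) -> list[str]:
    """Map behaviour labels onto ATT&CK technique IDs (unmapped labels dropped)."""
    return sorted({ATTACK[label] for label in labels if label in ATTACK})


# Constructed events mirroring the report's process tree and IoCs.
DROPPER = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6ef9b0bb0b132bd677d8cabb3af3c2a1.exe"
PAYLOAD = "C:\\Windows\\SysWOW64\\RDPNCY\\RVG.exe"
SECOND = "C:\\Users\\Admin\\AppData\\Local\\Temp\\creador adarve.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 2296, "image": DROPPER},
    {"type": "reg_query", "pid": 2296,
     "key": "\\REGISTRY\\USER\\S-1-5-21-3073191680-435865314-2862784915-1000"
            "\\Control Panel\\International\\Geo\\Nation"},
    *[{"type": "file_create", "pid": 2296, "path": f"C:\\Windows\\SysWOW64\\RDPNCY\\RVG.{ext}"}
      for ext in ("004", "001", "002", "exe")],
    # Write of the second EXE is implied by "Executes dropped EXE", not listed in the report.
    {"type": "file_create", "pid": 2296, "path": SECOND},
    {"type": "process_create", "pid": 4428, "image": PAYLOAD},
    {"type": "reg_set", "pid": 4428,
     "key": "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\RVG Start",
     "value": f'"{PAYLOAD}"'},
    *[{"type": "api", "pid": 4428, "api": "SetWindowsHookEx"} for _ in range(4)],
    {"type": "process_create", "pid": 3420, "image": SECOND},
]

if __name__ == "__main__":
    for pid, labels in correlate(SAMPLE_EVENTS).items():
        print(pid, labels, attack_ids(labels))
```

Run as a script it prints one line per PID; PID 4428 comes out with the three-label chain (executes a dropped EXE, Run key pointing at a dropped EXE, hooks from a dropped EXE), which is a far stronger signal than any of the report's individual "Suspicious use of ..." entries. A Run key whose target was never seen being written is reported only as `run_key`, so legitimate installers do not trip the strong label.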
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 151KB
  MD5: e913ba237c90f9d0b378e826fe93807b
  SHA1: 87094ae3fb5341ea3f0e900115f55958664227ab
  SHA256: 8d79af37763ff0f6a8f46dbcd5ce2666246c5d02a819d7b6366ea23d03960238
  SHA512: d5a9a49e302f5332238ef039c846d1b46baa551400dd88188294dca61ffb16624cc69cfba97b25e1b3a41b9bd9dc97c1564c81aff90bf4ba218b6300f916cc4d
Filesize: 61KB
  MD5: 31c866d8e4448c28ae63660a0521cd92
  SHA1: 0e4dcb44e3c8589688b8eacdd8cc463a920baab9
  SHA256: dc0eaf9d62f0e40b6522d28b2e06b39ff619f9086ea7aa45fd40396a8eb61aa1
  SHA512: 1076da7f8137a90b5d3bbbbe2b24fd9774de6adbcdfd41fd55ae90c70b9eb4bbf441732689ad25e5b3048987bfb1d63ba59d5831a04c6d84cb05bbfd2d32f839
Filesize: 43KB
  MD5: 093e599a1281e943ce1592f61d9591af
  SHA1: 6896810fe9b7efe4f5ae68bf280fec637e97adf5
  SHA256: 1ac0964d97b02204f4d4ae79cd5244342f1a1798f5846e9dd7f3448d4177a009
  SHA512: 64cb58fbf6295d15d9ee6a8a7a325e7673af7ee02e4ece8da5a95257f666566a425b348b802b78ac82e7868ba7923f85255c2c31e548618afa9706c1f88d34dc
Filesize: 1KB
  MD5: 5235b2a320917546d361fec9f4d00de4
  SHA1: 3e1ec15b81dd2baba12bc19e7eac8319bfa5370d
  SHA256: 74c4591134f4bd771e2bbde7e31c48f780909fd7e76389949b4388127bd79535
  SHA512: bfc91323bc9015121f9a5c73647288e84e68d0e97bd3f2ebf87a412ca277e3e7ff48f9602673db1ccd5481a7448f999c9b8c52a6a833a5f604a52e0f2304001d
Filesize: 1.5MB
  MD5: 0aaffc12ef1b416b9276bdc3fdec9dff
  SHA1: 9f38d7cf6241d867da58f89db9ff26544314b938
  SHA256: 42b33dd905c5668c2518a6a7d407fb10c303cfedeaefcd7b6e4c7cc1b891c73b
  SHA512: bbde0986b298c6172e7c8e3f938db9425f54cca097e280736e1ba289afd06a0b86f7cbc91f6d46458bc8e75069c12cda1cf808acf3b6c773b0661d081136ee7c