Analysis
- max time kernel: 120s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 22-01-2024 07:42
Static task
- static1
Behavioral task
- behavioral1
  Sample: 6f1b274afb60566d225a99686230e5fc.exe
  Resource: win7-20231129-en
Behavioral task
- behavioral2
  Sample: 6f1b274afb60566d225a99686230e5fc.exe
  Resource: win10v2004-20231222-en
General
- Target: 6f1b274afb60566d225a99686230e5fc.exe
- Size: 1.3MB
- MD5: 6f1b274afb60566d225a99686230e5fc
- SHA1: 3822be9e24b9f70ef74f76954bc16f4e94716681
- SHA256: 68e97dd1957f856617147605fed67146f308e66a620bf871a282ee32468954eb
- SHA512: c81b507c483fd09695934431f8e213802de0029e9c1ffc24bd47e1a2c9770082515dcebf61fc8e6374345f72d62a1896669ab7cb8ffaa3c5982cda08f43df058
- SSDEEP: 24576:93LJTrwiuXZgMbTgN0vpOJrZiv2f5Jr+sAaXZCWdYx4uamwqIqkALq2WOLry5:93tTreZJWBM+RjQWmamwtqBLLC
Malware Config
Signatures
- Ardamax main executable (1 IoC)
  Processes:
    resource                   yara_rule
    \Windows\PKSQOU\GQH.exe    family_ardamax
- Executes dropped EXE (1 IoC)
  Processes:
    pid     process
    2564    GQH.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid     process
    2344    6f1b274afb60566d225a99686230e5fc.exe
    2564    GQH.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description        ioc                                                                                                                   process
    Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\GQH Start = "C:\\Windows\\PKSQOU\\GQH.exe"    GQH.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Windows directory (6 IoCs)
  Processes:
    description                   ioc                              process
    File created                  C:\Windows\PKSQOU\AKV.exe        6f1b274afb60566d225a99686230e5fc.exe
    File created                  C:\Windows\PKSQOU\GQH.exe        6f1b274afb60566d225a99686230e5fc.exe
    File opened for modification  C:\Windows\PKSQOU\               GQH.exe
    File created                  C:\Windows\PKSQOU\GQH.004        6f1b274afb60566d225a99686230e5fc.exe
    File created                  C:\Windows\PKSQOU\GQH.001        6f1b274afb60566d225a99686230e5fc.exe
    File created                  C:\Windows\PKSQOU\GQH.002        6f1b274afb60566d225a99686230e5fc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid     process
    2564    GQH.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description                          pid     process
    Token: 33                            2564    GQH.exe
    Token: SeIncBasePriorityPrivilege    2564    GQH.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
    pid     process
    2564    GQH.exe
    2564    GQH.exe
    2564    GQH.exe
    2564    GQH.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                          pid     process                                 target process
    PID 2344 wrote to memory of 2564     2344    6f1b274afb60566d225a99686230e5fc.exe    GQH.exe
    PID 2344 wrote to memory of 2564     2344    6f1b274afb60566d225a99686230e5fc.exe    GQH.exe
    PID 2344 wrote to memory of 2564     2344    6f1b274afb60566d225a99686230e5fc.exe    GQH.exe
    PID 2344 wrote to memory of 2564     2344    6f1b274afb60566d225a99686230e5fc.exe    GQH.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\6f1b274afb60566d225a99686230e5fc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6f1b274afb60566d225a99686230e5fc.exe"
  PID: 2344
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\PKSQOU\GQH.exe (child of PID 2344)
    Command line: "C:\Windows\PKSQOU\GQH.exe"
    PID: 2564
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 489KB
  MD5: 0725c70d7b45945089905464a2710dc8
  SHA1: a47223eb378919afc8c2a6af6b031bca12eacaae
  SHA256: 5340cf0385c1ccf9a5f01e9bbcb68474d5760c1c60bd87772fbd8a498208a3c5
  SHA512: 3b95b3c582c2df9a59c2aaa5e9f04ea093dda8b53a7df4b966d46c6f61643e8beed3e3cca0e784301f5f14ea17e2520ecf10dca0ae805e5b31bd51ac94d10888
- Filesize: 44KB
  MD5: 1db8aa9ffda07a5f5559cbf25087147b
  SHA1: eea77894bff8e24fb0861159927f67decb629184
  SHA256: 8cf369255b48195b8ecec1c7bf2e76924641880aa7311e6cf504ca534bbfcd62
  SHA512: b9f80191dd8975c2e484eeec1bc7c6212d1b614061e69d96eda87b7a061a78a34de220f22607c3eb1c0fa37f152744a5c8f65a896e2884a9daf969db54a11704
- Filesize: 1KB
  MD5: 654b8c8ab1402317ee9ca99b86323e72
  SHA1: 9ed07abda3afc7b6cdf64a13469b0f2715bcc4a9
  SHA256: c1096420bbc655cc5cb2c327c38b3fae704fd1f755f74d1780e6ec673a0c88ce
  SHA512: c08f3b0c00d7e928fd2f10bd2907e101701b72caeb00765b708d1c8adf020afc0366c93aab06e2befbf516a1218c31033cd1cf2eeebf2e9ef85b1817d715217c
- Filesize: 61KB
  MD5: 513c67ebf0379f75a6920540283a4579
  SHA1: 2fe191acb478d62026a8dbf63f65619d168ddee6
  SHA256: 8f636876880c59251548fca626731e648553e0b81b02f4667c22cbfadfbd6e30
  SHA512: 2330f5bbd8d7de91473430bc35a125fe13b261afa5b4ef9533d4d6ebcde6cfe27f705fccbdefa092eb9123eb33dcc1448deab72adab981726517afe458beb01d
- Filesize: 1.7MB
  MD5: 7dc8f94e34ad6f38e94f957043c39617
  SHA1: 081a26dc478bd3de6f2889b9c8da8b2e79723d8b
  SHA256: 618fb51d23c0ca116dbd24dc5e0240ebda862e405283d64871549321fde08202
  SHA512: 539c239670369f34e7907d072bdf6b91becb927454db3212b0c307363289b1900edffa2f9fac22d3d14435fcee28b7bdeee1f039f027d74f84627c85774b9f56