Analysis
- max time kernel: 149s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25-01-2024 12:41
Static task
static1
Behavioral task
behavioral1
Sample
74b80a2d154807e988ef4d9923c7641c.exe
Resource
win7-20231215-en
General
- Target: 74b80a2d154807e988ef4d9923c7641c.exe
- Size: 662KB
- MD5: 74b80a2d154807e988ef4d9923c7641c
- SHA1: 36778048ea00af2ddabaa873428ba1083596f6b1
- SHA256: 5f5969a2c2893e169939e6a413c2888303d67c9071d3d8cc6ed7857ff0cfb95e
- SHA512: 9e7676778b0967b6329065218237f314a1b1143e4b789b460f7d22d0fc174000809aa08a3b98f0d87d043251bf2878d0a29c36fa9f935c085c98408bcca1891d
- SSDEEP: 12288:Unr4sb7oaU4cSVYxk+++Cvi44aJyoUlDafJ2nRvvI/mgDRgLdMZtpj:UrjbkJ9xk++fiocoUlDnnRvOmg9g5ML5
Malware Config
Signatures
Ardamax main executable 4 IoCs
Processes:
resource | yara_rule
- \Windows\SysWOW64\28463\FAHD.exe | family_ardamax
- \Windows\SysWOW64\28463\FAHD.exe | family_ardamax
- C:\Windows\SysWOW64\28463\FAHD.exe | family_ardamax
- C:\Windows\SysWOW64\28463\FAHD.exe | family_ardamax
Executes dropped EXE 3 IoCs
Processes:
pid | process
- 1072 | Install.exe
- 2776 | ten.exe
- 2828 | FAHD.exe
Loads dropped DLL 11 IoCs
Processes:
pid | process
- 3068 | 74b80a2d154807e988ef4d9923c7641c.exe (2 entries)
- 1072 | Install.exe (5 entries)
- 2828 | FAHD.exe (4 entries)
Processes:
resource | yara_rule
- behavioral1/memory/2776-23-0x0000000000400000-0x0000000000433000-memory.dmp | upx
- C:\Windows\SysWOW64\ten.exe | upx
- behavioral1/memory/2776-27-0x0000000000400000-0x0000000000433000-memory.dmp | upx
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FAHD Agent = "C:\\Windows\\SysWOW64\\28463\\FAHD.exe" | FAHD.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory 8 IoCs
Processes:
description | ioc | process
- File opened for modification | C:\Windows\SysWOW64\28463 | FAHD.exe
- File created | C:\Windows\SysWOW64\Install.exe | 74b80a2d154807e988ef4d9923c7641c.exe
- File created | C:\Windows\SysWOW64\ten.exe | 74b80a2d154807e988ef4d9923c7641c.exe
- File created | C:\Windows\SysWOW64\28463\FAHD.001 | Install.exe
- File created | C:\Windows\SysWOW64\28463\FAHD.006 | Install.exe
- File created | C:\Windows\SysWOW64\28463\FAHD.007 | Install.exe
- File created | C:\Windows\SysWOW64\28463\FAHD.exe | Install.exe
- File created | C:\Windows\SysWOW64\28463\key.bin | Install.exe
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
- File created | C:\Windows\ARFXZ.$$A | ten.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 35 IoCs
Processes:
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{510CAD12-928F-4927-5C94-797C1DDFFDF1}\Programmable\ | FAHD.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12177A99-131B-4570-0A64-8D9CC8CEE007}\1.0\0\win32\ | FAHD.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12177A99-131B-4570-0A64-8D9CC8CEE007}\1.0\HELPDIR\ | FAHD.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{510CAD12-928F-4927-5C94-797C1DDFFDF1}\InprocServer32 | FAHD.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{510CAD12-928F-4927-5C94-797C1DDFFDF1}\ProgID\ = "msinkaut.InkCollector.1" | FAHD.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{510CAD12-928F-4927-5C94-797C1DDFFDF1}\Programmable | FAHD.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12177A99-131B-4570-0A64-8D9CC8CEE007}\1.0\0 | FAHD.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12177A99-131B-4570-0A64-8D9CC8CEE007}\1.0\FLAGS | FAHD.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12177A99-131B-4570-0A64-8D9CC8CEE007}\1.0\HELPDIR | FAHD.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{510CAD12-928F-4927-5C94-797C1DDFFDF1}\TypeLib\ = "{12177A99-131B-4570-0A64-8D9CC8CEE007}" | FAHD.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{510CAD12-928F-4927-5C94-797C1DDFFDF1}\Version\ | FAHD.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12177A99-131B-4570-0A64-8D9CC8CEE007}\1.0\0\ | FAHD.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12177A99-131B-4570-0A64-8D9CC8CEE007}\1.0\FLAGS\ = "0" | FAHD.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{510CAD12-928F-4927-5C94-797C1DDFFDF1}\InprocServer32\ | FAHD.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12177A99-131B-4570-0A64-8D9CC8CEE007}\1.0 | FAHD.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12177A99-131B-4570-0A64-8D9CC8CEE007}\1.0\ | FAHD.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12177A99-131B-4570-0A64-8D9CC8CEE007}\1.0\FLAGS\ | FAHD.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{510CAD12-928F-4927-5C94-797C1DDFFDF1}\Version\ = "1.5" | FAHD.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{510CAD12-928F-4927-5C94-797C1DDFFDF1}\VersionIndependentProgID | FAHD.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{510CAD12-928F-4927-5C94-797C1DDFFDF1}\VersionIndependentProgID\ | FAHD.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{510CAD12-928F-4927-5C94-797C1DDFFDF1}\VersionIndependentProgID\ = "msinkaut.InkCollector" | FAHD.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12177A99-131B-4570-0A64-8D9CC8CEE007} | FAHD.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12177A99-131B-4570-0A64-8D9CC8CEE007}\1.0\0\win32 | FAHD.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12177A99-131B-4570-0A64-8D9CC8CEE007}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\" | FAHD.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{510CAD12-928F-4927-5C94-797C1DDFFDF1}\ProgID | FAHD.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12177A99-131B-4570-0A64-8D9CC8CEE007}\1.0\0\win32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\GROOVE.EXE\\49" | FAHD.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{510CAD12-928F-4927-5C94-797C1DDFFDF1}\ProgID\ | FAHD.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12177A99-131B-4570-0A64-8D9CC8CEE007}\ | FAHD.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12177A99-131B-4570-0A64-8D9CC8CEE007}\1.0\ = "Groove tool template services 1.0 Type Library" | FAHD.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{510CAD12-928F-4927-5C94-797C1DDFFDF1}\TypeLib | FAHD.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{510CAD12-928F-4927-5C94-797C1DDFFDF1}\TypeLib\ | FAHD.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{510CAD12-928F-4927-5C94-797C1DDFFDF1} | FAHD.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{510CAD12-928F-4927-5C94-797C1DDFFDF1}\ = "Sicapzope Livasi Acazi Object" | FAHD.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{510CAD12-928F-4927-5C94-797C1DDFFDF1}\InprocServer32\ = "%CommonProgramFiles%\\Microsoft Shared\\Ink\\InkObj.dll" | FAHD.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{510CAD12-928F-4927-5C94-797C1DDFFDF1}\Version | FAHD.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
- Token: 33 | 2828 | FAHD.exe
- Token: SeIncBasePriorityPrivilege | 2828 | FAHD.exe
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
pid | process
- 2828 | FAHD.exe (5 entries)
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
description | pid | process | target process
- PID 3068 wrote to memory of 1072 | 3068 | 74b80a2d154807e988ef4d9923c7641c.exe | Install.exe (7 entries)
- PID 3068 wrote to memory of 2776 | 3068 | 74b80a2d154807e988ef4d9923c7641c.exe | ten.exe (7 entries)
- PID 1072 wrote to memory of 2828 | 1072 | Install.exe | FAHD.exe (7 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\74b80a2d154807e988ef4d9923c7641c.exe (PID 3068), command line: "C:\Users\Admin\AppData\Local\Temp\74b80a2d154807e988ef4d9923c7641c.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Install.exe (PID 1072), command line: "C:\Windows\system32\Install.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\28463\FAHD.exe (PID 2828), command line: "C:\Windows\system32\28463\FAHD.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\ten.exe (PID 2776), command line: "C:\Windows\system32\ten.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Downloads