Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-01-2024 12:41

General

  • Target

    74b80a2d154807e988ef4d9923c7641c.exe

  • Size

    662KB

  • MD5

    74b80a2d154807e988ef4d9923c7641c

  • SHA1

    36778048ea00af2ddabaa873428ba1083596f6b1

  • SHA256

    5f5969a2c2893e169939e6a413c2888303d67c9071d3d8cc6ed7857ff0cfb95e

  • SHA512

    9e7676778b0967b6329065218237f314a1b1143e4b789b460f7d22d0fc174000809aa08a3b98f0d87d043251bf2878d0a29c36fa9f935c085c98408bcca1891d

  • SSDEEP

    12288:Unr4sb7oaU4cSVYxk+++Cvi44aJyoUlDafJ2nRvvI/mgDRgLdMZtpj:UrjbkJ9xk++fiocoUlDnnRvOmg9g5ML5

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 4 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 11 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 35 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\74b80a2d154807e988ef4d9923c7641c.exe
    "C:\Users\Admin\AppData\Local\Temp\74b80a2d154807e988ef4d9923c7641c.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Windows\SysWOW64\Install.exe
      "C:\Windows\system32\Install.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1072
      • C:\Windows\SysWOW64\28463\FAHD.exe
        "C:\Windows\system32\28463\FAHD.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2828
    • C:\Windows\SysWOW64\ten.exe
      "C:\Windows\system32\ten.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      PID:2776
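The tree above is the dropper pattern the signatures describe: the sample run from the user's Temp folder writes Install.exe into the system directory and launches it, and Install.exe in turn drops and runs 28463\FAHD.exe, the process that installs the keyboard hook and the Run key. Note that the command lines read `C:\Windows\system32\...` while the image paths read `SysWOW64`: on 64-bit Windows a 32-bit process has its System32 accesses redirected to SysWOW64, so a hunt must accept both spellings. The Python below is an added example, not part of the sandbox report or of the sample. It walks constructed process-creation events (PIDs and image paths taken from the tree above; the explorer.exe root with PID 1000 and the notepad.exe control with PID 1500 are assumptions) and flags every process running out of the system directory that has a Temp-launched ancestor.

```python
"""Flag system-directory processes whose ancestry leads back to a user Temp
folder, the dropper chain visible in this report's process tree.

Added example, not code from the sandbox or the sample. The event records
are constructed from the PIDs and image paths listed under Processes; the
explorer.exe root (PID 1000) and notepad.exe control (PID 1500) are assumed.
"""
import re

# Constructed process-creation events (Sysmon Event ID 1 shape, trimmed to
# the fields the check needs). PIDs 3068/1072/2828/2776 are from the report.
EVENTS = [
    {"pid": 1000, "ppid": 4,    "image": r"C:\Windows\explorer.exe"},   # assumed root
    {"pid": 3068, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\74b80a2d154807e988ef4d9923c7641c.exe"},
    {"pid": 1072, "ppid": 3068, "image": r"C:\Windows\SysWOW64\Install.exe"},
    {"pid": 2828, "ppid": 1072, "image": r"C:\Windows\SysWOW64\28463\FAHD.exe"},
    {"pid": 2776, "ppid": 3068, "image": r"C:\Windows\SysWOW64\ten.exe"},
    {"pid": 1500, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe"},  # benign control
]

# WOW64 redirection: a 32-bit process that asks for System32 is served from
# SysWOW64, so logs may carry either spelling. Match both, case-insensitively.
SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.IGNORECASE)
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)


def find_temp_to_system_chains(events):
    """Return one root-first ancestry chain, as a list of (pid, image) tuples,
    for every process whose image lives in the system directory and which has
    an ancestor that was launched from a user's Temp folder."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not SYSTEM_DIR.match(e["image"]):
            continue
        chain = [(e["pid"], e["image"])]
        seen = {e["pid"]}          # guards against PID-reuse cycles in the map
        tainted = False
        cur = by_pid.get(e["ppid"])
        while cur is not None and cur["pid"] not in seen:
            seen.add(cur["pid"])
            chain.append((cur["pid"], cur["image"]))
            if USER_TEMP.match(cur["image"]):
                tainted = True
            cur = by_pid.get(cur["ppid"])
        if tainted:
            hits.append(list(reversed(chain)))
    return hits


def flagged_pids(events):
    """Sorted PIDs of the flagged processes, for comparison with the report."""
    return sorted({chain[-1][0] for chain in find_temp_to_system_chains(events)})


if __name__ == "__main__":
    for chain in find_temp_to_system_chains(EVENTS):
        print(" -> ".join(f"{pid}:{image}" for pid, image in chain))
```

Run against the constructed events this flags PIDs 1072, 2776 and 2828, matching the three dropped executables in the tree, and leaves the notepad.exe control alone because its only ancestor is explorer.exe.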

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\28463\FAHD.001

    Filesize

    470B

    MD5

    aaddd93bb3db1717fe3b5dfcf18875a9

    SHA1

    7621645bfb8033d652903c1447884ffd380a8e4e

    SHA256

    a1516ef8837625db18dc20cad3515689abbebbd94d0c16e21dc3aa30d051fe28

    SHA512

    ce73f201b29507338ad75a1d7e5b82397afb0ebf266dc2771b6202ad4ffeeb0cfa5b017ba6868916b381bda1a45ef36925b261296c34a95b0fdea16f8998fab0

  • C:\Windows\SysWOW64\28463\FAHD.006

    Filesize

    8KB

    MD5

    395bbef326fa5ad1216b23f5debf167b

    SHA1

    aa4a7334b5a693b3f0d6f47b568e0d13a593d782

    SHA256

    7c1c4ba8978d3ec53bc6da4d8f9e5e1ca52edf5ccf5ec19ef06b02055ff3b3d1

    SHA512

    dc3f3d7501feb10623807e89f28a0e38bdbbd4a7e2ad964c8ab33c392bde61896fe40bb7773f6309cd59ad9a686decbd81c15b588ac8d311fd2a273ac9410679

  • C:\Windows\SysWOW64\28463\FAHD.007

    Filesize

    5KB

    MD5

    1b5e72f0ebd49cf146f9ae68d792ffe5

    SHA1

    1e90a69c12b9a849fbbac0670296b07331c1cf87

    SHA256

    8f4485675fe35b14276f5c8af8a6b42f03cf1b5de638355e4c4b28397385e87e

    SHA512

    6364f5581de5aaec09b5d1c4e5745193f981ff93cf91e20c6c9ff56566b5d182ccbdacf9aeed1d7a01460eb21619e14ac4ab31b083a951b45b3b7f9d93a62ffc

  • C:\Windows\SysWOW64\28463\FAHD.exe

    Filesize

    649KB

    MD5

    2709fd329d26dbf992210e88d0ed2bb4

    SHA1

    6831506d36aa3c21f9a8c6826aeb6013186e6898

    SHA256

    fa5c3022a4b14b130a035cfff276e3482f78ec23906bc5f0c46587317aff99a1

    SHA512

    223d7ae105ce9d0ad38fc84c2c50f6e0aa4b16e3e126ace5e98b2cd0f389705134e4903ec8bc2d9302c5ec4dee0b2f605407c59e262d385b2b45ce80a15a7d00

  • C:\Windows\SysWOW64\28463\FAHD.exe

    Filesize

    648KB

    MD5

    a8ae9617e3bce190abb4373e1cda3f18

    SHA1

    8178b8dad8f9e9999df8d22f485ba7a94d447e44

    SHA256

    b5b1b60511c400798d68b0d05f700bbc9739a03f374352870657b80b1eafbc30

    SHA512

    f45eab95d7fc5b46534977795b76862dc7f6bd1c40a7dd9a144ab9bc47af066b2e468973d239d3e900819d5e4b0fdaa97bb4846975fabe365997c88e6661f6d5

  • C:\Windows\SysWOW64\28463\key.bin

    Filesize

    105B

    MD5

    27c90d4d9b049f4cd00f32ed1d2e5baf

    SHA1

    338a3ea8f1e929d8916ece9b6e91e697eb562550

    SHA256

    172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb

    SHA512

    d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae

  • C:\Windows\SysWOW64\Install.exe

    Filesize

    456KB

    MD5

    d9ea462cec53336f9a45057eb3a56147

    SHA1

    a2faac2b64a644f051a696cf8555ce144bb485fa

    SHA256

    9964e6da949b5613268f8f4a4ec80c8278a092f17712dee09ae8d7f9d6982991

    SHA512

    ff6c03853f6c3d8eab2ba07d01762adb51c7de3ab76db987132d5a94f484af10fad765704b7597cb89dea17ef7e352719e7468eeb4f026c53b245cf7bb9270fd

  • C:\Windows\SysWOW64\Install.exe

    Filesize

    567KB

    MD5

    248c17669183440a6e551be22cbb259d

    SHA1

    424a2d7b686d819f4a2c10c1d73f32d7dac3c44f

    SHA256

    93d916053f485995906aa1f6f956c8676811196df10b7c642d90819a9fb13ac3

    SHA512

    9be76282d2de512e53eb06d6b26153b874d400e16f4ea960a5408c5a9af4ba9083623f5e261c7a8a32c5f56ba2929159158047b285bd465a755c958defe19063

  • C:\Windows\SysWOW64\ten.exe

    Filesize

    92KB

    MD5

    692eae85521e98c363fff6b7b48d6c39

    SHA1

    1aa2d68abe360be10dea980ec41b5321a2b0306a

    SHA256

    0e23ac39b2daf7d5b238f72ad101c0dd202ba42d3c1bf29701c8ba1936bb0d7d

    SHA512

    16a4b4c2e135c5bba779d0913e041e4599c460a56dd3782d608843ff767f8484fb15bc2c20664714b7b2d28ab940e60f1751e2e54e5eb2c2c1f1051fd05d47d3

  • \Users\Admin\AppData\Local\Temp\@40A8.tmp

    Filesize

    4KB

    MD5

    4b8ed89120fe8ddc31ddba07bc15372b

    SHA1

    181e7ac3d444656f50c1cd02a6832708253428e6

    SHA256

    2ae6b0e14465338be0bc5ad10703f5c823d092ebb8cff7e5a05b7d79c8459b93

    SHA512

    49269b71270b3eda0ddcb399021de9c88f6fd2086cf54fa4898a91e64afe109d44b635d47a5ea9bae7f53a5e968af97fa13bdf699ba00ce879ecadd7bbc8af23

  • \Windows\SysWOW64\28463\FAHD.exe

    Filesize

    17KB

    MD5

    7f0d0aa2e3d0ca720a1bd9e11ce634c5

    SHA1

    17fe92950ccb893415c8450542a63a62a3471117

    SHA256

    f2a7935fc5bbbee10e3aba109e44d269b4edd68ada5829090d4c39985b11abac

    SHA512

    20fa6f3275a770732a6d101cedfa71673559f623b1b4bcc1c266b2708d476ed4dd6b2452a311f8f2481dae09e37b06247ec8961184f0e30e614039ecc666c1e1

  • \Windows\SysWOW64\28463\FAHD.exe

    Filesize

    96KB

    MD5

    d215c21f47ef99bafe6fe2806f681b24

    SHA1

    b2665d920c74db75c6cb79e9b540b746643da2d9

    SHA256

    08e73482b860921dab332ae6a6b473dd1c0fc34331eaa0ffe7fc5852e3b8d9d7

    SHA512

    a7f319432191f946a00bc468c4584303233b427344c15c5307dd800f9da94ca85bbbbaf4fc84d2340b52f84dcbfdb0eadb1e10956b3fe01d14e306fa8fb4295a

  • \Windows\SysWOW64\Install.exe

    Filesize

    415KB

    MD5

    ae5cbf62d4d8bbae1f9a0205dd8c204c

    SHA1

    9de63bea2162a1df9f47dfc539950a55f473fe78

    SHA256

    9bf1374cfbef0ce2339d5fed3a98f5eb44df47f38f70dea9baccf3f228e15585

    SHA512

    3e8faf1872df096f829485e59637be46941eb51ecaf4d376181bd14e3c0258793840cce8dd1d9632cce44346fbff8ca01c90c09f9e757ed8449459705c884aa5

  • \Windows\SysWOW64\Install.exe

    Filesize

    501KB

    MD5

    b6f6e45452433dae611b509091850009

    SHA1

    af59ef222336644e79d3a1ad1354921bda10c0ed

    SHA256

    5252f26f187164ad6e3547fafb87dde3a83aa046c54e1df5b02742b64a66d161

    SHA512

    bb13dc7c63aa144bbc6635d79d0bbb7d32393f0f1575f8dac8cdbd173d9478a494f54429799888e682fd1800629d67be70e93f3d94cb3ce20f042fdebd9df5df

  • \Windows\SysWOW64\Install.exe

    Filesize

    288KB

    MD5

    e012b45dd4336131ca57dd19ced90a19

    SHA1

    89599db18bdaa3fe1f6c689e933b7f4217ba83ed

    SHA256

    3702158e724d4d8763b72dc98f694df1a2d087ba196e3bb1ca48a0c611e6d8d0

    SHA512

    e0721fb0d0bf634ee0bc898efe00cbee4c2a651a2f94748ba7c9cddb01f8909c73353a36b48ee50eb8aea057836678bfae8ed4675dbc5d9b4b01f46682e44833

  • \Windows\SysWOW64\Install.exe

    Filesize

    391KB

    MD5

    88c4198144891c867237d80daa82bf12

    SHA1

    c2e0794514e43b3079e590122891f6c1fcfa85ac

    SHA256

    f3976f840a95648bbcffe606d1d06f26592c28eec0b8fe3a55d39b68f3d31125

    SHA512

    2bf074556a895bcfa31cd871b2c463edc84e31ed99617a14a9e51b0ff712dd19b0f220336cdaf61f70753743f57f16cbdab6efda872b8977701e989f2f92f48f

  • memory/1072-40-0x0000000002F70000-0x000000000304F000-memory.dmp

    Filesize

    892KB

  • memory/2776-27-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2776-23-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2828-56-0x00000000032C0000-0x00000000032C1000-memory.dmp

    Filesize

    4KB

  • memory/2828-55-0x00000000032A0000-0x00000000032A1000-memory.dmp

    Filesize

    4KB

  • memory/2828-46-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB

  • memory/2828-45-0x0000000000270000-0x000000000034F000-memory.dmp

    Filesize

    892KB

  • memory/2828-49-0x00000000031E0000-0x00000000031E3000-memory.dmp

    Filesize

    12KB

  • memory/2828-44-0x0000000000270000-0x000000000034F000-memory.dmp

    Filesize

    892KB

  • memory/2828-73-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB

  • memory/2828-71-0x0000000001D40000-0x0000000001D9A000-memory.dmp

    Filesize

    360KB

  • memory/2828-70-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB

  • memory/2828-65-0x00000000033D0000-0x00000000033D1000-memory.dmp

    Filesize

    4KB

  • memory/2828-50-0x0000000000270000-0x0000000000271000-memory.dmp

    Filesize

    4KB

  • memory/2828-63-0x00000000033B0000-0x00000000033B1000-memory.dmp

    Filesize

    4KB

  • memory/2828-62-0x0000000003380000-0x0000000003381000-memory.dmp

    Filesize

    4KB

  • memory/2828-61-0x0000000003360000-0x0000000003361000-memory.dmp

    Filesize

    4KB

  • memory/2828-60-0x0000000003340000-0x0000000003341000-memory.dmp

    Filesize

    4KB

  • memory/2828-59-0x0000000003320000-0x0000000003321000-memory.dmp

    Filesize

    4KB

  • memory/2828-58-0x0000000003300000-0x0000000003301000-memory.dmp

    Filesize

    4KB

  • memory/2828-57-0x00000000032E0000-0x00000000032E1000-memory.dmp

    Filesize

    4KB

  • memory/2828-51-0x00000000003F0000-0x00000000003F1000-memory.dmp

    Filesize

    4KB

  • memory/2828-47-0x0000000001D40000-0x0000000001D9A000-memory.dmp

    Filesize

    360KB

  • memory/2828-54-0x0000000003280000-0x0000000003281000-memory.dmp

    Filesize

    4KB

  • memory/2828-53-0x0000000002610000-0x0000000002611000-memory.dmp

    Filesize

    4KB

  • memory/2828-52-0x00000000024B0000-0x00000000024B1000-memory.dmp

    Filesize

    4KB

  • memory/3068-15-0x0000000000400000-0x00000000004B1000-memory.dmp

    Filesize

    708KB

  • memory/3068-1-0x0000000000400000-0x00000000004B1000-memory.dmp

    Filesize

    708KB

  • memory/3068-3-0x0000000000230000-0x0000000000232000-memory.dmp

    Filesize

    8KB

  • memory/3068-16-0x00000000025C0000-0x00000000025F3000-memory.dmp

    Filesize

    204KB

  • memory/3068-0-0x0000000000400000-0x00000000004B1000-memory.dmp

    Filesize

    708KB
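Several paths in the list above appear more than once with different sizes and hashes (FAHD.exe four times, Install.exe six times): the sandbox captured each write to the path, so the file was overwritten during the run and a hunt keyed on any single hash would miss the other versions. Some entries carry a drive letter and some do not, and the memory dump entries carry a size but no hash. The Python below is an added example, not part of the sandbox report: it parses this page's dropped-file layout (a path bullet followed by label/value pairs) into a deduplicated indicator set and reports which paths were written more than once. `REPORT_EXCERPT` is a constructed input made of five entries copied from the list above with blank lines and SHA512 values trimmed.

```python
"""Parse this report's dropped-file list into a deduplicated indicator set.

Added example, not part of the sandbox report. The parser targets the layout
used on this page only: a "•" bullet carrying a path, then label lines
(Filesize, MD5, SHA1, SHA256, SHA512) each followed by a value line.
REPORT_EXCERPT is constructed from five entries on this page, trimmed.
"""
import re
from collections import defaultdict

REPORT_EXCERPT = r"""
  • C:\Windows\SysWOW64\28463\FAHD.exe
    Filesize
    649KB
    MD5
    2709fd329d26dbf992210e88d0ed2bb4
    SHA1
    6831506d36aa3c21f9a8c6826aeb6013186e6898
    SHA256
    fa5c3022a4b14b130a035cfff276e3482f78ec23906bc5f0c46587317aff99a1
  • C:\Windows\SysWOW64\28463\FAHD.exe
    Filesize
    648KB
    MD5
    a8ae9617e3bce190abb4373e1cda3f18
    SHA1
    8178b8dad8f9e9999df8d22f485ba7a94d447e44
    SHA256
    b5b1b60511c400798d68b0d05f700bbc9739a03f374352870657b80b1eafbc30
  • C:\Windows\SysWOW64\28463\key.bin
    Filesize
    105B
    MD5
    27c90d4d9b049f4cd00f32ed1d2e5baf
    SHA1
    338a3ea8f1e929d8916ece9b6e91e697eb562550
    SHA256
    172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb
  • \Windows\SysWOW64\28463\FAHD.exe
    Filesize
    17KB
    MD5
    7f0d0aa2e3d0ca720a1bd9e11ce634c5
    SHA1
    17fe92950ccb893415c8450542a63a62a3471117
    SHA256
    f2a7935fc5bbbee10e3aba109e44d269b4edd68ada5829090d4c39985b11abac
  • memory/2828-46-0x0000000000400000-0x00000000004DF000-memory.dmp
    Filesize
    892KB
"""

LABELS = {"Filesize": "size", "MD5": "md5", "SHA1": "sha1",
          "SHA256": "sha256", "SHA512": "sha512"}


def parse_artifacts(text):
    """Return one dict per bullet: {"path": ..., "size": ..., "md5": ..., ...}.
    A label line sets the key that the next non-empty line fills."""
    entries, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            current = {"path": line[1:].strip()}
            entries.append(current)
            pending = None
        elif line in LABELS and current is not None:
            pending = LABELS[line]
        elif pending is not None and current is not None:
            current[pending] = line
            pending = None
    return entries


def norm_path(path):
    """Drop the drive letter and fold case so 'C:\\Windows\\..' and
    '\\Windows\\..' group together (NTFS paths are case-insensitive)."""
    return re.sub(r"^[a-z]:", "", path, flags=re.IGNORECASE).lower()


def indicator_set(entries):
    """Unique SHA256 values; memory dumps carry no hash and are skipped."""
    return sorted({e["sha256"] for e in entries if "sha256" in e})


def versions_by_path(entries):
    """Map each normalized on-disk path to every distinct SHA256 seen for it."""
    out = defaultdict(list)
    for e in entries:
        if "sha256" in e and e["sha256"] not in out[norm_path(e["path"])]:
            out[norm_path(e["path"])].append(e["sha256"])
    return dict(out)


def rewritten_paths(entries):
    """Paths captured with more than one hash: the file was written more than
    once during the run, so every hash must go into the hunt, not just one."""
    return sorted(p for p, hs in versions_by_path(entries).items() if len(hs) > 1)


if __name__ == "__main__":
    arts = parse_artifacts(REPORT_EXCERPT)
    print(len(indicator_set(arts)), "unique SHA256 values")
    print("rewritten:", rewritten_paths(arts))
```

On the excerpt this yields four unique SHA256 values and reports `\windows\syswow64\28463\fahd.exe` as the one path written more than once; run over the full list above it would likewise group the four FAHD.exe and six Install.exe entries under a single path each.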