Analysis

  • max time kernel
    148s
  • max time network
    112s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-01-2024 12:41

General

  • Target

    74b80a2d154807e988ef4d9923c7641c.exe

  • Size

    662KB

  • MD5

    74b80a2d154807e988ef4d9923c7641c

  • SHA1

    36778048ea00af2ddabaa873428ba1083596f6b1

  • SHA256

    5f5969a2c2893e169939e6a413c2888303d67c9071d3d8cc6ed7857ff0cfb95e

  • SHA512

    9e7676778b0967b6329065218237f314a1b1143e4b789b460f7d22d0fc174000809aa08a3b98f0d87d043251bf2878d0a29c36fa9f935c085c98408bcca1891d

  • SSDEEP

    12288:Unr4sb7oaU4cSVYxk+++Cvi44aJyoUlDafJ2nRvvI/mgDRgLdMZtpj:UrjbkJ9xk++fiocoUlDnnRvOmg9g5ML5

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\74b80a2d154807e988ef4d9923c7641c.exe
    "C:\Users\Admin\AppData\Local\Temp\74b80a2d154807e988ef4d9923c7641c.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1596
    • C:\Windows\SysWOW64\ten.exe
      "C:\Windows\system32\ten.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      PID:3496
    • C:\Windows\SysWOW64\Install.exe
      "C:\Windows\system32\Install.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1676
      • C:\Windows\SysWOW64\28463\FAHD.exe
        "C:\Windows\system32\28463\FAHD.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1276

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\@42D5.tmp

    Filesize

    4KB

    MD5

    4b8ed89120fe8ddc31ddba07bc15372b

    SHA1

    181e7ac3d444656f50c1cd02a6832708253428e6

    SHA256

    2ae6b0e14465338be0bc5ad10703f5c823d092ebb8cff7e5a05b7d79c8459b93

    SHA512

    49269b71270b3eda0ddcb399021de9c88f6fd2086cf54fa4898a91e64afe109d44b635d47a5ea9bae7f53a5e968af97fa13bdf699ba00ce879ecadd7bbc8af23

  • C:\Windows\SysWOW64\28463\FAHD.001

    Filesize

    470B

    MD5

    aaddd93bb3db1717fe3b5dfcf18875a9

    SHA1

    7621645bfb8033d652903c1447884ffd380a8e4e

    SHA256

    a1516ef8837625db18dc20cad3515689abbebbd94d0c16e21dc3aa30d051fe28

    SHA512

    ce73f201b29507338ad75a1d7e5b82397afb0ebf266dc2771b6202ad4ffeeb0cfa5b017ba6868916b381bda1a45ef36925b261296c34a95b0fdea16f8998fab0

  • C:\Windows\SysWOW64\28463\FAHD.006

    Filesize

    8KB

    MD5

    395bbef326fa5ad1216b23f5debf167b

    SHA1

    aa4a7334b5a693b3f0d6f47b568e0d13a593d782

    SHA256

    7c1c4ba8978d3ec53bc6da4d8f9e5e1ca52edf5ccf5ec19ef06b02055ff3b3d1

    SHA512

    dc3f3d7501feb10623807e89f28a0e38bdbbd4a7e2ad964c8ab33c392bde61896fe40bb7773f6309cd59ad9a686decbd81c15b588ac8d311fd2a273ac9410679

  • C:\Windows\SysWOW64\28463\FAHD.007

    Filesize

    5KB

    MD5

    1b5e72f0ebd49cf146f9ae68d792ffe5

    SHA1

    1e90a69c12b9a849fbbac0670296b07331c1cf87

    SHA256

    8f4485675fe35b14276f5c8af8a6b42f03cf1b5de638355e4c4b28397385e87e

    SHA512

    6364f5581de5aaec09b5d1c4e5745193f981ff93cf91e20c6c9ff56566b5d182ccbdacf9aeed1d7a01460eb21619e14ac4ab31b083a951b45b3b7f9d93a62ffc

  • C:\Windows\SysWOW64\28463\FAHD.exe

    Filesize

    649KB

    MD5

    2709fd329d26dbf992210e88d0ed2bb4

    SHA1

    6831506d36aa3c21f9a8c6826aeb6013186e6898

    SHA256

    fa5c3022a4b14b130a035cfff276e3482f78ec23906bc5f0c46587317aff99a1

    SHA512

    223d7ae105ce9d0ad38fc84c2c50f6e0aa4b16e3e126ace5e98b2cd0f389705134e4903ec8bc2d9302c5ec4dee0b2f605407c59e262d385b2b45ce80a15a7d00

  • C:\Windows\SysWOW64\28463\key.bin

    Filesize

    105B

    MD5

    27c90d4d9b049f4cd00f32ed1d2e5baf

    SHA1

    338a3ea8f1e929d8916ece9b6e91e697eb562550

    SHA256

    172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb

    SHA512

    d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae

  • C:\Windows\SysWOW64\Install.exe

    Filesize

    82KB

    MD5

    94be864f52c017301c4a5677ff4d1588

    SHA1

    d1d356df73855d44ffac7ee5c5cc307735ec1a1f

    SHA256

    55d54a0f058fc8c698f9cb8555a1ff4e28dc62c8bf57a8fc8d85bd148025d94c

    SHA512

    fdcf532640ab17333987a35697d819d704a4e3dc47848d737cb17fe6c13bf5258faaca71c46ab8a251d34735900e815d9d31211c8eb22e19a27909fb10195706

  • C:\Windows\SysWOW64\Install.exe

    Filesize

    243KB

    MD5

    b076e422cb28f37c5d29157b7b8aa96e

    SHA1

    0f8c637a89ca4d0258666bd8ca35915c5f188790

    SHA256

    bbe943b4473c3c40efc385a17afcabd84d3ad8dea9a46c77e2a71c8910aff844

    SHA512

    77f0da83de6fa920c9c44de3a589b23b2d520701a363d40ed79490fc68431e46e8607c41423781d774b7235e4fac02b287edbecb46cf12251a585090e7ca0854

  • C:\Windows\SysWOW64\Install.exe

    Filesize

    174KB

    MD5

    c04ad59777b9f1d796d7463d27764582

    SHA1

    bfe2c17f294e123a7ece9d82413309fa62c3194e

    SHA256

    48f9fb1932465b5d3f5659d59ec606b2dd1114f9da8add0caf5d82a781fcc7f7

    SHA512

    f6b272f105cef301bbfa6b27a8af99879d2c2c5a30a808bae1b71c70a0615938eea94479db8d2e992e893b68b0fd8fd2bda70c9056d721ae45f53516e120cefe

  • C:\Windows\SysWOW64\ten.exe

    Filesize

    92KB

    MD5

    692eae85521e98c363fff6b7b48d6c39

    SHA1

    1aa2d68abe360be10dea980ec41b5321a2b0306a

    SHA256

    0e23ac39b2daf7d5b238f72ad101c0dd202ba42d3c1bf29701c8ba1936bb0d7d

    SHA512

    16a4b4c2e135c5bba779d0913e041e4599c460a56dd3782d608843ff767f8484fb15bc2c20664714b7b2d28ab940e60f1751e2e54e5eb2c2c1f1051fd05d47d3

  • memory/1276-95-0x00000000038D0000-0x00000000038D1000-memory.dmp

    Filesize

    4KB

  • memory/1276-91-0x0000000003860000-0x0000000003861000-memory.dmp

    Filesize

    4KB

  • memory/1276-48-0x00000000023F0000-0x00000000023F1000-memory.dmp

    Filesize

    4KB

  • memory/1276-49-0x0000000002410000-0x0000000002411000-memory.dmp

    Filesize

    4KB

  • memory/1276-50-0x00000000023D0000-0x00000000023D1000-memory.dmp

    Filesize

    4KB

  • memory/1276-52-0x0000000003220000-0x0000000003221000-memory.dmp

    Filesize

    4KB

  • memory/1276-54-0x0000000003280000-0x0000000003281000-memory.dmp

    Filesize

    4KB

  • memory/1276-55-0x00000000023B0000-0x00000000023B1000-memory.dmp

    Filesize

    4KB

  • memory/1276-53-0x0000000003210000-0x0000000003213000-memory.dmp

    Filesize

    12KB

  • memory/1276-51-0x0000000002390000-0x0000000002391000-memory.dmp

    Filesize

    4KB

  • memory/1276-47-0x0000000002400000-0x0000000002401000-memory.dmp

    Filesize

    4KB

  • memory/1276-44-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB

  • memory/1276-67-0x0000000002640000-0x0000000002641000-memory.dmp

    Filesize

    4KB

  • memory/1276-66-0x00000000024E0000-0x00000000024E1000-memory.dmp

    Filesize

    4KB

  • memory/1276-81-0x0000000003470000-0x0000000003471000-memory.dmp

    Filesize

    4KB

  • memory/1276-82-0x00000000034A0000-0x00000000034A1000-memory.dmp

    Filesize

    4KB

  • memory/1276-108-0x00000000050F0000-0x00000000050F1000-memory.dmp

    Filesize

    4KB

  • memory/1276-107-0x00000000050D0000-0x00000000050D1000-memory.dmp

    Filesize

    4KB

  • memory/1276-106-0x0000000003910000-0x0000000003911000-memory.dmp

    Filesize

    4KB

  • memory/1276-105-0x0000000003980000-0x0000000003981000-memory.dmp

    Filesize

    4KB

  • memory/1276-104-0x0000000003990000-0x0000000003991000-memory.dmp

    Filesize

    4KB

  • memory/1276-103-0x0000000003960000-0x0000000003961000-memory.dmp

    Filesize

    4KB

  • memory/1276-102-0x0000000003970000-0x0000000003971000-memory.dmp

    Filesize

    4KB

  • memory/1276-101-0x0000000003940000-0x0000000003941000-memory.dmp

    Filesize

    4KB

  • memory/1276-100-0x0000000003950000-0x0000000003951000-memory.dmp

    Filesize

    4KB

  • memory/1276-99-0x0000000003920000-0x0000000003921000-memory.dmp

    Filesize

    4KB

  • memory/1276-98-0x0000000003930000-0x0000000003931000-memory.dmp

    Filesize

    4KB

  • memory/1276-97-0x00000000038F0000-0x00000000038F1000-memory.dmp

    Filesize

    4KB

  • memory/1276-128-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB

  • memory/1276-96-0x0000000003900000-0x0000000003901000-memory.dmp

    Filesize

    4KB

  • memory/1276-125-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB

  • memory/1276-93-0x0000000003880000-0x0000000003881000-memory.dmp

    Filesize

    4KB

  • memory/1276-92-0x0000000003890000-0x0000000003891000-memory.dmp

    Filesize

    4KB

  • memory/1276-45-0x00000000021C0000-0x000000000221A000-memory.dmp

    Filesize

    360KB

  • memory/1276-90-0x0000000003500000-0x0000000003501000-memory.dmp

    Filesize

    4KB

  • memory/1276-89-0x0000000003510000-0x0000000003511000-memory.dmp

    Filesize

    4KB

  • memory/1276-88-0x00000000034E0000-0x00000000034E1000-memory.dmp

    Filesize

    4KB

  • memory/1276-87-0x00000000034F0000-0x00000000034F1000-memory.dmp

    Filesize

    4KB

  • memory/1276-86-0x0000000003270000-0x0000000003271000-memory.dmp

    Filesize

    4KB

  • memory/1276-85-0x00000000034B0000-0x00000000034B1000-memory.dmp

    Filesize

    4KB

  • memory/1276-84-0x00000000034D0000-0x00000000034D1000-memory.dmp

    Filesize

    4KB

  • memory/1276-83-0x0000000003490000-0x0000000003491000-memory.dmp

    Filesize

    4KB

  • memory/1276-80-0x0000000003480000-0x0000000003481000-memory.dmp

    Filesize

    4KB

  • memory/1276-79-0x0000000003450000-0x0000000003451000-memory.dmp

    Filesize

    4KB

  • memory/1276-78-0x0000000003460000-0x0000000003461000-memory.dmp

    Filesize

    4KB

  • memory/1276-77-0x0000000003430000-0x0000000003431000-memory.dmp

    Filesize

    4KB

  • memory/1276-76-0x0000000003440000-0x0000000003441000-memory.dmp

    Filesize

    4KB

  • memory/1276-75-0x0000000003410000-0x0000000003411000-memory.dmp

    Filesize

    4KB

  • memory/1276-74-0x0000000003420000-0x0000000003421000-memory.dmp

    Filesize

    4KB

  • memory/1276-73-0x00000000033F0000-0x00000000033F1000-memory.dmp

    Filesize

    4KB

  • memory/1276-72-0x0000000003400000-0x0000000003401000-memory.dmp

    Filesize

    4KB

  • memory/1276-71-0x00000000033D0000-0x00000000033D1000-memory.dmp

    Filesize

    4KB

  • memory/1276-70-0x00000000033E0000-0x00000000033E1000-memory.dmp

    Filesize

    4KB

  • memory/1276-69-0x00000000033B0000-0x00000000033B1000-memory.dmp

    Filesize

    4KB

  • memory/1276-68-0x00000000033C0000-0x00000000033C1000-memory.dmp

    Filesize

    4KB

  • memory/1276-65-0x0000000002590000-0x0000000002591000-memory.dmp

    Filesize

    4KB

  • memory/1276-64-0x0000000003230000-0x0000000003231000-memory.dmp

    Filesize

    4KB

  • memory/1276-63-0x0000000002160000-0x0000000002161000-memory.dmp

    Filesize

    4KB

  • memory/1276-56-0x0000000003260000-0x0000000003261000-memory.dmp

    Filesize

    4KB

  • memory/1276-59-0x0000000000530000-0x0000000000531000-memory.dmp

    Filesize

    4KB

  • memory/1276-58-0x0000000002420000-0x0000000002421000-memory.dmp

    Filesize

    4KB

  • memory/1276-57-0x0000000002370000-0x0000000002371000-memory.dmp

    Filesize

    4KB

  • memory/1596-0-0x0000000000400000-0x00000000004B1000-memory.dmp

    Filesize

    708KB

  • memory/1596-2-0x0000000000A50000-0x0000000000A52000-memory.dmp

    Filesize

    8KB

  • memory/1596-1-0x0000000000400000-0x00000000004B1000-memory.dmp

    Filesize

    708KB

  • memory/1596-26-0x0000000000400000-0x00000000004B1000-memory.dmp

    Filesize

    708KB

  • memory/3496-29-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/3496-28-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB