Analysis
max time kernel: 148s
max time network: 112s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-01-2024 12:41
Static task: static1
Behavioral task: behavioral1
Sample: 74b80a2d154807e988ef4d9923c7641c.exe
Resource: win7-20231215-en
General
Target: 74b80a2d154807e988ef4d9923c7641c.exe
Size: 662KB
MD5: 74b80a2d154807e988ef4d9923c7641c
SHA1: 36778048ea00af2ddabaa873428ba1083596f6b1
SHA256: 5f5969a2c2893e169939e6a413c2888303d67c9071d3d8cc6ed7857ff0cfb95e
SHA512: 9e7676778b0967b6329065218237f314a1b1143e4b789b460f7d22d0fc174000809aa08a3b98f0d87d043251bf2878d0a29c36fa9f935c085c98408bcca1891d
SSDEEP: 12288:Unr4sb7oaU4cSVYxk+++Cvi44aJyoUlDafJ2nRvvI/mgDRgLdMZtpj:UrjbkJ9xk++fiocoUlDnnRvOmg9g5ML5
Malware Config
Signatures
-
Ardamax main executable 1 IoCs
Processes:
  resource: C:\Windows\SysWOW64\28463\FAHD.exe  yara_rule: family_ardamax
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 74b80a2d154807e988ef4d9923c7641c.exe, Install.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation (74b80a2d154807e988ef4d9923c7641c.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation (Install.exe)
-
Executes dropped EXE 3 IoCs
Processes: Install.exe, ten.exe, FAHD.exe
  PID 1676  Install.exe
  PID 3496  ten.exe
  PID 1276  FAHD.exe
-
Loads dropped DLL 4 IoCs
Processes: Install.exe, FAHD.exe
  PID 1676  Install.exe
  PID 1276  FAHD.exe
  PID 1276  FAHD.exe
  PID 1276  FAHD.exe
-
Processes (yara_rule upx):
  resource: behavioral2/memory/3496-29-0x0000000000400000-0x0000000000433000-memory.dmp  yara_rule: upx
  resource: behavioral2/memory/3496-28-0x0000000000400000-0x0000000000433000-memory.dmp  yara_rule: upx
  resource: C:\Windows\SysWOW64\ten.exe  yara_rule: upx
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: FAHD.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FAHD Agent = "C:\\Windows\\SysWOW64\\28463\\FAHD.exe" (FAHD.exe)
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 8 IoCs
Processes: 74b80a2d154807e988ef4d9923c7641c.exe, Install.exe, FAHD.exe
  File created: C:\Windows\SysWOW64\ten.exe (74b80a2d154807e988ef4d9923c7641c.exe)
  File created: C:\Windows\SysWOW64\28463\FAHD.001 (Install.exe)
  File created: C:\Windows\SysWOW64\28463\FAHD.006 (Install.exe)
  File created: C:\Windows\SysWOW64\28463\FAHD.007 (Install.exe)
  File created: C:\Windows\SysWOW64\28463\FAHD.exe (Install.exe)
  File created: C:\Windows\SysWOW64\28463\key.bin (Install.exe)
  File opened for modification: C:\Windows\SysWOW64\28463 (FAHD.exe)
  File created: C:\Windows\SysWOW64\Install.exe (74b80a2d154807e988ef4d9923c7641c.exe)
-
Drops file in Windows directory 1 IoCs
Processes: ten.exe
  File created: C:\Windows\ARFXZ.$$A (ten.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 33 IoCs
Processes: FAHD.exe (all entries below)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5B5D2749-9F84-D3C3-37B8-3660E8509898}
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5B5D2749-9F84-D3C3-37B8-3660E8509898}\1.0\HELPDIR
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5B5D2749-9F84-D3C3-37B8-3660E8509898}\1.0\0
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5B5D2749-9F84-D3C3-37B8-3660E8509898}\1.0\FLAGS\
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5679B76-8BC0-46F7-74B7-C26974A7E8DD}\TypeLib\
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5679B76-8BC0-46F7-74B7-C26974A7E8DD}\InprocServer32
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5679B76-8BC0-46F7-74B7-C26974A7E8DD}\InprocServer32\
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5679B76-8BC0-46F7-74B7-C26974A7E8DD}\InprocServer32\ = "%SystemRoot%\\SysWow64\\Speech\\Common\\sapi.dll"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5679B76-8BC0-46F7-74B7-C26974A7E8DD}\ProgID\ = "SAPI.SpNullPhoneConverter.1"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5B5D2749-9F84-D3C3-37B8-3660E8509898}\1.0
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5679B76-8BC0-46F7-74B7-C26974A7E8DD}\Version
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5679B76-8BC0-46F7-74B7-C26974A7E8DD}\VersionIndependentProgID\
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5B5D2749-9F84-D3C3-37B8-3660E8509898}\1.0\0\
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5679B76-8BC0-46F7-74B7-C26974A7E8DD}\ProgID\
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5B5D2749-9F84-D3C3-37B8-3660E8509898}\1.0\ = "UPnP 1.0 Type Library (Device Host)"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5B5D2749-9F84-D3C3-37B8-3660E8509898}\1.0\FLAGS
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5679B76-8BC0-46F7-74B7-C26974A7E8DD}\Version\
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5679B76-8BC0-46F7-74B7-C26974A7E8DD}\VersionIndependentProgID\ = "SAPI.SpNullPhoneConverter"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5B5D2749-9F84-D3C3-37B8-3660E8509898}\1.0\
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5B5D2749-9F84-D3C3-37B8-3660E8509898}\1.0\FLAGS\ = "0"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5B5D2749-9F84-D3C3-37B8-3660E8509898}\1.0\HELPDIR\ = "%SystemRoot%\\SysWow64\\"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5679B76-8BC0-46F7-74B7-C26974A7E8DD}\TypeLib
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5679B76-8BC0-46F7-74B7-C26974A7E8DD}\Version\ = "5.4"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5B5D2749-9F84-D3C3-37B8-3660E8509898}\1.0\HELPDIR\
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5679B76-8BC0-46F7-74B7-C26974A7E8DD}\VersionIndependentProgID
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5679B76-8BC0-46F7-74B7-C26974A7E8DD}
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5679B76-8BC0-46F7-74B7-C26974A7E8DD}\ = "Omipiwla.Kapih"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5B5D2749-9F84-D3C3-37B8-3660E8509898}\1.0\0\win32
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5B5D2749-9F84-D3C3-37B8-3660E8509898}\1.0\0\win32\ = "%SystemRoot%\\SysWow64\\upnpcont.exe"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5679B76-8BC0-46F7-74B7-C26974A7E8DD}\TypeLib\ = "{5B5D2749-9F84-D3C3-37B8-3660E8509898}"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5679B76-8BC0-46F7-74B7-C26974A7E8DD}\ProgID
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5B5D2749-9F84-D3C3-37B8-3660E8509898}\
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5B5D2749-9F84-D3C3-37B8-3660E8509898}\1.0\0\win32\
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: FAHD.exe
  Token: 33  PID 1276  FAHD.exe
  Token: SeIncBasePriorityPrivilege  PID 1276  FAHD.exe
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes: FAHD.exe
  PID 1276  FAHD.exe
  PID 1276  FAHD.exe
  PID 1276  FAHD.exe
  PID 1276  FAHD.exe
  PID 1276  FAHD.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes: 74b80a2d154807e988ef4d9923c7641c.exe, Install.exe
  PID 1596 wrote to memory of 1676  (74b80a2d154807e988ef4d9923c7641c.exe -> Install.exe)
  PID 1596 wrote to memory of 1676  (74b80a2d154807e988ef4d9923c7641c.exe -> Install.exe)
  PID 1596 wrote to memory of 1676  (74b80a2d154807e988ef4d9923c7641c.exe -> Install.exe)
  PID 1596 wrote to memory of 3496  (74b80a2d154807e988ef4d9923c7641c.exe -> ten.exe)
  PID 1596 wrote to memory of 3496  (74b80a2d154807e988ef4d9923c7641c.exe -> ten.exe)
  PID 1596 wrote to memory of 3496  (74b80a2d154807e988ef4d9923c7641c.exe -> ten.exe)
  PID 1676 wrote to memory of 1276  (Install.exe -> FAHD.exe)
  PID 1676 wrote to memory of 1276  (Install.exe -> FAHD.exe)
  PID 1676 wrote to memory of 1276  (Install.exe -> FAHD.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\74b80a2d154807e988ef4d9923c7641c.exe (PID 1596)
  command line: "C:\Users\Admin\AppData\Local\Temp\74b80a2d154807e988ef4d9923c7641c.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\ten.exe (PID 3496)
    command line: "C:\Windows\system32\ten.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
  C:\Windows\SysWOW64\Install.exe (PID 1676)
    command line: "C:\Windows\system32\Install.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\28463\FAHD.exe (PID 1276)
      command line: "C:\Windows\system32\28463\FAHD.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads