Overview

overview

10

Static

static

3

da2ae7a0e2...99.exe

windows7-x64

10

da2ae7a0e2...99.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    137s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/03/2024, 23:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    da2ae7a0e21b636880262689a2781499.exe

  • Size

    1.3MB

  • MD5

    da2ae7a0e21b636880262689a2781499

  • SHA1

    36c0c56cd1d1a185b4dfbff21ca4ee65346baf71

  • SHA256

    28ba319bfdaaac8d64bc728aceb4ddbb0c0c5fc35c55557d41d6bbabe2fb5940

  • SHA512

    fcee43a8a959072daf9edb07ba63062953d8e6ec70c7c8aea1a4e047b1818a549d71d8350726b18ee00a441f217a2f5e22c953541dd9d2311266e10afda6fa72

  • SSDEEP

    24576:jzwTT62d6pGJCqiWX12ZamllupwS8GCZAQvGOOirxDVLBOg01wX35p8D6okDqtoG:jz+Ttd6pGxeambuOpGulOlir9OgNXgOT

Score
10/10
ardamaxkeyloggerpersistencestealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\da2ae7a0e21b636880262689a2781499.exe
    "C:\Users\Admin\AppData\Local\Temp\da2ae7a0e21b636880262689a2781499.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Windows\SysWOW64\GECNDL\TTC.exe
      "C:\Windows\system32\GECNDL\TTC.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:4920
    • C:\Users\Admin\AppData\Local\Temp\notepad.exe
      "C:\Users\Admin\AppData\Local\Temp\notepad.exe"
      2⤵
      • Executes dropped EXE
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4892
      • C:\Windows\SysWOW64\regsvr32.exe
        regsvr32 MSCOMCTL.OCX /s
        3⤵
          PID:4220
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32 TABCTL32.OCX /s
          3⤵
            PID:2564
          • C:\Windows\SysWOW64\regsvr32.exe
            regsvr32 MSINET.OCX /s
            3⤵
              PID:1044

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IGS2C121\httpErrorPagesScripts[1]
          Filesize

          11KB

          MD5

          9234071287e637f85d721463c488704c

          SHA1

          cca09b1e0fba38ba29d3972ed8dcecefdef8c152

          SHA256

          65cc039890c7ceb927ce40f6f199d74e49b8058c3f8a6e22e8f916ad90ea8649

          SHA512

          87d691987e7a2f69ad8605f35f94241ab7e68ad4f55ad384f1f0d40dc59ffd1432c758123661ee39443d624c881b01dcd228a67afb8700fe5e66fc794a6c0384

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UUFWLFGT\NewErrorPageTemplate[2]
          Filesize

          1KB

          MD5

          dfeabde84792228093a5a270352395b6

          SHA1

          e41258c9576721025926326f76063c2305586f76

          SHA256

          77b138ab5d0a90ff04648c26addd5e414cc178165e3b54a4cb3739da0f58e075

          SHA512

          e256f603e67335151bb709294749794e2e3085f4063c623461a0b3decbcca8e620807b707ec9bcbe36dcd7d639c55753da0495be85b4ae5fb6bfc52ab4b284fd

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UUFWLFGT\dnserrordiagoff[1]
          Filesize

          1KB

          MD5

          7e81a79f38695e467a49ee41dd24146d

          SHA1

          035e110c36bf3072525b05394f73d1ba54d0d316

          SHA256

          a705d1e0916a79b0d6e60c41a9ce301ed95b3fc00e927f940ab27061c208a536

          SHA512

          53c5f2f2b9ad8b555f9ae6644941cf2016108e803ea6ab2c7418e31e66874dea5a2bc04be0fa9766e7206617879520e730e9e3e0de136bae886c2e786082d622

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UUFWLFGT\errorPageStrings[1]
          Filesize

          4KB

          MD5

          d65ec06f21c379c87040b83cc1abac6b

          SHA1

          208d0a0bb775661758394be7e4afb18357e46c8b

          SHA256

          a1270e90cea31b46432ec44731bf4400d22b38eb2855326bf934fe8f1b169a4f

          SHA512

          8a166d26b49a5d95aea49bc649e5ea58786a2191f4d2adac6f5fbb7523940ce4482d6a2502aa870a931224f215cb2010a8c9b99a2c1820150e4d365cab28299e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\notepad.exe
          Filesize

          656KB

          MD5

          6a7ddb1d5cf3882a13d8565d67da8c54

          SHA1

          051aa5802be3074204b0c5e7db210c75389b66ea

          SHA256

          78fe3a439605dedcb581c19c9aa4bc31060e9886d22ead41f72365850b51679d

          SHA512

          43ba28f50061122f163c7a5ad143056efe4857bcfbb8c80f94db286fb7a7e1756c53ba8325454375294da1c6cfb3540f86156fec8d3baf389cc0b068e2f68bf2

          Download Submit

        • C:\Windows\SysWOW64\GECNDL\AKV.exe
          Filesize

          485KB

          MD5

          42150775d201a85ebc379d21aa253f85

          SHA1

          fccd7df34e16abaf8d55935016cdb15df8041e06

          SHA256

          00206ccef9ee8da111cc547c698b7e61736b328de48ac5c307d05f2921ef0b9c

          SHA512

          4ff3c587a8d88e319acb028829c75ecb3e11c16a62ba9c2090720613c51c6555af698ba8ff75672b405602f196ed1b99dbeb9395bae62aac2140fa31600b36e0

          Download Submit

        • C:\Windows\SysWOW64\GECNDL\TTC.001
          Filesize

          61KB

          MD5

          9681d3e1f2c53ad98b8467b3acca33fc

          SHA1

          04d5d08781f27d6e08ad0262f7325b2be4db7743

          SHA256

          baecddca15ea6932b9cd4e7f5bae848c3c290660a85c408b898150c6f8fd744e

          SHA512

          5c6191fb676ace9d1c2ddfd4e98651959ab24b718ab626c343e2bb271d31edd8ba43ed9de528c7832ddcc2137d2424c22bb19f115dc252e1400cfcd3edce2098

          Download Submit

        • C:\Windows\SysWOW64\GECNDL\TTC.002
          Filesize

          44KB

          MD5

          e65e4bdb2c86226589b88f101153c01b

          SHA1

          731be43621721dba20f0bb74966ea08043ef37fd

          SHA256

          e8a9477bc04824357c0f0bcc1cb665e1dfb6cf5c05f68517749f6cb11821cec2

          SHA512

          7700ee197f109a8f2cff2e529715e371e36c1d9924af0bedef9285f76898d3448847af3bff342813b9bd8ca619b7c39b9607150596008ffc6fe68b338f6769cd

          Download Submit

        • C:\Windows\SysWOW64\GECNDL\TTC.004
          Filesize

          1KB

          MD5

          0d01cf6bbafe246c04889c30dd4b5fbb

          SHA1

          cf5c25e0acf726c7c71c54f0ca7333530e4f612b

          SHA256

          0f1e6a2598b47c98011dcc0ef4fcb52814342d24ed9cfeaa5df57f606e3a281a

          SHA512

          a0d0ddb41218f314fb289b5b154fccfc864063f147e294136f83a6f619d8b8b262473e74702371e1c859091cf2c5bd553141b46f14d90bfb6f606ca3f8a2f95e

          Download Submit

        • C:\Windows\SysWOW64\GECNDL\TTC.exe
          Filesize

          1.7MB

          MD5

          9a6a50772539f5a61fefa29c34666223

          SHA1

          b2b8650d817ef7d86bfef48420e9716f0ffdccce

          SHA256

          93db12799d366bbb10f28b923188e3f1457b3ec931ddf33ddeb131a80e46f00b

          SHA512

          eb5f89e6b27981d85dc235edc477a4397d08b9e89d638b0e07301a26ca6e640f12251fdcfe1386df4167a2928bc60959289329531bc7a9e14a232ead22935fed

          Download Submit

        • memory/4920-28-0x0000000000610000-0x0000000000611000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4920-65-0x0000000000610000-0x0000000000611000-memory.dmp

          Filesize

          4KB

          Download