Overview

overview

10

Static

static

3

e197565fc2...52.exe

windows7-x64

10

e197565fc2...52.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2024 11:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e197565fc2a70fac1551429794107952.exe

  • Size

    938KB

  • MD5

    e197565fc2a70fac1551429794107952

  • SHA1

    85c928cc0c75a7d7441ae2526d61a7137cacdb19

  • SHA256

    ea90d7eb7c94bcc2ded7b76a451fa70df84e678ec7a44e00b4153a3a1ff842c6

  • SHA512

    a0ad8c0e98c6bb77a7e95aa9cc2287a70d06dc8ac332f91e145e88904a6d9710dab1a27fd36494afd0916d16373f37757ba479467effac8a70b5a862c5120b3a

  • SSDEEP

    24576:VAaUTamPhbHqQbdwzcpJo4+7zy2pzOZQCsDUn:VArTbPhDRbHpJo4+1MdOW

Score
10/10
ardamaxdiscoverykeyloggerpersistencestealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e197565fc2a70fac1551429794107952.exe
    "C:\Users\Admin\AppData\Local\Temp\e197565fc2a70fac1551429794107952.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:32
    • C:\Windows\SysWOW64\VCXNIM\GXB.exe
      "C:\Windows\system32\VCXNIM\GXB.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3040
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4236 --field-trial-handle=2700,i,14629483171127516024,12350888228055326066,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4760

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\VCXNIM\GXB.001
      Filesize

      60KB

      MD5

      62552c56e9c05aa1112bcf92efa946a2

      SHA1

      b5e08769e234723787587e1b3e781ee62e19b579

      SHA256

      5157138cdbf25cdcf3f085412c8be127199c253e425205a57386434a22ead3c6

      SHA512

      18a399b95baf162b0e34f7fa9b41a0d760958b5adf9d92a4b388794a70efd9a497255ef2cf3c25e794596898e4c7fea47088792d641fad0e65dceb1d6dab974f

      Download Submit

    • C:\Windows\SysWOW64\VCXNIM\GXB.002
      Filesize

      43KB

      MD5

      3a7c6b1d26ec2d9d7791acb049d59be9

      SHA1

      4b53f01e2ba102a26f17ff4e537ee6a83562618c

      SHA256

      784a603f8ee0550d5d694d8c384d6b70b6b4997c0840259f3483f295778627ea

      SHA512

      f42b42a66822e9e5975252fb7e65634a646e0397aef4e535b7e9d5d7cef9a8dcd651ebced08afd4b26cce58e4f810c18f6fc0c19530c7d0dcb2f57d07cec6ce6

      Download Submit

    • C:\Windows\SysWOW64\VCXNIM\GXB.004
      Filesize

      1KB

      MD5

      d83e340256ae9122b4d6934175f92e0a

      SHA1

      df3710db910114bb4aab23ad75b7459652438d32

      SHA256

      1afc77ae3bb5056cd2d8eb4e70a50597402ce94a8c3e964f9af0f208e84c4b7c

      SHA512

      bd1570b93fdfe89e0191cbc997cad2a2d6c7671b6f9c23aa979927d8ec5ba11c3498b320b3db691e71e4fead3f6b101e0e7aff066c03401f65cea05bbf5f6928

      Download Submit

    • C:\Windows\SysWOW64\VCXNIM\GXB.exe
      Filesize

      1.7MB

      MD5

      c6245ca8664ba4c0884e9c5dfb5a5ba9

      SHA1

      b10ec86db035936f2a610acd3594c2cfe414d44e

      SHA256

      be34a2223a8294779aa9dbf8fcbf1434c246756711ee259cfd99378d4f5c1049

      SHA512

      177b2935e6918fdd14ec8e59201e269955de6d65d18f36640356bc8942aae54ffaeffa222358edefcbf1e1a1f47798f50c0fb4217919c3b817bfd82bd0d98c14

      Download Submit

    • memory/3040-14-0x0000000000760000-0x0000000000761000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3040-16-0x0000000000760000-0x0000000000761000-memory.dmp

      Filesize

      4KB

      Download