ardamax | 764ce88df34adf060e0a41e97634498ebcc58b2570802328c08e8a505e56e9df

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22/06/2024, 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0121a89cb657a11e5dd092883bfd7825_JaffaCakes118.exe
Size

1.0MB
MD5

0121a89cb657a11e5dd092883bfd7825
SHA1

2dfe917bb76403eba25913d2ff8438ea86d0b4e2
SHA256

764ce88df34adf060e0a41e97634498ebcc58b2570802328c08e8a505e56e9df
SHA512

a74daabb75d13b45bb43553b8a7b496558d5e60a36af78b7dcfd8fd853954c8cad19fa86be909e28d8be06449aec525cee9549d6a7a17dd03ea1d81cd08255d9
SSDEEP

24576:OGS8+RJTCHNrwVXmYvDypdaGesDfJBvC5bZh6ZcoC5/5wHQeYv1:OGl+RiNrwjvD1UFBvmbZhycEu1

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023411-42.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	INSTALL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0121a89cb657a11e5dd092883bfd7825_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3484	INSTALL.EXE
1216	IDCC.exe

Loads dropped DLL 8 IoCs

pid	Process
3484	INSTALL.EXE
1216	IDCC.exe
2524	IEXPLORE.EXE
2524	IEXPLORE.EXE
1216	IDCC.exe
1216	IDCC.exe
2524	IEXPLORE.EXE
2524	IEXPLORE.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IDCC Agent = "C:\\Windows\\SysWOW64\\28463\\IDCC.exe"	IDCC.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\28463	IDCC.exe
File created	C:\Windows\SysWOW64\28463\IDCC.001	INSTALL.EXE
File created	C:\Windows\SysWOW64\28463\IDCC.006	INSTALL.EXE
File created	C:\Windows\SysWOW64\28463\IDCC.007	INSTALL.EXE
File created	C:\Windows\SysWOW64\28463\IDCC.exe	INSTALL.EXE
File created	C:\Windows\SysWOW64\28463\key.bin	INSTALL.EXE
File created	C:\Windows\SysWOW64\28463\AKV.exe	INSTALL.EXE

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\CINSTALL.EXE	0121a89cb657a11e5dd092883bfd7825_JaffaCakes118.exe
File created	C:\Windows\INSTALL.EXE	0121a89cb657a11e5dd092883bfd7825_JaffaCakes118.exe
File created	C:\Windows\CORKUT-LEIO-RESPONDO-APAGO_(14) (1).GIF	0121a89cb657a11e5dd092883bfd7825_JaffaCakes118.exe
File created	C:\Windows\ORKUT-LEIO-RESPONDO-APAGO_(14) (1).GIF	0121a89cb657a11e5dd092883bfd7825_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 603c163c57c4da01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70100f3c57c4da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078f1237f04e5404da848d5bad8ef8626000000000200000000001066000000010000200000003abe144d943ced7ca30e009f2987b18474e9643c427ab453d0afbf3fbea1a84e000000000e800000000200002000000010481d8dffe3e999b4f6f0eca6ed815c0fedab225f8a06ef47d869a78d18e5cb20000000f7157db8ac54ca8888000bbef27e9072b0c40b05e1d97673cc9cbc279e76e300400000002867ddbed752c506cd96f8df206c26b8c264497e932f19b75980b8568cadd52c84c6454ddf1b08887a5b1533078d8d83179bb3b42a77653322844de1d4d991e8	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425190037"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{670F6E07-304A-11EF-9519-CEC6030110C3} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078f1237f04e5404da848d5bad8ef86260000000002000000000010660000000100002000000060f216f20d923017207805ae42fcbbe4817c8942ddf9945ceeb08a26dbc9216e000000000e800000000200002000000009c4cc5df87170f7a62008cac982d9cae73618f2ead777194a524e8370155b2920000000f7a783fab01c77d84d64a6787866c87836d45cc8fbcd825fa4320571e366b66b40000000caac551e88dd75a38c0172c9a9a7c7a612769f7677526dc72e399599a04c54ce4f3d1b8a37c8ffe2c06325f1bb9af8a6998f08728d8b3dbaf06c64af20573d05	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Modifies registry class 38 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AEA6C9C-1266-4A12-04BD-0F1FE5816098}\ProgID\ = "MsTscAx.MsTscAx.12"	IDCC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F59D8C67-E110-E79E-AC90-1851D91FEFEA}\1.0\0	IDCC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AEA6C9C-1266-4A12-04BD-0F1FE5816098}\TypeLib\	IDCC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AEA6C9C-1266-4A12-04BD-0F1FE5816098}\Version\	IDCC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F59D8C67-E110-E79E-AC90-1851D91FEFEA}	IDCC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F59D8C67-E110-E79E-AC90-1851D91FEFEA}\1.0	IDCC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F59D8C67-E110-E79E-AC90-1851D91FEFEA}\1.0\FLAGS\	IDCC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F59D8C67-E110-E79E-AC90-1851D91FEFEA}\	IDCC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AEA6C9C-1266-4A12-04BD-0F1FE5816098}\VersionIndependentProgID\ = "MsTscAx.MsTscAx"	IDCC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AEA6C9C-1266-4A12-04BD-0F1FE5816098}\ = "Aceqdan.Examoke.Agowiwo Object"	IDCC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F59D8C67-E110-E79E-AC90-1851D91FEFEA}\1.0\ = "ScreenReaderHelper"	IDCC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F59D8C67-E110-E79E-AC90-1851D91FEFEA}\1.0\FLAGS\ = "0"	IDCC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AEA6C9C-1266-4A12-04BD-0F1FE5816098}\TypeLib\ = "{F59D8C67-E110-E79E-AC90-1851D91FEFEA}"	IDCC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F59D8C67-E110-E79E-AC90-1851D91FEFEA}\1.0\0\win64	IDCC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F59D8C67-E110-E79E-AC90-1851D91FEFEA}\1.0\0\win64\	IDCC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F59D8C67-E110-E79E-AC90-1851D91FEFEA}\1.0\0\win64\ = "C:\\Windows\\SysWow64\\Srh.dll"	IDCC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F59D8C67-E110-E79E-AC90-1851D91FEFEA}\1.0\FLAGS	IDCC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AEA6C9C-1266-4A12-04BD-0F1FE5816098}\TypeLib	IDCC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AEA6C9C-1266-4A12-04BD-0F1FE5816098}\Version	IDCC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AEA6C9C-1266-4A12-04BD-0F1FE5816098}\Version\ = "1.0"	IDCC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AEA6C9C-1266-4A12-04BD-0F1FE5816098}\VersionIndependentProgID	IDCC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AEA6C9C-1266-4A12-04BD-0F1FE5816098}\Control	IDCC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AEA6C9C-1266-4A12-04BD-0F1FE5816098}\Control\	IDCC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AEA6C9C-1266-4A12-04BD-0F1FE5816098}\ProgID\	IDCC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AEA6C9C-1266-4A12-04BD-0F1FE5816098}\Programmable	IDCC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AEA6C9C-1266-4A12-04BD-0F1FE5816098}\Programmable\	IDCC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F59D8C67-E110-E79E-AC90-1851D91FEFEA}\1.0\0\	IDCC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AEA6C9C-1266-4A12-04BD-0F1FE5816098}	IDCC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AEA6C9C-1266-4A12-04BD-0F1FE5816098}\InprocServer32\	IDCC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AEA6C9C-1266-4A12-04BD-0F1FE5816098}\MiscStatus\	IDCC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AEA6C9C-1266-4A12-04BD-0F1FE5816098}\MiscStatus\ = "0"	IDCC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AEA6C9C-1266-4A12-04BD-0F1FE5816098}\ProgID	IDCC.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	0121a89cb657a11e5dd092883bfd7825_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AEA6C9C-1266-4A12-04BD-0F1FE5816098}\InprocServer32	IDCC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AEA6C9C-1266-4A12-04BD-0F1FE5816098}\InprocServer32\ = "%systemroot%\\SysWow64\\mstscax.dll"	IDCC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AEA6C9C-1266-4A12-04BD-0F1FE5816098}\MiscStatus	IDCC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F59D8C67-E110-E79E-AC90-1851D91FEFEA}\1.0\	IDCC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1AEA6C9C-1266-4A12-04BD-0F1FE5816098}\VersionIndependentProgID\	IDCC.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1216	IDCC.exe
Token: SeIncBasePriorityPrivilege	1216	IDCC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2964	iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2964	iexplore.exe
2964	iexplore.exe
2524	IEXPLORE.EXE
2524	IEXPLORE.EXE
1216	IDCC.exe
1216	IDCC.exe
1216	IDCC.exe
1216	IDCC.exe
1216	IDCC.exe
2524	IEXPLORE.EXE
2524	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4488 wrote to memory of 3484	4488	0121a89cb657a11e5dd092883bfd7825_JaffaCakes118.exe	80
PID 4488 wrote to memory of 3484	4488	0121a89cb657a11e5dd092883bfd7825_JaffaCakes118.exe	80
PID 4488 wrote to memory of 3484	4488	0121a89cb657a11e5dd092883bfd7825_JaffaCakes118.exe	80
PID 4488 wrote to memory of 2964	4488	0121a89cb657a11e5dd092883bfd7825_JaffaCakes118.exe	81
PID 4488 wrote to memory of 2964	4488	0121a89cb657a11e5dd092883bfd7825_JaffaCakes118.exe	81
PID 3484 wrote to memory of 1216	3484	INSTALL.EXE	82
PID 3484 wrote to memory of 1216	3484	INSTALL.EXE	82
PID 3484 wrote to memory of 1216	3484	INSTALL.EXE	82
PID 2964 wrote to memory of 2524	2964	iexplore.exe	83
PID 2964 wrote to memory of 2524	2964	iexplore.exe	83
PID 2964 wrote to memory of 2524	2964	iexplore.exe	83

C:\Users\Admin\AppData\Local\Temp\0121a89cb657a11e5dd092883bfd7825_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0121a89cb657a11e5dd092883bfd7825_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4488
- C:\Windows\INSTALL.EXE
  "C:\Windows\INSTALL.EXE"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\Windows\SysWOW64\28463\IDCC.exe
    "C:\Windows\system32\28463\IDCC.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1216
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\ORKUT-LEIO-RESPONDO-APAGO_(14) (1).GIF
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2964 CREDAT:17410 /prefetch:2
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@5091.tmp

Filesize
4KB

MD5
ccf39f70a662f70e7cae4cfc81255c44

SHA1
00177d41252c2a5322be8e54567a845217072e2c

SHA256
4c9cca81f2f2d91b636c0ec747e96821749788368c48981bf04accfeb5c2e5d0

SHA512
2cc006d3bd6af737f31707b457caaa267ee1361cfd0afab0be8b74be8587d02b20909962d138e137fe79252e0d112bd3be091a98ba50863520b5bbf21bb9501d

Download Submit
C:\Windows\INSTALL.EXE

Filesize
794KB

MD5
4755e50b28f834e70c9ae04bace9c331

SHA1
3c5fc2abfe131641174f1b54c0ee97e48e4eea2b

SHA256
bdacc150a93e38d8fb902cbb0a2a957c37c1d9d054035b34be4b5ec067ba2a9b

SHA512
7593b92c1f699e67f8916b2ec4ad8c9ada41e0b622bfe66414ad6059d6705c44fbfdb778e3092e2bb1ca5afacb97591e05327d85b5bd7d2a021cd7b838f8e9d9

Download Submit
C:\Windows\ORKUT-LEIO-RESPONDO-APAGO_(14) (1).GIF

Filesize
121KB

MD5
c842fb8964008fad924d507d3bdb8b40

SHA1
a15e755c7cf6eaf89c3f6364fd68a93e94456b5c

SHA256
275cf3d204fdb2d8c6a867254ce329b931abc296d8545608f23a04874dd1c045

SHA512
54414b769cac0ae0c08d3dd90cadc313a8c57185a24d7676454c9414e567d4cadad1da49bfe474a0cf3f2f7aeff6675ab6a1eafdd3cb84652dd34cbc1b5da048

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
828586f5f9fd7e6bd99401fe7cece954

SHA1
8eb70f4af2cec3c3dd3ec1491913369e99b7b874

SHA256
02b8379b1838ea70f7f17e0785aaaedb7c721d9b6e262577723bba9492748d0c

SHA512
16b64be59cf9ae403fb3b7e1fc8da98cb2a5db84aef0e352910172796ecf96dcf86a7e16afe78fa7e22b7b6948e8a1fa027da7161d5a0ad98e76175d764ed6a7

Download Submit
C:\Windows\SysWOW64\28463\IDCC.001

Filesize
510B

MD5
f0cc2368b05cab054a1f0ce9e1d90aee

SHA1
0529d79508f6f3ce9e2c46861af673a2bcfdd759

SHA256
4ac150ef1b986ae20b634e15e46181d50ac96f357710a32ccc6f8d34ca570f35

SHA512
29908a03c7f0b0498ff1270508d3d25ce4f257af329e9440619895139234fcd5cb432b7e499a73df6bee3aa04a9e221161d6f19743b63efdd963f3d0ef3f0edc

Download Submit
C:\Windows\SysWOW64\28463\IDCC.006

Filesize
8KB

MD5
69db8c925f2dd8136d956a086ed1ee41

SHA1
9d0f653cc7ab881eb45fe93490a9c096f2dec6cf

SHA256
984da5476c2c69a779bc99d0901569347cc605a36499e2284706cda3ed6e13f3

SHA512
fa5cedd539dca3631511488aea8bcb7821db1d53452c1b61ee663cb5700bb9919b092593a7f5eb7a3c3a75f801b2980f817de4a66bf8aa51093ced4b30ffd068

Download Submit
C:\Windows\SysWOW64\28463\IDCC.007

Filesize
5KB

MD5
9e9da4c851850726c789bb4b94a41bb3

SHA1
1e2fd71f1d1a3ac15d3c820d8459635cd775cf24

SHA256
94f6502a4e94de0301ae07befd63767a4de35d9b2d2d00687a3130e883ab1963

SHA512
4c60e951056c5773d769a9c88245fc4a597949deb72a1a7546991488e85ffc4ff2a34840ad227595bcdc105cf187207721b57c457ac832ee0159dd0e1d9be063

Download Submit
C:\Windows\SysWOW64\28463\IDCC.exe

Filesize
648KB

MD5
c5ca2c96edc99cf9edf0f861d784209a

SHA1
6cb654b3eb20c85224a4849c4cc30012cabbdbaa

SHA256
0ca27dfe22971bfb19c7f3d6fe03cd398816a88fc50943ba9821fa6b91be7807

SHA512
aeb36bbbf68c7b733ddd856f8f0cdd9548ff597843a22611757c98f69a589035410fecfa692bb83c740823ddae6432d3be5cb66f4309a9d0f5fedeb7b017ff36

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
106B

MD5
639d75ab6799987dff4f0cf79fa70c76

SHA1
be2678476d07f78bb81e8813c9ee2bfff7cc7efb

SHA256
fc42ab050ffdfed8c8c7aac6d7e4a7cad4696218433f7ca327bcfdf9f318ac98

SHA512
4b511d0330d7204af948ce7b15615d745e8d4ea0a73bbece4e00fb23ba2635dd99e4fa54a76236d6f74bdbcdba57d32fd4c36b608d52628e72d11d5ed6f8cde2

Download Submit
memory/1216-56-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/1216-49-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/1216-63-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/1216-62-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/1216-61-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/1216-60-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/1216-59-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/1216-58-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/1216-57-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/1216-86-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1216-54-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/1216-53-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/1216-52-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/1216-51-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/1216-50-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/1216-55-0x0000000003210000-0x0000000003213000-memory.dmp

Filesize
12KB

Download
memory/1216-48-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/1216-46-0x0000000000A00000-0x0000000000A5A000-memory.dmp

Filesize
360KB

Download
memory/1216-67-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/1216-66-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1216-65-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1216-45-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1216-82-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/1216-81-0x0000000000A00000-0x0000000000A5A000-memory.dmp

Filesize
360KB

Download
memory/1216-79-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4488-1-0x0000000002630000-0x0000000002720000-memory.dmp

Filesize
960KB

Download
memory/4488-36-0x0000000002630000-0x0000000002720000-memory.dmp

Filesize
960KB

Download
memory/4488-44-0x0000000000400000-0x0000000000967000-memory.dmp

Filesize
5.4MB

Download
memory/4488-0-0x0000000000400000-0x0000000000967000-memory.dmp

Filesize
5.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads