Analysis
-
max time kernel
146s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
04/07/2024, 08:55
General
-
Target
LH ULT.exe
-
Size
1.8MB
-
MD5
9370f3c5c9d3c39b2c1d9fc7be45ec43
-
SHA1
4640456dd0e891f0a3671147fb5e841b16132c9f
-
SHA256
59775e1d0a558fbeab5be94e59872dbd790ec9d71cd8df541bf5f385ee1cffb3
-
SHA512
bf375e5ecefa9a57c4630f7dbd39f98dab20e498f7e40d53389a3979559e31d669055190a92a9ccc3c27efc38ef4128369402959d83b50533f9758cc98f6f3bd
-
SSDEEP
24576:xOOc3veWFazdRci6TJo5UrDRB5Gu4zlIsjGZqVY0gc8p:0e6azduiWo5UrDHEnRjEqXYp
Score
10/10
Malware Config
Signatures
-
Ardamax
A keylogger first seen in 2013.
-
Ardamax main executable 1 IoCs
-
Disables RegEdit via registry modification 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 7 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 30 IoCs
-
Modifies registry class 2 IoCs
-
Modifies registry key 1 TTPs 22 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious use of AdjustPrivilegeToken 33 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\LH ULT.exe"C:\Users\Admin\AppData\Local\Temp\LH ULT.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im egui.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im ekrn.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c net stop "Panda anti-virus service"2⤵
-
C:\Windows\SysWOW64\net.exenet stop "Panda anti-virus service"3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Panda anti-virus service"4⤵
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im ApVxdWin.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im AVENGINE.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im pavsrv51.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im psimreal.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PsImSvc.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im WebProxy.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f2⤵
-
C:\Windows\SysWOW64\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f3⤵
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mcagent.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mcdash.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mghtml.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mcmnhdlr.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mcvsshld.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im McVSEscn.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mcvsftsn.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f2⤵
-
C:\Windows\SysWOW64\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f3⤵
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f2⤵
-
C:\Windows\SysWOW64\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f3⤵
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f2⤵
-
C:\Windows\SysWOW64\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f3⤵
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f2⤵
-
C:\Windows\SysWOW64\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f3⤵
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f2⤵
-
C:\Windows\SysWOW64\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f3⤵
- Modifies registry key
-
-
-
C:\Users\Admin\AppData\Local\Temp\Wyd Program.exe"C:\Users\Admin\AppData\Local\Temp\Wyd Program.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Windows\SysWOW64\28463\LPDW.exe"C:\Windows\system32\28463\LPDW.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 12⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 13⤵
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 12⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 13⤵
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 12⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 13⤵
- Disables RegEdit via registry modification
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 12⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 13⤵
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 12⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 13⤵
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im egui.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im ekrn.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c net stop "Panda anti-virus service"2⤵
-
C:\Windows\SysWOW64\net.exenet stop "Panda anti-virus service"3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Panda anti-virus service"4⤵
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im ApVxdWin.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im AVENGINE.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im pavsrv51.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im psimreal.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im PsImSvc.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im WebProxy.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f2⤵
-
C:\Windows\SysWOW64\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f3⤵
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mcagent.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mcdash.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mghtml.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mcmnhdlr.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mcvsshld.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im McVSEscn.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mcvsftsn.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f2⤵
-
C:\Windows\SysWOW64\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f3⤵
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f2⤵
-
C:\Windows\SysWOW64\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f3⤵
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f2⤵
-
C:\Windows\SysWOW64\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f3⤵
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f2⤵
-
C:\Windows\SysWOW64\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f3⤵
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f2⤵
-
C:\Windows\SysWOW64\reg.exereg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f3⤵
- Modifies registry key
-
-
-
C:\Users\Admin\AppData\Local\Temp\LH-ULT.exe"C:\Users\Admin\AppData\Local\Temp\LH-ULT.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 12⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 13⤵
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 12⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 13⤵
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 12⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 13⤵
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 12⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 13⤵
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 12⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 13⤵
- Modifies registry key
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\LH ULT.exe"1⤵
- Modifies registry class
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\LH ULT.exe"1⤵
- Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5c3679c3ff636d1a6b8c65323540da371
SHA1d184758721a426467b687bec2a4acc80fe44c6f8
SHA256d4eba51c616b439a8819218bddf9a6fa257d55c9f04cf81441cc99cc945ad3eb
SHA512494a0a32eef4392ecb54df6e1da7d93183473c4e45f4ac4bd6ec3b0ed8c85c58303a0d36edec41420d05ff624195f08791b6b7e018419a3251b7e71ec9b730e7
-
Filesize
1.3MB
MD5ed28101b599887489e72ac28dc891004
SHA16a4f46e7e005480e158fd6677fc3d71d6e8b70e4
SHA256c713c5eec297bbdb4c9ca1ba3a70a8bb37117c55f34623b940ffef99c54a8b89
SHA512f19317c0a12ffac7ae423373cb131a0f4dfa027225ce6e5807ba37aeb780765b86603278b826c5fe7488eab4c5061ae0ff4e57c1af07b196d3ce306d3c55204c
-
Filesize
481KB
MD52dcaea385c0c2243f745ad1a82b57df2
SHA196ec8053d4bf9c0b2a908c04281ee431b0cb79cb
SHA256e3ce5e9fba31007ec3c5708564b9bf9cfb235175f1d9a5c357a7eb4631b92201
SHA512600c415f47b24fdd9af8e0c7226d80cb059967c1a54981f21324d59528b14a9739f060d2d2430ab0b183bda22be56baec62d66123af64bdd48c06edaa0d6fc5f
-
Filesize
395KB
MD5b8fa30233794772b8b76b4b1d91c7321
SHA10cf9561be2528944285e536f41d502be24c3aa87
SHA25614116fa79ccc105fabd312b4dff74933f8684c6b27db37e5e3a79d159092d29a
SHA51210ce8b18e7afb8c7e30bb90b0a1f199ef0b77873fa7a9efc596606e151be6b516c0ec6222a9032bdcc527e80964f53d20a28fa1881a08b4df303b2e28204549d
-
Filesize
496B
MD516e638c938fe51d8add6181dad4a2a64
SHA1d115fe021da975acc2502a9246d6ebf3c7484ebd
SHA256d5918fb9f8eb1764e2027b53aedab4a3f2cf59b0b3b3dd149cec8a40ae173038
SHA51251ac60f8d4576f3082e4999a14216bb2f2f4b2e7f1539c3080ebe871cbb838a219c1f933cdfa637afc1ae9ec3daa7a2188a5572cae8991b50ed63a048e84725d
-
Filesize
8KB
MD543f02e9974b1477c1e6388882f233db0
SHA1f3e27b231193f8d5b2e1b09d05ae3a62795cf339
SHA2563c9e56e51d5a7a1b9aefe853c12a98bf246039aa46db94227ea128f6331782ba
SHA512e22d14735606fe75ee5e55204807c3f5531d3e0c4f63aa4a3b2d4bb6abda6128c7e2816753f2e64400ac6dae8f8ef1e013a7a464dff2a79ad9937c48821a067f
-
Filesize
5KB
MD5b5a87d630436f958c6e1d82d15f98f96
SHA1d3ff5e92198d4df0f98a918071aca53550bf1cff
SHA256a895ad4d23e8b2c2dc552092f645ca309e62c36d4721ebfe7afd2eee7765d4b2
SHA512fd7bae85a86bdaa12fec826d1d38728a90e2037cb3182ad7652d8a9f54c4b322734c587b62221e6f907fce24fcf2e0ae4cce1f5e3d8861661064b4da24bd87ce
-
Filesize
473KB
MD517535dddecf8cb1efdba1f1952126547
SHA1a862a9a3eb6c201751be1038537522a5281ea6cb
SHA2561a3d28ac6359e58aa656f4734f9f36b6c09badadcf9fb900b9b118d90c38a9dd
SHA512b4f31b552ab3bb3dafa365aa7a31f58674ae7ee82ce1d23457f2e7047431430b00abb3b5498491725639daf583b526b278a737168cfdc4e9ec796dfbc14a53d8
-
Filesize
592KB
-
Filesize
592KB
-
Filesize
592KB