ardamax | 5b485d95496df9484d7b720c946628c19245661266015adf9f5bc316ed03944e

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21/07/2024, 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe
Size

1.6MB
MD5

6119aaacae08c12da8dc2500133c6f4e
SHA1

ed59675782a3eeeb7c5061f765eface680aae4ef
SHA256

5b485d95496df9484d7b720c946628c19245661266015adf9f5bc316ed03944e
SHA512

9b563a4edb6bd00f010bcbe621d0b777119020e409114ba159593085e17d889c84823a9f5f4f83c39fa28c6b575f2053b906bc0a01c304aa912823bfd2fce7a3
SSDEEP

24576:wZghjMh0f+CnyC/tmDJkO7bx+mJE86PIT5+k5BBl1J1SkriU2iuLngAwbuPK:+gh42mCnZbO7bI7IdLBliKangAwbz

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0006000000018bfc-34.dat	family_ardamax

Executes dropped EXE 3 IoCs

pid	Process
2312	Install.exe
2724	OPWG.exe
1764	DupeMuAwaY.exe

Loads dropped DLL 16 IoCs

pid	Process
2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe
2312	Install.exe
2312	Install.exe
2312	Install.exe
2312	Install.exe
2312	Install.exe
2312	Install.exe
2724	OPWG.exe
2724	OPWG.exe
2724	OPWG.exe
2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe
2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe
2724	OPWG.exe
1764	DupeMuAwaY.exe
2724	OPWG.exe
1764	DupeMuAwaY.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OPWG Agent = "C:\\Windows\\SysWOW64\\28463\\OPWG.exe"	OPWG.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\28463	OPWG.exe
File created	C:\Windows\SysWOW64\28463\OPWG.001	Install.exe
File created	C:\Windows\SysWOW64\28463\OPWG.006	Install.exe
File created	C:\Windows\SysWOW64\28463\OPWG.007	Install.exe
File created	C:\Windows\SysWOW64\28463\OPWG.exe	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 30 IoCs

evasion

pid	Process
2532	taskkill.exe
2592	taskkill.exe
2100	taskkill.exe
2552	taskkill.exe
2984	taskkill.exe
2432	taskkill.exe
2564	taskkill.exe
2672	taskkill.exe
2980	taskkill.exe
2372	taskkill.exe
896	taskkill.exe
2464	taskkill.exe
2760	taskkill.exe
1928	taskkill.exe
1312	taskkill.exe
1756	taskkill.exe
2880	taskkill.exe
2708	taskkill.exe
2404	taskkill.exe
828	taskkill.exe
2840	taskkill.exe
2548	taskkill.exe
2468	taskkill.exe
2456	taskkill.exe
1592	taskkill.exe
2572	taskkill.exe
2400	taskkill.exe
1120	taskkill.exe
2480	taskkill.exe
696	taskkill.exe

Modifies registry key 1 TTPs 12 IoCs

Modify Registry

T1112

pid	Process
3548	reg.exe
3568	reg.exe
2364	reg.exe
2108	reg.exe
2064	reg.exe
3272	reg.exe
3540	reg.exe
2284	reg.exe
2252	reg.exe
2244	reg.exe
2376	reg.exe
3576	reg.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	1120	taskkill.exe
Token: SeDebugPrivilege	2672	taskkill.exe
Token: SeDebugPrivilege	2840	taskkill.exe
Token: SeDebugPrivilege	2880	taskkill.exe
Token: SeDebugPrivilege	2552	taskkill.exe
Token: SeDebugPrivilege	2532	taskkill.exe
Token: SeDebugPrivilege	2548	taskkill.exe
Token: SeDebugPrivilege	2592	taskkill.exe
Token: SeDebugPrivilege	2464	taskkill.exe
Token: SeDebugPrivilege	2564	taskkill.exe
Token: SeDebugPrivilege	2980	taskkill.exe
Token: SeDebugPrivilege	2984	taskkill.exe
Token: SeDebugPrivilege	2760	taskkill.exe
Token: SeDebugPrivilege	2100	taskkill.exe
Token: SeDebugPrivilege	2572	taskkill.exe
Token: SeDebugPrivilege	2708	taskkill.exe
Token: SeDebugPrivilege	828	taskkill.exe
Token: SeDebugPrivilege	2400	taskkill.exe
Token: SeDebugPrivilege	896	taskkill.exe
Token: SeDebugPrivilege	2456	taskkill.exe
Token: SeDebugPrivilege	2404	taskkill.exe
Token: SeDebugPrivilege	1312	taskkill.exe
Token: SeDebugPrivilege	2432	taskkill.exe
Token: SeDebugPrivilege	2480	taskkill.exe
Token: SeDebugPrivilege	696	taskkill.exe
Token: SeDebugPrivilege	1928	taskkill.exe
Token: SeDebugPrivilege	2372	taskkill.exe
Token: SeDebugPrivilege	2468	taskkill.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	1756	taskkill.exe
Token: 33	2724	OPWG.exe
Token: SeIncBasePriorityPrivilege	2724	OPWG.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe
1764	DupeMuAwaY.exe
2724	OPWG.exe
2724	OPWG.exe
2724	OPWG.exe
2724	OPWG.exe
2724	OPWG.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2100	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	31
PID 2176 wrote to memory of 2100	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	31
PID 2176 wrote to memory of 2100	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	31
PID 2176 wrote to memory of 2100	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	31
PID 2176 wrote to memory of 2840	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	32
PID 2176 wrote to memory of 2840	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	32
PID 2176 wrote to memory of 2840	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	32
PID 2176 wrote to memory of 2840	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	32
PID 2176 wrote to memory of 2696	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	33
PID 2176 wrote to memory of 2696	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	33
PID 2176 wrote to memory of 2696	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	33
PID 2176 wrote to memory of 2696	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	33
PID 2176 wrote to memory of 2564	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	34
PID 2176 wrote to memory of 2564	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	34
PID 2176 wrote to memory of 2564	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	34
PID 2176 wrote to memory of 2564	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	34
PID 2176 wrote to memory of 2880	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	36
PID 2176 wrote to memory of 2880	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	36
PID 2176 wrote to memory of 2880	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	36
PID 2176 wrote to memory of 2880	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	36
PID 2176 wrote to memory of 2552	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	38
PID 2176 wrote to memory of 2552	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	38
PID 2176 wrote to memory of 2552	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	38
PID 2176 wrote to memory of 2552	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	38
PID 2176 wrote to memory of 2672	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	40
PID 2176 wrote to memory of 2672	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	40
PID 2176 wrote to memory of 2672	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	40
PID 2176 wrote to memory of 2672	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	40
PID 2176 wrote to memory of 2708	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	41
PID 2176 wrote to memory of 2708	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	41
PID 2176 wrote to memory of 2708	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	41
PID 2176 wrote to memory of 2708	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	41
PID 2176 wrote to memory of 2464	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	42
PID 2176 wrote to memory of 2464	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	42
PID 2176 wrote to memory of 2464	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	42
PID 2176 wrote to memory of 2464	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	42
PID 2176 wrote to memory of 2584	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	43
PID 2176 wrote to memory of 2584	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	43
PID 2176 wrote to memory of 2584	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	43
PID 2176 wrote to memory of 2584	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	43
PID 2176 wrote to memory of 2532	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	44
PID 2176 wrote to memory of 2532	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	44
PID 2176 wrote to memory of 2532	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	44
PID 2176 wrote to memory of 2532	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	44
PID 2176 wrote to memory of 2548	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	46
PID 2176 wrote to memory of 2548	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	46
PID 2176 wrote to memory of 2548	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	46
PID 2176 wrote to memory of 2548	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	46
PID 2176 wrote to memory of 2572	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	47
PID 2176 wrote to memory of 2572	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	47
PID 2176 wrote to memory of 2572	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	47
PID 2176 wrote to memory of 2572	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	47
PID 2176 wrote to memory of 2592	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	48
PID 2176 wrote to memory of 2592	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	48
PID 2176 wrote to memory of 2592	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	48
PID 2176 wrote to memory of 2592	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	48
PID 2176 wrote to memory of 2984	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	51
PID 2176 wrote to memory of 2984	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	51
PID 2176 wrote to memory of 2984	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	51
PID 2176 wrote to memory of 2984	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	51
PID 2176 wrote to memory of 2980	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	52
PID 2176 wrote to memory of 2980	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	52
PID 2176 wrote to memory of 2980	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	52
PID 2176 wrote to memory of 2980	2176	6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe	52

C:\Users\Admin\AppData\Local\Temp\6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6119aaacae08c12da8dc2500133c6f4e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2100
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  PID:2696
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    PID:864
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      PID:2348
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2564
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2880
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2552
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2672
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  PID:2584
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - Modifies registry key
    PID:2364
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2548
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2572
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2980
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  PID:2724
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - Modifies registry key
    PID:2252
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  PID:2732
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - Modifies registry key
    PID:2108
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  PID:2748
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - Modifies registry key
    PID:2284
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  PID:2716
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - Modifies registry key
    PID:2376
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  PID:2720
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - Modifies registry key
    PID:2244
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:2312
- - C:\Windows\SysWOW64\28463\OPWG.exe
    "C:\Windows\system32\28463\OPWG.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2724
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2404
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2372
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  PID:2260
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    PID:2044
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      PID:2768
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2400
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1120
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2480
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:828
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1312
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  PID:1912
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - Modifies registry key
    PID:2064
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2456
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2468
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:896
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:696
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1756
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  PID:2632
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - Modifies registry key
    PID:3568
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  PID:2544
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - Modifies registry key
    PID:3548
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  PID:1544
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - Modifies registry key
    PID:3540
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  PID:1584
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - Modifies registry key
    PID:3272
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  PID:1576
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - Modifies registry key
    PID:3576
- C:\Users\Admin\AppData\Local\Temp\DupeMuAwaY.exe
  "C:\Users\Admin\AppData\Local\Temp\DupeMuAwaY.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2084758449682740875-1904170986699406355-7336595071244697040-4128734391866802712"
1⤵
PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\28463\AKV.exe

Filesize
393KB

MD5
b0b09699ea39c0107af1c0833f07c054

SHA1
b730e2fb0bda9bf4a1b1f8768a00838e3ca9dcc1

SHA256
be63e3b5a6c3fbec11a737332d4e0040a23cc2d17182b4bc5e7d5dd41d930ee1

SHA512
55430e53058964961808f37d738c31f1502c3ec4a14b0296bef7bad22e468734bcd119eedba14cc87894d4acc81c9266572aff9919b18bd584823c47fa149796

Download Submit
C:\Windows\SysWOW64\28463\OPWG.001

Filesize
528B

MD5
0cf722506f9b3b92de375dd71115c5ff

SHA1
c7781c3507a3b6e8b28f48eedf083b23d974aad3

SHA256
88bc17f4225af97fa59944deae318428237998f332ef54406b5cd36fef09537d

SHA512
b317b63f04123fc53932701cdba365c0a8380edd8ff6f5bba79da60e10c6eda54a7895efde311e7220aa9fd6d9c07bc1828cd25bfd1606eb8f2227e4760f38c9

Download Submit
C:\Windows\SysWOW64\28463\OPWG.006

Filesize
7KB

MD5
e0fcfa7cad88d1a8a462cee6b06cf668

SHA1
a7e49078517abc929a6da261df06556c8f5a8cf0

SHA256
340ff9f7f784e299030abb9982c88547e67251a6cca07d30ca8073d01a2840c4

SHA512
430fd640432769047de7bb4432f710193855a5121fe5944ef07f6b68749608312e7c22b29834967d429637fc9b285671cd10bbc9e1cfb43654695a206ba9cf82

Download Submit
C:\Windows\SysWOW64\28463\OPWG.007

Filesize
5KB

MD5
ca72cd485d116033f1b776903ce7ee0a

SHA1
85b0b73a75b0498f56200dd1a5cf0de5371e42a3

SHA256
e583532d6b4d8cfc1def5e550674e9e1a4eef2a107adacddf729fddac64f49c4

SHA512
8dbf6920af64aac6a80c3da4a567473dc20c8d4e24078f7e66bb5aa1a08641e5081b0a1ee05f82fb1dd14218b62572c198ff39b1add5f19893008b3d8e54538f

Download Submit
C:\Windows\SysWOW64\28463\OPWG.exe

Filesize
472KB

MD5
7ca78f42e7c88f01fb7fd88321b283ff

SHA1
8f6fb4e3f5b696cac4fd54490d5f8c1862d0bb6b

SHA256
2354f408b272232ea4bb74d17d22a4332b97f1003fb9bace174a9811f2b41729

SHA512
06e822f04a4657b492a485b5a542e5c8400060abf7e71020d17965fee11f1f7c0807e32b5f9426a4fb9b4d7dd05a68ae871e5fef0807e24204351ebe569eb4ca

Download Submit
\Users\Admin\AppData\Local\Temp\@EAAD.tmp

Filesize
4KB

MD5
908f7f4b0cf93759447afca95cd84aa6

SHA1
d1903a49b211bcb4a460904019ee7441420aa961

SHA256
3e6378164f9dc4148b86c9312b63c5a6b1fabcfebf9557f182d331e9cb32fc23

SHA512
958e0880565b008cdb045d6aba5103f0ba820ac037facf24b78924187a119258e3a8a97de4c3874694962114ef672d41a55feb71b92d5038e7d45bc3d91d6b0d

Download Submit
\Users\Admin\AppData\Local\Temp\DupeMuAwaY.exe

Filesize
72KB

MD5
65af515a752fc159c5cbc424b99889dc

SHA1
daf1e0363008df36b040326116d93c06433c99a4

SHA256
488476029d16d4a2891e10bf8de91c70d4c6bc901cce8807f3fe58326dc3f328

SHA512
e2137ea0cbd321423dcd8c504996a367694a8bdbc39063cb49ee4a31a80ba1b830c2c3ad1b99e7f67ce2e9f09740c96e204ebe4b5fa896dff3e31757ee723f8b

Download Submit
\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
478KB

MD5
ee131df0325ba0e536e14fab3c2af5b5

SHA1
a718f36b6bfac1d799402724ee661f9627043913

SHA256
fccb33818ba029225e1dc9c05ba01cedda4982c81e0e7c77297a6428b0e1c3ff

SHA512
b44935a0d60d74a5ba7f555c98dfc23b36c65220764ed52f1ba3c757a0c8f50716dd9021e9795edbbb02012e416843d319d059e1a7bc9ef25d112fba68c310f4

Download Submit
memory/2176-1-0x0000000001CD0000-0x0000000001D8C000-memory.dmp

Filesize
752KB

Download
memory/2176-4-0x0000000000401000-0x0000000000407000-memory.dmp

Filesize
24KB

Download
memory/2176-0-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2176-53-0x0000000000401000-0x0000000000407000-memory.dmp

Filesize
24KB

Download
memory/2176-52-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads