ardamax | deb3c96f35d1086acc57bec87f55102b06f5bea1e99addb9f57a37d3360b9487

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2024 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4dcae88f6d374adf13a9af6e11aea7e_JaffaCakes118.exe
Size

1.0MB
MD5

e4dcae88f6d374adf13a9af6e11aea7e
SHA1

f5c1921bc03b295025ee2cb793e14991c5c51026
SHA256

deb3c96f35d1086acc57bec87f55102b06f5bea1e99addb9f57a37d3360b9487
SHA512

47bb220fb25052d5a3c51dce5aec29771efac32d4b59028824fb6d85a4fa0504bd8029437133101571ed5e9a5e6f2d1db1202d53bf9b2bb88c93436686ec7ee4
SSDEEP

24576:1LcIAe9NR0OPCwkiquic2aNJCKH0GKcK5J7o:GIFF034qLy3znKh5K

Score

10^/10

ardamax discovery keylogger persistence stealer upx

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023473-54.dat	family_ardamax

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{55E24AD2-DA5C-C1E2-12D1-A32D214AA1BC}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55E24AD2-DA5C-C1E2-12D1-A32D214AA1BC}\stubpath = "C:\\Windows\\userinit.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{55E24AD2-DA5C-C1E2-12D1-A32D214AA1BC}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55E24AD2-DA5C-C1E2-12D1-A32D214AA1BC}\stubpath = "C:\\Windows\\userinit.exe"	svchost.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000800000002348d-203.dat	acprotect

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	e4dcae88f6d374adf13a9af6e11aea7e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	inst_server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	rinst.exe

Executes dropped EXE 10 IoCs

pid	Process
3352	Patch.exe
1936	Install.exe
1988	server.exe
1348	userinit.exe
408	FMJA.exe
824	inst_server.exe
3552	rinst.exe
4488	server.exe
2440	svchots.exe
3448	userinit.exe

Loads dropped DLL 37 IoCs

pid	Process
1936	Install.exe
408	FMJA.exe
824	inst_server.exe
408	FMJA.exe
408	FMJA.exe
824	inst_server.exe
824	inst_server.exe
1988	server.exe
1988	server.exe
1988	server.exe
3552	rinst.exe
3552	rinst.exe
3552	rinst.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
408	FMJA.exe
408	FMJA.exe
4488	server.exe
4488	server.exe
4488	server.exe
4488	server.exe
4488	server.exe
824	inst_server.exe
824	inst_server.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
3280	svchost.exe
3280	svchost.exe
3280	svchost.exe
3280	svchost.exe
3280	svchost.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002346b-23.dat	upx
behavioral2/memory/1988-36-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/memory/1348-47-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/memory/1988-91-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/memory/4488-125-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/memory/3448-130-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/memory/4488-153-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/memory/3448-161-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/memory/1348-196-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/memory/1348-205-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/memory/3448-217-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral2/memory/3448-242-0x0000000000400000-0x0000000000439000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FMJA Agent = "C:\\Windows\\SysWOW64\\YOF\\FMJA.exe"	FMJA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchots = "C:\\Windows\\SysWOW64\\svchots.exe"	svchots.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svchots.exe	rinst.exe
File created	C:\Windows\SysWOW64\svchotshk.dll	rinst.exe
File created	C:\Windows\SysWOW64\inst.dat	rinst.exe
File created	C:\Windows\SysWOW64\rinst.exe	rinst.exe
File created	C:\Windows\SysWOW64\YOF\FMJA.006	Install.exe
File created	C:\Windows\SysWOW64\YOF\FMJA.007	Install.exe
File created	C:\Windows\SysWOW64\YOF\FMJA.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\YOF	FMJA.exe
File opened for modification	C:\Windows\SysWOW64\pk.bin	svchots.exe
File created	C:\Windows\SysWOW64\YOF\FMJA.001	Install.exe
File created	C:\Windows\SysWOW64\YOF\AKV.exe	Install.exe
File created	C:\Windows\SysWOW64\pk.bin	rinst.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\auiwp.kfs	svchost.exe
File created	C:\Windows\userinit.exe	server.exe
File created	C:\Windows\userinit.exe	server.exe
File created	C:\Windows\userinit.dll	userinit.exe
File created	C:\Windows\userinit.dll	userinit.exe
File opened for modification	C:\Windows\auiwp.kfs	svchost.exe
File created	C:\Windows\msklm.bat	server.exe
File opened for modification	C:\Windows\userinit.exe	userinit.exe
File created	C:\Windows\msklm.bat	server.exe
File opened for modification	C:\Windows\userinit.dll	userinit.exe
File created	C:\Windows\Install.exe	e4dcae88f6d374adf13a9af6e11aea7e_JaffaCakes118.exe
File opened for modification	C:\Windows\userinit.exe	server.exe
File opened for modification	C:\Windows\userinit.exe	userinit.exe
File opened for modification	C:\Windows\userinit.exe	server.exe
File opened for modification	C:\Windows\userinit.dll	userinit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	userinit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	userinit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inst_server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FMJA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rinst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e4dcae88f6d374adf13a9af6e11aea7e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchots.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3552	rinst.exe
3552	rinst.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1800	svchost.exe
3280	svchost.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
2440	svchots.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1988	server.exe
Token: SeSecurityPrivilege	1988	server.exe
Token: SeTakeOwnershipPrivilege	1988	server.exe
Token: SeLoadDriverPrivilege	1988	server.exe
Token: SeSystemProfilePrivilege	1988	server.exe
Token: SeSystemtimePrivilege	1988	server.exe
Token: SeProfSingleProcessPrivilege	1988	server.exe
Token: SeIncBasePriorityPrivilege	1988	server.exe
Token: SeCreatePagefilePrivilege	1988	server.exe
Token: SeBackupPrivilege	1988	server.exe
Token: SeRestorePrivilege	1988	server.exe
Token: SeShutdownPrivilege	1988	server.exe
Token: SeDebugPrivilege	1988	server.exe
Token: SeSystemEnvironmentPrivilege	1988	server.exe
Token: SeRemoteShutdownPrivilege	1988	server.exe
Token: SeUndockPrivilege	1988	server.exe
Token: SeManageVolumePrivilege	1988	server.exe
Token: 33	1988	server.exe
Token: 34	1988	server.exe
Token: 35	1988	server.exe
Token: 36	1988	server.exe
Token: SeIncreaseQuotaPrivilege	1348	userinit.exe
Token: SeSecurityPrivilege	1348	userinit.exe
Token: SeTakeOwnershipPrivilege	1348	userinit.exe
Token: SeLoadDriverPrivilege	1348	userinit.exe
Token: SeSystemProfilePrivilege	1348	userinit.exe
Token: SeSystemtimePrivilege	1348	userinit.exe
Token: SeProfSingleProcessPrivilege	1348	userinit.exe
Token: SeIncBasePriorityPrivilege	1348	userinit.exe
Token: SeCreatePagefilePrivilege	1348	userinit.exe
Token: SeBackupPrivilege	1348	userinit.exe
Token: SeRestorePrivilege	1348	userinit.exe
Token: SeShutdownPrivilege	1348	userinit.exe
Token: SeDebugPrivilege	1348	userinit.exe
Token: SeSystemEnvironmentPrivilege	1348	userinit.exe
Token: SeRemoteShutdownPrivilege	1348	userinit.exe
Token: SeUndockPrivilege	1348	userinit.exe
Token: SeManageVolumePrivilege	1348	userinit.exe
Token: 33	1348	userinit.exe
Token: 34	1348	userinit.exe
Token: 35	1348	userinit.exe
Token: 36	1348	userinit.exe
Token: 33	408	FMJA.exe
Token: SeIncBasePriorityPrivilege	408	FMJA.exe
Token: SeIncreaseQuotaPrivilege	4488	server.exe
Token: SeSecurityPrivilege	4488	server.exe
Token: SeTakeOwnershipPrivilege	4488	server.exe
Token: SeLoadDriverPrivilege	4488	server.exe
Token: SeSystemProfilePrivilege	4488	server.exe
Token: SeSystemtimePrivilege	4488	server.exe
Token: SeProfSingleProcessPrivilege	4488	server.exe
Token: SeIncBasePriorityPrivilege	4488	server.exe
Token: SeCreatePagefilePrivilege	4488	server.exe
Token: SeBackupPrivilege	4488	server.exe
Token: SeRestorePrivilege	4488	server.exe
Token: SeShutdownPrivilege	4488	server.exe
Token: SeDebugPrivilege	4488	server.exe
Token: SeSystemEnvironmentPrivilege	4488	server.exe
Token: SeRemoteShutdownPrivilege	4488	server.exe
Token: SeUndockPrivilege	4488	server.exe
Token: SeManageVolumePrivilege	4488	server.exe
Token: 33	4488	server.exe
Token: 34	4488	server.exe
Token: 35	4488	server.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2440	svchots.exe
2440	svchots.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
408	FMJA.exe
408	FMJA.exe
408	FMJA.exe
408	FMJA.exe
408	FMJA.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe
2440	svchots.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 3352	220	e4dcae88f6d374adf13a9af6e11aea7e_JaffaCakes118.exe	82
PID 220 wrote to memory of 3352	220	e4dcae88f6d374adf13a9af6e11aea7e_JaffaCakes118.exe	82
PID 220 wrote to memory of 1936	220	e4dcae88f6d374adf13a9af6e11aea7e_JaffaCakes118.exe	83
PID 220 wrote to memory of 1936	220	e4dcae88f6d374adf13a9af6e11aea7e_JaffaCakes118.exe	83
PID 220 wrote to memory of 1936	220	e4dcae88f6d374adf13a9af6e11aea7e_JaffaCakes118.exe	83
PID 220 wrote to memory of 1988	220	e4dcae88f6d374adf13a9af6e11aea7e_JaffaCakes118.exe	84
PID 220 wrote to memory of 1988	220	e4dcae88f6d374adf13a9af6e11aea7e_JaffaCakes118.exe	84
PID 220 wrote to memory of 1988	220	e4dcae88f6d374adf13a9af6e11aea7e_JaffaCakes118.exe	84
PID 1988 wrote to memory of 1348	1988	server.exe	85
PID 1988 wrote to memory of 1348	1988	server.exe	85
PID 1988 wrote to memory of 1348	1988	server.exe	85
PID 1936 wrote to memory of 408	1936	Install.exe	86
PID 1936 wrote to memory of 408	1936	Install.exe	86
PID 1936 wrote to memory of 408	1936	Install.exe	86
PID 1936 wrote to memory of 824	1936	Install.exe	87
PID 1936 wrote to memory of 824	1936	Install.exe	87
PID 1936 wrote to memory of 824	1936	Install.exe	87
PID 1988 wrote to memory of 3496	1988	server.exe	88
PID 1988 wrote to memory of 3496	1988	server.exe	88
PID 1988 wrote to memory of 3496	1988	server.exe	88
PID 824 wrote to memory of 3552	824	inst_server.exe	90
PID 824 wrote to memory of 3552	824	inst_server.exe	90
PID 824 wrote to memory of 3552	824	inst_server.exe	90
PID 3552 wrote to memory of 4488	3552	rinst.exe	91
PID 3552 wrote to memory of 4488	3552	rinst.exe	91
PID 3552 wrote to memory of 4488	3552	rinst.exe	91
PID 3552 wrote to memory of 2440	3552	rinst.exe	92
PID 3552 wrote to memory of 2440	3552	rinst.exe	92
PID 3552 wrote to memory of 2440	3552	rinst.exe	92
PID 4488 wrote to memory of 3448	4488	server.exe	93
PID 4488 wrote to memory of 3448	4488	server.exe	93
PID 4488 wrote to memory of 3448	4488	server.exe	93
PID 4488 wrote to memory of 3620	4488	server.exe	95
PID 4488 wrote to memory of 3620	4488	server.exe	95
PID 4488 wrote to memory of 3620	4488	server.exe	95
PID 1348 wrote to memory of 1800	1348	userinit.exe	105
PID 1348 wrote to memory of 1800	1348	userinit.exe	105
PID 1348 wrote to memory of 1800	1348	userinit.exe	105
PID 1348 wrote to memory of 1800	1348	userinit.exe	105
PID 1348 wrote to memory of 1800	1348	userinit.exe	105
PID 1348 wrote to memory of 1800	1348	userinit.exe	105
PID 1348 wrote to memory of 1800	1348	userinit.exe	105
PID 1348 wrote to memory of 1800	1348	userinit.exe	105
PID 1348 wrote to memory of 1800	1348	userinit.exe	105
PID 1348 wrote to memory of 1800	1348	userinit.exe	105
PID 1348 wrote to memory of 1800	1348	userinit.exe	105
PID 1348 wrote to memory of 1800	1348	userinit.exe	105
PID 1348 wrote to memory of 1800	1348	userinit.exe	105
PID 1348 wrote to memory of 1800	1348	userinit.exe	105
PID 1348 wrote to memory of 1800	1348	userinit.exe	105
PID 1348 wrote to memory of 1800	1348	userinit.exe	105
PID 1348 wrote to memory of 1800	1348	userinit.exe	105
PID 1348 wrote to memory of 1800	1348	userinit.exe	105
PID 1348 wrote to memory of 1800	1348	userinit.exe	105
PID 1348 wrote to memory of 1800	1348	userinit.exe	105
PID 1348 wrote to memory of 1800	1348	userinit.exe	105
PID 1348 wrote to memory of 1800	1348	userinit.exe	105
PID 1348 wrote to memory of 1800	1348	userinit.exe	105
PID 1348 wrote to memory of 1800	1348	userinit.exe	105
PID 1348 wrote to memory of 1800	1348	userinit.exe	105
PID 1348 wrote to memory of 1800	1348	userinit.exe	105
PID 1348 wrote to memory of 1800	1348	userinit.exe	105
PID 1348 wrote to memory of 1800	1348	userinit.exe	105
PID 1348 wrote to memory of 1800	1348	userinit.exe	105

C:\Users\Admin\AppData\Local\Temp\e4dcae88f6d374adf13a9af6e11aea7e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e4dcae88f6d374adf13a9af6e11aea7e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:220
- C:\Users\Admin\AppData\Local\Temp\Patch.exe
  "C:\Users\Admin\AppData\Local\Temp\Patch.exe"
  2⤵
  - Executes dropped EXE
  PID:3352
- C:\Windows\Install.exe
  "C:\Windows\Install.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\SysWOW64\YOF\FMJA.exe
    "C:\Windows\system32\YOF\FMJA.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:408
- - C:\Users\Admin\AppData\Local\Temp\inst_server.exe
    "C:\Users\Admin\AppData\Local\Temp\inst_server.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:824
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3552
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\server.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4488
      - C:\Windows\userinit.exe
        
        C:\Windows\userinit.exe c
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3448
        
        C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:3280
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Windows\msklm.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3620
    - - C:\Windows\SysWOW64\svchots.exe
        
        C:\Windows\system32\svchots.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: SetClipboardViewer
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2440
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\userinit.exe
    C:\Windows\userinit.exe c
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1348
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      PID:1800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\msklm.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@6D02.tmp

Filesize
4KB

MD5
0850d0451f7b387627be1d8448d4e8cc

SHA1
f7f346dbb9399a5f3c1e783c66bc82b7110d6f32

SHA256
d0f4b9b1c98c68a583e99af328f25220072bf99350407f4d8168cc15714ed9e1

SHA512
bb403196ff80b8971486d4a71246de4d4e4b1bbea4505940574ce2d375bc1d55a5ba7606bba9d4b726ad3ef3fe89a1ed377d6d984f2f08fa1f938694fb2f6535

Download Submit
C:\Users\Admin\AppData\Local\Temp\Patch.exe

Filesize
54KB

MD5
471d59c822d102d40f202b70a5c4a88a

SHA1
2f1d83a7dd442ed8b2c843725507e1fa4055c3eb

SHA256
1f2ec34e911c574f36f0093127c05454e5ccba538d7227f59784c3ec5a60bbda

SHA512
249b82ef70258adbce12ee74b1155af9e468cad8c0b2f414bb2bbeefc0bf6c3261a7e11229e53f54bf091f84344780aa5df41c2dc89a926dc991a194c904cbb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat

Filesize
1KB

MD5
c363636be734a8e6b81c677a43e25f85

SHA1
1103c7de9e96847abeacc2bade802e9420153a86

SHA256
c9e577f71b090bf5c400bb7161442ce61fd4feaa993fce90ba57e6410e16e0c3

SHA512
aae9d484e55355af205c20f0ec367b7b15f1c438b6ac6b23eea9b641e09ae4f12049666abc4e44912030203e0ef4ff8703620e7433a9b85f6832a109defe2191

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin

Filesize
7KB

MD5
de4b1aa8153f7625d9d9ce970e2aa9e4

SHA1
5a95d08b9f566f0667f7d134c13ce49eb1e960f3

SHA256
032ee64576aa2b7af69f17cb908f72887377a9b6c4e816a2567e8dad359ed9fc

SHA512
f4c80a6071b20c139447469fd1f14381c1141016c0c407e385fcf3c752d031563c2d638fc14a2f61c1aa993c4c801d7e553878f75e3112939b99bf455508f9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

Filesize
22KB

MD5
9a00d512f9e1464ad793702cf2b1eda0

SHA1
39a47a90cd3dd132dbab9f5052dda38dbd7c63f6

SHA256
98d257f639ee9df968f77b1f66c78230d07d86e58a7ddf0d306a24af3873dc5b

SHA512
18604f20351db1d418f48f2eb023be07588754b428b5d6abb0a7c40d6bf174ce7dcab2ae6e06f22585e12f1bfdb6e408b17bf20e2a7ba137620002ac04b8b4ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\svchots.exe

Filesize
408KB

MD5
d34b4414ff28537909ae2da1e5c2484b

SHA1
6f510d70867d6c9743ea89ae2ae7363532bac2d8

SHA256
c607f59088d96111e1392d0af7a1adbda9ba175edc35fed19fb0722fa89c9442

SHA512
139c0daf7062762ef1dcf04532e0033d57b3f544353c6259925668d26341984ffb73dd1ca9c3ad593209e3b76edfc8256d29f9121cc52a3a4473eb52657db4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\svchotshk.dll

Filesize
21KB

MD5
31c7a09e3bf89c7ee0ebddad02a18996

SHA1
59fd23970715489ffe328f3856069d462c7f4b50

SHA256
b6305995ca0ddb381d0d954d51ea28bb44a91b0021376298958ac2f25f75261d

SHA512
a45adb99bb1dfa8a834435ed093216a49a7b72b64a5d5a86b221c8818634c292e4d1e22839b3ce158f2ddf8d123c9f2d43542078d4e00211c4fcc9f5ce406420

Download Submit
C:\Users\Admin\AppData\Local\Temp\inst_server.exe

Filesize
371KB

MD5
2c7e89505ea8bcffcc601d35bbae583e

SHA1
bdbbd3a274bde9aa4bb995a3e618890c5ba05953

SHA256
899fa4e91717407e3737c9c0853d38199f0b1a04c6c3401a8a5c42bfb7665eac

SHA512
dc10e2ba0d6db1c77313190f53106d2dd9f907e710973ba4a4b71be63dba2fbd0c5fa15887baf4f665133d9d52bb4892312d2ce5f35a66a98a7143ea6dc732f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
107KB

MD5
afee591f51f907351fb48c1f16923c19

SHA1
8ced3c24f618646039642b9621c9dea88d3fe4c0

SHA256
6ab5b7503f8286885fe8697c8ca316c31bebfcfb94e43bb3e7a61e08817c383a

SHA512
eff8dd8ce91af7c660f33a1d129f4022362691716b872be12def5341b0ae0622078d0d7dd7371dce87c4acaa4f98ecd0b311ff4a51af6c85bedb922e95ca66a2

Download Submit
C:\Windows\Install.exe

Filesize
837KB

MD5
79b40035a61c124306673bf5695cf639

SHA1
91170fdad77be0c1af25c9d8cc76def138b9fc85

SHA256
2ff301091220da41799a5e84d2b49dee9ac177eb240ab7110526a65aa0ae9999

SHA512
2a93c9fce6d0c7760beec795ca60b7047411b498d47eb1d794bf969744c9a525e3d7352432342d8a4ccfcf3c2cc70dc369270ecc39747fcd5843d7ebf9886c4e

Download Submit
C:\Windows\SysWOW64\YOF\AKV.exe

Filesize
416KB

MD5
753eed6ba7bca7e1b625d352a5230f6d

SHA1
db4bf56b23cbbd41d7f95d5f06ea8b062ba4b3cd

SHA256
68d90fb1c165caa1c6c04d1dd9a29e81a83d52952d608c17284b7215aafcb859

SHA512
abf78a8018039cfc5e7dd6ec4f71bfa58ff16f15e8758a9ed04c026c941cef6da14ac057d955778a4190f1116b42088aef9c87634f94d5014db6a5401d64fc60

Download Submit
C:\Windows\SysWOW64\YOF\FMJA.001

Filesize
592B

MD5
c293a1b727fcd9bb1d7bf01188264818

SHA1
cbbe1e562f05cbb268f7ea133101e039a4b8b1ce

SHA256
1516b4f8e1451410bc2ddd71a9c52ccd09b2b3245b280e4538769ed88e53cd80

SHA512
06694c5a9c5d7d315145b71f53953b98503792f28be7e56a41561c5f791711ddc9382ab8a0739677c04f091b047469169221a97659f9f886a9991d4197bdf880

Download Submit
C:\Windows\SysWOW64\YOF\FMJA.006

Filesize
8KB

MD5
1acf05c81017fb2a272d9c10caeb67f9

SHA1
e782df7f04a0146cec392f2200379fc42a4a74ad

SHA256
fa5e1d9a2240a678a99a0a11b1d49d6c692bc3ef24a0a1f2cc8f85c1d4e5a894

SHA512
c64e5b9c43af483c551b2fd4e143517c79cdef5b4144258f8964695dae3d0e3689194f0be5500369b19d666d0a08b46e15662bc8f1c51e314eee8af54cccb1c3

Download Submit
C:\Windows\SysWOW64\YOF\FMJA.007

Filesize
5KB

MD5
1f154a8e3d92b44b66de52ea426c772d

SHA1
5cca6e4b88dafa2caae56ad98df6ca4bdabbd92f

SHA256
6e08d5b0986bd2f6a9f7a981a6d951b9e6b71616ec894a9a3b40a0c12ceb3b95

SHA512
06501a567500a05082d03818d33d49f3bf7afcdd5ea6e68ed37f09ed4fe6a945f2e86ce418a86a98d42d436d4b76ffaef2434642c8f2fb24f2f445797e5e8c55

Download Submit
C:\Windows\SysWOW64\YOF\FMJA.exe

Filesize
540KB

MD5
3fcec6436ceefe496759d5d95a72946d

SHA1
90741b60963323ccff6aacc4f9a4e947967f3c65

SHA256
e9f4f9a93da9c4977f330450aa485665789b5f0d422ede2e67237c64eb975434

SHA512
44c675bc06b036c64f364db3198db29a8affce246006f8d51cd8de45c131de575ded4d5e1aefeeccd8c82d52529a3b312379ea524b7e49d662249a61c71aab06

Download Submit
C:\Windows\SysWOW64\pk.bin

Filesize
7KB

MD5
37a153aac83ea151553eb1c5dc0498dd

SHA1
b6be1cb63f7663734783c6d42c82998d122a8546

SHA256
03468e3449671a0c4fcdaffffc052526251f5673a7d244434d0f6783bd503cbc

SHA512
a500a5d472be56f1797a62d52e1cd257df3ccce4cd0a515e9298fb3b7d1639be7d8ebb5db89a055969edd47799e366ef83c5ba2b5dc845f80cfe63a8ed970520

Download Submit
C:\Windows\SysWOW64\svchots.exe

Filesize
408KB

MD5
a635bc1492e4c39ef47ed617d3dfe491

SHA1
353ae5d543aee4bd2084798308a82361336b34fb

SHA256
cd06f57e2e2956c634f851eb92666e9e24557fffbfcd098686e3d7fe03d8ffed

SHA512
e152eaaebc4a6a48d32ed2382e048f171d35200d1654cfb241f57612b655e921b8645e700f011d3638fda4bbc7f50e90ebdc24398664a9e553540b15a006b226

Download Submit
C:\Windows\SysWOW64\svchotshk.dll

Filesize
21KB

MD5
a11068817ba83d7b8c61a5c53c5a72ab

SHA1
cf4685ae095d5b1e92062c9d299cf9d250b6bab2

SHA256
0ee6154256e55de7d451e729c590f5bbf65479503099c3dfeaa10deac6fe4901

SHA512
a5ef2ec37eaf688c1fa926349227d25de1c5568c5630e56f8e5e3104ae6ee45275de8599d33d164cd2fc7c5b5dd853433e4228ff553d83228ae3f925446e9bae

Download Submit
C:\Windows\msklm.bat

Filesize
128B

MD5
6767851b21a3718b2eb1538372657f62

SHA1
798cf2e3438da237ed516f165dfcf397097da4e9

SHA256
44478783a4588666ba9483a4866a8de674b62dbf819e8d233a74ea8e57ef16e0

SHA512
34328e4692a662b5aa738e8a271a842f21846cc6284783e94e372d426b4c78b279f3c461bc9b3864381ad132b324631730b15775fa2521dc8e80d2b584cc587f

Download Submit
C:\Windows\msklm.bat

Filesize
144B

MD5
f75adb0f4427bfb96cb8f23796e6f4f8

SHA1
13f7e5c71e305f4d2df7a3cd099444e4046d5923

SHA256
0a355fb980b261e73ac8db46424149249c2692274c90458881c74ecd8873e63c

SHA512
840a144fbbf473b19759582ae5d860fc59e2e9e11c49959fb944ea880f5c9b7a69185e0424375f56937695bef634dc8330def1743173e120538cae7fba2504c2

Download Submit
C:\Windows\userinit.dll

Filesize
86KB

MD5
a09140f561a314c3495d72c3cabd1e8e

SHA1
83062ea280438543a1408830fff5ff6f4a79b7d9

SHA256
8acba5512a804ed88d29eaa4ea11ba6c3cadf8e89abe6aaa3dfcbce3ef13d164

SHA512
ae4ee71ef81bdf79a0fe08a7f9d9b13b60c28132a49ab2cd593db59456e1c438876c9a1131950957bc4dade9c59964f11b0588735972a8148f582507f18bc877

Download Submit
memory/220-37-0x0000000000400000-0x000000000050A000-memory.dmp

Filesize
1.0MB

Download
memory/824-159-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1348-199-0x0000000010410000-0x000000001044C000-memory.dmp

Filesize
240KB

Download
memory/1348-174-0x0000000010410000-0x000000001044C000-memory.dmp

Filesize
240KB

Download
memory/1348-196-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1348-47-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1348-205-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1800-176-0x00000000017A0000-0x00000000017A1000-memory.dmp

Filesize
4KB

Download
memory/1800-175-0x00000000010F0000-0x00000000010F1000-memory.dmp

Filesize
4KB

Download
memory/1800-202-0x0000000003A20000-0x0000000003A21000-memory.dmp

Filesize
4KB

Download
memory/1988-36-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1988-91-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3352-51-0x000000001BD10000-0x000000001C1DE000-memory.dmp

Filesize
4.8MB

Download
memory/3352-70-0x000000001C420000-0x000000001C46C000-memory.dmp

Filesize
304KB

Download
memory/3352-38-0x00007FFA393F5000-0x00007FFA393F6000-memory.dmp

Filesize
4KB

Download
memory/3352-127-0x000000001E6A0000-0x000000001E702000-memory.dmp

Filesize
392KB

Download
memory/3352-155-0x00007FFA39140000-0x00007FFA39AE1000-memory.dmp

Filesize
9.6MB

Download
memory/3352-156-0x00007FFA39140000-0x00007FFA39AE1000-memory.dmp

Filesize
9.6MB

Download
memory/3352-45-0x00007FFA39140000-0x00007FFA39AE1000-memory.dmp

Filesize
9.6MB

Download
memory/3352-46-0x00007FFA39140000-0x00007FFA39AE1000-memory.dmp

Filesize
9.6MB

Download
memory/3352-66-0x0000000001030000-0x0000000001038000-memory.dmp

Filesize
32KB

Download
memory/3352-49-0x000000001B700000-0x000000001B7A6000-memory.dmp

Filesize
664KB

Download
memory/3352-76-0x000000001B7B0000-0x000000001B7D0000-memory.dmp

Filesize
128KB

Download
memory/3352-52-0x000000001C280000-0x000000001C31C000-memory.dmp

Filesize
624KB

Download
memory/3448-130-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3448-161-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3448-217-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3448-242-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4488-125-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4488-153-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download