Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-10-2024 18:01

General

  • Target

    MasturbacaoFeminina2.exe

  • Size

    3.2MB

  • MD5

    0ac08d19b395d553f50168235f7c7ed0

  • SHA1

    1a9b02b39fe52066db32e233b541f2b0db68cb23

  • SHA256

    4aa09fa0529beb0d2096a1aa86cf4111cfff56b479a4048e8dcd13b937c7c0c7

  • SHA512

    9a65bad63e1da4a8d6c2567eb71733b318cb68f0eebbe6a1ef3eb0cbbea50b63a1649a80d6e5253de17964a3e3a7150dca5faef01c171bd95aacb5f4a26b7d9a

  • SSDEEP

    98304:R57Up17aZGruoEinbe6xKpCxlronCUsvm:DweWuoDDKgxpoU

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • HTTP links in PDF interactive object 1 IoCs

    Detects HTTP links in interactive objects within PDF files.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MasturbacaoFeminina2.exe
    "C:\Users\Admin\AppData\Local\Temp\MasturbacaoFeminina2.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\ProgramData\CDDLSI\HIS.exe
      "C:\ProgramData\CDDLSI\HIS.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:2672
    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\MasturbacaoFeminina.pdf"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:2700

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\CDDLSI\HIS.00

    Filesize

    2KB

    MD5

    26d6bf276f84648747ea5b23fc8428bb

    SHA1

    c5ce10312cfa9ec2996fdd9fdd0f9e7bd78a29fd

    SHA256

    40f3ea70192c256d0f26467dae63edbc48b64feff0e08272ebd9cdf1bded9262

    SHA512

    e4850c2e11fd7ec838068f7d3938532898128b3dd840ac74752c94d68ae5dff99f221396211ba5a465750e6538e158293b7080da3c6951c214ecbeea534961e2

  • C:\ProgramData\CDDLSI\HIS.exe

    Filesize

    2.3MB

    MD5

    84bd1dd4eabec5fe9b2911c461c5a883

    SHA1

    d9ca77eaba19d6f2656e0f3ac79ad1924eb7aea4

    SHA256

    479a4e8f6f4dfe58308e6816bf5de0f16bc47734d61a7bd0b8b68809f14db60b

    SHA512

    fac4f43f371ed34bb26b1e89054162febeee61052b1eb7e8ce9cfb7a8edc200c8a76a0948a0bea74354aa723446d76a494a908189eaef03430bc3a3ae0edbd2f

  • C:\ProgramData\SDL\HIS.004

    Filesize

    509B

    MD5

    f06126facd1509938686ee0d1d978175

    SHA1

    143b7628fa08247cf3df23adec92fa5c27227932

    SHA256

    fc7761bb1f60b79001d2047ec5a3c9b8c1fbf992765986252a75e0418ba1efdf

    SHA512

    ca4de9cde22d24619e3c0bcf6a825889bfefd1aebd97f666788e52203457b9288277dd21f07412241d0780391b4259f3114ed90bb20321948a5967597f7f5e84

  • C:\Users\Admin\AppData\Local\Temp\MasturbacaoFeminina.pdf

    Filesize

    793KB

    MD5

    026aa9f78e651c1f26626c5ea7038f10

    SHA1

    7cae80b0f4d8fd3e8acbb1d7e849d0b3c71bbeee

    SHA256

    ddd2528e349289ed7c3aedd73d1f79fcc5b7cf5e54eda793cb7b0c726c98f9d3

    SHA512

    bde39e87ed23bf4fb2d2a138a2e6bce3d8303323444fbf5aa3491a2604a29fb99f08b54b3122cc4d983480010b7e3945254d4ed2a6d3bacdb25083238b6145fd

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    0e00496a18117aa8192dc9d4467440e1

    SHA1

    98a50b1f3bed789aa1e5251f472eb73b01d9a4db

    SHA256

    60fd6bddb7c10191fedac804df26c08c06dd7b0cef3cc8889868f0a774f888f5

    SHA512

    e4bf7e3495622b9c27071aa0a46a430d4e0d8238234d2c16e8ac50d2f14f97587d2002a0fcdc42b480be47d7be6774985b12f7b34ba2f83778600be5e9777977

  • \ProgramData\CDDLSI\HIS.01

    Filesize

    80KB

    MD5

    0be24f7df280c4989c2e0095fa5295f1

    SHA1

    95a0e64f5e161835ccfe5e3b46416fc4e83b9e8b

    SHA256

    693644e3efa419806932a680601b8f037b314b0b957d3716838174a7958c49b6

    SHA512

    1f34a626ae87dbf0604523a6058e116a0eb743e00a58e5be8d69375c1567f61029f91f4bba4b5293b0abfc7300862deb13fa047108648c8a3fd812802fe49c88

  • memory/2672-17-0x0000000002180000-0x0000000002199000-memory.dmp

    Filesize

    100KB

  • memory/2672-18-0x0000000000400000-0x0000000000684000-memory.dmp

    Filesize

    2.5MB

  • memory/2672-22-0x0000000000400000-0x0000000000684000-memory.dmp

    Filesize

    2.5MB

  • memory/2672-14-0x0000000000402000-0x0000000000403000-memory.dmp

    Filesize

    4KB

  • memory/2672-50-0x0000000000400000-0x0000000000684000-memory.dmp

    Filesize

    2.5MB

  • memory/3024-2-0x0000000001010000-0x000000000133F000-memory.dmp

    Filesize

    3.2MB

  • memory/3024-21-0x0000000001010000-0x000000000133F000-memory.dmp

    Filesize

    3.2MB

  • memory/3024-20-0x0000000000390000-0x00000000003A9000-memory.dmp

    Filesize

    100KB

  • memory/3024-0-0x0000000001011000-0x0000000001012000-memory.dmp

    Filesize

    4KB

  • memory/3024-1-0x0000000001010000-0x000000000133F000-memory.dmp

    Filesize

    3.2MB