ardamax | a8bb9f536c4a1cfb918e09d9d952adeb0cfbf12cbc4f8e556777ff2a178b5a39

Analysis

max time kernel
147s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-10-2024 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe
Size

2.6MB
MD5

5c42bc330b56f93ea97a74d9c6e2766d
SHA1

2ad211165fb2470f3c72a4257566d83899b9a44b
SHA256

a8bb9f536c4a1cfb918e09d9d952adeb0cfbf12cbc4f8e556777ff2a178b5a39
SHA512

0713363b7e2668f259ab519d81bdacfbc8f789cafb542028ac5bcb23a848e0a649d5ae1d015506c245fb91811273b85f9ed5ec32616e3cfe4aeebcb3ce746557
SSDEEP

49152:2U9U3QYwXjj1LBdgswATOx1gsbATKLX+yTkU69ajy1feYTxSJuMudrb7uZ:2U9U30j1Fqzx1g8LdTr12f/TxSJUrb7i

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x00080000000175f7-26.dat	family_ardamax

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2732	QOTO.exe
1860	Toilet Umum1.exe

Loads dropped DLL 7 IoCs

pid	Process
2656	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe
2656	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe
2656	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe
2732	QOTO.exe
2732	QOTO.exe
1860	Toilet Umum1.exe
1860	Toilet Umum1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QOTO Agent = "C:\\Windows\\SysWOW64\\28463\\QOTO.exe"	QOTO.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\QOTO.001	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\QOTO.006	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\QOTO.007	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\QOTO.exe	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\key.bin	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\28463	QOTO.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QOTO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Toilet Umum1.exe

Modifies registry class 59 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1962B60F-126C-934E-168B-060A75CF4DA3}\1.0\0\win32\	QOTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1962B60F-126C-934E-168B-060A75CF4DA3}\1.0\FLAGS\	QOTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92956245-6AB6-449B-3F9E-A3E04FD0D181}\VersionIndependentProgID\ = "UmOutlookAddin.UmEvmCtrl"	QOTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9085986-F0A1-1C05-E238-C2FAC0F67CCE}\InprocServer32\ThreadingModel = "both"	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92956245-6AB6-449B-3F9E-A3E04FD0D181}\Programmable\	QOTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1962B60F-126C-934E-168B-060A75CF4DA3}\1.0\0	QOTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1962B60F-126C-934E-168B-060A75CF4DA3}\1.0\0\win64\ = "%SystemRoot%\\SysWow64\\xwreg.dll"	QOTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1962B60F-126C-934E-168B-060A75CF4DA3}\1.0\FLAGS	QOTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9085986-F0A1-1C05-E238-C2FAC0F67CCE}\ = "DataCollectorSetCollection"	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1962B60F-126C-934E-168B-060A75CF4DA3}\1.0\HELPDIR\ = "%SystemRoot%\\SysWow64\\"	QOTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9085986-F0A1-1C05-E238-C2FAC0F67CCE}\InprocServer32\ = "%SystemRoot%\\SysWow64\\pla.dll"	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9085986-F0A1-1C05-E238-C2FAC0F67CCE}\VersionIndependentProgID	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92956245-6AB6-449B-3F9E-A3E04FD0D181}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\ADDINS\\UmOutlookAddin.dll"	QOTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92956245-6AB6-449B-3F9E-A3E04FD0D181}\Programmable	QOTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1962B60F-126C-934E-168B-060A75CF4DA3}\1.0\0\	QOTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1962B60F-126C-934E-168B-060A75CF4DA3}\1.0\0\win32	QOTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92956245-6AB6-449B-3F9E-A3E04FD0D181}\VersionIndependentProgID	QOTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9085986-F0A1-1C05-E238-C2FAC0F67CCE}\LocalServer32	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92956245-6AB6-449B-3F9E-A3E04FD0D181}\MiscStatus\ = "0"	QOTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92956245-6AB6-449B-3F9E-A3E04FD0D181}\ProgID	QOTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92956245-6AB6-449B-3F9E-A3E04FD0D181}\ProgID\	QOTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1962B60F-126C-934E-168B-060A75CF4DA3}\1.0\FLAGS\ = "0"	QOTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92956245-6AB6-449B-3F9E-A3E04FD0D181}\TypeLib\	QOTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92956245-6AB6-449B-3F9E-A3E04FD0D181}\TypeLib\ = "{1962B60F-126C-934E-168B-060A75CF4DA3}"	QOTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9085986-F0A1-1C05-E238-C2FAC0F67CCE}\AppID = "{03837503-098b-11d8-9414-505054503030}"	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1962B60F-126C-934E-168B-060A75CF4DA3}	QOTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1962B60F-126C-934E-168B-060A75CF4DA3}\1.0\HELPDIR\	QOTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92956245-6AB6-449B-3F9E-A3E04FD0D181}\Version	QOTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9085986-F0A1-1C05-E238-C2FAC0F67CCE}\ProgID	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9085986-F0A1-1C05-E238-C2FAC0F67CCE}\Version\ = "1.0"	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92956245-6AB6-449B-3F9E-A3E04FD0D181}\ProgID\ = "UmOutlookAddin.UmEvmCtrl.1"	QOTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1962B60F-126C-934E-168B-060A75CF4DA3}\1.0\0\win32\ = "%SystemRoot%\\SysWow64\\xwreg.dll"	QOTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1962B60F-126C-934E-168B-060A75CF4DA3}\1.0\	QOTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1962B60F-126C-934E-168B-060A75CF4DA3}\1.0\0\win64	QOTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1962B60F-126C-934E-168B-060A75CF4DA3}\1.0\HELPDIR	QOTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92956245-6AB6-449B-3F9E-A3E04FD0D181}\TypeLib	QOTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92956245-6AB6-449B-3F9E-A3E04FD0D181}\Control	QOTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9085986-F0A1-1C05-E238-C2FAC0F67CCE}\VersionIndependentProgID\ = "PLA.DataCollectorSetCollection"	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1962B60F-126C-934E-168B-060A75CF4DA3}\1.0	QOTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1962B60F-126C-934E-168B-060A75CF4DA3}\1.0\0\win64\	QOTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92956245-6AB6-449B-3F9E-A3E04FD0D181}\VersionIndependentProgID\	QOTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9085986-F0A1-1C05-E238-C2FAC0F67CCE}\TypeLib	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92956245-6AB6-449B-3F9E-A3E04FD0D181}\MiscStatus	QOTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1962B60F-126C-934E-168B-060A75CF4DA3}\	QOTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92956245-6AB6-449B-3F9E-A3E04FD0D181}\Version\	QOTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92956245-6AB6-449B-3F9E-A3E04FD0D181}\Version\ = "1.0"	QOTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9085986-F0A1-1C05-E238-C2FAC0F67CCE}\ProgID\ = "PLA.DataCollectorSetCollection.1"	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92956245-6AB6-449B-3F9E-A3E04FD0D181}\InprocServer32\	QOTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92956245-6AB6-449B-3F9E-A3E04FD0D181}\MiscStatus\	QOTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92956245-6AB6-449B-3F9E-A3E04FD0D181}\InprocServer32	QOTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9085986-F0A1-1C05-E238-C2FAC0F67CCE}	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9085986-F0A1-1C05-E238-C2FAC0F67CCE}\LocalServer32\ = "%SystemRoot%\\SysWow64\\plasrv.exe"	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9085986-F0A1-1C05-E238-C2FAC0F67CCE}\TypeLib\ = "{03837500-098B-11D8-9414-505054503030}"	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9085986-F0A1-1C05-E238-C2FAC0F67CCE}\Version	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92956245-6AB6-449B-3F9E-A3E04FD0D181}	QOTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92956245-6AB6-449B-3F9E-A3E04FD0D181}\ = "Icacec object"	QOTO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92956245-6AB6-449B-3F9E-A3E04FD0D181}\Control\	QOTO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9085986-F0A1-1C05-E238-C2FAC0F67CCE}\InprocServer32	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1962B60F-126C-934E-168B-060A75CF4DA3}\1.0\ = "PXWizardRegistration 1.0 Type Library"	QOTO.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1860	Toilet Umum1.exe
1860	Toilet Umum1.exe
1860	Toilet Umum1.exe
1860	Toilet Umum1.exe
1860	Toilet Umum1.exe
1860	Toilet Umum1.exe
1860	Toilet Umum1.exe
1860	Toilet Umum1.exe
1860	Toilet Umum1.exe
1860	Toilet Umum1.exe
1860	Toilet Umum1.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1860	Toilet Umum1.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: 33	2656	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2656	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe
Token: 33	2656	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2656	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe
Token: SeDebugPrivilege	1860	Toilet Umum1.exe
Token: 33	2732	QOTO.exe
Token: SeIncBasePriorityPrivilege	2732	QOTO.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2732	QOTO.exe
2732	QOTO.exe
2732	QOTO.exe
2732	QOTO.exe
2732	QOTO.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2656	3040	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe	31
PID 3040 wrote to memory of 2656	3040	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe	31
PID 3040 wrote to memory of 2656	3040	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe	31
PID 3040 wrote to memory of 2656	3040	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe	31
PID 3040 wrote to memory of 2656	3040	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe	31
PID 3040 wrote to memory of 2656	3040	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe	31
PID 3040 wrote to memory of 2656	3040	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe	31
PID 3040 wrote to memory of 2656	3040	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe	31
PID 3040 wrote to memory of 2656	3040	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe	31
PID 2656 wrote to memory of 2732	2656	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe	33
PID 2656 wrote to memory of 2732	2656	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe	33
PID 2656 wrote to memory of 2732	2656	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe	33
PID 2656 wrote to memory of 2732	2656	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe	33
PID 2656 wrote to memory of 1860	2656	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe	34
PID 2656 wrote to memory of 1860	2656	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe	34
PID 2656 wrote to memory of 1860	2656	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe	34
PID 2656 wrote to memory of 1860	2656	5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\5c42bc330b56f93ea97a74d9c6e2766d_JaffaCakes118.exe"
  2⤵
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\SysWOW64\28463\QOTO.exe
    "C:\Windows\system32\28463\QOTO.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2732
- - C:\Users\Admin\AppData\Local\Temp\Toilet Umum1.exe
    "C:\Users\Admin\AppData\Local\Temp\Toilet Umum1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
a5ab3dcc654580ab5f54ace4d5eb25d2

SHA1
04961a219a3e62731a26c05dcb15cc9281454470

SHA256
cedc0008a44c0a531bcb7793d92eb1a204e6f15511ae2b2e757e755d9c888e36

SHA512
0e835877cabcaa688b59786345a6eb48e53d36b4937f3c31c4eccce8d28cdcf263982bfe444119c600f1fcc847dc8955e77459ba01af699ff8e3af4e8dcea05f

Download Submit
C:\Windows\SysWOW64\28463\QOTO.001

Filesize
376B

MD5
1974456898022f43bf56992790426cff

SHA1
cb2b6c4b080852e427a613c5d77b6f8fd2849d8c

SHA256
c602b8ec4bb395151493c8d092e6fc7b923723cb84588c971d315d9fc64ac063

SHA512
b108490c48a546f9f8ff86878fd12bab45312376874fe6d3df57b513dcc29dd842bef06699ded948edd8dbd1e41b0db6b4e7ab3e610e08da922e069943491887

Download Submit
C:\Windows\SysWOW64\28463\QOTO.006

Filesize
8KB

MD5
a7d56ebb7d4df6da32fd0eb2cbb01c8d

SHA1
9649efa83dec688d20733e73706ab45469877dec

SHA256
e8f58299afe568e8f28c1775597b410eb2692c09f2113345a36d6940c623ad83

SHA512
52daef6e65ad7132a2fcd28b7d5580f18eba107cf86134db88137d70db86b9b8cc080fdc63c8cb3e5d381274624a885e707b3191bdcd53bd20845da62076cda6

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
105B

MD5
27c90d4d9b049f4cd00f32ed1d2e5baf

SHA1
338a3ea8f1e929d8916ece9b6e91e697eb562550

SHA256
172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb

SHA512
d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae

Download Submit
\Users\Admin\AppData\Local\Temp\@E678.tmp

Filesize
4KB

MD5
2edeacb33f56af3ef5395d72e1ce1e7e

SHA1
452986cfb1d19ffee51dd827e620d3669133a2dd

SHA256
fb1b34f7019ce4cdb95b0a95744d69ba4843480ada1c5a13d694dc094d994441

SHA512
650cfcdcc848b05be816f224301e1f91293024767edb32cfc140b73030f33f6dd7311f25ea5b2716eaab891ba342c8e9429652f45497e9f3d9031f83bb996301

Download Submit
\Users\Admin\AppData\Local\Temp\Toilet Umum1.exe

Filesize
739KB

MD5
4fc941af29173ed0e8de807adbeded94

SHA1
aa9535f7d95bf95e1506c1b8611aea3fa4be3cf6

SHA256
c236a75cca17f4f304f2e71e6ae5032304df59e8e5115fe309a29a6b90c08e86

SHA512
d9a906bcf8ba5f0825bdba8fe4c5eb79dbbb37f62d22f358002d706a8b3be7af790d77043c4927fd032cb128092af1a6011df9a6f065e43663caaaea3a4ca77b

Download Submit
\Windows\SysWOW64\28463\QOTO.007

Filesize
5KB

MD5
33713b71361b69fff8125c8a4f327716

SHA1
cc7870a3671ea4ff0d3a04f7372e82d10e497ecb

SHA256
8cfcbace29a286d3bd1b42683ac7a4c384440d2cac16fc7b87c7135d59a526b9

SHA512
8b7f214122d368d66eda0ff1be54dc2c9b3d73d37e2e143d80b8c382758eeb2568d5a55ba1f1b3f1e1b8981d22708178f5f0e21b14d384dd2c214fe7569b3e4f

Download Submit
\Windows\SysWOW64\28463\QOTO.exe

Filesize
649KB

MD5
22c27e66d6fa15ec1230ab9544c03ed7

SHA1
048c618c233a90fdbb7acb64abcbeead5e6ef350

SHA256
1b383815dcf2f514bc75338def0c2e8770eeae23f3c00521b09aa2570cdc3772

SHA512
5d8a6bf322dc84226a5ea14824f209815d54bd7acef9feba0719b497e99d24935d0214022a21a3903b814809aa83e868a6db3683b681874c7d7f25f0aeada9ca

Download Submit
memory/1860-74-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1860-68-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2656-30-0x00000000037A0000-0x000000000387F000-memory.dmp

Filesize
892KB

Download
memory/2656-47-0x00000000021A0000-0x00000000022FA000-memory.dmp

Filesize
1.4MB

Download
memory/2656-3-0x00000000004B7000-0x00000000004B8000-memory.dmp

Filesize
4KB

Download
memory/2656-4-0x00000000021A0000-0x00000000022FA000-memory.dmp

Filesize
1.4MB

Download
memory/2656-2-0x0000000000400000-0x00000000006D0000-memory.dmp

Filesize
2.8MB

Download
memory/2656-15-0x00000000021A0000-0x00000000022FA000-memory.dmp

Filesize
1.4MB

Download
memory/2656-13-0x0000000000400000-0x00000000006D0000-memory.dmp

Filesize
2.8MB

Download
memory/2656-11-0x0000000000400000-0x00000000006D0000-memory.dmp

Filesize
2.8MB

Download
memory/2656-14-0x0000000000400000-0x00000000006D0000-memory.dmp

Filesize
2.8MB

Download
memory/2656-10-0x00000000021A0000-0x00000000022FA000-memory.dmp

Filesize
1.4MB

Download
memory/2656-51-0x0000000000400000-0x00000000006D0000-memory.dmp

Filesize
2.8MB

Download
memory/2732-73-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2732-56-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2732-66-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2732-40-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2732-34-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2732-36-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3040-38-0x0000000000400000-0x00000000006D0000-memory.dmp

Filesize
2.8MB

Download
memory/3040-1-0x00000000022B0000-0x0000000002580000-memory.dmp

Filesize
2.8MB

Download
memory/3040-50-0x0000000000400000-0x00000000006D0000-memory.dmp

Filesize
2.8MB

Download
memory/3040-0-0x0000000000400000-0x00000000006D0000-memory.dmp

Filesize
2.8MB

Download