ardamax | b40586092deaa8fa14ebb39802a20f2ebada997a075b75744274faa4a9735afe

Analysis

max time kernel
120s
max time network
134s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
31-10-2024 01:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

811cbc2f3c61d4bf7d009d00c15f1321_JaffaCakes118.exe
Size

1.0MB
MD5

811cbc2f3c61d4bf7d009d00c15f1321
SHA1

775a085e2f4771ea67cd75a2b797dc6eedbdb32f
SHA256

b40586092deaa8fa14ebb39802a20f2ebada997a075b75744274faa4a9735afe
SHA512

4bfbeb25f004a4017a33d2b269893e2bea6ee718911dbc2a76ccb0784dffe16002cce8ce358d36f1bc98a44473a368bd31e01d339c83c07302f35526396ff80d
SSDEEP

24576:EesT97/AE/wkXmv/fnwFY9cx0uxGCYyXK/no/HW2xBBqJp9RpY:E3T9f/bKPyY9cRs9wO+B8JpRY

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x00070000000170f8-8.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
1760	ETI.exe

Loads dropped DLL 4 IoCs

pid	Process
2324	811cbc2f3c61d4bf7d009d00c15f1321_JaffaCakes118.exe
1760	ETI.exe
2324	811cbc2f3c61d4bf7d009d00c15f1321_JaffaCakes118.exe
2884	IEXPLORE.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ETI Start = "C:\\Windows\\SysWOW64\\VDFILS\\ETI.exe"	ETI.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\VDFILS\ETI.004	811cbc2f3c61d4bf7d009d00c15f1321_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\VDFILS\ETI.001	811cbc2f3c61d4bf7d009d00c15f1321_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\VDFILS\ETI.002	811cbc2f3c61d4bf7d009d00c15f1321_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\VDFILS\AKV.exe	811cbc2f3c61d4bf7d009d00c15f1321_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\VDFILS\ETI.exe	811cbc2f3c61d4bf7d009d00c15f1321_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\VDFILS	ETI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	811cbc2f3c61d4bf7d009d00c15f1321_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ETI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b1319000000000200000000001066000000010000200000003a03bbca624049e7b942f447a605e8f261943a59d8ad7c0a885c6e4ff9d5f1fa000000000e800000000200002000000051f4096c5fced57988e26677c0466227bde7ce29de724c1355e66e18ddb87cc12000000099867bb33e2194b43c98cfef40424a51e54e57807bdf6cdc77ab0dd98ccaf95f40000000c8d6551e3c36b20d4646b01543b55ce20314f7e560c5b40ab7db7738a4001fa97e99e9b0ccf3c7587e501ea9d11173541060305a3d8f7c121f817991f257960d	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80c32465392bdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Web3.5 = "1730340313"	ETI.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{90553851-972C-11EF-B666-DEF96DC0BBD1} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b131900000000020000000000106600000001000020000000c7177f54521d4efd21b2a8effb9c3d88d443154308cab1fa3f12d8ebd65c6488000000000e8000000002000020000000f6cc07bd703b633a8007a028f5f73317914b9d821204220952d738534d6e8c8f900000005887acdfe1445d714b8bcb29e33b59ae1cccb379680e8a6f50d2666a91069e6238dfc71d3a2890249644e7dfb1e7f69eaf409d6cbbb59353460bc217e158da1a38184182af588a2021ff6e535fb96e6d0d6a68e8857eed9d5e92cfd9c076fa12e1a6ff3c23f552de35acf0f7a7daec6165bf32263b8059d773edb68b42911fe15b860b9b8d6d0fb66899f45c9a8e72a440000000313da99948d6b56235cc9e9381142bb5f1a6c2551ccc030a17d1d7ed1bf8b4b411fb42e5549ee185139cd5f993108b3377a239c6eb5156cb8c942596e93d6537	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436502181"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1760	ETI.exe
Token: SeIncBasePriorityPrivilege	1760	ETI.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2152	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1760	ETI.exe
1760	ETI.exe
1760	ETI.exe
1760	ETI.exe
2152	iexplore.exe
2152	iexplore.exe
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 1760	2324	811cbc2f3c61d4bf7d009d00c15f1321_JaffaCakes118.exe	30
PID 2324 wrote to memory of 1760	2324	811cbc2f3c61d4bf7d009d00c15f1321_JaffaCakes118.exe	30
PID 2324 wrote to memory of 1760	2324	811cbc2f3c61d4bf7d009d00c15f1321_JaffaCakes118.exe	30
PID 2324 wrote to memory of 1760	2324	811cbc2f3c61d4bf7d009d00c15f1321_JaffaCakes118.exe	30
PID 2324 wrote to memory of 2152	2324	811cbc2f3c61d4bf7d009d00c15f1321_JaffaCakes118.exe	31
PID 2324 wrote to memory of 2152	2324	811cbc2f3c61d4bf7d009d00c15f1321_JaffaCakes118.exe	31
PID 2324 wrote to memory of 2152	2324	811cbc2f3c61d4bf7d009d00c15f1321_JaffaCakes118.exe	31
PID 2324 wrote to memory of 2152	2324	811cbc2f3c61d4bf7d009d00c15f1321_JaffaCakes118.exe	31
PID 2152 wrote to memory of 2884	2152	iexplore.exe	32
PID 2152 wrote to memory of 2884	2152	iexplore.exe	32
PID 2152 wrote to memory of 2884	2152	iexplore.exe	32
PID 2152 wrote to memory of 2884	2152	iexplore.exe	32

C:\Users\Admin\AppData\Local\Temp\811cbc2f3c61d4bf7d009d00c15f1321_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\811cbc2f3c61d4bf7d009d00c15f1321_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\SysWOW64\VDFILS\ETI.exe
  "C:\Windows\system32\VDFILS\ETI.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1760
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\playspan.gif
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2152 CREDAT:275457 /prefetch:2
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98d93c58d1ebf785683c69bc403c405e

SHA1
f5e4444e7249b81b21660ceeb7623ca04c1cb204

SHA256
dcafd5e7393a872df66130e0e4adf0abbac0de49e8ea008e236c470221d510e5

SHA512
7429be62ae3f706b1b8d0121812e5e6eee7b0fd52d53aedb47110f75fd22f99f25b06a96b3660fbc9d41cbdb99bca985bc7bafe8949268414171ab4c74048973

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
714f90fad927d181854615fff045e960

SHA1
8e0d6464b64d795e5495980106d4dcc0d993918f

SHA256
a8254616b881b2e2276d6550607037d645e0b392dc1763710124df5c8a8c57b6

SHA512
2b47925da62e85c21c36e29f0e407a61fa4979d385dee7926ccebe962e503851961a091b31cefb94f7ea05f7a896a3494e969700ddd15a85c5afe4c9f3c44f31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d4a46c8541dcb1a0882d36e71623157a

SHA1
5ff2bf7500d9f72a312f3ba6bdcd484b0bf550e5

SHA256
0e0877ea532fa60a69a890dccf2b8c20cab0c61443f4c232a18603c9764e6674

SHA512
70b188ec1412d928b29afcfe330a0502b210b6e48559aa4b1e72dec21a150fc9a040f138b16e881ec86f7b1d2801bf67844305704f0a1467a522c65e7bf3aa26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d30c2df509110d8527c63c4787e6dab8

SHA1
8f3c9cbb3efe30b987a7dc7159fff4d198ab0256

SHA256
b9db3cc50046e86a0dbf3e5bbdcb42000f1d4d9e0dce6899b4ca75f965e7d12a

SHA512
4aa09d0d10d3d2f047bef3a3862dda29352ca7d2e9f5de0dbfa194f83e8bb7c72c1250dcfea4c3109ca13ead95a2076cf4b35d5d75f5307ea82787c29e22f85d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9eb36576116a94c17629bdf2684e98b6

SHA1
f845da83fe6f50e01687c1052ad9d2afff1567cb

SHA256
8d1b658278c94284c97435635d9d8ceb5756cba8727bad17b88b9d9dca390e11

SHA512
1498bb999833a65c96261471714cbf8995f63eb611829a1a69ab294eba450b28be08fea5c5628aadb40759b940d4da5fd8194a299a192bd459e1905d24695e5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
62d11ab70a0ae1225e405ecfa7541658

SHA1
84abdf0a2d0f40588466d893b84201cb35d067d9

SHA256
1fb959c0b7c996dc21f3269b331702faece72635f8b94a6b7a2d0589c9efffbb

SHA512
c9335949662385a5bf13e9e0a61c022d20e07a9568cde860de8cbcdc860bf6ca07542c767e197a70bbd27c8f1886acdd50ab2281bdb256b5fcae27d9c1f9c119

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
54d0c4c1e147b58639bc29904d0428c7

SHA1
3be9d56af0208482db6483b49fa20d1f3458ac1d

SHA256
e92996c5c685874186eec4a50e1860151ea901451ff44896d72a5bd040b80198

SHA512
4c3a3412c2c1bb95bcb5c1aa8c8917efc49f42775261ec2616a7ae1a9b120e5347faf8a4f809b66c2c1a91919ba2d596663eaa5e0008487e31032e003ce59c66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10da06bdd296c3e5c4b2ce7cc880390e

SHA1
6cd817155c7edd1138339319d500f6bfd7e629ba

SHA256
e96b0da3c4661a8f39d935e3860d6d15725f3a7ed496f5100bd78ca7d3007007

SHA512
55edf81f113cc8f8a0564b5356ba60d41df95ca193a6f224aad0b43a4ae36953394d6fecde188170056fa2b16a6eace28a51edea929e25225fe1aa5efa16692d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d439a9805363ae9fe1d43cd53884a36b

SHA1
6f6c1ad43b2ef5601d35c87ea5eaf19368b0410f

SHA256
c2b54f846100a717f4e0143812cb1d8650910ffab9be2e2876ec256e45a4ae46

SHA512
cfaeb269ca3df33164e8768972a2abd47b7d6dfd142b095bb09dfe9e1a9774cbba06a19204fff7a2cab28cfdc1154070a49a7b01f73b89f731810a2354a64eaf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
beec1573b90afcfda5b2bf28ca0e9755

SHA1
0d7135c299e2ad0641e80ef8ee3e06600b352a71

SHA256
328cce17a6f5cdb29266bd95720d5798013f94a9bb5c56b6a38f294223334507

SHA512
e2cf00dd8df29ecf5ab06799b926648a8eaaa1bc576f332b178fc4a7c4525955c0384cdc730e7174c15d970238ee69745e7fda45d19f407262f141ee495da0ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9fc230320449d058475f776dc21020dc

SHA1
af9ff9fa90af56b57c62fba32cdee7fe37470ee0

SHA256
9c382366cc946939667f576d50447560598c7201accb43bad9ad0c5d228bb4fd

SHA512
dfc84dc01d9cd354a758f9cc99f1614623847804cc01ec7fdbf4af6f6e6d6e4b4df94000482a2e24c8953c09d9514655358408b61886c096a64b54f2c7bc0c44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
065a088f0a572b4a7bd4475244a00ea1

SHA1
2c47699ce7eb3bbc462c40731e2d0bdd73eec992

SHA256
97368689f14d3c5e42ee7b7972a22a62cfbdf80c2ee55cdc71e45da64a190470

SHA512
8f6e83b3f72d7419626d7d941bb8cc310b2b2ca2cbf06944b91ed6f81d3c4fb0f5d0282ee3a330556cc57576924ad916dfcefa7fc74a57077e2059c0b0fd8b03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
364cd602f3fff26a71d5fd731541b8f3

SHA1
4578ad68a7f5cdcea32967a9bdfb3fb4b472ce75

SHA256
e248d3542f1a60ddbfba889a17129d8a7a178b8a6b66c700b7f8cd6853d67ee6

SHA512
5581fc9a55c01ac5c9d4175a5bb98ca18f3d4108e42cf915e60a9949c1d5de8bb41ac5833640efeae0988d1a6bc6569f83f7840a21a3e4d3d47b8116b6ba339e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9031cc89e3c06b7ef6e8d986093d7d2a

SHA1
7a22a7ce89b5fee1c8d1a2034142f10bdf2ebc7e

SHA256
98c094a4f77fd07b7572119c8d073495575b21ae045ac1e2ac1fa2b2a547d29a

SHA512
83d6f1e68dd07440c4a03677a1609093359263bcb243680081fda8ad67a244302148f1e939a11590f4335784596d0328e4aea3fa3704c396d713982196473c5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d9d3ecd8f8163ab75c4ce974b91e2a4

SHA1
0e969cc150008a1a88dc6b9bbfcdacde89e2393c

SHA256
6ad3f5ed82125d8e4ce594f2aa26fb8b4a2590f8a82d6e06aa4fec9e5862a727

SHA512
0cac2e7e6dfec2cca5c7b7b479609fdcf0378cf626b8d24e81808239976689adc05e871d8e8ed6a481020d8aa34b7ffdb3e8786b6840a9df405d07c095e2104a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a58b648144f08553973c2b95b12e6a47

SHA1
d6a8ad79277ce2905873397e195ca8e069f96e19

SHA256
64df156fdebfdb6f6595f34a5c4fb73b92501ab6cd7a564ba2b21a923f21d97c

SHA512
efe9b8cd8382a1c81401d51d5e937b0a926543a3bb83ff7edd625750289663976899c86d6c0981fde18285e95b7be82c0fd9ae01d0b10d78f1eec30257d251d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3cca487dcee93e72e0845c2d30e9eb75

SHA1
3cb188dd48b60f9c7b15d3b04078e93a1f93255a

SHA256
7377135435dcc92eec8222ce7bee24a5ea42b7f1e2ed0f0f26181c5fdf321a55

SHA512
e059ef1df86c93ccf4cbd6271064cf87e0c73f355572c63c6073b53950a4fd2081697a011e97f9a0a40ca2fc2689fc8e16be7a3db8687a30a5dd842f29a0177b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF825.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF8D6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\playspan.gif

Filesize
27KB

MD5
a728ee12275113e7b77a8378b90ce8ae

SHA1
db57240ff5808f63e9e177397666b856d1ec9464

SHA256
c8677d9ccafefaf06ba407de0c56748f318894a36ea7fe8ad1c5ffab6ae88723

SHA512
5498761864c90a172515fecff5ab529170a890197b330d2436fe33e739cadd4da49760f38403a60e5b4e777bf2f16d5281d9f0e68cd7a27e3a3a3616b8a08f63

Download Submit
C:\Windows\SysWOW64\VDFILS\AKV.exe

Filesize
498KB

MD5
51c1f8be2696047a60425cf4e8370eeb

SHA1
c565f5f7ca1eae6af9c7e7d07092031975ddf356

SHA256
900f9e42b5157d485000517997655dea2b5a36b249295e16a650ea38a8992de4

SHA512
a25712fa2ca973a3d73fc9fd59bd4c4734cb31f1683d0960e86fb0d1f078f011c8c9aebd85b6513f434c4e96cc8dd4367620a9b5c55112b586187ee2fed96c9a

Download Submit
C:\Windows\SysWOW64\VDFILS\ETI.002

Filesize
42KB

MD5
afa4b981d51f73aaa544fac1a7108ab3

SHA1
8dd9f0811c98175b1cf9d73893e03283e020ada2

SHA256
456ed6eae6b31494b782f8786d28f22a96f38abcc81e93cc9802dac6bb1b9238

SHA512
4e0234d692b5eb91cfe5f2f2926a0b0f49dc43510c695dd6bff78071c86dfad91cbcde3428d4965026fd980c1a353b221b0a3fa35d223d678ef82cfb9e0294e5

Download Submit
C:\Windows\SysWOW64\VDFILS\ETI.004

Filesize
502B

MD5
46abadb5eeed27330ace63144e5a180c

SHA1
8976e91b050aebcab3cb2b221e7b3251161590b9

SHA256
a770ee0b90f0e9cad9472cc41b3446ad20ea48b98bc54c4a3dc1276f2168bb26

SHA512
29cd3e9b0c440316ca9d498d089034a576af8d2e51fafb2c3bb339055583b0803987ea40cc8aa285745ff41ac364b46e523945d6d8556b4c148af2913f0bbe81

Download Submit
C:\Windows\SysWOW64\VDFILS\ETI.exe

Filesize
1.3MB

MD5
93e6298315cf566b520382d6c701dc62

SHA1
ab5ee9810535cfee6fb1f751d63cc5a0ed0e256e

SHA256
035a7419c78813bae698ee98db9f48302d4de0bd011ac573eb457f65268b702b

SHA512
1c37c580578964ea00a3fd193ba04ca81ed2e5cf3e74395e90994b3dd0e22d3c55fb640eb8138af81eef6d88af37459dcc6bb6bd035fc1aaa71476ba4634a8ee

Download Submit
\Windows\SysWOW64\VDFILS\ETI.001

Filesize
60KB

MD5
2bfb29b33b47a062d48c9ad462cc06c2

SHA1
1b39d2cb07740cfafe6809d30431952e2b7c2a5f

SHA256
f5b12e8464198b5c9cb2308e86942ef6d49ad0aeb844b47a385e90f0977d9001

SHA512
3521cca90074871f0e28706061e4a6ec8c0abca1c36ac73e860216be46df06c89ec8a5690677c4df0bf451ba2d2374351009a459101de459b71efa3889a043ee

Download Submit
memory/1760-16-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1760-288-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads