Overview

overview

10

Static

static

3

2024-11-18...ia.exe

windows7-x64

10

2024-11-18...ia.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    126s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18-11-2024 14:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe

  • Size

    10.4MB

  • MD5

    185c218239b46dff1b2b4642338f373e

  • SHA1

    77b794f16a8621b424355343bc5a4b04fd07f875

  • SHA256

    07eb94556da6da2c55e65b5fa7b48fd983c0b448c6ffa202d44c689d49ce6da8

  • SHA512

    77f579ea578865d9ab76378dc6207ee8e43647426c534616e7dff39c943d00f00ef306039d924ed45445850a68fd5bf1aa0c85d9c9ca95d0a1eb2bf2dc1955be

  • SSDEEP

    196608:1zS1+mVNY/EeryIqxQcZ77QxqJ8UhPo09VSY0P7JkwGIQW5zf:1zSLVaqx77UxS8cPFWY0P7JkwmWN

Score
10/10
ardamaxdiscoverykeyloggerpersistencestealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax family
    ardamax
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 13 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 23 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Views/modifies file attributes 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Users\Admin\AppData\Local\Temp\2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe" /i "C:\Users\Admin\AppData\Roaming\Net2e\SilkroadR 1.0.0\install\ChayNhieuAcc_SroR_Net2e.x64.msi" CLIENTPROCESSID="2384" ADDLOCAL="MainFeature" SECONDSEQUENCE="1" CHAINERUIPROCESSID="2384Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe" EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs " TARGETDIR="C:\" APPDIR="C:\Program Files\Net2e\SilkroadR\" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SilkroadR"
      2⤵
      • Loads dropped DLL
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      PID:1244
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\EXE45E9.tmp.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\SysWOW64\attrib.exe
        ATTRIB -r "\\?\C:\Users\Admin\AppData\Roaming\Net2e\SILKRO~1.0\install\CHAYNH~2.MSI"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:904
      • C:\Windows\SysWOW64\attrib.exe
        ATTRIB -r "C:\Users\Admin\AppData\Local\Temp\EXE45E9.tmp.bat"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2428
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE45E9.tmp.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:848
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" cls"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2020
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\EXE4609.tmp.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2592
      • C:\Windows\SysWOW64\attrib.exe
        ATTRIB -r "\\?\C:\Users\Admin\AppData\Roaming\Net2e\SILKRO~1.0\install\CHAYNH~2.MSI"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:1488
      • C:\Windows\SysWOW64\attrib.exe
        ATTRIB -r "C:\Users\Admin\AppData\Local\Temp\EXE4609.tmp.bat"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:1040
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE4609.tmp.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1844
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" cls"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1964
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 99B22446475386E1DEDD53D9D95C9622 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2884
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding B1D091DBAAE98C8D9F31ADCA0571BA86
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1368
    • C:\Windows\Installer\MSI3AA6.tmp
      "C:\Windows\Installer\MSI3AA6.tmp" "C:\Program Files\Net2e\SilkroadR\SRO_R.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1708
      • C:\Program Files\Net2e\SilkroadR\SRO_R.exe
        "C:\Program Files\Net2e\SilkroadR\SRO_R.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2256
        • C:\ProgramData\CFQPBU\TEV.exe
          "C:\ProgramData\CFQPBU\TEV.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          PID:2076
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:2424
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000560" "00000000000005D8"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:2168

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\f77340d.rbs
      Filesize

      9KB

      MD5

      945534b7541c30173f6d0057e977c2ce

      SHA1

      546e9153206b004a51b6963171e36d2a2210f982

      SHA256

      ddcbbd171cd31c6106fdc953e0108af63e3003d6cc7ce3ddd3898d13fe66d930

      SHA512

      ede6fc56f8fe4afdd0932cda5985b70ab58479200e57e4fd4730ad6db17db554d789bb914f9591002b87f96fbeffeb568c01e252d2385d17a4fb391b3f67bd80

      Download Submit

    • C:\Program Files\Net2e\SilkroadR\SRO_R.exe
      Filesize

      2.3MB

      MD5

      38bbc879ab82720283d9a27b3ca72490

      SHA1

      28ed426f5462b1eaf3dec3c50000dc47d03b5549

      SHA256

      546360798477f6e8ec31bf1e230a69bb78f882e71908c504b80604b00e0475cc

      SHA512

      1a8aa20936fafd8abac638e19fc7297df710301b2e0b7c66ebbd3b47b5606bfd83718b97c29edcc29efa3bde235d3eb59904ebafa8160c48cf3a086f4442e27b

      Download Submit

    • C:\Program Files\Net2e\SilkroadR\silkroad.exe
      Filesize

      796KB

      MD5

      7848d12390433960af0803630be759d6

      SHA1

      f35285e2dc52893195544af8598f4f00138a5d46

      SHA256

      3cddac8869e71e4ac294ac757428a2bf577d41a344388bae454572c66554f5a1

      SHA512

      e613a36c4a8baf110b54c079d4db333f86cd8ba5e3a08d894b81cc09e3a02bfd63ca84b7a7ab4dd518f880d0e98602e0e7056b040d8dab713036c2cba1727525

      Download Submit

    • C:\ProgramData\CFQPBU\TEV.00
      Filesize

      2KB

      MD5

      869c7988a9fae9365caeeabcda0e7f1a

      SHA1

      13bd3b73b6368ce425a8fb5673aaabe7d23325c1

      SHA256

      5d30f82285ce74ce9a3c2550df03e0c003fc5c9225ce256cdb0d023d39985a2c

      SHA512

      8fe063b771c85aeb25bfb4bb42bac4116d9857d2a987f5640042a3ac1ed167668d911eebe70a07c5fad2f7978d756d90d9fbb996d68b0438ee10664e025b6737

      Download Submit

    • C:\ProgramData\THF\TEV.004
      Filesize

      919B

      MD5

      7fce666abefcf0959bcd40f1840d72ba

      SHA1

      abba7db7b9f67024de2c254531d3984fdd80ed3c

      SHA256

      61fd27ae55a312c17f42d94a61f188e5786765c9dd07bb47183a1b9ef6072214

      SHA512

      0f5b8b41e91bda2aaf43e7968432cd6156cd89b48a19ab74954e7cb904669acdcfd908d6f29bf1a2480f96a129b43a1f18765d5dd4ac09113f59f65cf60b0cd0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2384\background.jpg
      Filesize

      208KB

      MD5

      c11651b1901e704b6b4b49f1df62401f

      SHA1

      e5ce36a9b955ff5fc72e3f11cd7c62e7416ed0ea

      SHA256

      e9657b10049a589e014cb97952eed96baa7daffdbbcef4089da821226b420ae4

      SHA512

      a50ac93d1a1018d43c54580d267f57bd23aec17903fdc537a00ba20bd27b609aae81192c2b297c704edeaa7b308f41ba76bd70f851e43d327ebc05d5bcaf60c8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2384\collecting.jpg
      Filesize

      1KB

      MD5

      750b3ce655a3dbc7961306d52c7b22b5

      SHA1

      2d5ed71c01abb38628eb81e1ac216f324a5c6f9d

      SHA256

      e7ff02b62f83626e7115f8a98f017fa4ec2927541c87a8555f51398d39583fbd

      SHA512

      d765f9008bd58e7d87392a44804945cecf04515ed5e0b134192c1e7a6e55d3509c181aa65de98d2c2afaba55e808e6cd4b625042c0a96f62ff0a64dbf88eb6eb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2384\finalizing.jpg
      Filesize

      2KB

      MD5

      b3d6cf5322b0a6e038fbf402b7a54f14

      SHA1

      7c65f0ec826cd5ec68c72a4fa79d37b0a44a2d95

      SHA256

      5ae1d4ab295fd065b861f319ecc62d2e5740423e2b7ffc662fdf45af9131ce40

      SHA512

      e6f1724c547555e58adbc22584ea834996f912cd504bacda41fd77cdb3793b57c4a93cba9610dde516a52f61448b7c78392823e159a24187f41364807ac1067b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2384\installing.jpg
      Filesize

      2KB

      MD5

      6a6ddf6728d0ba09c6e2983a97b1031c

      SHA1

      01352ded02319992c25d89dadc22e4631981b54e

      SHA256

      26ac8e8fd30e4bc4f66aaee0ce0bde0db2293012ae39f96652e9b12e1542d8be

      SHA512

      91a50aa21cec298b555c86b8ee5fb559f0f8e4b5160038f07d9be10be2f5920249b9eb0e1b957cd2d7dcef126115d5cbbadc74092a1c74c876db8f25e0b6bd98

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2384\preparing.jpg
      Filesize

      1KB

      MD5

      c420154355e85d1b2ca8cc6de2f78fde

      SHA1

      014707b5bc98d52e92c68b77d299e22075d2a561

      SHA256

      47b996f1d726dffcc482bcee2117ecaafed5df5e05cf8673bddfc769db08c3c0

      SHA512

      1506cd5ad09fc2cb99e2860cb94c70ec88f1ae97df8f75f5391827c9481c4e265dd0f1dc83cbd844678fd2f68c92dfe588338ea845e50e16effde24efd322143

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\EXE45E9.tmp.bat
      Filesize

      406B

      MD5

      222a2c01d5eb54249367aa4f8c114d0d

      SHA1

      e4884899695d32d2ad055b6fd577f29542cf8ae6

      SHA256

      a31b941087f354fe8f547d4eeaa2a8cf6fb2dd5acabefb1a055f9dde02c8b09e

      SHA512

      9ac0c73d7aef1921708b134f6301b5689f7832a489fe706522bc2d92ab8e8da65cef9297c9611f8cba23b6f85ca04826b6ab9949e670dcbead57093bfe73652b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\EXE4609.tmp.bat
      Filesize

      406B

      MD5

      b68d675d4159376da2949b24b648e8d0

      SHA1

      a5f63b663ff4e7423a436c19057c2309c24ee962

      SHA256

      d5d61f58a916f3c8f62172e1d0c4e9e1e66c6192ef5197a71d09f27b9fe3e184

      SHA512

      bfefc10061d78f9b96eb443b10dccf3e589b71ef295316d5dae95e968198cf8ab1d86dc22981462d031e3beb6aa02b9a0be20312ee6dc4fc08f12f4ee305a73d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSIB184.tmp
      Filesize

      91KB

      MD5

      f16f35078bfb36d801f8c500ba5c1a40

      SHA1

      3b97e9a8daf7e2d6a9e656edede87314ee142a89

      SHA256

      583bf08b032b830d33cb34fd0a1d51361311592528d27881266e87a074b416ff

      SHA512

      84e3207d6399a314f533ea597e23759c618a16fc57493e8fdf2ee86a1daf776d4315612fd6ba23046d46e46a92b1b0b29a2d40bdd27baa9dc51feadb4af89230

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Net2e\SilkroadR 1.0.0\install\ChayNhieuAcc_SroR_Net2e.x64.msi
      Filesize

      968KB

      MD5

      162a3c0bf3073c5a9d719d40abc2c1fc

      SHA1

      f618cfe1969992031456ad4932e5a3fb5af0f13e

      SHA256

      67353957c148bc1724cba07175216a738b924c4fa4adb5d52eaa3d99a19a321a

      SHA512

      c7a2ad6419d170f902a82d241fb1d35321ebe08c1fd63aa09f44b432faafaa003c3daa80cff96de122c446844d6de368c5885827587cb8b7951d3d3e3fa7acf1

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Net2e\SilkroadR 1.0.0\install\disk1.cab
      Filesize

      6.9MB

      MD5

      3e9bb7bf788f08d0194182820d423cab

      SHA1

      acc00292ce2f4c4e5091c4d3343672c8a0d02711

      SHA256

      8c0743ce218cf973d2ce755eb29213a54ea8c46771cd8ee39470cb7c573cc11a

      SHA512

      96639b731a61a403023aa4bf2383a04ebcfbb24ddc0977894a9372bee1669dfb7b722869df99ff9514b303b27bba7467e520ded6bc3caa86cddb5503d2fb4c74

      Download Submit

    • C:\Windows\Installer\MSI3777.tmp
      Filesize

      300KB

      MD5

      3953318d1e6d124b10805cc5919fe47e

      SHA1

      76dfb3240d7fd6b860d23a6d210d85adb17b7803

      SHA256

      0670c12c9d190d80f0e4b907041dd94ac25c93b71b121b75372e3560e7818e1b

      SHA512

      8937bc63d5cb685216e4fef6eef45cbdea96787d762467bfc7f8ce87b28985f4834cf67ba13e3f2194e472af1ce3ab39eb239ae2140ecab4eaf411cc95c207aa

      Download Submit

    • C:\Windows\Installer\MSI3AA6.tmp
      Filesize

      14KB

      MD5

      aa154d2b96be7ab9f8f2588c07ba7669

      SHA1

      972e5f88b4408b13c88f4126106db6a495806b7f

      SHA256

      0ca2db61f95832d643559b51acf71a01b3caa22a975988a1669898716f657c46

      SHA512

      4cfe97af406075a09cea81c84340fdc141ae95ae26cc6e1a465b7cf00fafccde48e55ac01cfee18dba5e7d368dc7cb3efd1dcc819f87b770691e4205882f7e3e

      Download Submit

    • \ProgramData\CFQPBU\TEV.01
      Filesize

      79KB

      MD5

      582bfe4bf9de1077982664ad8ce0754a

      SHA1

      465eb7f460f9eb9a34572df6f17cf2cb2d8c3688

      SHA256

      ce4597c260250342bec2baec880a040a62b70137c3aea062ea78e80159101184

      SHA512

      40ca7584c33eb8a4df9b7566ee4b2cc55061e627160a99535e43b3189ff1093d3b8d55cf56156f20bec8562de9fb80f3ddfd07b878002111d22b991c05b46207

      Download Submit

    • \ProgramData\CFQPBU\TEV.exe
      Filesize

      2.6MB

      MD5

      bbf69aeaed386c67d946b1cb197abcac

      SHA1

      c291c37b677c0784ead38e57ee22d704b2196730

      SHA256

      8bd424a581e6307dce2231a459d686486937d491677827b2f3eee8110741ba2a

      SHA512

      4e7df27a352a207f7d9c2a20835e6b3d036ce30f69b3cce74687e165f1138f15de62a6aa8ee81c777d168e5ee7202077e7e9e1c5a67e39d07b5064c7e96c3a85

      Download Submit

    • memory/1244-167-0x0000000000AE0000-0x0000000000AF9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/2076-162-0x0000000000380000-0x0000000000399000-memory.dmp

      Filesize

      100KB

      Download

    • memory/2384-169-0x00000000029B0000-0x00000000029C9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/2384-0-0x0000000000850000-0x0000000000851000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2384-70-0x0000000000850000-0x0000000000851000-memory.dmp

      Filesize

      4KB

      Download