Overview

overview

10

Static

static

3

2024-11-18...ia.exe

windows7-x64

10

2024-11-18...ia.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-11-2024 14:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe

  • Size

    10.4MB

  • MD5

    185c218239b46dff1b2b4642338f373e

  • SHA1

    77b794f16a8621b424355343bc5a4b04fd07f875

  • SHA256

    07eb94556da6da2c55e65b5fa7b48fd983c0b448c6ffa202d44c689d49ce6da8

  • SHA512

    77f579ea578865d9ab76378dc6207ee8e43647426c534616e7dff39c943d00f00ef306039d924ed45445850a68fd5bf1aa0c85d9c9ca95d0a1eb2bf2dc1955be

  • SSDEEP

    196608:1zS1+mVNY/EeryIqxQcZ77QxqJ8UhPo09VSY0P7JkwGIQW5zf:1zSLVaqx77UxS8cPFWY0P7JkwmWN

Score
10/10
ardamaxdiscoverykeyloggerpersistencestealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax family
    ardamax
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 14 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Views/modifies file attributes 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4060
    • C:\Users\Admin\AppData\Local\Temp\2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe" /i "C:\Users\Admin\AppData\Roaming\Net2e\SilkroadR 1.0.0\install\ChayNhieuAcc_SroR_Net2e.x64.msi" CLIENTPROCESSID="4060" ADDLOCAL="MainFeature" SECONDSEQUENCE="1" CHAINERUIPROCESSID="4060Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe" EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs " TARGETDIR="C:\" APPDIR="C:\Program Files\Net2e\SilkroadR\" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SilkroadR"
      2⤵
      • Loads dropped DLL
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      PID:1588
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE63EA.tmp.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1908
      • C:\Windows\SysWOW64\attrib.exe
        ATTRIB -r "\\?\C:\Users\Admin\AppData\Roaming\Net2e\SILKRO~1.0\install\CHAYNH~2.MSI"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:4564
      • C:\Windows\SysWOW64\attrib.exe
        ATTRIB -r "C:\Users\Admin\AppData\Local\Temp\EXE63EA.tmp.bat"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:1980
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE63EA.tmp.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2024
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" cls"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:964
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE6449.tmp.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2128
      • C:\Windows\SysWOW64\attrib.exe
        ATTRIB -r "\\?\C:\Users\Admin\AppData\Roaming\Net2e\SILKRO~1.0\install\CHAYNH~2.MSI"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:552
      • C:\Windows\SysWOW64\attrib.exe
        ATTRIB -r "C:\Users\Admin\AppData\Local\Temp\EXE6449.tmp.bat"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:4448
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE6449.tmp.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2664
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" cls"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3688
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3456
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding EFE5055C55ADC973110EF735428CFD8C C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:3024
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:2976
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 5451A87C33BA949EF1980576B1C9F8E6
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:3508
      • C:\Windows\Installer\MSI561F.tmp
        "C:\Windows\Installer\MSI561F.tmp" "C:\Program Files\Net2e\SilkroadR\SRO_R.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:4728
        • C:\Program Files\Net2e\SilkroadR\SRO_R.exe
          "C:\Program Files\Net2e\SilkroadR\SRO_R.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4508
          • C:\ProgramData\CFQPBU\TEV.exe
            "C:\ProgramData\CFQPBU\TEV.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            PID:4864
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:680

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e584d51.rbs
      Filesize

      9KB

      MD5

      7bc8cf9d296d70e9c50332cf77fa31da

      SHA1

      24dbff82004f48f52757e0434371197cdb02a62b

      SHA256

      3e0093b425bfc7656a20112bc6873f2009a6bb1a72510eb129d7f2826abebb67

      SHA512

      b41c9435596e514077714fc1bbb7e040e719477896b27be315b6976e0a6f78b7579eb508d4282f91c5038aa1c19ae4cc8f77afd8ec42b3d36ebefcf780bd8d1f

      Download Submit

    • C:\Program Files\Net2e\SilkroadR\SRO_R.exe
      Filesize

      2.3MB

      MD5

      38bbc879ab82720283d9a27b3ca72490

      SHA1

      28ed426f5462b1eaf3dec3c50000dc47d03b5549

      SHA256

      546360798477f6e8ec31bf1e230a69bb78f882e71908c504b80604b00e0475cc

      SHA512

      1a8aa20936fafd8abac638e19fc7297df710301b2e0b7c66ebbd3b47b5606bfd83718b97c29edcc29efa3bde235d3eb59904ebafa8160c48cf3a086f4442e27b

      Download Submit

    • C:\Program Files\Net2e\SilkroadR\silkroad.exe
      Filesize

      796KB

      MD5

      7848d12390433960af0803630be759d6

      SHA1

      f35285e2dc52893195544af8598f4f00138a5d46

      SHA256

      3cddac8869e71e4ac294ac757428a2bf577d41a344388bae454572c66554f5a1

      SHA512

      e613a36c4a8baf110b54c079d4db333f86cd8ba5e3a08d894b81cc09e3a02bfd63ca84b7a7ab4dd518f880d0e98602e0e7056b040d8dab713036c2cba1727525

      Download Submit

    • C:\ProgramData\CFQPBU\TEV.00
      Filesize

      2KB

      MD5

      869c7988a9fae9365caeeabcda0e7f1a

      SHA1

      13bd3b73b6368ce425a8fb5673aaabe7d23325c1

      SHA256

      5d30f82285ce74ce9a3c2550df03e0c003fc5c9225ce256cdb0d023d39985a2c

      SHA512

      8fe063b771c85aeb25bfb4bb42bac4116d9857d2a987f5640042a3ac1ed167668d911eebe70a07c5fad2f7978d756d90d9fbb996d68b0438ee10664e025b6737

      Download Submit

    • C:\ProgramData\CFQPBU\TEV.01
      Filesize

      79KB

      MD5

      582bfe4bf9de1077982664ad8ce0754a

      SHA1

      465eb7f460f9eb9a34572df6f17cf2cb2d8c3688

      SHA256

      ce4597c260250342bec2baec880a040a62b70137c3aea062ea78e80159101184

      SHA512

      40ca7584c33eb8a4df9b7566ee4b2cc55061e627160a99535e43b3189ff1093d3b8d55cf56156f20bec8562de9fb80f3ddfd07b878002111d22b991c05b46207

      Download Submit

    • C:\ProgramData\CFQPBU\TEV.exe
      Filesize

      2.6MB

      MD5

      bbf69aeaed386c67d946b1cb197abcac

      SHA1

      c291c37b677c0784ead38e57ee22d704b2196730

      SHA256

      8bd424a581e6307dce2231a459d686486937d491677827b2f3eee8110741ba2a

      SHA512

      4e7df27a352a207f7d9c2a20835e6b3d036ce30f69b3cce74687e165f1138f15de62a6aa8ee81c777d168e5ee7202077e7e9e1c5a67e39d07b5064c7e96c3a85

      Download Submit

    • C:\ProgramData\THF\TEV.004
      Filesize

      919B

      MD5

      72459c359f97d95c73098e01973396c6

      SHA1

      e67c780e228dd6aec9c41b8d572c1aaf42cc77bc

      SHA256

      3f472bf67ed3510d9efcfe7403ee7381d611e5c8e3ec033850ddaa8f6192d06a

      SHA512

      4238ba6dae234a325862470879ec46aae50dce10f129d2066f2243c14350e606e9dea7254808b3ea9cc28e65ec99f85db945a923cdbab6ae73b9528bfa4abbde

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4060\background.jpg
      Filesize

      208KB

      MD5

      c11651b1901e704b6b4b49f1df62401f

      SHA1

      e5ce36a9b955ff5fc72e3f11cd7c62e7416ed0ea

      SHA256

      e9657b10049a589e014cb97952eed96baa7daffdbbcef4089da821226b420ae4

      SHA512

      a50ac93d1a1018d43c54580d267f57bd23aec17903fdc537a00ba20bd27b609aae81192c2b297c704edeaa7b308f41ba76bd70f851e43d327ebc05d5bcaf60c8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4060\collecting.jpg
      Filesize

      1KB

      MD5

      750b3ce655a3dbc7961306d52c7b22b5

      SHA1

      2d5ed71c01abb38628eb81e1ac216f324a5c6f9d

      SHA256

      e7ff02b62f83626e7115f8a98f017fa4ec2927541c87a8555f51398d39583fbd

      SHA512

      d765f9008bd58e7d87392a44804945cecf04515ed5e0b134192c1e7a6e55d3509c181aa65de98d2c2afaba55e808e6cd4b625042c0a96f62ff0a64dbf88eb6eb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4060\finalizing.jpg
      Filesize

      2KB

      MD5

      b3d6cf5322b0a6e038fbf402b7a54f14

      SHA1

      7c65f0ec826cd5ec68c72a4fa79d37b0a44a2d95

      SHA256

      5ae1d4ab295fd065b861f319ecc62d2e5740423e2b7ffc662fdf45af9131ce40

      SHA512

      e6f1724c547555e58adbc22584ea834996f912cd504bacda41fd77cdb3793b57c4a93cba9610dde516a52f61448b7c78392823e159a24187f41364807ac1067b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4060\installing.jpg
      Filesize

      2KB

      MD5

      6a6ddf6728d0ba09c6e2983a97b1031c

      SHA1

      01352ded02319992c25d89dadc22e4631981b54e

      SHA256

      26ac8e8fd30e4bc4f66aaee0ce0bde0db2293012ae39f96652e9b12e1542d8be

      SHA512

      91a50aa21cec298b555c86b8ee5fb559f0f8e4b5160038f07d9be10be2f5920249b9eb0e1b957cd2d7dcef126115d5cbbadc74092a1c74c876db8f25e0b6bd98

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_4060\preparing.jpg
      Filesize

      1KB

      MD5

      c420154355e85d1b2ca8cc6de2f78fde

      SHA1

      014707b5bc98d52e92c68b77d299e22075d2a561

      SHA256

      47b996f1d726dffcc482bcee2117ecaafed5df5e05cf8673bddfc769db08c3c0

      SHA512

      1506cd5ad09fc2cb99e2860cb94c70ec88f1ae97df8f75f5391827c9481c4e265dd0f1dc83cbd844678fd2f68c92dfe588338ea845e50e16effde24efd322143

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\EXE63EA.tmp.bat
      Filesize

      406B

      MD5

      2da47552241f594c259910cd525418aa

      SHA1

      dc1a2234b4d76430bd90603b3d49928fdc3c72a3

      SHA256

      a7f31fbf2861d197824b5497070efa0faed94bb610663df939364d7d25050017

      SHA512

      e2b9a99fde7cc6edaf73ae88d57b0ae27abe68010487b4929ba86eb98e95a178c3403a3652d50d951330ce78fac6743f7e211c15be0e2585af470f2a407349c0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\EXE6449.tmp.bat
      Filesize

      406B

      MD5

      78d41cad762c4358a451fc6dddf172a0

      SHA1

      e2a483b5aba0652f5b7e66876c3e6e2d0da04860

      SHA256

      df85456bf38c807d39cf088fbd5e1da2d4208a1b64d665310ab3abe6b1d66121

      SHA512

      a0ed72188a949660c168599cf1e6be02dcd3741d9cdc0be140d8e4335a6c60c520cc828e95a14d2a8d3387cd7ac6c1239676b7be78f4f66e22f5e58c98c27e49

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSIA2E8.tmp
      Filesize

      91KB

      MD5

      f16f35078bfb36d801f8c500ba5c1a40

      SHA1

      3b97e9a8daf7e2d6a9e656edede87314ee142a89

      SHA256

      583bf08b032b830d33cb34fd0a1d51361311592528d27881266e87a074b416ff

      SHA512

      84e3207d6399a314f533ea597e23759c618a16fc57493e8fdf2ee86a1daf776d4315612fd6ba23046d46e46a92b1b0b29a2d40bdd27baa9dc51feadb4af89230

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Net2e\SilkroadR 1.0.0\install\ChayNhieuAcc_SroR_Net2e.x64.msi
      Filesize

      968KB

      MD5

      162a3c0bf3073c5a9d719d40abc2c1fc

      SHA1

      f618cfe1969992031456ad4932e5a3fb5af0f13e

      SHA256

      67353957c148bc1724cba07175216a738b924c4fa4adb5d52eaa3d99a19a321a

      SHA512

      c7a2ad6419d170f902a82d241fb1d35321ebe08c1fd63aa09f44b432faafaa003c3daa80cff96de122c446844d6de368c5885827587cb8b7951d3d3e3fa7acf1

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Net2e\SilkroadR 1.0.0\install\disk1.cab
      Filesize

      6.9MB

      MD5

      3e9bb7bf788f08d0194182820d423cab

      SHA1

      acc00292ce2f4c4e5091c4d3343672c8a0d02711

      SHA256

      8c0743ce218cf973d2ce755eb29213a54ea8c46771cd8ee39470cb7c573cc11a

      SHA512

      96639b731a61a403023aa4bf2383a04ebcfbb24ddc0977894a9372bee1669dfb7b722869df99ff9514b303b27bba7467e520ded6bc3caa86cddb5503d2fb4c74

      Download Submit

    • C:\Windows\Installer\MSI4FA5.tmp
      Filesize

      300KB

      MD5

      3953318d1e6d124b10805cc5919fe47e

      SHA1

      76dfb3240d7fd6b860d23a6d210d85adb17b7803

      SHA256

      0670c12c9d190d80f0e4b907041dd94ac25c93b71b121b75372e3560e7818e1b

      SHA512

      8937bc63d5cb685216e4fef6eef45cbdea96787d762467bfc7f8ce87b28985f4834cf67ba13e3f2194e472af1ce3ab39eb239ae2140ecab4eaf411cc95c207aa

      Download Submit

    • C:\Windows\Installer\MSI561F.tmp
      Filesize

      14KB

      MD5

      aa154d2b96be7ab9f8f2588c07ba7669

      SHA1

      972e5f88b4408b13c88f4126106db6a495806b7f

      SHA256

      0ca2db61f95832d643559b51acf71a01b3caa22a975988a1669898716f657c46

      SHA512

      4cfe97af406075a09cea81c84340fdc141ae95ae26cc6e1a465b7cf00fafccde48e55ac01cfee18dba5e7d368dc7cb3efd1dcc819f87b770691e4205882f7e3e

      Download Submit

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      24.1MB

      MD5

      45815e4b98fc9e92a40a0a72bf813607

      SHA1

      6b087c9bb46c36ffb8f84c5b3185a255f7eb5e8c

      SHA256

      2f3e6d62da0a289b49775fc97a45105bf967aab06cf3401dbe8537e1af499edd

      SHA512

      2c139f5c92594cbd4de9e5a1ca014801b200ed17830462fde784fa5ac58197df372c224473af17e7c08e98636c11f33a4d56646e1a410571936363580a801fc9

      Download Submit

    • \??\Volume{612d9cf5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e99001f3-5abe-4945-a5fb-29f48aaeb75c}_OnDiskSnapshotProp
      Filesize

      6KB

      MD5

      5feadda6e5bf0619a909ed70f1ff2211

      SHA1

      703881cdf9ad32326509ed81320e1b869c5f8ac6

      SHA256

      e41f1ed27e1f15b0cda9d6ace96bbf4b43c05bf946dc451fb7d5aaadc360dea7

      SHA512

      72a2e21e792f6dfb7a718160df06dcb4589ee63798ed010aa202b3f33b60bea32856a7804bc8b966c67f7a6adfe7d04b13c5ff5caa16d66a643aadbd9cd489e3

      Download Submit

    • memory/1588-180-0x0000000003EA0000-0x0000000003EB9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/4060-185-0x0000000003900000-0x0000000003919000-memory.dmp

      Filesize

      100KB

      Download

    • memory/4060-0-0x0000000000D00000-0x0000000000D01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4060-78-0x0000000000D00000-0x0000000000D01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4864-177-0x0000000004240000-0x0000000004259000-memory.dmp

      Filesize

      100KB

      Download