Overview

overview

10

Static

static

3

2024-11-18...ia.exe

windows7-x64

10

2024-11-18...ia.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    132s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    18-11-2024 14:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe

  • Size

    10.4MB

  • MD5

    185c218239b46dff1b2b4642338f373e

  • SHA1

    77b794f16a8621b424355343bc5a4b04fd07f875

  • SHA256

    07eb94556da6da2c55e65b5fa7b48fd983c0b448c6ffa202d44c689d49ce6da8

  • SHA512

    77f579ea578865d9ab76378dc6207ee8e43647426c534616e7dff39c943d00f00ef306039d924ed45445850a68fd5bf1aa0c85d9c9ca95d0a1eb2bf2dc1955be

  • SSDEEP

    196608:1zS1+mVNY/EeryIqxQcZ77QxqJ8UhPo09VSY0P7JkwGIQW5zf:1zSLVaqx77UxS8cPFWY0P7JkwmWN

Score
10/10
ardamaxdiscoverykeyloggerpersistencestealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax family
    ardamax
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 11 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 23 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Views/modifies file attributes 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Users\Admin\AppData\Local\Temp\2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe" /i "C:\Users\Admin\AppData\Roaming\Net2e\SilkroadR 1.0.0\install\ChayNhieuAcc_SroR_Net2e.x64.msi" CLIENTPROCESSID="2000" ADDLOCAL="MainFeature" SECONDSEQUENCE="1" CHAINERUIPROCESSID="2000Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\" AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\2024-11-18_185c218239b46dff1b2b4642338f373e_mafia.exe" EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs " TARGETDIR="C:\" APPDIR="C:\Program Files\Net2e\SilkroadR\" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SilkroadR"
      2⤵
      • Loads dropped DLL
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      PID:2960
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\EXE7BA8.tmp.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2296
      • C:\Windows\SysWOW64\attrib.exe
        ATTRIB -r "\\?\C:\Users\Admin\AppData\Roaming\Net2e\SILKRO~1.0\install\CHAYNH~2.MSI"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:1668
      • C:\Windows\SysWOW64\attrib.exe
        ATTRIB -r "C:\Users\Admin\AppData\Local\Temp\EXE7BA8.tmp.bat"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2936
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE7BA8.tmp.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2448
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" cls"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2344
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\EXE7BD8.tmp.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2132
      • C:\Windows\SysWOW64\attrib.exe
        ATTRIB -r "\\?\C:\Users\Admin\AppData\Roaming\Net2e\SILKRO~1.0\install\CHAYNH~2.MSI"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:1368
      • C:\Windows\SysWOW64\attrib.exe
        ATTRIB -r "C:\Users\Admin\AppData\Local\Temp\EXE7BD8.tmp.bat"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2744
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE7BD8.tmp.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2764
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" cls"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2044
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2268
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding A5C0990024862724125427154D5ECE27 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2072
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 2ED063D417D9D9DF225F6EA7577DA773
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1624
    • C:\Windows\Installer\MSI6BE3.tmp
      "C:\Windows\Installer\MSI6BE3.tmp" "C:\Program Files\Net2e\SilkroadR\SRO_R.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:868
      • C:\Program Files\Net2e\SilkroadR\SRO_R.exe
        "C:\Program Files\Net2e\SilkroadR\SRO_R.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1036
        • C:\ProgramData\CFQPBU\TEV.exe
          "C:\ProgramData\CFQPBU\TEV.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          PID:2828
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:1492
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005A8" "00000000000003CC"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:1632

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\f776319.rbs
      Filesize

      9KB

      MD5

      92d70797c5c15980b0db05b9abb32879

      SHA1

      680db27d6619852546828220948621f2544d1c96

      SHA256

      81b8cd0ffeb32ad7324a8ab31c42bef338f10002460fc345011422c8ad014129

      SHA512

      f70097d243073caba2656089d6c58e0ee4948e1f498a01d39e0785e160cf706464cdabddbe122a38ec420817a9a26c56e58a1288aef58ada00543b1fd25e0af8

      Download Submit

    • C:\Program Files\Net2e\SilkroadR\SRO_R.exe
      Filesize

      2.3MB

      MD5

      38bbc879ab82720283d9a27b3ca72490

      SHA1

      28ed426f5462b1eaf3dec3c50000dc47d03b5549

      SHA256

      546360798477f6e8ec31bf1e230a69bb78f882e71908c504b80604b00e0475cc

      SHA512

      1a8aa20936fafd8abac638e19fc7297df710301b2e0b7c66ebbd3b47b5606bfd83718b97c29edcc29efa3bde235d3eb59904ebafa8160c48cf3a086f4442e27b

      Download Submit

    • C:\Program Files\Net2e\SilkroadR\silkroad.exe
      Filesize

      796KB

      MD5

      7848d12390433960af0803630be759d6

      SHA1

      f35285e2dc52893195544af8598f4f00138a5d46

      SHA256

      3cddac8869e71e4ac294ac757428a2bf577d41a344388bae454572c66554f5a1

      SHA512

      e613a36c4a8baf110b54c079d4db333f86cd8ba5e3a08d894b81cc09e3a02bfd63ca84b7a7ab4dd518f880d0e98602e0e7056b040d8dab713036c2cba1727525

      Download Submit

    • C:\ProgramData\CFQPBU\TEV.00
      Filesize

      2KB

      MD5

      869c7988a9fae9365caeeabcda0e7f1a

      SHA1

      13bd3b73b6368ce425a8fb5673aaabe7d23325c1

      SHA256

      5d30f82285ce74ce9a3c2550df03e0c003fc5c9225ce256cdb0d023d39985a2c

      SHA512

      8fe063b771c85aeb25bfb4bb42bac4116d9857d2a987f5640042a3ac1ed167668d911eebe70a07c5fad2f7978d756d90d9fbb996d68b0438ee10664e025b6737

      Download Submit

    • C:\ProgramData\CFQPBU\TEV.exe
      Filesize

      2.6MB

      MD5

      bbf69aeaed386c67d946b1cb197abcac

      SHA1

      c291c37b677c0784ead38e57ee22d704b2196730

      SHA256

      8bd424a581e6307dce2231a459d686486937d491677827b2f3eee8110741ba2a

      SHA512

      4e7df27a352a207f7d9c2a20835e6b3d036ce30f69b3cce74687e165f1138f15de62a6aa8ee81c777d168e5ee7202077e7e9e1c5a67e39d07b5064c7e96c3a85

      Download Submit

    • C:\ProgramData\THF\TEV.004
      Filesize

      919B

      MD5

      4cc6712b328331367179b3cc4ece337b

      SHA1

      972e8b6bb4d6bf58f266153864b6a043a2de385f

      SHA256

      2a02bd43c9e3efdf12906b540035e461ecca4eef7247ec883443ba8d75d28e09

      SHA512

      4a42215c0227228ba4d42b21890dd93d002685bd0761d66f9ab921092f64fed614fa490c5afe5e3ad27ce02f44d7d71b386f41ba12a100ed36aee575b87cbc80

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2000\background.jpg
      Filesize

      208KB

      MD5

      c11651b1901e704b6b4b49f1df62401f

      SHA1

      e5ce36a9b955ff5fc72e3f11cd7c62e7416ed0ea

      SHA256

      e9657b10049a589e014cb97952eed96baa7daffdbbcef4089da821226b420ae4

      SHA512

      a50ac93d1a1018d43c54580d267f57bd23aec17903fdc537a00ba20bd27b609aae81192c2b297c704edeaa7b308f41ba76bd70f851e43d327ebc05d5bcaf60c8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2000\collecting.jpg
      Filesize

      1KB

      MD5

      750b3ce655a3dbc7961306d52c7b22b5

      SHA1

      2d5ed71c01abb38628eb81e1ac216f324a5c6f9d

      SHA256

      e7ff02b62f83626e7115f8a98f017fa4ec2927541c87a8555f51398d39583fbd

      SHA512

      d765f9008bd58e7d87392a44804945cecf04515ed5e0b134192c1e7a6e55d3509c181aa65de98d2c2afaba55e808e6cd4b625042c0a96f62ff0a64dbf88eb6eb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2000\finalizing.jpg
      Filesize

      2KB

      MD5

      b3d6cf5322b0a6e038fbf402b7a54f14

      SHA1

      7c65f0ec826cd5ec68c72a4fa79d37b0a44a2d95

      SHA256

      5ae1d4ab295fd065b861f319ecc62d2e5740423e2b7ffc662fdf45af9131ce40

      SHA512

      e6f1724c547555e58adbc22584ea834996f912cd504bacda41fd77cdb3793b57c4a93cba9610dde516a52f61448b7c78392823e159a24187f41364807ac1067b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2000\installing.jpg
      Filesize

      2KB

      MD5

      6a6ddf6728d0ba09c6e2983a97b1031c

      SHA1

      01352ded02319992c25d89dadc22e4631981b54e

      SHA256

      26ac8e8fd30e4bc4f66aaee0ce0bde0db2293012ae39f96652e9b12e1542d8be

      SHA512

      91a50aa21cec298b555c86b8ee5fb559f0f8e4b5160038f07d9be10be2f5920249b9eb0e1b957cd2d7dcef126115d5cbbadc74092a1c74c876db8f25e0b6bd98

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2000\preparing.jpg
      Filesize

      1KB

      MD5

      c420154355e85d1b2ca8cc6de2f78fde

      SHA1

      014707b5bc98d52e92c68b77d299e22075d2a561

      SHA256

      47b996f1d726dffcc482bcee2117ecaafed5df5e05cf8673bddfc769db08c3c0

      SHA512

      1506cd5ad09fc2cb99e2860cb94c70ec88f1ae97df8f75f5391827c9481c4e265dd0f1dc83cbd844678fd2f68c92dfe588338ea845e50e16effde24efd322143

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\EXE7BA8.tmp.bat
      Filesize

      406B

      MD5

      cbfca33e05f5534487ef84435a67d423

      SHA1

      4ee68d72c95e5fdb64b1883d61a2cc0ee0339e10

      SHA256

      965712c7a5739164687ccb88de97114c5fc301473356b3af7325ac5060acd57f

      SHA512

      031afc0df52cdb4df677f693f2d4857ea1628731b5dfe8ab9ab2a546ae79357f1be075d0ac99f561b6074aa713f19bf9054e8af65929a6bd1b1626e24f97107b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\EXE7BD8.tmp.bat
      Filesize

      406B

      MD5

      14738493268e705bc3dee34dc8e02e32

      SHA1

      ec868d8df67b30a53339033d4dec8a0c914ef71c

      SHA256

      c77452690bcf1109354aacd0e2b39187e987146dfb57332629611e48fcb3109b

      SHA512

      54f7d2c1f596d3ab40d7c298176acb0fe0869dfb7016f9106cadedf7967bf7bebb1b564d14bede15ba6f73707fd0677b2be52b1c2a2c4644949eb9e9d508acd1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSICF21.tmp
      Filesize

      91KB

      MD5

      f16f35078bfb36d801f8c500ba5c1a40

      SHA1

      3b97e9a8daf7e2d6a9e656edede87314ee142a89

      SHA256

      583bf08b032b830d33cb34fd0a1d51361311592528d27881266e87a074b416ff

      SHA512

      84e3207d6399a314f533ea597e23759c618a16fc57493e8fdf2ee86a1daf776d4315612fd6ba23046d46e46a92b1b0b29a2d40bdd27baa9dc51feadb4af89230

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Net2e\SilkroadR 1.0.0\install\ChayNhieuAcc_SroR_Net2e.x64.msi
      Filesize

      968KB

      MD5

      162a3c0bf3073c5a9d719d40abc2c1fc

      SHA1

      f618cfe1969992031456ad4932e5a3fb5af0f13e

      SHA256

      67353957c148bc1724cba07175216a738b924c4fa4adb5d52eaa3d99a19a321a

      SHA512

      c7a2ad6419d170f902a82d241fb1d35321ebe08c1fd63aa09f44b432faafaa003c3daa80cff96de122c446844d6de368c5885827587cb8b7951d3d3e3fa7acf1

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Net2e\SilkroadR 1.0.0\install\disk1.cab
      Filesize

      6.9MB

      MD5

      3e9bb7bf788f08d0194182820d423cab

      SHA1

      acc00292ce2f4c4e5091c4d3343672c8a0d02711

      SHA256

      8c0743ce218cf973d2ce755eb29213a54ea8c46771cd8ee39470cb7c573cc11a

      SHA512

      96639b731a61a403023aa4bf2383a04ebcfbb24ddc0977894a9372bee1669dfb7b722869df99ff9514b303b27bba7467e520ded6bc3caa86cddb5503d2fb4c74

      Download Submit

    • C:\Windows\Installer\MSI65B7.tmp
      Filesize

      300KB

      MD5

      3953318d1e6d124b10805cc5919fe47e

      SHA1

      76dfb3240d7fd6b860d23a6d210d85adb17b7803

      SHA256

      0670c12c9d190d80f0e4b907041dd94ac25c93b71b121b75372e3560e7818e1b

      SHA512

      8937bc63d5cb685216e4fef6eef45cbdea96787d762467bfc7f8ce87b28985f4834cf67ba13e3f2194e472af1ce3ab39eb239ae2140ecab4eaf411cc95c207aa

      Download Submit

    • C:\Windows\Installer\MSI6BE3.tmp
      Filesize

      14KB

      MD5

      aa154d2b96be7ab9f8f2588c07ba7669

      SHA1

      972e5f88b4408b13c88f4126106db6a495806b7f

      SHA256

      0ca2db61f95832d643559b51acf71a01b3caa22a975988a1669898716f657c46

      SHA512

      4cfe97af406075a09cea81c84340fdc141ae95ae26cc6e1a465b7cf00fafccde48e55ac01cfee18dba5e7d368dc7cb3efd1dcc819f87b770691e4205882f7e3e

      Download Submit

    • \ProgramData\CFQPBU\TEV.01
      Filesize

      79KB

      MD5

      582bfe4bf9de1077982664ad8ce0754a

      SHA1

      465eb7f460f9eb9a34572df6f17cf2cb2d8c3688

      SHA256

      ce4597c260250342bec2baec880a040a62b70137c3aea062ea78e80159101184

      SHA512

      40ca7584c33eb8a4df9b7566ee4b2cc55061e627160a99535e43b3189ff1093d3b8d55cf56156f20bec8562de9fb80f3ddfd07b878002111d22b991c05b46207

      Download Submit

    • memory/2000-167-0x00000000028E0000-0x00000000028F9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/2000-0-0x0000000000430000-0x0000000000431000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2000-70-0x0000000000430000-0x0000000000431000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2828-163-0x0000000000360000-0x0000000000379000-memory.dmp

      Filesize

      100KB

      Download

    • memory/2960-165-0x0000000000A20000-0x0000000000A39000-memory.dmp

      Filesize

      100KB

      Download