Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-11-2024 12:27
Static task
static1
Behavioral task
behavioral1
Sample
Install.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
Install.exe
Resource
win10v2004-20241007-en
General
-
Target
Install.exe
-
Size
2.2MB
-
MD5
1382e4d171d911ad48f0c4ebe58ae29d
-
SHA1
e15768445f428f578a2a304a3a3d675400cef2bb
-
SHA256
6b1dd1c338fbbccd877e74e54713e8a5165251b90aff3e71995fe693f7f680fa
-
SHA512
854d1dd1f23674264fa33e4c4a21a4457892c2d82885bc5d269ba77ffcde433ec75bbf9eef4df9d04b74634abf014291073b17e9352cc93bf9d1301c2097a30d
-
SSDEEP
49152:F5669KWXjUCnBBDeWTjTcmzR2op3L7S24hyzWa:D669KWXICnBBKWT0mzR2opLL8SW
Malware Config
Signatures
-
Ardamax family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Install.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation Install.exe -
Executes dropped EXE 1 IoCs
Processes:
FYK.exepid process 2216 FYK.exe -
Loads dropped DLL 2 IoCs
Processes:
FYK.exepid process 2216 FYK.exe 2216 FYK.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
FYK.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FYK Start = "C:\\ProgramData\\RUXEKE\\FYK.exe" FYK.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Install.exeFYK.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Install.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FYK.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
FYK.exepid process 2216 FYK.exe 2216 FYK.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
FYK.exepid process 2216 FYK.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
FYK.exepid process 2216 FYK.exe 2216 FYK.exe 2216 FYK.exe 2216 FYK.exe 2216 FYK.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
Install.exedescription pid process target process PID 4376 wrote to memory of 2216 4376 Install.exe FYK.exe PID 4376 wrote to memory of 2216 4376 Install.exe FYK.exe PID 4376 wrote to memory of 2216 4376 Install.exe FYK.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Install.exe"C:\Users\Admin\AppData\Local\Temp\Install.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4376 -
C:\ProgramData\RUXEKE\FYK.exe"C:\ProgramData\RUXEKE\FYK.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2216
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD518d370fe236a57ba505f22f588e89bf5
SHA12545ad5f2144aba486f85b2970be26b3b0a3cb92
SHA25673dde880c6b822ded99d8ad96d6429f772f181439ad08be84211c13f5bd8453b
SHA512527b0044706357ffd1fd5bbf7e501b914e49f6a57273466e6f03c75a66ae102fc154189d5414052c1a6a29ac5132fd4853f7ce71af17dd26926a23e1a6f5889d
-
Filesize
79KB
MD5b1936b29dd260e0dc7d46a09df4134da
SHA1b782cb9c091dc6aaff3263834b91ab3933c94614
SHA256064e50cb041bdae3365a02ec84b4d200feeca8538b315b12656bcdb0f884d268
SHA512d6993baf0e630ed27aaa3938ef94da273cf4c3ab5a5c82080aa2ba517ee5fca4f04f9b56dbbfcf0e392f328c5e5e7d0f737cba33a6c3283587710b7c1233ba25
-
Filesize
2.6MB
MD56a8ce42b097c7a3fdce00acf554a1c48
SHA1d656df03348d4c7ecab57853d16418f8b4f1a8d9
SHA256e18bd5cd194f0402be88422e126210eaa3de381e6796f1816c2690cd3736fbae
SHA512aa81e13c422cc34685c21c92b0f1e2f2359241a901ea1939a95a9e92b22601d052122827ba5bda63c07ea678904ef31fe6eda150333d112b7fd31c886a88309a