Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-11-2024 12:27

General

  • Target

    Install.exe

  • Size

    2.2MB

  • MD5

    1382e4d171d911ad48f0c4ebe58ae29d

  • SHA1

    e15768445f428f578a2a304a3a3d675400cef2bb

  • SHA256

    6b1dd1c338fbbccd877e74e54713e8a5165251b90aff3e71995fe693f7f680fa

  • SHA512

    854d1dd1f23674264fa33e4c4a21a4457892c2d82885bc5d269ba77ffcde433ec75bbf9eef4df9d04b74634abf014291073b17e9352cc93bf9d1301c2097a30d

  • SSDEEP

    49152:F5669KWXjUCnBBDeWTjTcmzR2op3L7S24hyzWa:D669KWXICnBBKWT0mzR2opLL8SW

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely used for geofencing.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Install.exe
    "C:\Users\Admin\AppData\Local\Temp\Install.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4376
    • C:\ProgramData\RUXEKE\FYK.exe
      "C:\ProgramData\RUXEKE\FYK.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:2216
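The process tree above (a dropper staged in the user's Temp directory, a payload written to and executed from C:\ProgramData\RUXEKE, and a Run key pointing at that payload) translates directly into host-based detection logic. The following is an added example and not part of the sandbox report or Triage's own signature code. It runs three rules over constructed Sysmon-style events modelled on this report's paths and PIDs: field names (Image, ParentImage, TargetFilename, TargetObject, Details) follow Sysmon event IDs 1, 11 and 13, but the events themselves are sample data, not a captured log.

```python
import ntpath
import re

# Constructed Sysmon-style events modelled on this report's process tree.
# The values are sample data built for this example, not a captured log.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4376,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\Install.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "ProcessId": 4376, "TargetFilename": r"C:\ProgramData\RUXEKE\FYK.exe"},
    {"EventID": 11, "ProcessId": 4376, "TargetFilename": r"C:\ProgramData\RUXEKE\FYK.00"},
    {"EventID": 11, "ProcessId": 4376, "TargetFilename": r"C:\ProgramData\RUXEKE\FYK.01"},
    {"EventID": 1, "ProcessId": 2216,
     "Image": r"C:\ProgramData\RUXEKE\FYK.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\Install.exe"},
    {"EventID": 13, "ProcessId": 2216,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\FYK",
     "Details": r"C:\ProgramData\RUXEKE\FYK.exe"},
    # Benign noise: a legitimate installer registering a Run key under Program Files.
    {"EventID": 13, "ProcessId": 5000,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

# Run and RunOnce keys under any hive (HKLM, HKU\<SID>, HKCU).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Directories an unprivileged user can write to; Program Files is deliberately excluded.
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\(ProgramData|Users\\[^\\]+\\AppData)\\", re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def detect(events):
    """Return a list of (rule, pid, detail) findings.

    Events are processed in order so that an EventID 11 file creation can be
    correlated with a later EventID 1 execution of the same path.
    """
    dropped = {}  # lowercased path -> pid that created it
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 11:
            path = ev["TargetFilename"]
            if USER_WRITABLE_RE.match(path) and path.lower().endswith(".exe"):
                dropped[path.lower()] = ev["ProcessId"]
        elif eid == 1:
            image = ev["Image"]
            # Rule 1: execution of an executable this trace saw being written.
            if image.lower() in dropped:
                findings.append(("executes_dropped_exe", ev["ProcessId"], image))
            # Rule 2: a Temp-resident parent spawning a child from a user-writable dir.
            if TEMP_RE.search(ev["ParentImage"]) and USER_WRITABLE_RE.match(image):
                findings.append(("temp_parent_spawns_user_writable_child", ev["ProcessId"], image))
        elif eid == 13:
            # Rule 3: Run/RunOnce value whose data points into a user-writable dir.
            details = ev["Details"].strip().strip('"')
            if RUN_KEY_RE.search(ev["TargetObject"]) and USER_WRITABLE_RE.match(details):
                findings.append(("run_key_to_user_writable_path", ev["ProcessId"], ev["TargetObject"]))
    return findings


def dropped_files_by_dir(events):
    """Group every file created under a user-writable directory by its directory.

    Useful for triage: sidecar files such as the FYK.00 / FYK.01 pair in this
    report show up next to the executable that was dropped with them.
    """
    groups = {}
    for ev in events:
        if ev["EventID"] != 11:
            continue
        path = ev["TargetFilename"]
        if USER_WRITABLE_RE.match(path):
            directory, name = ntpath.split(path.lower())
            groups.setdefault(directory, []).append(name)
    return groups


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] pid={pid} {detail}")
    for directory, names in dropped_files_by_dir(SAMPLE_EVENTS).items():
        print(f"{directory}: {', '.join(sorted(names))}")
```

On the constructed trace all three rules fire on PID 2216 and none fire on the OneDrive Run key, because its data resolves to Program Files rather than a user-writable directory. The same rules expressed against real Sysmon telemetry would need the path allow-list tuned for the environment (software that legitimately updates itself from ProgramData is common), but the correlation of a drop followed by its execution is the signal worth keeping.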

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\RUXEKE\FYK.00

    Filesize

    2KB

    MD5

    18d370fe236a57ba505f22f588e89bf5

    SHA1

    2545ad5f2144aba486f85b2970be26b3b0a3cb92

    SHA256

    73dde880c6b822ded99d8ad96d6429f772f181439ad08be84211c13f5bd8453b

    SHA512

    527b0044706357ffd1fd5bbf7e501b914e49f6a57273466e6f03c75a66ae102fc154189d5414052c1a6a29ac5132fd4853f7ce71af17dd26926a23e1a6f5889d

  • C:\ProgramData\RUXEKE\FYK.01

    Filesize

    79KB

    MD5

    b1936b29dd260e0dc7d46a09df4134da

    SHA1

    b782cb9c091dc6aaff3263834b91ab3933c94614

    SHA256

    064e50cb041bdae3365a02ec84b4d200feeca8538b315b12656bcdb0f884d268

    SHA512

    d6993baf0e630ed27aaa3938ef94da273cf4c3ab5a5c82080aa2ba517ee5fca4f04f9b56dbbfcf0e392f328c5e5e7d0f737cba33a6c3283587710b7c1233ba25

  • C:\ProgramData\RUXEKE\FYK.exe

    Filesize

    2.6MB

    MD5

    6a8ce42b097c7a3fdce00acf554a1c48

    SHA1

    d656df03348d4c7ecab57853d16418f8b4f1a8d9

    SHA256

    e18bd5cd194f0402be88422e126210eaa3de381e6796f1816c2690cd3736fbae

    SHA512

    aa81e13c422cc34685c21c92b0f1e2f2359241a901ea1939a95a9e92b22601d052122827ba5bda63c07ea678904ef31fe6eda150333d112b7fd31c886a88309a

  • memory/2216-12-0x0000000000C90000-0x0000000000C91000-memory.dmp

    Filesize

    4KB

  • memory/2216-16-0x0000000004240000-0x0000000004258000-memory.dmp

    Filesize

    96KB

  • memory/2216-17-0x0000000000C90000-0x0000000000C91000-memory.dmp

    Filesize

    4KB