ardamax | e3ca8a2d067d74c388de2bf37302d943b6d9030498c3642761cdd4d95ac7c368

Analysis

max time kernel
142s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 10:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9af1276958721492f19d42ffd0358cba_JaffaCakes118.exe
Size

756KB
MD5

9af1276958721492f19d42ffd0358cba
SHA1

67d837ecf326ba46f9120b8467bff11bdec78897
SHA256

e3ca8a2d067d74c388de2bf37302d943b6d9030498c3642761cdd4d95ac7c368
SHA512

b178f8cc4d5f1c3e7096ccfa2577baeca8e3caf9b6fa78f3e679b94e52f5c9360ea244cafee91a62dbd5a4af2ff24e8b2dae1685a14f77b997060f490ad8ac73
SSDEEP

12288:P9JAq8RpxIjnOI2EigFKm0p8/FzGIc8u/dskrcRZca+XXQw865tDgASU6qnSH1DU:7Aq85sOI/iYa8tzGB8adaRuaP+rkHiAo

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000600000001941b-9.dat	family_ardamax

Executes dropped EXE 6 IoCs

pid	Process
1932	SPUY.exe
2888	Cópia de Cópia de TibiaBotNGCracker.exe
2296	sv.exe
2880	SVCHOST.EXE
604	save05.plc
2144	crk.exe

Loads dropped DLL 25 IoCs

pid	Process
1996	9af1276958721492f19d42ffd0358cba_JaffaCakes118.exe
1996	9af1276958721492f19d42ffd0358cba_JaffaCakes118.exe
1996	9af1276958721492f19d42ffd0358cba_JaffaCakes118.exe
1996	9af1276958721492f19d42ffd0358cba_JaffaCakes118.exe
1932	SPUY.exe
2888	Cópia de Cópia de TibiaBotNGCracker.exe
1932	SPUY.exe
2888	Cópia de Cópia de TibiaBotNGCracker.exe
2888	Cópia de Cópia de TibiaBotNGCracker.exe
2888	Cópia de Cópia de TibiaBotNGCracker.exe
2296	sv.exe
2296	sv.exe
2880	SVCHOST.EXE
2880	SVCHOST.EXE
2296	sv.exe
604	save05.plc
604	save05.plc
604	save05.plc
604	save05.plc
2144	crk.exe
2144	crk.exe
2144	crk.exe
2144	crk.exe
2144	crk.exe
2144	crk.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SPUY Agent = "C:\\Windows\\SysWOW64\\28463\\SPUY.exe"	SPUY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft DNS Service = "C:\\WINDOWS\\SVCHOST.EXE"	SVCHOST.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\28463	SPUY.exe
File created	C:\Windows\SysWOW64\28463\SPUY.001	9af1276958721492f19d42ffd0358cba_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\SPUY.006	9af1276958721492f19d42ffd0358cba_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\SPUY.007	9af1276958721492f19d42ffd0358cba_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\SPUY.exe	9af1276958721492f19d42ffd0358cba_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	9af1276958721492f19d42ffd0358cba_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SVCHOST.EXE	sv.exe
File created	C:\WINDOWS\SVCHOST.EXE	sv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCHOST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	save05.plc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9af1276958721492f19d42ffd0358cba_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SPUY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cópia de Cópia de TibiaBotNGCracker.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3831331E-0D11-4716-871D-68F3B11D23C9}\Implemented Categories	crk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{762EC429-1A5D-4AB8-844A-9A552E1241DA}	crk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin4.Skin\CLSID\ = "{0944D16C-D0F4-4389-982A-A085595A9EB3}"	crk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0944D16C-D0F4-4389-982A-A085595A9EB3}\verb\1\ = "&Load Skin,0,2"	crk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{52C01A76-19E2-4A50-AE8A-38FFBCCF9182}\InprocServer32\ThreadingModel = "Apartment"	crk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C406F816-318D-4F7D-81CB-BA93CA7B70D5}	crk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BBC73C94-337C-43CC-B52C-31EB9FA34013}	crk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin4.SkinLabel.1\ = "SkinLabel Control"	crk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3831331E-0D11-4716-871D-68F3B11D23C9}\TypeLib	crk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{750FC67C-0311-4391-9864-A2EFED49BD28}\TypeLib\ = "{90F3D7B3-92E7-44BA-B444-6A8E2A3BC375}"	crk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3FC950C-7583-4377-BAD8-EFBEAA33273C}\ = "_ISkinEvents"	crk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DCD2BC5-8489-48AE-891F-90C8B2F19F56}\InprocServer32	crk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories	crk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{010E0B1F-1A47-4D07-A83F-43A819E39CCF}	crk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin4.Skin\CurVer\ = "ActiveSkin4.Skin.1"	crk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{750FC67C-0311-4391-9864-A2EFED49BD28}\ProxyStubClsid32	crk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0944D16C-D0F4-4389-982A-A085595A9EB3}\ProgID\ = "ActiveSkin4.Skin.1"	crk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC22770D-3343-4C56-8A8D-3E560475F655}\InprocServer32\ThreadingModel = "Apartment"	crk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin4.SkinLabel\CurVer	crk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C406F816-318D-4F7D-81CB-BA93CA7B70D5}\InprocServer32	crk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3FC950C-7583-4377-BAD8-EFBEAA33273C}\ProxyStubClsid32	crk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5954EA75-9BFA-461A-BD34-CEA3A861FF19}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX1\\actskin4.ocx"	crk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C406F816-318D-4F7D-81CB-BA93CA7B70D5}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX1\\actskin4.ocx"	crk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C406F816-318D-4F7D-81CB-BA93CA7B70D5}\Implemented Categories\{010E0B1F-1A47-4D07-A83F-43A819E39CCF}	crk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BBC73C94-337C-43CC-B52C-31EB9FA34013}\TypeLib\ = "{90F3D7B3-92E7-44BA-B444-6A8E2A3BC375}"	crk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0944D16C-D0F4-4389-982A-A085595A9EB3}\VersionIndependentProgID	crk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3831331E-0D11-4716-871D-68F3B11D23C9}\InprocServer32\ThreadingModel = "Apartment"	crk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B87799AF-2CE9-4DAA-93CF-65F002035369}\TypeLib\ = "{90F3D7B3-92E7-44BA-B444-6A8E2A3BC375}"	crk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4921908C-7090-4D37-A6B3-FC447F08378A}	crk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC22770D-3343-4C56-8A8D-3E560475F655}\Implemented Categories\{010E0B1F-1A47-4D07-A83F-43A819E39CCF}	crk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3831331E-0D11-4716-871D-68F3B11D23C9}\ = "SkinRadio Object"	crk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3FC950C-7583-4377-BAD8-EFBEAA33273C}\ProxyStubClsid32	crk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A5704C37-40DA-49EF-904B-97E5F5F9B1C5}\TypeLib\ = "{90F3D7B3-92E7-44BA-B444-6A8E2A3BC375}"	crk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{90F3D7B3-92E7-44BA-B444-6A8E2A3BC375}	crk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{52C01A76-19E2-4A50-AE8A-38FFBCCF9182}\TypeLib\ = "{90F3D7B3-92E7-44BA-B444-6A8E2A3BC375}"	crk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4921908C-7090-4D37-A6B3-FC447F08378A}\ = "ISkinLabel"	crk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4921908C-7090-4D37-A6B3-FC447F08378A}\TypeLib	crk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC22770D-3343-4C56-8A8D-3E560475F655}\Implemented Categories	crk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C406F816-318D-4F7D-81CB-BA93CA7B70D5}\TypeLib	crk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{52C01A76-19E2-4A50-AE8A-38FFBCCF9182}	crk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A5704C37-40DA-49EF-904B-97E5F5F9B1C5}\InprocServer32	crk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3831331E-0D11-4716-871D-68F3B11D23C9}\Implemented Categories\{010E0B1F-1A47-4D07-A83F-43A819E39CCF}	crk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5954EA75-9BFA-461A-BD34-CEA3A861FF19}\Version\ = "1.0"	crk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4921908C-7090-4D37-A6B3-FC447F08378A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	crk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{52C01A76-19E2-4A50-AE8A-38FFBCCF9182}\InprocServer32	crk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BBC73C94-337C-43CC-B52C-31EB9FA34013}\InprocServer32\ThreadingModel = "Apartment"	crk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F3FC950C-7583-4377-BAD8-EFBEAA33273C}	crk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC22770D-3343-4C56-8A8D-3E560475F655}\InprocServer32	crk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin4.Skin.1\CLSID\ = "{0944D16C-D0F4-4389-982A-A085595A9EB3}"	crk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5954EA75-9BFA-461A-BD34-CEA3A861FF19}\MiscStatus\1\ = "139665"	crk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{750FC67C-0311-4391-9864-A2EFED49BD28}\TypeLib	crk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{750FC67C-0311-4391-9864-A2EFED49BD28}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	crk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DCD2BC5-8489-48AE-891F-90C8B2F19F56}\Implemented Categories	crk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0944D16C-D0F4-4389-982A-A085595A9EB3}\ProgID	crk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{90F3D7B3-92E7-44BA-B444-6A8E2A3BC375}\1.0	crk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3FC950C-7583-4377-BAD8-EFBEAA33273C}	crk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A506EF88-9EFC-4522-BFE1-A8E886A64D80}\InprocServer32\ThreadingModel = "Apartment"	crk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin4.SkinLabel\CLSID\ = "{5954EA75-9BFA-461A-BD34-CEA3A861FF19}"	crk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{750FC67C-0311-4391-9864-A2EFED49BD28}\ = "ISkin"	crk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0944D16C-D0F4-4389-982A-A085595A9EB3}\Programmable	crk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A5704C37-40DA-49EF-904B-97E5F5F9B1C5}\TypeLib	crk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{90F3D7B3-92E7-44BA-B444-6A8E2A3BC375}\1.0\FLAGS\ = "0"	crk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C406F816-318D-4F7D-81CB-BA93CA7B70D5}\ = "SkinStatic Object"	crk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DCD2BC5-8489-48AE-891F-90C8B2F19F56}\TypeLib\ = "{90F3D7B3-92E7-44BA-B444-6A8E2A3BC375}"	crk.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1932	SPUY.exe
Token: SeIncBasePriorityPrivilege	1932	SPUY.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1932	SPUY.exe
1932	SPUY.exe
1932	SPUY.exe
1932	SPUY.exe
1932	SPUY.exe
2296	sv.exe
2880	SVCHOST.EXE
2144	crk.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 1932	1996	9af1276958721492f19d42ffd0358cba_JaffaCakes118.exe	30
PID 1996 wrote to memory of 1932	1996	9af1276958721492f19d42ffd0358cba_JaffaCakes118.exe	30
PID 1996 wrote to memory of 1932	1996	9af1276958721492f19d42ffd0358cba_JaffaCakes118.exe	30
PID 1996 wrote to memory of 1932	1996	9af1276958721492f19d42ffd0358cba_JaffaCakes118.exe	30
PID 1996 wrote to memory of 2888	1996	9af1276958721492f19d42ffd0358cba_JaffaCakes118.exe	31
PID 1996 wrote to memory of 2888	1996	9af1276958721492f19d42ffd0358cba_JaffaCakes118.exe	31
PID 1996 wrote to memory of 2888	1996	9af1276958721492f19d42ffd0358cba_JaffaCakes118.exe	31
PID 1996 wrote to memory of 2888	1996	9af1276958721492f19d42ffd0358cba_JaffaCakes118.exe	31
PID 2888 wrote to memory of 2296	2888	Cópia de Cópia de TibiaBotNGCracker.exe	32
PID 2888 wrote to memory of 2296	2888	Cópia de Cópia de TibiaBotNGCracker.exe	32
PID 2888 wrote to memory of 2296	2888	Cópia de Cópia de TibiaBotNGCracker.exe	32
PID 2888 wrote to memory of 2296	2888	Cópia de Cópia de TibiaBotNGCracker.exe	32
PID 2296 wrote to memory of 2880	2296	sv.exe	33
PID 2296 wrote to memory of 2880	2296	sv.exe	33
PID 2296 wrote to memory of 2880	2296	sv.exe	33
PID 2296 wrote to memory of 2880	2296	sv.exe	33
PID 2296 wrote to memory of 604	2296	sv.exe	34
PID 2296 wrote to memory of 604	2296	sv.exe	34
PID 2296 wrote to memory of 604	2296	sv.exe	34
PID 2296 wrote to memory of 604	2296	sv.exe	34
PID 604 wrote to memory of 2144	604	save05.plc	35
PID 604 wrote to memory of 2144	604	save05.plc	35
PID 604 wrote to memory of 2144	604	save05.plc	35
PID 604 wrote to memory of 2144	604	save05.plc	35

C:\Users\Admin\AppData\Local\Temp\9af1276958721492f19d42ffd0358cba_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9af1276958721492f19d42ffd0358cba_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\SysWOW64\28463\SPUY.exe
  "C:\Windows\system32\28463\SPUY.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1932
- C:\Users\Admin\AppData\Local\Temp\Cópia de Cópia de TibiaBotNGCracker.exe
  "C:\Users\Admin\AppData\Local\Temp\Cópia de Cópia de TibiaBotNGCracker.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\sv.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\sv.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\WINDOWS\SVCHOST.EXE
      C:\WINDOWS\SVCHOST.EXE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2880
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\save05.plc
      C:\Users\Admin\AppData\Local\Temp\RarSFX0\save05.plc
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:604
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\crk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\crk.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cópia de Cópia de TibiaBotNGCracker.exe

Filesize
311KB

MD5
4f071b4ba9e1c26ea66cbec5d5486ab6

SHA1
b8539f9ba1d58453b0ba9936e0ecdeeb0cc79ef1

SHA256
6a20afbe295ba89eeceac4e4f815c8a1941803f601135e48e9d61b4a55dc062a

SHA512
021cf79efa3d004695b155cedccabbcf35ebac6fc0bb322dfccc21c08823f0ba34f125f9f93f86edde6bdee3fc84e38acd6934f2444f5654884e5bff67ae20f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sv.exe

Filesize
32KB

MD5
38347f5835c791fe0ec3497faf75a847

SHA1
dfd1dae2583f9f0401e391203e79827919708388

SHA256
167163b62617dcdb69c6a1cf0bd07c6b9de316e2d99a32f8d2f6ac9e9c9eb7b2

SHA512
4fbde1da19f106fb9fc3d6951930104c72030a0b3b5d8bac85834cbfe1244b855c5bac6284e2998f512543c8fc88176c4007f43485bfb7c494fddce14a29497f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\actskin4.ocx

Filesize
372KB

MD5
407c604d5499577d38c2f971e6902281

SHA1
f92e20ec70b6dd7d7bcbd75db8bb5f340d89cb55

SHA256
72b996fca5f843584333b3b9843806a590af6b1908d049ed2dcb2fbe54ff02bd

SHA512
e3d2bd95ece244fbafb6def535ed0acf3e269b631a883c45c7ed464e206d70ac85a6e23e2fb45a6279030c7f58864eda1a4cec6db2bc2e3ff0e815d1498428a8

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
393KB

MD5
b0b09699ea39c0107af1c0833f07c054

SHA1
b730e2fb0bda9bf4a1b1f8768a00838e3ca9dcc1

SHA256
be63e3b5a6c3fbec11a737332d4e0040a23cc2d17182b4bc5e7d5dd41d930ee1

SHA512
55430e53058964961808f37d738c31f1502c3ec4a14b0296bef7bad22e468734bcd119eedba14cc87894d4acc81c9266572aff9919b18bd584823c47fa149796

Download Submit
C:\Windows\SysWOW64\28463\SPUY.001

Filesize
532B

MD5
519f9f30e7d5f3262b80caee1e94c002

SHA1
26082fb4e6d2982449c3c16eb2ca1eeea5f2c1a7

SHA256
8a9b8a912db30295696ae519c04f9c2a567e7a7934b97789833b77e5aa500cfb

SHA512
e56f97c5d9e5240e8953a24b87766ca86b15b38f24b874308e8d8fd665a224228f5f0236c6ec6181097a6b8555a6240b8c98f06990f86dd49c45681a0e65e20b

Download Submit
C:\Windows\SysWOW64\28463\SPUY.006

Filesize
7KB

MD5
e0fcfa7cad88d1a8a462cee6b06cf668

SHA1
a7e49078517abc929a6da261df06556c8f5a8cf0

SHA256
340ff9f7f784e299030abb9982c88547e67251a6cca07d30ca8073d01a2840c4

SHA512
430fd640432769047de7bb4432f710193855a5121fe5944ef07f6b68749608312e7c22b29834967d429637fc9b285671cd10bbc9e1cfb43654695a206ba9cf82

Download Submit
C:\Windows\SysWOW64\28463\SPUY.007

Filesize
5KB

MD5
ca72cd485d116033f1b776903ce7ee0a

SHA1
85b0b73a75b0498f56200dd1a5cf0de5371e42a3

SHA256
e583532d6b4d8cfc1def5e550674e9e1a4eef2a107adacddf729fddac64f49c4

SHA512
8dbf6920af64aac6a80c3da4a567473dc20c8d4e24078f7e66bb5aa1a08641e5081b0a1ee05f82fb1dd14218b62572c198ff39b1add5f19893008b3d8e54538f

Download Submit
\Users\Admin\AppData\Local\Temp\@A361.tmp

Filesize
4KB

MD5
908f7f4b0cf93759447afca95cd84aa6

SHA1
d1903a49b211bcb4a460904019ee7441420aa961

SHA256
3e6378164f9dc4148b86c9312b63c5a6b1fabcfebf9557f182d331e9cb32fc23

SHA512
958e0880565b008cdb045d6aba5103f0ba820ac037facf24b78924187a119258e3a8a97de4c3874694962114ef672d41a55feb71b92d5038e7d45bc3d91d6b0d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\save05.plc

Filesize
266KB

MD5
3f4f522fb5e1c047ab5fbae601828426

SHA1
00837fe2114de62150068f76b227b688a721085f

SHA256
ecdcbe1d308262a8094d69a73015d3553534d1e45c169f33c7537a879ca7edc8

SHA512
890fe8ad318b2c1674159a19899dfac661ef73e0cacf769efab94b03c73cf958fa5fd80d157673abb625fd88458d78f0c755395915301a73410e1530e9bbd58b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\crk.exe

Filesize
176KB

MD5
a5ecdb2a1dd6acf2a19200e9ef4144be

SHA1
b6ef0b37d34e5cfeac09abda493dcd49638d1de5

SHA256
302d338c993ed629a050eab03cd6959d97547ce9b5973b5db20f65da007fd1bf

SHA512
6151b5e1fe19e8551fc64301187523cc57090772de606580277e5d07aa559b0840d89974fe6b4368a80886c107e8ef8df95fbca3ee0f25d89f7b09b75a90708c

Download Submit
\Windows\SysWOW64\28463\SPUY.exe

Filesize
472KB

MD5
7ca78f42e7c88f01fb7fd88321b283ff

SHA1
8f6fb4e3f5b696cac4fd54490d5f8c1862d0bb6b

SHA256
2354f408b272232ea4bb74d17d22a4332b97f1003fb9bace174a9811f2b41729

SHA512
06e822f04a4657b492a485b5a542e5c8400060abf7e71020d17965fee11f1f7c0807e32b5f9426a4fb9b4d7dd05a68ae871e5fef0807e24204351ebe569eb4ca

Download Submit
memory/604-97-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1932-31-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1932-96-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2144-90-0x0000000000360000-0x00000000003BD000-memory.dmp

Filesize
372KB

Download
memory/2888-36-0x0000000077B0F000-0x0000000077B10000-memory.dmp

Filesize
4KB

Download
memory/2888-95-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads