Analysis

max time kernel: 92s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-11-2024 14:13
Static task: static1
Behavioral task: behavioral1
  Sample: Install.exe
  Resource: win7-20240903-en
General

Target: Install.exe
Size: 623KB
MD5: a6a6d117db896ef94a55b8447f042287
SHA1: 3054359e47098a2486cabd3497651e097a416fdc
SHA256: e13df26ff6cec13b9214d5913866a97f92b12993453452040239a8503c5ebd2a
SHA512: 057279dada7162565d9dd72c0e1be121b9aa97f753f9eccc5e20381c599b43fc35b746b2c549c46341396449e79ed36dbee40264b977065f72ba7943fd6ec8cb
SSDEEP: 12288:2EE2KG1pyiwMW8MVzoAbSvK4QL9QSnDE5R691w6MIAtaAnWkgeCb3bEn2zBPpnsc:C2VjwMqVzEC4cE5Raw6MIAEAWkNCg8gc
Malware Config

Signatures

Ardamax family

Ardamax main executable (1 IoC)
  resource                                     yara_rule
  behavioral2/files/0x0031000000023b85-12.dat  family_ardamax

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  description        ioc                                                                                                    process
  Key value queried  \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation  Install.exe

Executes dropped EXE (1 IoC)
  pid   process
  3420  TJOD.exe

Loads dropped DLL (2 IoCs)
  pid   process
  4324  Install.exe
  3420  TJOD.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in System32 directory (5 IoCs)
  description                   ioc                                  process
  File opened for modification  C:\Windows\SysWOW64\28463            TJOD.exe
  File created                  C:\Windows\SysWOW64\28463\TJOD.001   Install.exe
  File created                  C:\Windows\SysWOW64\28463\TJOD.006   Install.exe
  File created                  C:\Windows\SysWOW64\28463\TJOD.007   Install.exe
  File created                  C:\Windows\SysWOW64\28463\TJOD.exe   Install.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Install.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  TJOD.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                         pid   process
  Token: 33                           3420  TJOD.exe
  Token: SeIncBasePriorityPrivilege   3420  TJOD.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid   process
  3420  TJOD.exe

Suspicious use of SendNotifyMessage (1 IoC)
  pid   process
  3420  TJOD.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   process
  3420  TJOD.exe
  3420  TJOD.exe
  3420  TJOD.exe
  3420  TJOD.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                    pid   process      procid_target
  PID 4324 wrote to memory of 3420   4324  Install.exe  83
  PID 4324 wrote to memory of 3420   4324  Install.exe  83
  PID 4324 wrote to memory of 3420   4324  Install.exe  83
Processes

C:\Users\Admin\AppData\Local\Temp\Install.exe (PID 4324)
  command line: "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  - Checks computer location settings
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\28463\TJOD.exe (PID 3420, child of 4324)
    command line: "C:\Windows\system32\28463\TJOD.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx

Note on the paths: the child's command line names C:\Windows\system32, but the image path and the dropped files are under C:\Windows\SysWOW64. The sample is 32-bit (resource tag arch:x86), so on x64 Windows its System32 writes and launches are transparently redirected by WoW64 file-system redirection to SysWOW64; detection logic keyed on the command-line spelling alone will miss the files on disk.
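The behaviour in the Signatures and Processes sections (Install.exe in %TEMP% dropping TJOD.exe and its .001/.006/.007 companions into a numeric directory under SysWOW64, launching it, and both binaries reading Geo\Nation and NLS\Language) can be turned into host-telemetry detection logic. The following is an added example written for this page, not code from the sandbox vendor or from the sample; it runs over constructed Sysmon-like events, and the event shape and field names (event, image, target, key, parent_image, is_32bit) are our own assumptions rather than any product's schema. It also normalises the System32/SysWOW64 spelling difference that the process tree shows.

```python
"""Added example (ours, not part of the sandbox report): behavioural
detection for the Install.exe -> SysWOW64\\<digits>\\TJOD.exe chain.
Runs over constructed Sysmon-like events; field names are assumptions."""
import re
from typing import Dict, Iterable, List

# Drop location from the report: <systemdir>\<digits>\ (28463 in this run).
# Either spelling is accepted because of WoW64 redirection (see below).
DROP_DIR_RE = re.compile(r"^c:\\windows\\(system32|syswow64)\\\d+\\", re.I)
# Companion files the report shows beside the dropped .exe.
COMPANION_EXT = {".001", ".006", ".007"}
# Registry keys behind the "Checks computer location settings" and
# "System Language Discovery" signatures (compared case-insensitively).
GEO_KEY_SUFFIX = r"\control panel\international\geo\nation"
LANG_KEY_SUFFIX = r"\control\nls\language"


def normalize_wow64(path: str, is_32bit: bool) -> str:
    """A 32-bit process on x64 Windows that opens C:\\Windows\\System32\\... is
    transparently redirected by WoW64 to C:\\Windows\\SysWOW64\\...; the report
    shows exactly this (command line says system32, image path is SysWOW64).
    Rewrite the path so both spellings compare equal."""
    if not is_32bit:
        return path
    return re.sub(r"(?i)^(c:\\windows\\)system32\\", r"\g<1>SysWOW64\\", path)


def detect(events: Iterable[Dict]) -> List[str]:
    """Return one human-readable finding per matching event."""
    findings: List[str] = []
    for ev in events:
        kind = ev["event"]
        wow = ev.get("is_32bit", False)
        if kind == "process_create":
            image = normalize_wow64(ev["image"], wow)
            parent = ev.get("parent_image", "")
            # Dropped binary started from the numeric system dir by a %TEMP% parent.
            if DROP_DIR_RE.match(image) and "\\appdata\\local\\temp\\" in parent.lower():
                findings.append(f"dropped exe launched from {image} by {parent}")
        elif kind == "file_create":
            target = normalize_wow64(ev["target"], wow)
            dot = target.rfind(".")
            ext = target[dot:].lower() if dot != -1 else ""
            if DROP_DIR_RE.match(target) and (ext == ".exe" or ext in COMPANION_EXT):
                findings.append(f"Ardamax-style drop {target} by {ev['image']}")
        elif kind == "registry_access":
            key = ev["key"].lower()
            if key.endswith(GEO_KEY_SUFFIX):
                findings.append(f"geofence lookup (Geo\\Nation) by {ev['image']}")
            elif key.endswith(LANG_KEY_SUFFIX):
                findings.append(f"language discovery (NLS\\Language) by {ev['image']}")
    return findings


# Constructed events mirroring the report's IoCs, plus one benign line.
SAMPLE_EVENTS = [
    {"event": "registry_access", "image": r"C:\Users\Admin\AppData\Local\Temp\Install.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation"},
    {"event": "file_create", "is_32bit": True, "image": r"C:\Users\Admin\AppData\Local\Temp\Install.exe",
     "target": r"C:\Windows\system32\28463\TJOD.exe"},
    {"event": "file_create", "is_32bit": True, "image": r"C:\Users\Admin\AppData\Local\Temp\Install.exe",
     "target": r"C:\Windows\system32\28463\TJOD.001"},
    {"event": "process_create", "is_32bit": True, "image": r"C:\Windows\system32\28463\TJOD.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\Install.exe"},
    {"event": "registry_access", "image": r"C:\Windows\SysWOW64\28463\TJOD.exe",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"event": "file_create", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Windows\System32\config\systemprofile\AppData\x.log"},
]

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

The Geo\Nation and NLS\Language lookups are common in benign software too, so treat them as supporting evidence and alert on the numeric-directory drop and the %TEMP% parent chain; the normalisation step matters because the on-disk artefacts live under SysWOW64 even though the sample itself only ever names system32.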
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 4KB
MD5: a55cbc0f0125b005ef369020b4c17806
SHA1: 010af3e2e84b337e91f5e0c791b01e1d527211ce
SHA256: 27cfe74936e4090aafbef07ee45725923f4b1243135e1e3a51e3385dbcd7b637
SHA512: 88e5f7905c86d73bc5af028f20c8bf49f700307926c5b92814c245abe08e9c35841116d428ddbd7b957b47ccc8980684c12608b6818e4b6c1c8c0d27d54a07be

Filesize: 396B
MD5: 32f5a0026d1e721bde434303b0deef89
SHA1: 88411f51e42d2ecaa384df6ea974013c10c7ebb0
SHA256: 66aee5c905195c8431313f665827f6ae30bbf9d29d5355ae502caf77acdf92c5
SHA512: 7c315e3ef8c2f247baaddd6813ebd227096ef6a3e488287fdada6d0813ddb7ab9bb71ac7d4108f7b84b415e6ee8fdcba56e52d2d346f68f3a5174c2adc06b474

Filesize: 8KB
MD5: 395bbef326fa5ad1216b23f5debf167b
SHA1: aa4a7334b5a693b3f0d6f47b568e0d13a593d782
SHA256: 7c1c4ba8978d3ec53bc6da4d8f9e5e1ca52edf5ccf5ec19ef06b02055ff3b3d1
SHA512: dc3f3d7501feb10623807e89f28a0e38bdbbd4a7e2ad964c8ab33c392bde61896fe40bb7773f6309cd59ad9a686decbd81c15b588ac8d311fd2a273ac9410679

Filesize: 5KB
MD5: 1b5e72f0ebd49cf146f9ae68d792ffe5
SHA1: 1e90a69c12b9a849fbbac0670296b07331c1cf87
SHA256: 8f4485675fe35b14276f5c8af8a6b42f03cf1b5de638355e4c4b28397385e87e
SHA512: 6364f5581de5aaec09b5d1c4e5745193f981ff93cf91e20c6c9ff56566b5d182ccbdacf9aeed1d7a01460eb21619e14ac4ab31b083a951b45b3b7f9d93a62ffc

Filesize: 912KB
MD5: 6768ba61744862704760b66ce8f8fdd4
SHA1: e86cbed8cf20c2a9c76219d0c434bc310ffb2392
SHA256: 4cf4bf2b7d2bb4215e255e1f2b1238ad989f3c8a98ebfd5cb033bccf32fedaa0
SHA512: eadb56b633707724ef4f47f8b421b0f3b2afa5a9800fae030f81aefae483eed6b494da470278273f388c3ae346a33cbbfe742924d231dab1c9b42bbefaf95a61
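The hashes in the General section and in the Downloads list above are the file IoCs a responder would sweep a host for. The following is an added example, written for this page and not code from the sandbox vendor: it embeds the report's MD5/SHA-1/SHA-256 values, hashes every file under a directory in a single pass, and reports any match. The labels for the downloaded files are ours (the report gives only sizes), and SHA-512 is left out of the index purely for brevity.

```python
"""Added example (ours, not part of the sandbox report): sweep a directory
for files whose MD5/SHA-1/SHA-256 match the hash IoCs in this report."""
import hashlib
import os
from typing import Dict, List, Sequence, Tuple

# (label, md5, sha1, sha256) copied from the General and Downloads sections.
# Labels for the downloads are ours; the report lists them by size only.
REPORT_IOCS: Sequence[Tuple[str, str, str, str]] = [
    ("Install.exe (623KB)", "a6a6d117db896ef94a55b8447f042287",
     "3054359e47098a2486cabd3497651e097a416fdc",
     "e13df26ff6cec13b9214d5913866a97f92b12993453452040239a8503c5ebd2a"),
    ("download 4KB", "a55cbc0f0125b005ef369020b4c17806",
     "010af3e2e84b337e91f5e0c791b01e1d527211ce",
     "27cfe74936e4090aafbef07ee45725923f4b1243135e1e3a51e3385dbcd7b637"),
    ("download 396B", "32f5a0026d1e721bde434303b0deef89",
     "88411f51e42d2ecaa384df6ea974013c10c7ebb0",
     "66aee5c905195c8431313f665827f6ae30bbf9d29d5355ae502caf77acdf92c5"),
    ("download 8KB", "395bbef326fa5ad1216b23f5debf167b",
     "aa4a7334b5a693b3f0d6f47b568e0d13a593d782",
     "7c1c4ba8978d3ec53bc6da4d8f9e5e1ca52edf5ccf5ec19ef06b02055ff3b3d1"),
    ("download 5KB", "1b5e72f0ebd49cf146f9ae68d792ffe5",
     "1e90a69c12b9a849fbbac0670296b07331c1cf87",
     "8f4485675fe35b14276f5c8af8a6b42f03cf1b5de638355e4c4b28397385e87e"),
    ("download 912KB", "6768ba61744862704760b66ce8f8fdd4",
     "e86cbed8cf20c2a9c76219d0c434bc310ffb2392",
     "4cf4bf2b7d2bb4215e255e1f2b1238ad989f3c8a98ebfd5cb033bccf32fedaa0"),
]


def build_index(iocs: Sequence[Tuple[str, str, str, str]]) -> Dict[str, str]:
    """Map every hash (lower-case hex, any algorithm) to its label so one
    dictionary lookup answers 'is this digest known?'."""
    index: Dict[str, str] = {}
    for label, *hashes in iocs:
        for h in hashes:
            index[h.lower()] = label
    return index


def hash_file(path: str, chunk: int = 1 << 20) -> Dict[str, str]:
    """Compute MD5, SHA-1 and SHA-256 in a single pass over the file so large
    files are read once, not three times."""
    hs = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hs.items()}


def scan(root: str, iocs: Sequence[Tuple[str, str, str, str]] = REPORT_IOCS) -> List[Tuple[str, str, str]]:
    """Walk `root`; return (path, algorithm, label) for each file whose digest
    is in the IoC index. Unreadable files are skipped rather than fatal, which
    is what you want when sweeping a live system with locked files."""
    index = build_index(iocs)
    hits: List[Tuple[str, str, str]] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue
            for algo, digest in digests.items():
                if digest in index:
                    hits.append((path, algo, index[digest]))
                    break  # one hit per file; the three digests agree anyway
    return hits


if __name__ == "__main__":
    import sys
    for path, algo, label in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {algo} matches report IoC '{label}'")
```

Run it as `python sweep.py C:\Windows\SysWOW64` (or the System32 equivalent, since a 64-bit Python is not redirected) to check the drop directory the report names; a hash sweep only finds byte-identical copies, so pair it with the path-pattern detection for rebuilt or repacked variants.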