ardamax | d63f81c698728558b74e71149a866d253b9ef8aa65b8dae39db2accadb8654f5

Analysis

max time kernel
142s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-01-2025 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_35b9ec998fd52b4ffeacdc71d1bb134d.exe
Size

2.3MB
MD5

35b9ec998fd52b4ffeacdc71d1bb134d
SHA1

38cd8c287085af6512e0c20ca8088e8d129d01c4
SHA256

d63f81c698728558b74e71149a866d253b9ef8aa65b8dae39db2accadb8654f5
SHA512

62948b5abe013f95e75235d3e3a7e3be18643ae1cca0a1aa65bf113d936fde3c1b19303989e865595741ef795569ad33072235801c3424c0f099cfdb197a9eb5
SSDEEP

49152:NZNfQzcYsgSMBVjILrhnNOagwyegGonPh7CXSHB:NZN44YBVjIfhnQagwyegGc7CCHB

Score

10^/10

ardamax discovery keylogger persistence stealer upx

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000500000001939f-85.dat	family_ardamax

Executes dropped EXE 5 IoCs

pid	Process
2572	P®OßOT™.EXE
2608	RUNDLL.EXE
776	P®oßot™.exe
1012	Install.exe
2348	EGBE.exe

Loads dropped DLL 23 IoCs

pid	Process
2812	JaffaCakes118_35b9ec998fd52b4ffeacdc71d1bb134d.exe
2812	JaffaCakes118_35b9ec998fd52b4ffeacdc71d1bb134d.exe
2812	JaffaCakes118_35b9ec998fd52b4ffeacdc71d1bb134d.exe
2812	JaffaCakes118_35b9ec998fd52b4ffeacdc71d1bb134d.exe
2608	RUNDLL.EXE
2572	P®OßOT™.EXE
2572	P®OßOT™.EXE
2572	P®OßOT™.EXE
776	P®oßot™.exe
1012	Install.exe
1012	Install.exe
1012	Install.exe
1012	Install.exe
1012	Install.exe
2348	EGBE.exe
2348	EGBE.exe
2348	EGBE.exe
2348	EGBE.exe
2348	EGBE.exe
2608	RUNDLL.EXE
776	P®oßot™.exe
2608	RUNDLL.EXE
776	P®oßot™.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll = "\"C:\\Users\\Admin\\AppData\\Roaming\\rundll.exe \""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll = "\"C:\\Users\\Admin\\AppData\\Roaming\\rundll.exe \""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll = "\"C:\\Users\\Admin\\AppData\\Roaming\\rundll.exe \""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EGBE Agent = "C:\\Windows\\SysWOW64\\28463\\EGBE.exe"	EGBE.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\EGBE.001	Install.exe
File created	C:\Windows\SysWOW64\28463\EGBE.006	Install.exe
File created	C:\Windows\SysWOW64\28463\EGBE.007	Install.exe
File created	C:\Windows\SysWOW64\28463\EGBE.exe	Install.exe
File created	C:\Windows\SysWOW64\28463\key.bin	Install.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\28463	EGBE.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000012117-54.dat	upx
behavioral1/memory/776-63-0x0000000000400000-0x0000000000474000-memory.dmp	upx
behavioral1/memory/776-115-0x0000000000400000-0x0000000000474000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\P®oßot™.exe	P®OßOT™.EXE
File opened for modification	C:\Windows\system\Install.exe	P®OßOT™.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	P®OßOT™.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	P®oßot™.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_35b9ec998fd52b4ffeacdc71d1bb134d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EGBE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RUNDLL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies registry class 37 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0D0B96A-93B0-4449-7FAC-076B04ECC062}\ = "Koboz.Jicihok"	EGBE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0D0B96A-93B0-4449-7FAC-076B04ECC062}\Programmable	EGBE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{98DB969C-8AC2-F71A-0A0F-B7384C659280}\1.0\FLAGS\	EGBE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0D0B96A-93B0-4449-7FAC-076B04ECC062}\Version\ = "1.0"	EGBE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0D0B96A-93B0-4449-7FAC-076B04ECC062}	EGBE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{98DB969C-8AC2-F71A-0A0F-B7384C659280}\	EGBE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{98DB969C-8AC2-F71A-0A0F-B7384C659280}\1.0\0\	EGBE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{98DB969C-8AC2-F71A-0A0F-B7384C659280}\1.0\FLAGS	EGBE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0D0B96A-93B0-4449-7FAC-076B04ECC062}\Version\	EGBE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0D0B96A-93B0-4449-7FAC-076B04ECC062}\ProgID\	EGBE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0D0B96A-93B0-4449-7FAC-076B04ECC062}\ProgID	EGBE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{98DB969C-8AC2-F71A-0A0F-B7384C659280}	EGBE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{98DB969C-8AC2-F71A-0A0F-B7384C659280}\1.0\FLAGS\ = "0"	EGBE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{98DB969C-8AC2-F71A-0A0F-B7384C659280}\1.0\HELPDIR	EGBE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0D0B96A-93B0-4449-7FAC-076B04ECC062}\TypeLib	EGBE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0D0B96A-93B0-4449-7FAC-076B04ECC062}\InprocServer32\ = "C:\\Windows\\SysWOW64\\msvidctl.dll"	EGBE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0D0B96A-93B0-4449-7FAC-076B04ECC062}\VersionIndependentProgID	EGBE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0D0B96A-93B0-4449-7FAC-076B04ECC062}\Version	EGBE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0D0B96A-93B0-4449-7FAC-076B04ECC062}\InprocServer32\	EGBE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{98DB969C-8AC2-F71A-0A0F-B7384C659280}\1.0\ = "Groove XML Element Type Library"	EGBE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{98DB969C-8AC2-F71A-0A0F-B7384C659280}\1.0\0\win32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\GROOVE.EXE\\32"	EGBE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{98DB969C-8AC2-F71A-0A0F-B7384C659280}\1.0\HELPDIR\	EGBE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0D0B96A-93B0-4449-7FAC-076B04ECC062}\Implemented Categories	EGBE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0D0B96A-93B0-4449-7FAC-076B04ECC062}\InprocServer32	EGBE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{98DB969C-8AC2-F71A-0A0F-B7384C659280}\1.0\	EGBE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{98DB969C-8AC2-F71A-0A0F-B7384C659280}\1.0\0\win32\	EGBE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{98DB969C-8AC2-F71A-0A0F-B7384C659280}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\"	EGBE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0D0B96A-93B0-4449-7FAC-076B04ECC062}\Implemented Categories\	EGBE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0D0B96A-93B0-4449-7FAC-076B04ECC062}\Programmable\	EGBE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{98DB969C-8AC2-F71A-0A0F-B7384C659280}\1.0	EGBE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{98DB969C-8AC2-F71A-0A0F-B7384C659280}\1.0\0	EGBE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0D0B96A-93B0-4449-7FAC-076B04ECC062}\TypeLib\	EGBE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0D0B96A-93B0-4449-7FAC-076B04ECC062}\VersionIndependentProgID\	EGBE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0D0B96A-93B0-4449-7FAC-076B04ECC062}\VersionIndependentProgID\ = "MSVidCtl.MSVidFeatures"	EGBE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0D0B96A-93B0-4449-7FAC-076B04ECC062}\ProgID\ = "MSVidCtl.MSVidFeatures.1"	EGBE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0D0B96A-93B0-4449-7FAC-076B04ECC062}\TypeLib\ = "{98DB969C-8AC2-F71A-0A0F-B7384C659280}"	EGBE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{98DB969C-8AC2-F71A-0A0F-B7384C659280}\1.0\0\win32	EGBE.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
2052	reg.exe
2204	reg.exe
2208	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2812	JaffaCakes118_35b9ec998fd52b4ffeacdc71d1bb134d.exe
2608	RUNDLL.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2348	EGBE.exe
Token: SeIncBasePriorityPrivilege	2348	EGBE.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2608	RUNDLL.EXE
2572	P®OßOT™.EXE
776	P®oßot™.exe
2348	EGBE.exe
2348	EGBE.exe
2348	EGBE.exe
2348	EGBE.exe
2348	EGBE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 2648	2812	JaffaCakes118_35b9ec998fd52b4ffeacdc71d1bb134d.exe	29
PID 2812 wrote to memory of 2648	2812	JaffaCakes118_35b9ec998fd52b4ffeacdc71d1bb134d.exe	29
PID 2812 wrote to memory of 2648	2812	JaffaCakes118_35b9ec998fd52b4ffeacdc71d1bb134d.exe	29
PID 2812 wrote to memory of 2648	2812	JaffaCakes118_35b9ec998fd52b4ffeacdc71d1bb134d.exe	29
PID 2812 wrote to memory of 2568	2812	JaffaCakes118_35b9ec998fd52b4ffeacdc71d1bb134d.exe	30
PID 2812 wrote to memory of 2568	2812	JaffaCakes118_35b9ec998fd52b4ffeacdc71d1bb134d.exe	30
PID 2812 wrote to memory of 2568	2812	JaffaCakes118_35b9ec998fd52b4ffeacdc71d1bb134d.exe	30
PID 2812 wrote to memory of 2568	2812	JaffaCakes118_35b9ec998fd52b4ffeacdc71d1bb134d.exe	30
PID 2812 wrote to memory of 2572	2812	JaffaCakes118_35b9ec998fd52b4ffeacdc71d1bb134d.exe	33
PID 2812 wrote to memory of 2572	2812	JaffaCakes118_35b9ec998fd52b4ffeacdc71d1bb134d.exe	33
PID 2812 wrote to memory of 2572	2812	JaffaCakes118_35b9ec998fd52b4ffeacdc71d1bb134d.exe	33
PID 2812 wrote to memory of 2572	2812	JaffaCakes118_35b9ec998fd52b4ffeacdc71d1bb134d.exe	33
PID 2812 wrote to memory of 2452	2812	JaffaCakes118_35b9ec998fd52b4ffeacdc71d1bb134d.exe	34
PID 2812 wrote to memory of 2452	2812	JaffaCakes118_35b9ec998fd52b4ffeacdc71d1bb134d.exe	34
PID 2812 wrote to memory of 2452	2812	JaffaCakes118_35b9ec998fd52b4ffeacdc71d1bb134d.exe	34
PID 2812 wrote to memory of 2452	2812	JaffaCakes118_35b9ec998fd52b4ffeacdc71d1bb134d.exe	34
PID 2812 wrote to memory of 2608	2812	JaffaCakes118_35b9ec998fd52b4ffeacdc71d1bb134d.exe	36
PID 2812 wrote to memory of 2608	2812	JaffaCakes118_35b9ec998fd52b4ffeacdc71d1bb134d.exe	36
PID 2812 wrote to memory of 2608	2812	JaffaCakes118_35b9ec998fd52b4ffeacdc71d1bb134d.exe	36
PID 2812 wrote to memory of 2608	2812	JaffaCakes118_35b9ec998fd52b4ffeacdc71d1bb134d.exe	36
PID 2568 wrote to memory of 1364	2568	cmd.exe	37
PID 2568 wrote to memory of 1364	2568	cmd.exe	37
PID 2568 wrote to memory of 1364	2568	cmd.exe	37
PID 2568 wrote to memory of 1364	2568	cmd.exe	37
PID 2648 wrote to memory of 2900	2648	cmd.exe	38
PID 2648 wrote to memory of 2900	2648	cmd.exe	38
PID 2648 wrote to memory of 2900	2648	cmd.exe	38
PID 2648 wrote to memory of 2900	2648	cmd.exe	38
PID 2900 wrote to memory of 2052	2900	cmd.exe	39
PID 2900 wrote to memory of 2052	2900	cmd.exe	39
PID 2900 wrote to memory of 2052	2900	cmd.exe	39
PID 2900 wrote to memory of 2052	2900	cmd.exe	39
PID 2452 wrote to memory of 2084	2452	cmd.exe	40
PID 2452 wrote to memory of 2084	2452	cmd.exe	40
PID 2452 wrote to memory of 2084	2452	cmd.exe	40
PID 2452 wrote to memory of 2084	2452	cmd.exe	40
PID 1364 wrote to memory of 2208	1364	cmd.exe	41
PID 1364 wrote to memory of 2208	1364	cmd.exe	41
PID 1364 wrote to memory of 2208	1364	cmd.exe	41
PID 1364 wrote to memory of 2208	1364	cmd.exe	41
PID 2084 wrote to memory of 2204	2084	cmd.exe	42
PID 2084 wrote to memory of 2204	2084	cmd.exe	42
PID 2084 wrote to memory of 2204	2084	cmd.exe	42
PID 2084 wrote to memory of 2204	2084	cmd.exe	42
PID 2572 wrote to memory of 776	2572	P®OßOT™.EXE	43
PID 2572 wrote to memory of 776	2572	P®OßOT™.EXE	43
PID 2572 wrote to memory of 776	2572	P®OßOT™.EXE	43
PID 2572 wrote to memory of 776	2572	P®OßOT™.EXE	43
PID 776 wrote to memory of 1792	776	P®oßot™.exe	44
PID 776 wrote to memory of 1792	776	P®oßot™.exe	44
PID 776 wrote to memory of 1792	776	P®oßot™.exe	44
PID 776 wrote to memory of 1792	776	P®oßot™.exe	44
PID 776 wrote to memory of 1792	776	P®oßot™.exe	44
PID 776 wrote to memory of 1792	776	P®oßot™.exe	44
PID 776 wrote to memory of 1792	776	P®oßot™.exe	44
PID 776 wrote to memory of 1028	776	P®oßot™.exe	45
PID 776 wrote to memory of 1028	776	P®oßot™.exe	45
PID 776 wrote to memory of 1028	776	P®oßot™.exe	45
PID 776 wrote to memory of 1028	776	P®oßot™.exe	45
PID 776 wrote to memory of 1028	776	P®oßot™.exe	45
PID 776 wrote to memory of 1028	776	P®oßot™.exe	45
PID 776 wrote to memory of 1028	776	P®oßot™.exe	45
PID 776 wrote to memory of 1592	776	P®oßot™.exe	46
PID 776 wrote to memory of 1592	776	P®oßot™.exe	46

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_35b9ec998fd52b4ffeacdc71d1bb134d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_35b9ec998fd52b4ffeacdc71d1bb134d.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\syscheck.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\syscheck.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2208
- C:\Users\Admin\AppData\Roaming\P®OßOT™.EXE
  "C:\Users\Admin\AppData\Roaming\P®OßOT™.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\system\P®oßot™.exe
    C:\Windows\system\P®oßot™.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:776
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s TABCTL32.OCX
      4⤵
      System Location Discovery: System Language Discovery
      PID:1792
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s MSINET.OCX
      4⤵
      System Location Discovery: System Language Discovery
      PID:1028
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe /s MSWINSCK.OCX
      4⤵
      System Location Discovery: System Language Discovery
      PID:1592
- - C:\Windows\system\Install.exe
    C:\Windows\system\Install.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:1012
  - - C:\Windows\SysWOW64\28463\EGBE.exe
      "C:\Windows\system32\28463\EGBE.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2348
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\syscheck.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V rundll /D "\"C:\Users\Admin\AppData\Roaming\rundll.exe \"" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2204
- C:\Users\Admin\AppData\Roaming\RUNDLL.EXE
  "C:\Users\Admin\AppData\Roaming\RUNDLL.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\syscheck.bat

Filesize
150B

MD5
1265b09eaea9e3c69fe1f6a4e8b00e6e

SHA1
44face1bde83d56e9d8906c6661a7fae05e330c6

SHA256
9f67284e85933ba4412c4ab49c0638af67b6ee4db37f7c8d91bff97823dc6068

SHA512
30574540682fb600fba844cf1e9b11205c3ac2eb64cfc661a07b8782938715ca4ccdd3ec5fcd2c0f18e34f2678c374adeca6f180ba792ce36826940b7188a57a

Download Submit
C:\Users\Admin\AppData\Roaming\P®OßOT™.exe

Filesize
895KB

MD5
37f0d5b41679b7cf9d488f857c5d2895

SHA1
8a2e857bc69977321375b4992937865a226b6858

SHA256
db8e5c5ece4dff522a1c89e669ebac40686856f2429745ab1c0bad8493325599

SHA512
5c33e600435c138af0169e123b646004c5efd93229dde9c5abcbe2409e23b4c46465d7a0d4f282caccd0cc88942b9f7c62578d69054da7a72791181b5e2660eb

Download Submit
C:\Users\Admin\AppData\Roaming\rundll.exe

Filesize
596KB

MD5
9df6bb3812221a1537b779eaf8378c0b

SHA1
a4548e13d0874fc7b408f28b2138979e8123f8dc

SHA256
bb1da669d97dfbc4dfdada3f8e79643f68ecf5317fe7006b9d739691bf411166

SHA512
baf64ce867039ccf7e3a6e21559daf5153671ba81059ccff3b909610a285d73e6ea9320c688cddc84314142e5e2875d069f4c0cb0f6cd42436f7fba2b30a8cf2

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
bf3f029b48698972471caaa7e9cea759

SHA1
304ef8b5c72bf95e5d3efa18e5587c6d9cacfd15

SHA256
2f55fb7d6318f940c208276c25d63d7a7a8406da1c82f51305f1ce6381ac1aa5

SHA512
0fcc2c42ba1cf816152f1e116789c615956024b58a06a985c79ac9b71fa10dc232a5c4210f18f4d3a70730454cbdc2b3da56d24e4da207d58ce2446424b68d00

Download Submit
C:\Windows\SysWOW64\28463\EGBE.001

Filesize
444B

MD5
ec90328732d806928db4a781505b1772

SHA1
0e3f49648654990e0d358431b31cb291da970398

SHA256
1915e182924731fc8a2f337e1bd3857e1d765b6f2c9bb829f8b6fe934d51d6d9

SHA512
789731e6225f0484739328524c6fcf1015e289f09a141952b1a4792e95fa60aab9e09acafc4ffc34b3298b5c744fb5363aa1c7da96a30d43fb9d71319b10e1b6

Download Submit
C:\Windows\SysWOW64\28463\EGBE.006

Filesize
8KB

MD5
5153b016d36928c296131c5c8e669446

SHA1
c444f61a2dc49ede6a2325f26d76af66de5989d2

SHA256
4c52ec0d5d4cad21ed134af76f64c3cb44b826594641f44487e4625f5bc96f59

SHA512
c9084ff30f1f023b1f9cd00dc66cdbf846e95993093163c3e71a13535ccfc79d59be5b28a78ccfa6b0a82389b08b157676d71a9ccca2c170369080feac386f09

Download Submit
C:\Windows\SysWOW64\28463\EGBE.007

Filesize
5KB

MD5
80bbc7ace13d97396bd7b1abbaf4008b

SHA1
d013c0def603915675b1e0ce5877d413cdaf6523

SHA256
18dbfb27d4b10501e8426db1a78df8247f6570656d183f78b061d7db4c7865ae

SHA512
bc7afd0e730f432852d374812827077574181928aa97c25d8170ce1b766677383360bf2bb21afc51e8168eb3f6539ce8499c4002d86190f27d4836da3f907919

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
105B

MD5
27c90d4d9b049f4cd00f32ed1d2e5baf

SHA1
338a3ea8f1e929d8916ece9b6e91e697eb562550

SHA256
172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb

SHA512
d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae

Download Submit
\Users\Admin\AppData\Local\Temp\@F872.tmp

Filesize
4KB

MD5
557e0039dc13a0453af7ca9373a0d301

SHA1
50efb19b1b1eddd10ddb4c2ff23d18cccba92dfe

SHA256
54850e4c8644c042b15dab73a15135105ff84a240d26d1476c8b80d176a341fc

SHA512
d96fdc89ddbcd8459966c9548d3243a0fa319f8be2f418b4e17f313fb3f86d32dd7f254a035641f35e35ed849832773c0d1fe34ff362761309c64e959c025a98

Download Submit
\Users\Admin\AppData\Roaming\ntldr.dll

Filesize
417KB

MD5
e2b7786a6f66cdff399e0ab0c7a2bb3c

SHA1
ebf01463a279bed4da2d77e37cef3b4f54a90318

SHA256
7c1b080ad1eea14bdf2a8324b85c86cc98d8371b86a0079b52e87294f75751bf

SHA512
e169a369af1df7e7e5083d37eb6e4f156d70aaca8f1946412c46f26d07126998c71c1e5d8250a0d591a5cf05dd881875fec2660f73bd1fe9ab34c7ab2846daf1

Download Submit
\Windows\SysWOW64\28463\EGBE.exe

Filesize
648KB

MD5
5530832fa82582288ce640f73a4915a0

SHA1
c40673ed59a61dd3b39f8ed6d0e1345838d98e44

SHA256
6f7daff3caf7f24a00e08e4ed414b4d23e13d2cac4657ad7a071d9cbeb42cb88

SHA512
ee2a2dc3c85a13b39f15a276f842afab8d341aacb457c1750b8bf0fa46b03a3bfabeff5be6439f3edf2c428d504ecabf07a399ebbdb09a75693309b55903775c

Download Submit
\Windows\system\Install.exe

Filesize
785KB

MD5
47a9a19c2b673867a3ad2518e09b9a12

SHA1
0f9c631eed1495fd510448381ff21c91505bac6f

SHA256
dddb5e3c08d8d1547dea9a9213d4ea7a05f4a6fa27119e681baac062563c8f93

SHA512
b87d7426ae12ededb615bb0654b59c37b2ae5df1bdf578cafdeccf6623ce62d0e9543f7dacc46c6c227dc6738a0df957d0f4004e4305f28ab8a09c1a697ec40c

Download Submit
\Windows\system\P®oßot™.exe

Filesize
78KB

MD5
13ef400e4c4c93cca3e7f03ce713a2ba

SHA1
bb773488ce128bc95607df5f6521c68908a38e43

SHA256
1bbf69b51ae2dce863dccfe00a283b74c10d3d5e62416a1cd621dd66f9868288

SHA512
13d4067adfc9c43df8dd60b82b4ef15fd27eb030c1d4d53fe53aa3b74a8e3a73a21cc79956d50ef7e7cdf6424cb18bb196caaeb166373bc266662a776baf5ea0

Download Submit
memory/776-115-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/776-69-0x0000000002730000-0x000000000279E000-memory.dmp

Filesize
440KB

Download
memory/776-63-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/776-114-0x0000000002730000-0x000000000279E000-memory.dmp

Filesize
440KB

Download
memory/1012-89-0x0000000002910000-0x00000000029EF000-memory.dmp

Filesize
892KB

Download
memory/2348-108-0x0000000004D60000-0x0000000004DCE000-memory.dmp

Filesize
440KB

Download
memory/2348-116-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2348-98-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2348-99-0x0000000000300000-0x00000000003DF000-memory.dmp

Filesize
892KB

Download
memory/2348-97-0x0000000000300000-0x00000000003DF000-memory.dmp

Filesize
892KB

Download
memory/2348-131-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2348-120-0x0000000004D60000-0x0000000004DCE000-memory.dmp

Filesize
440KB

Download
memory/2572-56-0x0000000002020000-0x0000000002094000-memory.dmp

Filesize
464KB

Download
memory/2572-61-0x0000000002020000-0x0000000002094000-memory.dmp

Filesize
464KB

Download
memory/2608-49-0x0000000000220000-0x000000000028E000-memory.dmp

Filesize
440KB

Download
memory/2608-118-0x0000000000220000-0x000000000028E000-memory.dmp

Filesize
440KB

Download
memory/2608-117-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2608-121-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2812-44-0x0000000000400000-0x0000000000654000-memory.dmp

Filesize
2.3MB

Download
memory/2812-1-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download