ardamax | 61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4.exe
Size

505KB
MD5

e07b9e9eabe0c861ceead05b4d3c393c
SHA1

4552983c9df2cbb4aa31d878da3b1ab3ee428aca
SHA256

61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4
SHA512

07109101aea1b3217776e08210c7333a7b4d283cf2d434060dae593a8b82e9457a33a7ee87e817ac7ed8298eb716abbf0a01f8ad53f5a6eac2faf6bcac4d02be

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax Main Executable 4 IoCs

Processes:

resource	yara_rule
\Windows\SysWOW64\28463\AWJH.exe	family_ardamax
\Windows\SysWOW64\28463\AWJH.exe	family_ardamax
C:\Windows\SysWOW64\28463\AWJH.exe	family_ardamax
C:\Windows\SysWOW64\28463\AWJH.exe	family_ardamax

Executes dropped EXE 1 IoCs

Processes:

AWJH.exe

pid process

1252 AWJH.exe

pid	process
1252	AWJH.exe

Loads dropped DLL 5 IoCs

Processes:

61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4.exeAWJH.exe

pid	process
1032	61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4.exe
1032	61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4.exe
1032	61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4.exe
1252	AWJH.exe
1252	AWJH.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

AWJH.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	AWJH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AWJH Agent = "C:\\Windows\\SysWOW64\\28463\\AWJH.exe"	AWJH.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

Processes:

61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4.exeAWJH.exe

description	ioc	process
File created	C:\Windows\SysWOW64\28463\AWJH.001	61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4.exe
File created	C:\Windows\SysWOW64\28463\AWJH.006	61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4.exe
File created	C:\Windows\SysWOW64\28463\AWJH.007	61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4.exe
File created	C:\Windows\SysWOW64\28463\AWJH.exe	61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4.exe
File opened for modification	C:\Windows\SysWOW64\28463	AWJH.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AWJH.exe

description pid process

Token: 33 1252 AWJH.exe
Token: SeIncBasePriorityPrivilege 1252 AWJH.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

AWJH.exe

pid process

1252 AWJH.exe
1252 AWJH.exe
1252 AWJH.exe
1252 AWJH.exe
1252 AWJH.exe

description	pid	process
Token: 33	1252	AWJH.exe
Token: SeIncBasePriorityPrivilege	1252	AWJH.exe

pid	process
1252	AWJH.exe
1252	AWJH.exe
1252	AWJH.exe
1252	AWJH.exe
1252	AWJH.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4.exe

description	pid	process	target process
PID 1032 wrote to memory of 1252	1032	61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4.exe	AWJH.exe
PID 1032 wrote to memory of 1252	1032	61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4.exe	AWJH.exe
PID 1032 wrote to memory of 1252	1032	61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4.exe	AWJH.exe
PID 1032 wrote to memory of 1252	1032	61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4.exe	AWJH.exe

C:\Users\Admin\AppData\Local\Temp\61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4.exe
"C:\Users\Admin\AppData\Local\Temp\61623465831d4202e1c43e8b8180fa407fdea91c7826302ccae4216f07d7a0a4.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\28463\AWJH.exe
"C:\Windows\system32\28463\AWJH.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1252

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\28463\AKV.exe
Filesize
416KB

MD5
e0d6dcf917123c3b01804904afe14654

SHA1
559eec79c61aa1a9cbbb95ca509bad9f9fad226a

SHA256
afd6d7abbe378994509913652c26b97711818dcde1bc620ca37210abed502653

SHA512
c36907bf0ea2df54785fe94123996ce2c0ddaf1d27d624a25337850ca7f71d61831728e5dd25168c103e893d0f8a481700808f27b5cd3461c6431b6928820e90

Download Submit
C:\Windows\SysWOW64\28463\AWJH.001
Filesize
504B

MD5
013438f3f5e6d442068aa7351f966b34

SHA1
56e3b3cdb54c728c2f26cf1e6e138f3d5947a9bc

SHA256
93806b9e64ba253039e1d6021c5a98188ab2ccb060dd0b336e1c08491fc2840b

SHA512
7b4e60cf0b1dbdf9fed5928c5d9d44551f96f4a4401e6fd0595048ed5bd4556b22dc0cc3913d989bcbfc08c9ee0905c83b93cf8f66634a43e6109ac55d9e5d58

Download Submit
C:\Windows\SysWOW64\28463\AWJH.006
Filesize
8KB

MD5
315504430c5af82495fb4d568e3b4d68

SHA1
828f9aafc692ad9e14bb6c21e2375074a2d2f70a

SHA256
ae2ffedba57333a174c82ea96eb3138b87cda18c9a4d725576a49d1f0257a3a8

SHA512
3c4f5db37c5c69a323e5ca79d66dd064be51e66239fbd33d09d918ba509d1aa3d81ac2af8db06f36ea4ece8ce8e4b34da25e9abeff03256078e15e35f1136c94

Download Submit
C:\Windows\SysWOW64\28463\AWJH.007
Filesize
5KB

MD5
b6d72867826e2f2b65a429f47c7c9064

SHA1
2408cf4a32bfb17d0512e09d0371922069fc2eb2

SHA256
7680db19d355a0df6b28a75f01acda61084af247ebc73b4816668ff22c0c3017

SHA512
6bdfe3c06d1ea86f3f1167e5e71e78f951386ac54b9067da88811bc36e3cfe28b55647c81b7e80e770fae5a32fc48e384c4f112f8c6ae99211345830345b7234

Download Submit
C:\Windows\SysWOW64\28463\AWJH.exe
Filesize
540KB

MD5
dcf2ea033e19787b8d51f68906db222c

SHA1
cba5862bc65604ad41084ad1acee16748145bb44

SHA256
c551d2d7f4b20f04b48821c086fa75842f364e4910f5022e7179451913fadce3

SHA512
ab1e95de35d0ee841f8e204ec9b480cd9cabaa811139bbf770086f81add257c67d12e0c0ae12a47efd1c3ca6dc93ea26a1b17ad64283d84cb08901d44942c2be

Download Submit
C:\Windows\SysWOW64\28463\AWJH.exe
Filesize
540KB

MD5
dcf2ea033e19787b8d51f68906db222c

SHA1
cba5862bc65604ad41084ad1acee16748145bb44

SHA256
c551d2d7f4b20f04b48821c086fa75842f364e4910f5022e7179451913fadce3

SHA512
ab1e95de35d0ee841f8e204ec9b480cd9cabaa811139bbf770086f81add257c67d12e0c0ae12a47efd1c3ca6dc93ea26a1b17ad64283d84cb08901d44942c2be

Download Submit
\Users\Admin\AppData\Local\Temp\@E503.tmp
Filesize
4KB

MD5
cbfaf9948594946d4921a261fe5c3e40

SHA1
e4943ed1144bb62c1048852275a843af1b4970a6

SHA256
e257d3a598449605f269ace371b27c675466f6410efe12f4bab2ca38d24a0f4e

SHA512
9ee932f3de9e02245cef9d6df4d094a1bd9d4691d8ffe0d26b8983b427fa9a71fc14c3e56f5e1894c57a5734d1c42593ce5137f19c3d607afc2a3fcf7db5672d

Download Submit
\Windows\SysWOW64\28463\AWJH.006
Filesize
8KB

MD5
315504430c5af82495fb4d568e3b4d68

SHA1
828f9aafc692ad9e14bb6c21e2375074a2d2f70a

SHA256
ae2ffedba57333a174c82ea96eb3138b87cda18c9a4d725576a49d1f0257a3a8

SHA512
3c4f5db37c5c69a323e5ca79d66dd064be51e66239fbd33d09d918ba509d1aa3d81ac2af8db06f36ea4ece8ce8e4b34da25e9abeff03256078e15e35f1136c94

Download Submit
\Windows\SysWOW64\28463\AWJH.007
Filesize
5KB

MD5
b6d72867826e2f2b65a429f47c7c9064

SHA1
2408cf4a32bfb17d0512e09d0371922069fc2eb2

SHA256
7680db19d355a0df6b28a75f01acda61084af247ebc73b4816668ff22c0c3017

SHA512
6bdfe3c06d1ea86f3f1167e5e71e78f951386ac54b9067da88811bc36e3cfe28b55647c81b7e80e770fae5a32fc48e384c4f112f8c6ae99211345830345b7234

Download Submit
\Windows\SysWOW64\28463\AWJH.exe
Filesize
540KB

MD5
dcf2ea033e19787b8d51f68906db222c

SHA1
cba5862bc65604ad41084ad1acee16748145bb44

SHA256
c551d2d7f4b20f04b48821c086fa75842f364e4910f5022e7179451913fadce3

SHA512
ab1e95de35d0ee841f8e204ec9b480cd9cabaa811139bbf770086f81add257c67d12e0c0ae12a47efd1c3ca6dc93ea26a1b17ad64283d84cb08901d44942c2be

Download Submit
\Windows\SysWOW64\28463\AWJH.exe
Filesize
540KB

MD5
dcf2ea033e19787b8d51f68906db222c

SHA1
cba5862bc65604ad41084ad1acee16748145bb44

SHA256
c551d2d7f4b20f04b48821c086fa75842f364e4910f5022e7179451913fadce3

SHA512
ab1e95de35d0ee841f8e204ec9b480cd9cabaa811139bbf770086f81add257c67d12e0c0ae12a47efd1c3ca6dc93ea26a1b17ad64283d84cb08901d44942c2be

Download Submit
memory/1032-55-0x0000000075B71000-0x0000000075B73000-memory.dmp

Filesize
8KB

Download
memory/1252-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads