ardamax | 4427053e2df1e1c9cb7ef7b3131c097d2676d279805c9e620053d19efe1c6469

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2022 09:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4427053e2df1e1c9cb7ef7b3131c097d2676d279805c9e620053d19efe1c6469.exe
Size

785KB
MD5

67904ceebc2d60baafb73f3c119e9be1
SHA1

b85396b8a67fb469fa001a1070bbb0ba90f9607e
SHA256

4427053e2df1e1c9cb7ef7b3131c097d2676d279805c9e620053d19efe1c6469
SHA512

b0c58bd6e94b444714b64b667a7342800c06d188c20f627acbc33ef5531baec0e3c6b3cf5a3c102b0f2be1fdb5661a7418407f7a4d18f746d04bf830c463cafe
SSDEEP

12288:JEXQ9t3S0sq3tz4ekl996E4iISTf9i4eQoEpTHbUERQziIvBo+dC6F8APV0lJqjC:kCt3XER99lf6QoEp7bKznBvM6v+lY2

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 2 IoCs

Processes:

resource	yara_rule
C:\Windows\SysWOW64\28463\TRSN.exe	family_ardamax
C:\Windows\SysWOW64\28463\TRSN.exe	family_ardamax

Executes dropped EXE 1 IoCs

Processes:

TRSN.exe

pid process

2556 TRSN.exe

pid	process
2556	TRSN.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4427053e2df1e1c9cb7ef7b3131c097d2676d279805c9e620053d19efe1c6469.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	4427053e2df1e1c9cb7ef7b3131c097d2676d279805c9e620053d19efe1c6469.exe

Loads dropped DLL 4 IoCs

Processes:

4427053e2df1e1c9cb7ef7b3131c097d2676d279805c9e620053d19efe1c6469.exeTRSN.exe

pid process

3592 4427053e2df1e1c9cb7ef7b3131c097d2676d279805c9e620053d19efe1c6469.exe
2556 TRSN.exe
2556 TRSN.exe
2556 TRSN.exe

pid	process
3592	4427053e2df1e1c9cb7ef7b3131c097d2676d279805c9e620053d19efe1c6469.exe
2556	TRSN.exe
2556	TRSN.exe
2556	TRSN.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

TRSN.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	TRSN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TRSN Agent = "C:\\Windows\\SysWOW64\\28463\\TRSN.exe"	TRSN.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 9 IoCs

Processes:

TRSN.exe4427053e2df1e1c9cb7ef7b3131c097d2676d279805c9e620053d19efe1c6469.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\28463	TRSN.exe
File opened for modification	C:\Windows\SysWOW64\28463\TRSN.009	TRSN.exe
File created	C:\Windows\SysWOW64\28463\TRSN.006	4427053e2df1e1c9cb7ef7b3131c097d2676d279805c9e620053d19efe1c6469.exe
File created	C:\Windows\SysWOW64\28463\TRSN.007	4427053e2df1e1c9cb7ef7b3131c097d2676d279805c9e620053d19efe1c6469.exe
File created	C:\Windows\SysWOW64\28463\TRSN.exe	4427053e2df1e1c9cb7ef7b3131c097d2676d279805c9e620053d19efe1c6469.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	4427053e2df1e1c9cb7ef7b3131c097d2676d279805c9e620053d19efe1c6469.exe
File created	C:\Windows\SysWOW64\28463\TRSN.001	4427053e2df1e1c9cb7ef7b3131c097d2676d279805c9e620053d19efe1c6469.exe
File created	C:\Windows\SysWOW64\28463\key.bin	4427053e2df1e1c9cb7ef7b3131c097d2676d279805c9e620053d19efe1c6469.exe
File created	C:\Windows\SysWOW64\28463\TRSN.009	TRSN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 37 IoCs

Processes:

TRSN.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD33560F-7BEA-4444-BDAD-EDF288CE4513}\Version\ = "1.0"	TRSN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD33560F-7BEA-4444-BDAD-EDF288CE4513}	TRSN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{47BC5709-26EA-C849-84C8-69A6A071472E}\1.0\ = "Genesis Teletext Server 1.0 Type Library"	TRSN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{47BC5709-26EA-C849-84C8-69A6A071472E}\1.0\0\	TRSN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD33560F-7BEA-4444-BDAD-EDF288CE4513}\TypeLib\	TRSN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD33560F-7BEA-4444-BDAD-EDF288CE4513}\Programmable\	TRSN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD33560F-7BEA-4444-BDAD-EDF288CE4513}\TypeLib	TRSN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD33560F-7BEA-4444-BDAD-EDF288CE4513}\TypeLib\ = "{47BC5709-26EA-C849-84C8-69A6A071472E}"	TRSN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{47BC5709-26EA-C849-84C8-69A6A071472E}\1.0\FLAGS\ = "0"	TRSN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD33560F-7BEA-4444-BDAD-EDF288CE4513}\Version\	TRSN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD33560F-7BEA-4444-BDAD-EDF288CE4513}\InprocServer32\	TRSN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD33560F-7BEA-4444-BDAD-EDF288CE4513}\ProgID\	TRSN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{47BC5709-26EA-C849-84C8-69A6A071472E}\1.0\0	TRSN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{47BC5709-26EA-C849-84C8-69A6A071472E}\1.0\FLAGS	TRSN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{47BC5709-26EA-C849-84C8-69A6A071472E}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	TRSN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD33560F-7BEA-4444-BDAD-EDF288CE4513}\VersionIndependentProgID\	TRSN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD33560F-7BEA-4444-BDAD-EDF288CE4513}\Control\	TRSN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD33560F-7BEA-4444-BDAD-EDF288CE4513}\InprocServer32	TRSN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{47BC5709-26EA-C849-84C8-69A6A071472E}\1.0	TRSN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{47BC5709-26EA-C849-84C8-69A6A071472E}\1.0\0\win32\	TRSN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{47BC5709-26EA-C849-84C8-69A6A071472E}\	TRSN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{47BC5709-26EA-C849-84C8-69A6A071472E}\1.0\FLAGS\	TRSN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{47BC5709-26EA-C849-84C8-69A6A071472E}\1.0\HELPDIR	TRSN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{47BC5709-26EA-C849-84C8-69A6A071472E}\1.0\HELPDIR\	TRSN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD33560F-7BEA-4444-BDAD-EDF288CE4513}\InprocServer32\ = "C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesX86\\Microsoft Office\\Office16\\Interceptor.dll"	TRSN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD33560F-7BEA-4444-BDAD-EDF288CE4513}\ProgID	TRSN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD33560F-7BEA-4444-BDAD-EDF288CE4513}\ProgID\ = "CommunicatorMeetingJoinAx.JoinManager.2"	TRSN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD33560F-7BEA-4444-BDAD-EDF288CE4513}\Programmable	TRSN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD33560F-7BEA-4444-BDAD-EDF288CE4513}\VersionIndependentProgID	TRSN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD33560F-7BEA-4444-BDAD-EDF288CE4513}\VersionIndependentProgID\ = "CommunicatorMeetingJoinAx.JoinManager"	TRSN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{47BC5709-26EA-C849-84C8-69A6A071472E}\1.0\	TRSN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{47BC5709-26EA-C849-84C8-69A6A071472E}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\WSTPager.ax"	TRSN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD33560F-7BEA-4444-BDAD-EDF288CE4513}\ = "Eboja Lotalo Qodefcax class"	TRSN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD33560F-7BEA-4444-BDAD-EDF288CE4513}\Control	TRSN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{47BC5709-26EA-C849-84C8-69A6A071472E}	TRSN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{47BC5709-26EA-C849-84C8-69A6A071472E}\1.0\0\win32	TRSN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AD33560F-7BEA-4444-BDAD-EDF288CE4513}\Version	TRSN.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

TRSN.exe

description pid process

Token: 33 2556 TRSN.exe
Token: SeIncBasePriorityPrivilege 2556 TRSN.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

TRSN.exe

pid process

2556 TRSN.exe
2556 TRSN.exe
2556 TRSN.exe
2556 TRSN.exe
2556 TRSN.exe

description	pid	process
Token: 33	2556	TRSN.exe
Token: SeIncBasePriorityPrivilege	2556	TRSN.exe

pid	process
2556	TRSN.exe
2556	TRSN.exe
2556	TRSN.exe
2556	TRSN.exe
2556	TRSN.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

4427053e2df1e1c9cb7ef7b3131c097d2676d279805c9e620053d19efe1c6469.exe

description	pid	process	target process
PID 3592 wrote to memory of 2556	3592	4427053e2df1e1c9cb7ef7b3131c097d2676d279805c9e620053d19efe1c6469.exe	TRSN.exe
PID 3592 wrote to memory of 2556	3592	4427053e2df1e1c9cb7ef7b3131c097d2676d279805c9e620053d19efe1c6469.exe	TRSN.exe
PID 3592 wrote to memory of 2556	3592	4427053e2df1e1c9cb7ef7b3131c097d2676d279805c9e620053d19efe1c6469.exe	TRSN.exe

C:\Users\Admin\AppData\Local\Temp\4427053e2df1e1c9cb7ef7b3131c097d2676d279805c9e620053d19efe1c6469.exe
"C:\Users\Admin\AppData\Local\Temp\4427053e2df1e1c9cb7ef7b3131c097d2676d279805c9e620053d19efe1c6469.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\SysWOW64\28463\TRSN.exe
"C:\Windows\system32\28463\TRSN.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@E2C3.tmp
Filesize
4KB

MD5
ccf39f70a662f70e7cae4cfc81255c44

SHA1
00177d41252c2a5322be8e54567a845217072e2c

SHA256
4c9cca81f2f2d91b636c0ec747e96821749788368c48981bf04accfeb5c2e5d0

SHA512
2cc006d3bd6af737f31707b457caaa267ee1361cfd0afab0be8b74be8587d02b20909962d138e137fe79252e0d112bd3be091a98ba50863520b5bbf21bb9501d

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe
Filesize
457KB

MD5
828586f5f9fd7e6bd99401fe7cece954

SHA1
8eb70f4af2cec3c3dd3ec1491913369e99b7b874

SHA256
02b8379b1838ea70f7f17e0785aaaedb7c721d9b6e262577723bba9492748d0c

SHA512
16b64be59cf9ae403fb3b7e1fc8da98cb2a5db84aef0e352910172796ecf96dcf86a7e16afe78fa7e22b7b6948e8a1fa027da7161d5a0ad98e76175d764ed6a7

Download Submit
C:\Windows\SysWOW64\28463\TRSN.001
Filesize
488B

MD5
c16f32e8851d1934a18b4650c3e7bd37

SHA1
3fa36e14ad3a0cfde4505377f669bd0955711ab6

SHA256
7790e231564be65367df557a7613f104b0be952b5fa2b29757102e534926554a

SHA512
af15700df3fef6ab8ba29fbc65a0cde90db30f43033643a8647514cf05c4eeba170a0815b3134892fab839e20e8dd8f5f7a3664de851ab090985f1aced73e868

Download Submit
C:\Windows\SysWOW64\28463\TRSN.006
Filesize
8KB

MD5
69db8c925f2dd8136d956a086ed1ee41

SHA1
9d0f653cc7ab881eb45fe93490a9c096f2dec6cf

SHA256
984da5476c2c69a779bc99d0901569347cc605a36499e2284706cda3ed6e13f3

SHA512
fa5cedd539dca3631511488aea8bcb7821db1d53452c1b61ee663cb5700bb9919b092593a7f5eb7a3c3a75f801b2980f817de4a66bf8aa51093ced4b30ffd068

Download Submit
C:\Windows\SysWOW64\28463\TRSN.006
Filesize
8KB

MD5
69db8c925f2dd8136d956a086ed1ee41

SHA1
9d0f653cc7ab881eb45fe93490a9c096f2dec6cf

SHA256
984da5476c2c69a779bc99d0901569347cc605a36499e2284706cda3ed6e13f3

SHA512
fa5cedd539dca3631511488aea8bcb7821db1d53452c1b61ee663cb5700bb9919b092593a7f5eb7a3c3a75f801b2980f817de4a66bf8aa51093ced4b30ffd068

Download Submit
C:\Windows\SysWOW64\28463\TRSN.007
Filesize
5KB

MD5
9e9da4c851850726c789bb4b94a41bb3

SHA1
1e2fd71f1d1a3ac15d3c820d8459635cd775cf24

SHA256
94f6502a4e94de0301ae07befd63767a4de35d9b2d2d00687a3130e883ab1963

SHA512
4c60e951056c5773d769a9c88245fc4a597949deb72a1a7546991488e85ffc4ff2a34840ad227595bcdc105cf187207721b57c457ac832ee0159dd0e1d9be063

Download Submit
C:\Windows\SysWOW64\28463\TRSN.007
Filesize
5KB

MD5
9e9da4c851850726c789bb4b94a41bb3

SHA1
1e2fd71f1d1a3ac15d3c820d8459635cd775cf24

SHA256
94f6502a4e94de0301ae07befd63767a4de35d9b2d2d00687a3130e883ab1963

SHA512
4c60e951056c5773d769a9c88245fc4a597949deb72a1a7546991488e85ffc4ff2a34840ad227595bcdc105cf187207721b57c457ac832ee0159dd0e1d9be063

Download Submit
C:\Windows\SysWOW64\28463\TRSN.007
Filesize
5KB

MD5
9e9da4c851850726c789bb4b94a41bb3

SHA1
1e2fd71f1d1a3ac15d3c820d8459635cd775cf24

SHA256
94f6502a4e94de0301ae07befd63767a4de35d9b2d2d00687a3130e883ab1963

SHA512
4c60e951056c5773d769a9c88245fc4a597949deb72a1a7546991488e85ffc4ff2a34840ad227595bcdc105cf187207721b57c457ac832ee0159dd0e1d9be063

Download Submit
C:\Windows\SysWOW64\28463\TRSN.exe
Filesize
648KB

MD5
c5ca2c96edc99cf9edf0f861d784209a

SHA1
6cb654b3eb20c85224a4849c4cc30012cabbdbaa

SHA256
0ca27dfe22971bfb19c7f3d6fe03cd398816a88fc50943ba9821fa6b91be7807

SHA512
aeb36bbbf68c7b733ddd856f8f0cdd9548ff597843a22611757c98f69a589035410fecfa692bb83c740823ddae6432d3be5cb66f4309a9d0f5fedeb7b017ff36

Download Submit
C:\Windows\SysWOW64\28463\TRSN.exe
Filesize
648KB

MD5
c5ca2c96edc99cf9edf0f861d784209a

SHA1
6cb654b3eb20c85224a4849c4cc30012cabbdbaa

SHA256
0ca27dfe22971bfb19c7f3d6fe03cd398816a88fc50943ba9821fa6b91be7807

SHA512
aeb36bbbf68c7b733ddd856f8f0cdd9548ff597843a22611757c98f69a589035410fecfa692bb83c740823ddae6432d3be5cb66f4309a9d0f5fedeb7b017ff36

Download Submit
C:\Windows\SysWOW64\28463\key.bin
Filesize
106B

MD5
639d75ab6799987dff4f0cf79fa70c76

SHA1
be2678476d07f78bb81e8813c9ee2bfff7cc7efb

SHA256
fc42ab050ffdfed8c8c7aac6d7e4a7cad4696218433f7ca327bcfdf9f318ac98

SHA512
4b511d0330d7204af948ce7b15615d745e8d4ea0a73bbece4e00fb23ba2635dd99e4fa54a76236d6f74bdbcdba57d32fd4c36b608d52628e72d11d5ed6f8cde2

Download Submit
memory/2556-137-0x0000000002300000-0x000000000235A000-memory.dmp

Filesize
360KB

Download
memory/2556-139-0x0000000003310000-0x0000000003313000-memory.dmp

Filesize
12KB

Download
memory/2556-136-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2556-133-0x0000000000000000-mapping.dmp

Download
memory/2556-147-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2556-148-0x0000000002300000-0x000000000235A000-memory.dmp

Filesize
360KB

Download