ardamax | a7d0ad00cf674af014f654e9c10452a1fa7a2673beebf9c4a50d700c64912ae1

General

Target

a7d0ad00cf674af014f654e9c10452a1fa7a2673beebf9c4a50d700c64912ae1.exe
Size

2.0MB
MD5

69adfc0b2b9af7ebd3f687cd6e01216f
SHA1

2a6a6d8301ac7e02f7036098b06796609894fdc2
SHA256

a7d0ad00cf674af014f654e9c10452a1fa7a2673beebf9c4a50d700c64912ae1
SHA512

7df1d6b790627f1feb8913abb27b45154e266cbbe18b53d5a380f6cd1687c41e26f3c0b506eff93226af14f53808534335d816e248ffa63c1115481329e1bcbf
SSDEEP

49152:JkR2Q4SuHEuRwT0RU2ILRU9JnOsmU+yWRw:RSqa69JnOsmU+bR

Score

10^/10

ardamax keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Executes dropped EXE 1 IoCs

Processes:

OAD.exe

pid process

1012 OAD.exe
Loads dropped DLL 2 IoCs

Processes:

a7d0ad00cf674af014f654e9c10452a1fa7a2673beebf9c4a50d700c64912ae1.exeOAD.exe

pid process

2028 a7d0ad00cf674af014f654e9c10452a1fa7a2673beebf9c4a50d700c64912ae1.exe
1012 OAD.exe

pid	process
1012	OAD.exe

pid	process
2028	a7d0ad00cf674af014f654e9c10452a1fa7a2673beebf9c4a50d700c64912ae1.exe
1012	OAD.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

OAD.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	OAD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OAD Start = "C:\\ProgramData\\NWHPQU\\OAD.exe"	OAD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

OAD.exe

pid process

1012 OAD.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OAD.exe

pid process

1012 OAD.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

OAD.exe

pid process

1012 OAD.exe
1012 OAD.exe
1012 OAD.exe
1012 OAD.exe
1012 OAD.exe

pid	process
1012	OAD.exe

pid	process
1012	OAD.exe

pid	process
1012	OAD.exe
1012	OAD.exe
1012	OAD.exe
1012	OAD.exe
1012	OAD.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

a7d0ad00cf674af014f654e9c10452a1fa7a2673beebf9c4a50d700c64912ae1.exe

description	pid	process	target process
PID 2028 wrote to memory of 1012	2028	a7d0ad00cf674af014f654e9c10452a1fa7a2673beebf9c4a50d700c64912ae1.exe	OAD.exe
PID 2028 wrote to memory of 1012	2028	a7d0ad00cf674af014f654e9c10452a1fa7a2673beebf9c4a50d700c64912ae1.exe	OAD.exe
PID 2028 wrote to memory of 1012	2028	a7d0ad00cf674af014f654e9c10452a1fa7a2673beebf9c4a50d700c64912ae1.exe	OAD.exe
PID 2028 wrote to memory of 1012	2028	a7d0ad00cf674af014f654e9c10452a1fa7a2673beebf9c4a50d700c64912ae1.exe	OAD.exe

C:\Users\Admin\AppData\Local\Temp\a7d0ad00cf674af014f654e9c10452a1fa7a2673beebf9c4a50d700c64912ae1.exe
"C:\Users\Admin\AppData\Local\Temp\a7d0ad00cf674af014f654e9c10452a1fa7a2673beebf9c4a50d700c64912ae1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028

C:\ProgramData\NWHPQU\OAD.exe
"C:\ProgramData\NWHPQU\OAD.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1012

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\NWHPQU\OAD.00
Filesize
2KB

MD5
6db4e712b1303e6f44ee5853458c2ecb

SHA1
7d4c75c754017df791f380c96d1128c1e348ba3d

SHA256
59897c00541624af593e53a1290d2c6718554d3cee9ab050ab0643cf3b7782cf

SHA512
1a54c30337bf7591dd16b4a8c003db01547077e463ceee4daaf51494544aceeb17cbdda12d20d96f73beb373b5750378987a928194964c088b2de87f3e378be6

Download Submit
C:\ProgramData\NWHPQU\OAD.01
Filesize
81KB

MD5
0402b2d80b4b60fff57d270f03160e0f

SHA1
9311e436ba9147f7976db3193831b049cd7769b8

SHA256
06cdf7f19f1766fd6118c3edc1ff658f135228d2106a7d83e2dba4ed52c9ef29

SHA512
f1bc9d39b978b1fb6d14466ba4b9ce4a18bbc8cbe98427ba1539362b3f3ee9add49788cf6c99aa4b0251911258173fefaee83399dc5af5623b0587356e23ed23

Download Submit
C:\ProgramData\NWHPQU\OAD.exe
Filesize
2.4MB

MD5
831663dde03a14a183c9670a92ac1fc1

SHA1
b63901a572c7ab77d69bf0ced7b7b8e98b90a3fe

SHA256
d3057290e218a6df2c4cfd00b8cd24912423d5a74d419d77504fdb2b49aed77b

SHA512
70b036f9f22835a45d61dcb24efafee580485eb9e8c75215cf8eb99d4100e3cacfdd9782027358abdc0d711adec939f7e139f3bc6981a905457663cf94a22f13

Download Submit
\ProgramData\NWHPQU\OAD.01
Filesize
81KB

MD5
0402b2d80b4b60fff57d270f03160e0f

SHA1
9311e436ba9147f7976db3193831b049cd7769b8

SHA256
06cdf7f19f1766fd6118c3edc1ff658f135228d2106a7d83e2dba4ed52c9ef29

SHA512
f1bc9d39b978b1fb6d14466ba4b9ce4a18bbc8cbe98427ba1539362b3f3ee9add49788cf6c99aa4b0251911258173fefaee83399dc5af5623b0587356e23ed23

Download Submit
\ProgramData\NWHPQU\OAD.exe
Filesize
2.4MB

MD5
831663dde03a14a183c9670a92ac1fc1

SHA1
b63901a572c7ab77d69bf0ced7b7b8e98b90a3fe

SHA256
d3057290e218a6df2c4cfd00b8cd24912423d5a74d419d77504fdb2b49aed77b

SHA512
70b036f9f22835a45d61dcb24efafee580485eb9e8c75215cf8eb99d4100e3cacfdd9782027358abdc0d711adec939f7e139f3bc6981a905457663cf94a22f13

Download Submit
memory/1012-56-0x0000000000000000-mapping.dmp

Download
memory/1012-63-0x0000000000750000-0x0000000000769000-memory.dmp

Filesize
100KB

Download
memory/1012-64-0x0000000000750000-0x0000000000769000-memory.dmp

Filesize
100KB

Download
memory/2028-54-0x00000000760B1000-0x00000000760B3000-memory.dmp

Filesize
8KB

Download
memory/2028-57-0x0000000000F80000-0x000000000118B000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing