ardamax | 984747e714f009c5195c0d3616fe3b6714ab699bb9f71088f3d47b613c0a8bb2

General

Target

984747e714f009c5195c0d3616fe3b6714ab699bb9f71088f3d47b613c0a8bb2.exe
Size

2.0MB
MD5

6a75ea0dbf49a4dadf2382e1a9762551
SHA1

9ea6dc46a0a53fffd2ef04238ba9d89335f9e83d
SHA256

984747e714f009c5195c0d3616fe3b6714ab699bb9f71088f3d47b613c0a8bb2
SHA512

45c240ef654a9df0c1b7d286adb9d2a4f1aa84422c87db30a700fb10d45708cfea39f2117d66c56b577019e308cc3a2b5fbb05ddc1c1bbd8c538e967898a2687
SSDEEP

49152:OFjJQz8SII9SgBq5FHgRtrGu+7weKTUFFosE4:QjJQbugBq7Azrg8HUFFe

Score

10^/10

ardamax keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Executes dropped EXE 1 IoCs

Processes:

NCU.exe

pid process

1164 NCU.exe
Loads dropped DLL 2 IoCs

Processes:

984747e714f009c5195c0d3616fe3b6714ab699bb9f71088f3d47b613c0a8bb2.exeNCU.exe

pid process

1324 984747e714f009c5195c0d3616fe3b6714ab699bb9f71088f3d47b613c0a8bb2.exe
1164 NCU.exe

pid	process
1164	NCU.exe

pid	process
1324	984747e714f009c5195c0d3616fe3b6714ab699bb9f71088f3d47b613c0a8bb2.exe
1164	NCU.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

NCU.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NCU Start = "C:\\ProgramData\\PAJGTP\\NCU.exe"	NCU.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	NCU.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

NCU.exe

pid process

1164 NCU.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

NCU.exe

pid process

1164 NCU.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

NCU.exe

pid process

1164 NCU.exe
1164 NCU.exe
1164 NCU.exe
1164 NCU.exe

pid	process
1164	NCU.exe

pid	process
1164	NCU.exe

pid	process
1164	NCU.exe
1164	NCU.exe
1164	NCU.exe
1164	NCU.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

984747e714f009c5195c0d3616fe3b6714ab699bb9f71088f3d47b613c0a8bb2.exe

description	pid	process	target process
PID 1324 wrote to memory of 1164	1324	984747e714f009c5195c0d3616fe3b6714ab699bb9f71088f3d47b613c0a8bb2.exe	NCU.exe
PID 1324 wrote to memory of 1164	1324	984747e714f009c5195c0d3616fe3b6714ab699bb9f71088f3d47b613c0a8bb2.exe	NCU.exe
PID 1324 wrote to memory of 1164	1324	984747e714f009c5195c0d3616fe3b6714ab699bb9f71088f3d47b613c0a8bb2.exe	NCU.exe
PID 1324 wrote to memory of 1164	1324	984747e714f009c5195c0d3616fe3b6714ab699bb9f71088f3d47b613c0a8bb2.exe	NCU.exe

C:\Users\Admin\AppData\Local\Temp\984747e714f009c5195c0d3616fe3b6714ab699bb9f71088f3d47b613c0a8bb2.exe
"C:\Users\Admin\AppData\Local\Temp\984747e714f009c5195c0d3616fe3b6714ab699bb9f71088f3d47b613c0a8bb2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1324

C:\ProgramData\PAJGTP\NCU.exe
"C:\ProgramData\PAJGTP\NCU.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1164

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\PAJGTP\NCU.00
Filesize
2KB

MD5
3b37194e903e3fe224ce5a5dc0f72af9

SHA1
0129cc88149659e2668df0ccdc28f1e43b99fadd

SHA256
0f9ff4e5d261efb5fee2763efb421a7ec127efb534d2b1014074b5abe67dcf3b

SHA512
22c1344917d8e634662a33fbfdc3b46907ab00991d72abfa2ecae577d883ad72445448caecf2c5e1daf64f78981b9e47359d521c3d7ab087891b075ec1a0ea8e

Download Submit
C:\ProgramData\PAJGTP\NCU.01
Filesize
79KB

MD5
01e52cc38f3fe324a9e26ddb36dc89e5

SHA1
9fc3b353b776000a8b2716a39c43da886da58ab0

SHA256
aa9c651f1e5cc3f89b9279361702487765895df0620775d3243c66b2ce3692ad

SHA512
967f38d399c52792df6c36555402fcb95527b7f502476aedee9179c22fcc5a542dbc316ece4e278bacfa4d8ba6651b83467474b1f4491b83d2148951dea204b8

Download Submit
C:\ProgramData\PAJGTP\NCU.exe
Filesize
2.3MB

MD5
9dd994d5ee6dd09ab083d20d6c887db9

SHA1
d1d3df6b05ae948264adebf42e5d970f767f5761

SHA256
f196900c719e5b7a03705f53c2c996a8e768c690e7b4959e2e4fdf41b973c20d

SHA512
9284058162043d36f09b3e887a1ad36c4b364fb252575173c9ccf242179501f1f3c5919ad3e03d14097c96aa4d56566039f154ea3d933e37ff559c64975658f6

Download Submit
\ProgramData\PAJGTP\NCU.01
Filesize
79KB

MD5
01e52cc38f3fe324a9e26ddb36dc89e5

SHA1
9fc3b353b776000a8b2716a39c43da886da58ab0

SHA256
aa9c651f1e5cc3f89b9279361702487765895df0620775d3243c66b2ce3692ad

SHA512
967f38d399c52792df6c36555402fcb95527b7f502476aedee9179c22fcc5a542dbc316ece4e278bacfa4d8ba6651b83467474b1f4491b83d2148951dea204b8

Download Submit
\ProgramData\PAJGTP\NCU.exe
Filesize
2.3MB

MD5
9dd994d5ee6dd09ab083d20d6c887db9

SHA1
d1d3df6b05ae948264adebf42e5d970f767f5761

SHA256
f196900c719e5b7a03705f53c2c996a8e768c690e7b4959e2e4fdf41b973c20d

SHA512
9284058162043d36f09b3e887a1ad36c4b364fb252575173c9ccf242179501f1f3c5919ad3e03d14097c96aa4d56566039f154ea3d933e37ff559c64975658f6

Download Submit
memory/1164-56-0x0000000000000000-mapping.dmp

Download
memory/1164-63-0x0000000002480000-0x0000000002499000-memory.dmp

Filesize
100KB

Download
memory/1164-64-0x0000000002480000-0x0000000002499000-memory.dmp

Filesize
100KB

Download
memory/1324-54-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1324-59-0x00000000011A0000-0x000000000139A000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing