ardamax | 0512890f624cc07b378c623aa4034c80f675c36c734658f838ed409f15129e74

Analysis

max time kernel
159s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0512890f624cc07b378c623aa4034c80f675c36c734658f838ed409f15129e74.exe
Size

4.3MB
MD5

b8092937a760b9f980ce16dd9ee3c30b
SHA1

38a791ed9f686be2f52af150068d559a0e20438c
SHA256

0512890f624cc07b378c623aa4034c80f675c36c734658f838ed409f15129e74
SHA512

5b108c82680f90bdb13302637121ead3dc695aa12cfe4601ebfe1fd22d1a7cfe5a8b115fbcc66c808b98533639153e2a344eb27f2c5b3cc539fab9d9c48fd07c
SSDEEP

98304:e2jdjPIfemO03apjas05xwgcTygnKyj/RFCpHkP:emytrsQbcu9yjpspE

Score

10^/10

ardamax keylogger persistence stealer upx

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Executes dropped EXE 2 IoCs

Processes:

KAJ.exeHack Boom V2.0.exe

pid process

3048 KAJ.exe
3320 Hack Boom V2.0.exe

pid	process
3048	KAJ.exe
3320	Hack Boom V2.0.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Hack Boom V2.0.exe	upx
C:\Users\Admin\AppData\Local\Temp\Hack Boom V2.0.exe	upx
behavioral2/memory/3320-142-0x0000000000400000-0x0000000000970000-memory.dmp	upx
behavioral2/memory/3320-153-0x0000000000400000-0x0000000000970000-memory.dmp	upx
behavioral2/memory/3320-154-0x0000000000400000-0x0000000000970000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0512890f624cc07b378c623aa4034c80f675c36c734658f838ed409f15129e74.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	0512890f624cc07b378c623aa4034c80f675c36c734658f838ed409f15129e74.exe

Loads dropped DLL 4 IoCs

Processes:

KAJ.exeHack Boom V2.0.exe

pid process

3048 KAJ.exe
3048 KAJ.exe
3320 Hack Boom V2.0.exe
3320 Hack Boom V2.0.exe

pid	process
3048	KAJ.exe
3048	KAJ.exe
3320	Hack Boom V2.0.exe
3320	Hack Boom V2.0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

KAJ.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	KAJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KAJ Start = "C:\\ProgramData\\YPNYTD\\KAJ.exe"	KAJ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

KAJ.exe

pid process

3048 KAJ.exe
3048 KAJ.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

KAJ.exe

pid process

3048 KAJ.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

KAJ.exe

pid process

3048 KAJ.exe
3048 KAJ.exe
3048 KAJ.exe
3048 KAJ.exe
3048 KAJ.exe

pid	process
3048	KAJ.exe
3048	KAJ.exe

pid	process
3048	KAJ.exe

pid	process
3048	KAJ.exe
3048	KAJ.exe
3048	KAJ.exe
3048	KAJ.exe
3048	KAJ.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

0512890f624cc07b378c623aa4034c80f675c36c734658f838ed409f15129e74.exe

description	pid	process	target process
PID 1668 wrote to memory of 3048	1668	0512890f624cc07b378c623aa4034c80f675c36c734658f838ed409f15129e74.exe	KAJ.exe
PID 1668 wrote to memory of 3048	1668	0512890f624cc07b378c623aa4034c80f675c36c734658f838ed409f15129e74.exe	KAJ.exe
PID 1668 wrote to memory of 3048	1668	0512890f624cc07b378c623aa4034c80f675c36c734658f838ed409f15129e74.exe	KAJ.exe
PID 1668 wrote to memory of 3320	1668	0512890f624cc07b378c623aa4034c80f675c36c734658f838ed409f15129e74.exe	Hack Boom V2.0.exe
PID 1668 wrote to memory of 3320	1668	0512890f624cc07b378c623aa4034c80f675c36c734658f838ed409f15129e74.exe	Hack Boom V2.0.exe
PID 1668 wrote to memory of 3320	1668	0512890f624cc07b378c623aa4034c80f675c36c734658f838ed409f15129e74.exe	Hack Boom V2.0.exe

C:\Users\Admin\AppData\Local\Temp\0512890f624cc07b378c623aa4034c80f675c36c734658f838ed409f15129e74.exe
"C:\Users\Admin\AppData\Local\Temp\0512890f624cc07b378c623aa4034c80f675c36c734658f838ed409f15129e74.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1668

C:\ProgramData\YPNYTD\KAJ.exe
"C:\ProgramData\YPNYTD\KAJ.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3048

C:\Users\Admin\AppData\Local\Temp\Hack Boom V2.0.exe
"C:\Users\Admin\AppData\Local\Temp\Hack Boom V2.0.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3320

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\YPNYTD\KAJ.00
Filesize
2KB

MD5
fc09febf80d872e78f0e9f79a750c7a9

SHA1
5911097c41bd4d5ce571c3ea4b3bb420df9019e6

SHA256
e3f249544a68f9b986f6699c004f8b83f0074e1459afc23b1729a6c541a395da

SHA512
3744aaf763e07ce9ecb599137bf0a12641d8b6e606494a8a5fcd29b81f0389fb7bdc29eecd330a5717ab68c690c8070fa4226ec011c02206c01dd84402f95405

Download Submit
C:\ProgramData\YPNYTD\KAJ.01
Filesize
80KB

MD5
937a093149c51e37a784741bf2ee79d5

SHA1
81d553d04fd0069a5d7b6e1ee924830bda1cbf6f

SHA256
65e993058050d1c65a9f6f4143e7b6eb9e8b6cfbad5092b358561810dc1a151e

SHA512
2df0ddcf606906ea1f2caf48fd1a045e58c69b8cd3627096a1ecca86911b6aa97ed04f4ccc8a10d53dd497a5ff01a6a2db4791f21b56c0ba6db6e9477df0f51e

Download Submit
C:\ProgramData\YPNYTD\KAJ.01
Filesize
80KB

MD5
937a093149c51e37a784741bf2ee79d5

SHA1
81d553d04fd0069a5d7b6e1ee924830bda1cbf6f

SHA256
65e993058050d1c65a9f6f4143e7b6eb9e8b6cfbad5092b358561810dc1a151e

SHA512
2df0ddcf606906ea1f2caf48fd1a045e58c69b8cd3627096a1ecca86911b6aa97ed04f4ccc8a10d53dd497a5ff01a6a2db4791f21b56c0ba6db6e9477df0f51e

Download Submit
C:\ProgramData\YPNYTD\KAJ.01
Filesize
80KB

MD5
937a093149c51e37a784741bf2ee79d5

SHA1
81d553d04fd0069a5d7b6e1ee924830bda1cbf6f

SHA256
65e993058050d1c65a9f6f4143e7b6eb9e8b6cfbad5092b358561810dc1a151e

SHA512
2df0ddcf606906ea1f2caf48fd1a045e58c69b8cd3627096a1ecca86911b6aa97ed04f4ccc8a10d53dd497a5ff01a6a2db4791f21b56c0ba6db6e9477df0f51e

Download Submit
C:\ProgramData\YPNYTD\KAJ.01
Filesize
80KB

MD5
937a093149c51e37a784741bf2ee79d5

SHA1
81d553d04fd0069a5d7b6e1ee924830bda1cbf6f

SHA256
65e993058050d1c65a9f6f4143e7b6eb9e8b6cfbad5092b358561810dc1a151e

SHA512
2df0ddcf606906ea1f2caf48fd1a045e58c69b8cd3627096a1ecca86911b6aa97ed04f4ccc8a10d53dd497a5ff01a6a2db4791f21b56c0ba6db6e9477df0f51e

Download Submit
C:\ProgramData\YPNYTD\KAJ.01
Filesize
80KB

MD5
937a093149c51e37a784741bf2ee79d5

SHA1
81d553d04fd0069a5d7b6e1ee924830bda1cbf6f

SHA256
65e993058050d1c65a9f6f4143e7b6eb9e8b6cfbad5092b358561810dc1a151e

SHA512
2df0ddcf606906ea1f2caf48fd1a045e58c69b8cd3627096a1ecca86911b6aa97ed04f4ccc8a10d53dd497a5ff01a6a2db4791f21b56c0ba6db6e9477df0f51e

Download Submit
C:\ProgramData\YPNYTD\KAJ.exe
Filesize
2.4MB

MD5
8369917bdbb08ed9084c0ee018084963

SHA1
4052f231e820dc7018326f0ad8022d549d0e73d5

SHA256
5f4928a65de5e4c9cd706074113a33a5f4a64d1888d8174acd228b2c349a46a5

SHA512
55b0307dae954c397ee3c11721715195a200205dc7e9593b13044502ba5618198b37327d57847e33cea17cf1d61cf8f961031fa13914f3fcc57c4b0ab887ea78

Download Submit
C:\ProgramData\YPNYTD\KAJ.exe
Filesize
2.4MB

MD5
8369917bdbb08ed9084c0ee018084963

SHA1
4052f231e820dc7018326f0ad8022d549d0e73d5

SHA256
5f4928a65de5e4c9cd706074113a33a5f4a64d1888d8174acd228b2c349a46a5

SHA512
55b0307dae954c397ee3c11721715195a200205dc7e9593b13044502ba5618198b37327d57847e33cea17cf1d61cf8f961031fa13914f3fcc57c4b0ab887ea78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hack Boom V2.0.exe
Filesize
2.0MB

MD5
7acb82ab3168ec3b696e3ad360b0d260

SHA1
fa52cbbb7fb5df5b18e43aa5440fd351705c484f

SHA256
1411c9fbad2d5efb025188cfd025b874612b8acf1c4247f25c2dd4c0d8443e0f

SHA512
352fc5d308c5568922171d4e2a880509aff4185753ad14484f5164ae799c44faa9f63ede7366a4a5931cf3f16902ee2a4b06c725c4253ad88af4ec64b13fe419

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hack Boom V2.0.exe
Filesize
2.0MB

MD5
7acb82ab3168ec3b696e3ad360b0d260

SHA1
fa52cbbb7fb5df5b18e43aa5440fd351705c484f

SHA256
1411c9fbad2d5efb025188cfd025b874612b8acf1c4247f25c2dd4c0d8443e0f

SHA512
352fc5d308c5568922171d4e2a880509aff4185753ad14484f5164ae799c44faa9f63ede7366a4a5931cf3f16902ee2a4b06c725c4253ad88af4ec64b13fe419

Download Submit
memory/1668-132-0x00000000002A0000-0x00000000006FD000-memory.dmp

Filesize
4.4MB

Download
memory/1668-140-0x00000000002A0000-0x00000000006FD000-memory.dmp

Filesize
4.4MB

Download
memory/3048-151-0x0000000000DA0000-0x0000000000DB9000-memory.dmp

Filesize
100KB

Download
memory/3048-133-0x0000000000000000-mapping.dmp

Download
memory/3048-146-0x0000000000DA1000-0x0000000000DB0000-memory.dmp

Filesize
60KB

Download
memory/3048-145-0x0000000000DA0000-0x0000000000DB9000-memory.dmp

Filesize
100KB

Download
memory/3320-149-0x00000000010E0000-0x00000000010F9000-memory.dmp

Filesize
100KB

Download
memory/3320-142-0x0000000000400000-0x0000000000970000-memory.dmp

Filesize
5.4MB

Download
memory/3320-150-0x00000000010E1000-0x00000000010F0000-memory.dmp

Filesize
60KB

Download
memory/3320-136-0x0000000000000000-mapping.dmp

Download
memory/3320-152-0x00000000010E0000-0x00000000010F9000-memory.dmp

Filesize
100KB

Download
memory/3320-153-0x0000000000400000-0x0000000000970000-memory.dmp

Filesize
5.4MB

Download
memory/3320-154-0x0000000000400000-0x0000000000970000-memory.dmp

Filesize
5.4MB

Download
memory/3320-155-0x00000000010E0000-0x00000000010F9000-memory.dmp

Filesize
100KB

Download