ardamax | 9eabedb8fe58d7bb8339f5072ba094fad24aaea29288fc1afabbfa5e3a23931d

General

Target

9eabedb8fe58d7bb8339f5072ba094fad24aaea29288fc1afabbfa5e3a23931d.exe
Size

2.0MB
MD5

ce21a52a59cde1ba6428c990e0c28194
SHA1

f1eace18614c903edce4da9aa6638deb3ed099aa
SHA256

9eabedb8fe58d7bb8339f5072ba094fad24aaea29288fc1afabbfa5e3a23931d
SHA512

4a79ab125593e36f925f2e39d2debd6dcabf57470d4762f931a61728525ca62790be32c32661d1d6132b18556913ba9ad1257ff8f6540a05f9b0707d81324148
SSDEEP

49152:MjGbS6GlCxcEMkFVAwe/jBFA+RHGaQ/42Rv3Uege:+RUxPAxdrGaZAU

Score

10^/10

ardamax keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Executes dropped EXE 1 IoCs

pid	Process
1880	UUL.exe

Loads dropped DLL 2 IoCs

pid	Process
1172	9eabedb8fe58d7bb8339f5072ba094fad24aaea29288fc1afabbfa5e3a23931d.exe
1880	UUL.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	UUL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UUL Start = "C:\\ProgramData\\TJOWDU\\UUL.exe"	UUL.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1880	UUL.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1880	UUL.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1880	UUL.exe
1880	UUL.exe
1880	UUL.exe
1880	UUL.exe
1880	UUL.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 1880	1172	9eabedb8fe58d7bb8339f5072ba094fad24aaea29288fc1afabbfa5e3a23931d.exe	28
PID 1172 wrote to memory of 1880	1172	9eabedb8fe58d7bb8339f5072ba094fad24aaea29288fc1afabbfa5e3a23931d.exe	28
PID 1172 wrote to memory of 1880	1172	9eabedb8fe58d7bb8339f5072ba094fad24aaea29288fc1afabbfa5e3a23931d.exe	28
PID 1172 wrote to memory of 1880	1172	9eabedb8fe58d7bb8339f5072ba094fad24aaea29288fc1afabbfa5e3a23931d.exe	28

C:\Users\Admin\AppData\Local\Temp\9eabedb8fe58d7bb8339f5072ba094fad24aaea29288fc1afabbfa5e3a23931d.exe
"C:\Users\Admin\AppData\Local\Temp\9eabedb8fe58d7bb8339f5072ba094fad24aaea29288fc1afabbfa5e3a23931d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1172
- C:\ProgramData\TJOWDU\UUL.exe
  "C:\ProgramData\TJOWDU\UUL.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TJOWDU\UUL.00

Filesize
2KB

MD5
a26240a6ad8bbb49037091a148d4614d

SHA1
f196f78545323b64e894a08276c43c9b536b68bf

SHA256
fe93007b059f9cd9ed5cc4d4301104bfad7e24da9d0dca7dcec4266147208eea

SHA512
4c3ad3013f5242676fba8b1dfc2c7581c4f6e82564301edd62a38e0bd3d810644e3b3c91803b92eabfb67d1041aa988813a702e9e7be4c48c0e4880bb8cbc0b8

Download Submit
C:\ProgramData\TJOWDU\UUL.01

Filesize
81KB

MD5
462afb96a7f72c384bcf2298f6c4cca0

SHA1
e2d78929d5c6a0257c8bbdefc2fb24f2fac70abc

SHA256
76daefb52ce80815aca84c963c31928ad95c54da17184413efc3e4852e4e5c77

SHA512
2bd52b7a28acbe9c1224bccc16985e8a9c4f600c3188e2d5c55ad30bfd42c2ea55a7be583eec5e5d020e5340b8f7f2906927b73e29320a8198ed5f23f85ad386

Download Submit
C:\ProgramData\TJOWDU\UUL.exe

Filesize
2.4MB

MD5
4e01d49a3b6a486a413e3428ab22a683

SHA1
ed60767c071761d884ba868877842ec921c759ae

SHA256
d2837979687f0f25ccc091ff4dcc0fd5681313d8d48dd49da22b57aa7adbb6a8

SHA512
c5d99014054a3d5f6326c8e85b0b7717648fe256a6c0c6c9161bad5b86fe546a5006be53fad3bae0a66579d4959e8d3f70d2520663e12602bf9ea78921538884

Download Submit
\ProgramData\TJOWDU\UUL.01

Filesize
81KB

MD5
462afb96a7f72c384bcf2298f6c4cca0

SHA1
e2d78929d5c6a0257c8bbdefc2fb24f2fac70abc

SHA256
76daefb52ce80815aca84c963c31928ad95c54da17184413efc3e4852e4e5c77

SHA512
2bd52b7a28acbe9c1224bccc16985e8a9c4f600c3188e2d5c55ad30bfd42c2ea55a7be583eec5e5d020e5340b8f7f2906927b73e29320a8198ed5f23f85ad386

Download Submit
\ProgramData\TJOWDU\UUL.exe

Filesize
2.4MB

MD5
4e01d49a3b6a486a413e3428ab22a683

SHA1
ed60767c071761d884ba868877842ec921c759ae

SHA256
d2837979687f0f25ccc091ff4dcc0fd5681313d8d48dd49da22b57aa7adbb6a8

SHA512
c5d99014054a3d5f6326c8e85b0b7717648fe256a6c0c6c9161bad5b86fe546a5006be53fad3bae0a66579d4959e8d3f70d2520663e12602bf9ea78921538884

Download Submit
memory/1172-54-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download
memory/1172-55-0x0000000000D80000-0x0000000000F8B000-memory.dmp

Filesize
2.0MB

Download
memory/1172-60-0x0000000000D80000-0x0000000000F8B000-memory.dmp

Filesize
2.0MB

Download
memory/1880-57-0x0000000000000000-mapping.dmp

Download
memory/1880-64-0x0000000000710000-0x0000000000729000-memory.dmp

Filesize
100KB

Download
memory/1880-65-0x0000000000710000-0x0000000000729000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing