ardamax | 2693d4a2fb67ee31988a8b72f0d566971bc88c6eee81aade3f3fbdbeb96ca4c4

Analysis

max time kernel
43s
max time network
50s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2693d4a2fb67ee31988a8b72f0d566971bc88c6eee81aade3f3fbdbeb96ca4c4.exe
Size

1.3MB
MD5

728615d0088d95f853e5791397a3cf27
SHA1

76fe4b7eb64ca706568a3e633b2850441c7a703b
SHA256

2693d4a2fb67ee31988a8b72f0d566971bc88c6eee81aade3f3fbdbeb96ca4c4
SHA512

5a30d437aed9f7555d228867f2dfd6a0aeec908233647764127a3c2c2084a47d744c13869e8cc0457dcd913d9bcdd07fabd72e921b898650022c4742ef1508c1
SSDEEP

24576:ddZveEPuEQut83dEE1+9ms5eHiCaDrR2MUEILTwONVX+SPKyUay1N2gw60:ddZ1u12OdEg+9ms56JanR2MUEI3wpSPr

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 4 IoCs

resource	yara_rule
behavioral1/files/0x0007000000013170-56.dat	family_ardamax
behavioral1/files/0x0007000000013170-57.dat	family_ardamax
behavioral1/files/0x0007000000013170-59.dat	family_ardamax
behavioral1/files/0x0007000000013170-68.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
1956	FFCE.exe
912	HyCam2.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	HyCam2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	HyCam2.exe

Loads dropped DLL 10 IoCs

pid	Process
584	2693d4a2fb67ee31988a8b72f0d566971bc88c6eee81aade3f3fbdbeb96ca4c4.exe
584	2693d4a2fb67ee31988a8b72f0d566971bc88c6eee81aade3f3fbdbeb96ca4c4.exe
584	2693d4a2fb67ee31988a8b72f0d566971bc88c6eee81aade3f3fbdbeb96ca4c4.exe
584	2693d4a2fb67ee31988a8b72f0d566971bc88c6eee81aade3f3fbdbeb96ca4c4.exe
1956	FFCE.exe
584	2693d4a2fb67ee31988a8b72f0d566971bc88c6eee81aade3f3fbdbeb96ca4c4.exe
584	2693d4a2fb67ee31988a8b72f0d566971bc88c6eee81aade3f3fbdbeb96ca4c4.exe
1956	FFCE.exe
912	HyCam2.exe
912	HyCam2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	FFCE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FFCE Agent = "C:\\Windows\\SysWOW64\\28463\\FFCE.exe"	FFCE.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\FFCE.003	2693d4a2fb67ee31988a8b72f0d566971bc88c6eee81aade3f3fbdbeb96ca4c4.exe
File created	C:\Windows\SysWOW64\28463\FFCE.007	2693d4a2fb67ee31988a8b72f0d566971bc88c6eee81aade3f3fbdbeb96ca4c4.exe
File created	C:\Windows\SysWOW64\28463\FFCE.chm	2693d4a2fb67ee31988a8b72f0d566971bc88c6eee81aade3f3fbdbeb96ca4c4.exe
File created	C:\Windows\SysWOW64\28463\FFCE.exe	2693d4a2fb67ee31988a8b72f0d566971bc88c6eee81aade3f3fbdbeb96ca4c4.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	2693d4a2fb67ee31988a8b72f0d566971bc88c6eee81aade3f3fbdbeb96ca4c4.exe
File created	C:\Windows\SysWOW64\28463\FFCE.004	2693d4a2fb67ee31988a8b72f0d566971bc88c6eee81aade3f3fbdbeb96ca4c4.exe
File opened for modification	C:\Windows\SysWOW64\28463	FFCE.exe
File created	C:\Windows\SysWOW64\28463\FFCE.001	2693d4a2fb67ee31988a8b72f0d566971bc88c6eee81aade3f3fbdbeb96ca4c4.exe
File created	C:\Windows\SysWOW64\28463\FFCE.006	2693d4a2fb67ee31988a8b72f0d566971bc88c6eee81aade3f3fbdbeb96ca4c4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3283A575-60FE-A29D-0E3F-624A52CE4B60}\ = "NetBt Helper Class"	HyCam2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3283A575-60FE-A29D-0E3F-624A52CE4B60}\InProcServer32	HyCam2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3283A575-60FE-A29D-0E3F-624A52CE4B60}\InProcServer32\ = "%SystemRoot%\\SysWow64\\netcorehc.dll"	HyCam2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3283A575-60FE-A29D-0E3F-624A52CE4B60}\InProcServer32\ThreadingModel = "Free"	HyCam2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3283A575-60FE-A29D-0E3F-624A52CE4B60}	HyCam2.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1956	FFCE.exe
Token: SeIncBasePriorityPrivilege	1956	FFCE.exe
Token: 33	912	HyCam2.exe
Token: SeIncBasePriorityPrivilege	912	HyCam2.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1956	FFCE.exe
1956	FFCE.exe
1956	FFCE.exe
1956	FFCE.exe
1956	FFCE.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 584 wrote to memory of 1956	584	2693d4a2fb67ee31988a8b72f0d566971bc88c6eee81aade3f3fbdbeb96ca4c4.exe	28
PID 584 wrote to memory of 1956	584	2693d4a2fb67ee31988a8b72f0d566971bc88c6eee81aade3f3fbdbeb96ca4c4.exe	28
PID 584 wrote to memory of 1956	584	2693d4a2fb67ee31988a8b72f0d566971bc88c6eee81aade3f3fbdbeb96ca4c4.exe	28
PID 584 wrote to memory of 1956	584	2693d4a2fb67ee31988a8b72f0d566971bc88c6eee81aade3f3fbdbeb96ca4c4.exe	28
PID 584 wrote to memory of 912	584	2693d4a2fb67ee31988a8b72f0d566971bc88c6eee81aade3f3fbdbeb96ca4c4.exe	29
PID 584 wrote to memory of 912	584	2693d4a2fb67ee31988a8b72f0d566971bc88c6eee81aade3f3fbdbeb96ca4c4.exe	29
PID 584 wrote to memory of 912	584	2693d4a2fb67ee31988a8b72f0d566971bc88c6eee81aade3f3fbdbeb96ca4c4.exe	29
PID 584 wrote to memory of 912	584	2693d4a2fb67ee31988a8b72f0d566971bc88c6eee81aade3f3fbdbeb96ca4c4.exe	29

C:\Users\Admin\AppData\Local\Temp\2693d4a2fb67ee31988a8b72f0d566971bc88c6eee81aade3f3fbdbeb96ca4c4.exe
"C:\Users\Admin\AppData\Local\Temp\2693d4a2fb67ee31988a8b72f0d566971bc88c6eee81aade3f3fbdbeb96ca4c4.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:584
- C:\Windows\SysWOW64\28463\FFCE.exe
  "C:\Windows\system32\28463\FFCE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1956
- C:\Users\Admin\AppData\Local\Temp\HyCam2.exe
  "C:\Users\Admin\AppData\Local\Temp\HyCam2.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HyCam2.exe

Filesize
836KB

MD5
b68f6bf4bdb343cfdcdab1b980513ba3

SHA1
d20a38f69d65cfe11459509db85c1310a2a76c39

SHA256
8752cc51c79d260782503d2573675156696dfab94eab2a505dbdd123c8c2851e

SHA512
a9335ec2bb80d234086ef41254e9b9d1230b5df2cb977487fd59779e2773d4b4b9fcbe131c7b9477bd3297ab167d8507d4cb2461c24cda19018259fcc1fe5ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyCam2.exe

Filesize
836KB

MD5
b68f6bf4bdb343cfdcdab1b980513ba3

SHA1
d20a38f69d65cfe11459509db85c1310a2a76c39

SHA256
8752cc51c79d260782503d2573675156696dfab94eab2a505dbdd123c8c2851e

SHA512
a9335ec2bb80d234086ef41254e9b9d1230b5df2cb977487fd59779e2773d4b4b9fcbe131c7b9477bd3297ab167d8507d4cb2461c24cda19018259fcc1fe5ccc

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
394KB

MD5
b87e2e56dbf34fb12705317f4d361c12

SHA1
3b4a6c2fddaab9f71747437c60dc7ad85661b4fa

SHA256
1ed5873542484a3f4c898de6684fc04bc0929e4fc795cd09b4b86f17e817d85a

SHA512
9d1bf05a200efda561f3141d3a4c70a347ba2a64fbfb5fb9b432956660b4aabc492f93fa50ba1928a3c408ec048c357a50cb79d12ba6200b28b1aeb98dbc39a0

Download Submit
C:\Windows\SysWOW64\28463\FFCE.001

Filesize
416B

MD5
3880445688b1c620fd244f68010ccca3

SHA1
a8d23f1bc8812361185ae6d91e57a4464f5eadbb

SHA256
2db8d4a1eefc03b3aa4d5a20ce5b746202e140fcedd7a909953e8abd2a10ffeb

SHA512
c27fe7f322f579ec3fc80533671a1feb8757a5e3d6b9f24efb293fcb9c7a8138a32da6797d3df92ae4036ac8b12083f26db243a39d4c17128595aac7d58d234a

Download Submit
C:\Windows\SysWOW64\28463\FFCE.003

Filesize
4KB

MD5
27092ec75c1839f36bfe900a38acc484

SHA1
fe14b750a0ed653246c5f358891f8c1241913bb2

SHA256
e6e29699840ae26c452227f9a1c9fd0e3cda0c2413c4255df9fc066c47af0e07

SHA512
815477e8681e38dd3110171adbaf06738eb9d63839671a959a296ec1a1fb17d788682dde5e6a1f0bffa3b4deda4577292ffa37ce10b95ad14276ffcd0795ac0b

Download Submit
C:\Windows\SysWOW64\28463\FFCE.004

Filesize
14KB

MD5
a0ce5cac85b0d667ce2a7c6fa23bfb3f

SHA1
9b40f537f10e77a37d33ab580d1dda16a87c1715

SHA256
9e9bf0727756fc07aa01fa08e204fb293fd2e16afd57b7b4ae6e7c258ff9af21

SHA512
daee767df015e0dd9c0e56708fae6c0e339f6b8654d62c1e75aaa0c1d86a40ad028055b7f70385e7cb8d1ad65272a7c8ed8d62435ddcf3c75234c35a79898046

Download Submit
C:\Windows\SysWOW64\28463\FFCE.006

Filesize
8KB

MD5
aae8ccee5d5eed5748d13f474123efea

SHA1
6da78da4de3b99a55fad00be2ec53a3ad3bd06ae

SHA256
10c464d1675774e0282171555d59fb8975ed6c0e6a781182490f48e66823a5b8

SHA512
d370e1ffeeb81b3f07b83a9cf1e3b44635fde7aa6ac999bccafece8091dbf96f0a78257bb0e03b3689dc47fb4e96ec7deac7848a43ddef62afc9b8cc665ee8bd

Download Submit
C:\Windows\SysWOW64\28463\FFCE.007

Filesize
5KB

MD5
40685d22d05d92462a2cfc1bba9a81b7

SHA1
f0e19012d0ed000148898b1e1264736bed438da8

SHA256
cdca1e5bc4c5129caa8eeddf637c820b6241c8790ce1a341e38e8324ae95afa0

SHA512
21961d2dd118b45bde4cf00b4570712791a22769d05afb5b6c54355b0aaee9b7f7de00b357845349ef957807452365134d51e11181d2d45f98ed0cc9402de90b

Download Submit
C:\Windows\SysWOW64\28463\FFCE.chm

Filesize
33KB

MD5
42846078b67efd94ac02b3508cc02e9a

SHA1
7f9c5b8d5e6a2f15c918fe4fed1bb09336e752f6

SHA256
d893781c03ada45dc15c20b5809d9b2a920abaae1e7366698db5c9c93b524096

SHA512
836a142630f61221b61e2d58ef78bf7984c9033f1a96941a368630464de78a4287cde41088f6f8c43abfb03baf8c320e2e3deb18248d95b9c347b9d82480b144

Download Submit
C:\Windows\SysWOW64\28463\FFCE.exe

Filesize
473KB

MD5
339ae4ce820cda75bbb363b2ed1c06fd

SHA1
62399c6102cc98ed66cbcd88a63ff870cf7b2100

SHA256
1e4a463ac0d463cee1f52f9529474484157c85d671aea1ab5f4173df12de01b6

SHA512
5da8b333a839c4b169c6f4c9a1929918f166a895af7818c8223df7ed22279aac3b6ef88f89ee083a4f475f82ec6078f8e9800a9afc9547712245d090636a284a

Download Submit
C:\Windows\SysWOW64\28463\FFCE.exe

Filesize
473KB

MD5
339ae4ce820cda75bbb363b2ed1c06fd

SHA1
62399c6102cc98ed66cbcd88a63ff870cf7b2100

SHA256
1e4a463ac0d463cee1f52f9529474484157c85d671aea1ab5f4173df12de01b6

SHA512
5da8b333a839c4b169c6f4c9a1929918f166a895af7818c8223df7ed22279aac3b6ef88f89ee083a4f475f82ec6078f8e9800a9afc9547712245d090636a284a

Download Submit
\Users\Admin\AppData\Local\Temp\@E9A4.tmp

Filesize
4KB

MD5
27092ec75c1839f36bfe900a38acc484

SHA1
fe14b750a0ed653246c5f358891f8c1241913bb2

SHA256
e6e29699840ae26c452227f9a1c9fd0e3cda0c2413c4255df9fc066c47af0e07

SHA512
815477e8681e38dd3110171adbaf06738eb9d63839671a959a296ec1a1fb17d788682dde5e6a1f0bffa3b4deda4577292ffa37ce10b95ad14276ffcd0795ac0b

Download Submit
\Users\Admin\AppData\Local\Temp\HyCam2.exe

Filesize
836KB

MD5
b68f6bf4bdb343cfdcdab1b980513ba3

SHA1
d20a38f69d65cfe11459509db85c1310a2a76c39

SHA256
8752cc51c79d260782503d2573675156696dfab94eab2a505dbdd123c8c2851e

SHA512
a9335ec2bb80d234086ef41254e9b9d1230b5df2cb977487fd59779e2773d4b4b9fcbe131c7b9477bd3297ab167d8507d4cb2461c24cda19018259fcc1fe5ccc

Download Submit
\Users\Admin\AppData\Local\Temp\HyCam2.exe

Filesize
836KB

MD5
b68f6bf4bdb343cfdcdab1b980513ba3

SHA1
d20a38f69d65cfe11459509db85c1310a2a76c39

SHA256
8752cc51c79d260782503d2573675156696dfab94eab2a505dbdd123c8c2851e

SHA512
a9335ec2bb80d234086ef41254e9b9d1230b5df2cb977487fd59779e2773d4b4b9fcbe131c7b9477bd3297ab167d8507d4cb2461c24cda19018259fcc1fe5ccc

Download Submit
\Windows\SysWOW64\28463\FFCE.006

Filesize
8KB

MD5
aae8ccee5d5eed5748d13f474123efea

SHA1
6da78da4de3b99a55fad00be2ec53a3ad3bd06ae

SHA256
10c464d1675774e0282171555d59fb8975ed6c0e6a781182490f48e66823a5b8

SHA512
d370e1ffeeb81b3f07b83a9cf1e3b44635fde7aa6ac999bccafece8091dbf96f0a78257bb0e03b3689dc47fb4e96ec7deac7848a43ddef62afc9b8cc665ee8bd

Download Submit
\Windows\SysWOW64\28463\FFCE.006

Filesize
8KB

MD5
aae8ccee5d5eed5748d13f474123efea

SHA1
6da78da4de3b99a55fad00be2ec53a3ad3bd06ae

SHA256
10c464d1675774e0282171555d59fb8975ed6c0e6a781182490f48e66823a5b8

SHA512
d370e1ffeeb81b3f07b83a9cf1e3b44635fde7aa6ac999bccafece8091dbf96f0a78257bb0e03b3689dc47fb4e96ec7deac7848a43ddef62afc9b8cc665ee8bd

Download Submit
\Windows\SysWOW64\28463\FFCE.006

Filesize
8KB

MD5
aae8ccee5d5eed5748d13f474123efea

SHA1
6da78da4de3b99a55fad00be2ec53a3ad3bd06ae

SHA256
10c464d1675774e0282171555d59fb8975ed6c0e6a781182490f48e66823a5b8

SHA512
d370e1ffeeb81b3f07b83a9cf1e3b44635fde7aa6ac999bccafece8091dbf96f0a78257bb0e03b3689dc47fb4e96ec7deac7848a43ddef62afc9b8cc665ee8bd

Download Submit
\Windows\SysWOW64\28463\FFCE.007

Filesize
5KB

MD5
40685d22d05d92462a2cfc1bba9a81b7

SHA1
f0e19012d0ed000148898b1e1264736bed438da8

SHA256
cdca1e5bc4c5129caa8eeddf637c820b6241c8790ce1a341e38e8324ae95afa0

SHA512
21961d2dd118b45bde4cf00b4570712791a22769d05afb5b6c54355b0aaee9b7f7de00b357845349ef957807452365134d51e11181d2d45f98ed0cc9402de90b

Download Submit
\Windows\SysWOW64\28463\FFCE.007

Filesize
5KB

MD5
40685d22d05d92462a2cfc1bba9a81b7

SHA1
f0e19012d0ed000148898b1e1264736bed438da8

SHA256
cdca1e5bc4c5129caa8eeddf637c820b6241c8790ce1a341e38e8324ae95afa0

SHA512
21961d2dd118b45bde4cf00b4570712791a22769d05afb5b6c54355b0aaee9b7f7de00b357845349ef957807452365134d51e11181d2d45f98ed0cc9402de90b

Download Submit
\Windows\SysWOW64\28463\FFCE.exe

Filesize
473KB

MD5
339ae4ce820cda75bbb363b2ed1c06fd

SHA1
62399c6102cc98ed66cbcd88a63ff870cf7b2100

SHA256
1e4a463ac0d463cee1f52f9529474484157c85d671aea1ab5f4173df12de01b6

SHA512
5da8b333a839c4b169c6f4c9a1929918f166a895af7818c8223df7ed22279aac3b6ef88f89ee083a4f475f82ec6078f8e9800a9afc9547712245d090636a284a

Download Submit
\Windows\SysWOW64\28463\FFCE.exe

Filesize
473KB

MD5
339ae4ce820cda75bbb363b2ed1c06fd

SHA1
62399c6102cc98ed66cbcd88a63ff870cf7b2100

SHA256
1e4a463ac0d463cee1f52f9529474484157c85d671aea1ab5f4173df12de01b6

SHA512
5da8b333a839c4b169c6f4c9a1929918f166a895af7818c8223df7ed22279aac3b6ef88f89ee083a4f475f82ec6078f8e9800a9afc9547712245d090636a284a

Download Submit
memory/584-55-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/584-76-0x00000000024F0000-0x00000000024F6000-memory.dmp

Filesize
24KB

Download
memory/912-78-0x0000000000220000-0x0000000000284000-memory.dmp

Filesize
400KB

Download
memory/912-85-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/912-84-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/912-87-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/912-88-0x0000000000221000-0x0000000000256000-memory.dmp

Filesize
212KB

Download
memory/912-72-0x0000000000000000-mapping.dmp

Download
memory/912-93-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/912-92-0x0000000000221000-0x0000000000256000-memory.dmp

Filesize
212KB

Download
memory/1956-58-0x0000000000000000-mapping.dmp

Download