ardamax | b762dbd97cd0af7654b1655c99218e9baf4d6d9eab3347f2a94454454f201ae5

Analysis

max time kernel
140s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28/11/2022, 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b762dbd97cd0af7654b1655c99218e9baf4d6d9eab3347f2a94454454f201ae5.exe
Size

1.2MB
MD5

2a8fc1f08f06196870a262ab0befa2a6
SHA1

008b368b454ef698375f79f87a56b8d15ed88205
SHA256

b762dbd97cd0af7654b1655c99218e9baf4d6d9eab3347f2a94454454f201ae5
SHA512

5994a74e4ce92b3be0da435f35d3af26d3d25715cce614275bf76776f1e63f3ded2025a35601358f86a8a537d4f526747321bf355c8e3581fb6f152f1354cd37
SSDEEP

24576:zRj34F1iygg9FIcvVKzOwEuNJUzhioTROo0dRQ74Nd/E+pku:z+F159FDyOSJihvROo0Pdtku

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 2 IoCs

resource	yara_rule
behavioral2/files/0x0006000000022e49-136.dat	family_ardamax
behavioral2/files/0x0006000000022e49-135.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
4976	NAPK.exe
1324	WYD.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	b762dbd97cd0af7654b1655c99218e9baf4d6d9eab3347f2a94454454f201ae5.exe

Loads dropped DLL 4 IoCs

pid	Process
5000	b762dbd97cd0af7654b1655c99218e9baf4d6d9eab3347f2a94454454f201ae5.exe
4976	NAPK.exe
4976	NAPK.exe
4976	NAPK.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	NAPK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NAPK Agent = "C:\\Windows\\SysWOW64\\Sys\\NAPK.exe"	NAPK.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys\AKV.exe	b762dbd97cd0af7654b1655c99218e9baf4d6d9eab3347f2a94454454f201ae5.exe
File opened for modification	C:\Windows\SysWOW64\Sys	NAPK.exe
File created	C:\Windows\SysWOW64\Sys\NAPK.001	b762dbd97cd0af7654b1655c99218e9baf4d6d9eab3347f2a94454454f201ae5.exe
File created	C:\Windows\SysWOW64\Sys\NAPK.006	b762dbd97cd0af7654b1655c99218e9baf4d6d9eab3347f2a94454454f201ae5.exe
File created	C:\Windows\SysWOW64\Sys\NAPK.007	b762dbd97cd0af7654b1655c99218e9baf4d6d9eab3347f2a94454454f201ae5.exe
File created	C:\Windows\SysWOW64\Sys\NAPK.exe	b762dbd97cd0af7654b1655c99218e9baf4d6d9eab3347f2a94454454f201ae5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4976	NAPK.exe
Token: SeIncBasePriorityPrivilege	4976	NAPK.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4976	NAPK.exe
4976	NAPK.exe
4976	NAPK.exe
4976	NAPK.exe
4976	NAPK.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5000 wrote to memory of 4976	5000	b762dbd97cd0af7654b1655c99218e9baf4d6d9eab3347f2a94454454f201ae5.exe	82
PID 5000 wrote to memory of 4976	5000	b762dbd97cd0af7654b1655c99218e9baf4d6d9eab3347f2a94454454f201ae5.exe	82
PID 5000 wrote to memory of 4976	5000	b762dbd97cd0af7654b1655c99218e9baf4d6d9eab3347f2a94454454f201ae5.exe	82
PID 5000 wrote to memory of 1324	5000	b762dbd97cd0af7654b1655c99218e9baf4d6d9eab3347f2a94454454f201ae5.exe	83
PID 5000 wrote to memory of 1324	5000	b762dbd97cd0af7654b1655c99218e9baf4d6d9eab3347f2a94454454f201ae5.exe	83
PID 5000 wrote to memory of 1324	5000	b762dbd97cd0af7654b1655c99218e9baf4d6d9eab3347f2a94454454f201ae5.exe	83

C:\Users\Admin\AppData\Local\Temp\b762dbd97cd0af7654b1655c99218e9baf4d6d9eab3347f2a94454454f201ae5.exe
"C:\Users\Admin\AppData\Local\Temp\b762dbd97cd0af7654b1655c99218e9baf4d6d9eab3347f2a94454454f201ae5.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Windows\SysWOW64\Sys\NAPK.exe
  "C:\Windows\system32\Sys\NAPK.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4976
- C:\Users\Admin\AppData\Local\Temp\WYD.exe
  "C:\Users\Admin\AppData\Local\Temp\WYD.exe"
  2⤵
  - Executes dropped EXE
  PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@BA0E.tmp

Filesize
4KB

MD5
729fe329c303837d61fc42b2120afc00

SHA1
a0bdee5733e4820a7abb630014bba43200d27324

SHA256
ad2d3f261425139733e8f8a28b5b1cd1000d570eec994093efd0dc17fed35fac

SHA512
c61292b1ae57abc3926a0d912ee14ceb7031e5d1f5bde14b62c1cb65894e964e004365d6c8140511aa92bb39b1a09264c2501bb99299007b7bfa9aa58a28f67f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYD.exe

Filesize
1.8MB

MD5
73e5dec5fc48b58e5833e00e2c167359

SHA1
c33af6f02dc1f5b9c5f25fb617dd988bef1ffcc8

SHA256
61331309c686609c00af2641acdebaef1f7013b03ab4c035471656dba3c16d26

SHA512
f17b70131f0f1d26cb611b35b8d1dfb62222a4b4036fc8d55dff8eccb8b0c49e6b033488f75bd799534263713eb370198aaa26e0ed3acd90e0e8857e1fee59a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYD.exe

Filesize
1.8MB

MD5
73e5dec5fc48b58e5833e00e2c167359

SHA1
c33af6f02dc1f5b9c5f25fb617dd988bef1ffcc8

SHA256
61331309c686609c00af2641acdebaef1f7013b03ab4c035471656dba3c16d26

SHA512
f17b70131f0f1d26cb611b35b8d1dfb62222a4b4036fc8d55dff8eccb8b0c49e6b033488f75bd799534263713eb370198aaa26e0ed3acd90e0e8857e1fee59a2

Download Submit
C:\Windows\SysWOW64\Sys\AKV.exe

Filesize
389KB

MD5
fcd92ab43a3ac19ca060a0b4d62ef5f1

SHA1
099cc5f1ec71cc73c23471dcc98543a54e008e2a

SHA256
3dfb79f950f069047d89110fc28fefd9d4856e7112f40bda2ccc0daa0d94b53a

SHA512
d1a317db049cfa16b2b5259d85b22d3fd3563e210a13bdf6d8eee12a665899f77c3b226b252a80ae1b68538dfb8ecf8561f06f428b5dd4ef96c5c8b37aa0bf21

Download Submit
C:\Windows\SysWOW64\Sys\NAPK.001

Filesize
566B

MD5
2384570452b99350179057b314c09660

SHA1
b9014f3bfc4fd64c45a4f95eb4a9b1733fb506d3

SHA256
a460f13ae3b51a58f4b946e7786f549974813012182908c472ce6e3f49fef3c7

SHA512
a7f020379ef160f0b31b88e7e286be107724e5e9724f95c756632a5e2d9a09d20bc2cdc8250e6dce36a7525cca6d40955bc2aad88a589a1afde2b891e1c70e3d

Download Submit
C:\Windows\SysWOW64\Sys\NAPK.006

Filesize
7KB

MD5
ab65e5da8d42c6b4e855e82c9696b3ad

SHA1
fb4cb29ee8b5277eaa432b18582c58d8f383b0df

SHA256
5a139a73799eb0c43dc65f4ad5004596751a01f3be7bab1e69a1ee0daaa607a4

SHA512
7d37b9efb2bae212015eb5e55ad11d579b66dfd0d2aa9614b0e225d4b0dedd705bfaabcb9eb887ec2274c812e8a4af587aef4c62ee3d8a73dbf54f15c8aba16a

Download Submit
C:\Windows\SysWOW64\Sys\NAPK.006

Filesize
7KB

MD5
ab65e5da8d42c6b4e855e82c9696b3ad

SHA1
fb4cb29ee8b5277eaa432b18582c58d8f383b0df

SHA256
5a139a73799eb0c43dc65f4ad5004596751a01f3be7bab1e69a1ee0daaa607a4

SHA512
7d37b9efb2bae212015eb5e55ad11d579b66dfd0d2aa9614b0e225d4b0dedd705bfaabcb9eb887ec2274c812e8a4af587aef4c62ee3d8a73dbf54f15c8aba16a

Download Submit
C:\Windows\SysWOW64\Sys\NAPK.007

Filesize
5KB

MD5
cb619d0de6d26ae77e2ca1766d995272

SHA1
454725f63828e04b10f8e99c5374e86c407665ca

SHA256
ad657781b4e5c666461811fbd4b08ea689dc6953ea5e79f47ca72bdc99789121

SHA512
8bbd39817f3f3ae13dca07c233f1889a08a86e3ba353a455cad3e9a9fee81eda9d91cf20122dfc79725d69f97f5f8b163c97d2b8c38bb53aa4b9f6e32f7f6a59

Download Submit
C:\Windows\SysWOW64\Sys\NAPK.007

Filesize
5KB

MD5
cb619d0de6d26ae77e2ca1766d995272

SHA1
454725f63828e04b10f8e99c5374e86c407665ca

SHA256
ad657781b4e5c666461811fbd4b08ea689dc6953ea5e79f47ca72bdc99789121

SHA512
8bbd39817f3f3ae13dca07c233f1889a08a86e3ba353a455cad3e9a9fee81eda9d91cf20122dfc79725d69f97f5f8b163c97d2b8c38bb53aa4b9f6e32f7f6a59

Download Submit
C:\Windows\SysWOW64\Sys\NAPK.007

Filesize
5KB

MD5
cb619d0de6d26ae77e2ca1766d995272

SHA1
454725f63828e04b10f8e99c5374e86c407665ca

SHA256
ad657781b4e5c666461811fbd4b08ea689dc6953ea5e79f47ca72bdc99789121

SHA512
8bbd39817f3f3ae13dca07c233f1889a08a86e3ba353a455cad3e9a9fee81eda9d91cf20122dfc79725d69f97f5f8b163c97d2b8c38bb53aa4b9f6e32f7f6a59

Download Submit
C:\Windows\SysWOW64\Sys\NAPK.exe

Filesize
476KB

MD5
b306ff9927251c40c34fe6bfef07756b

SHA1
8d6975fc095b7a96393d61a63fb610d71931666a

SHA256
65083234a079905c3b945cb178388dc287c2521ef59817885f1cc2e522a68db7

SHA512
08e633e2d43f13cb748f67378a777cc124f693815f63ed5a3a64ad2ebe11001145a01f83d9d3bddc0f9f590677ee6bcfeabeb5a259b10b426344961e333b3996

Download Submit
C:\Windows\SysWOW64\Sys\NAPK.exe

Filesize
476KB

MD5
b306ff9927251c40c34fe6bfef07756b

SHA1
8d6975fc095b7a96393d61a63fb610d71931666a

SHA256
65083234a079905c3b945cb178388dc287c2521ef59817885f1cc2e522a68db7

SHA512
08e633e2d43f13cb748f67378a777cc124f693815f63ed5a3a64ad2ebe11001145a01f83d9d3bddc0f9f590677ee6bcfeabeb5a259b10b426344961e333b3996

Download Submit