ardamax | f0d86c979f446905d8cfc3bb2c83294d7c5aa444e30624ade3c2edf9a72f04fd

Analysis

max time kernel
126s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0d86c979f446905d8cfc3bb2c83294d7c5aa444e30624ade3c2edf9a72f04fd.exe
Size

1.8MB
MD5

4fb9b3ff7a9604c7f61c1b5faf72800a
SHA1

97a8db4cb19e12c1241e5885fe04187b3016f78b
SHA256

f0d86c979f446905d8cfc3bb2c83294d7c5aa444e30624ade3c2edf9a72f04fd
SHA512

b0b7dd2c96b8ac72ab13b72c89db4e542066845ffcc2b014dbae3291b7ebf220b352654eb7ff94ce65679c1a8b9f3a8dd143654fc55c74b97661ee2225a702cc
SSDEEP

49152:DXTlURGSfoh7no7PZOdzlzJKE2hMxS7NEguPEp5Pr1D2uGje:lU/O7APZO1lzJMUwNduMp5PrMj

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 3 IoCs

resource	yara_rule
behavioral1/files/0x00060000000140fd-55.dat	family_ardamax
behavioral1/files/0x00060000000140fd-57.dat	family_ardamax
behavioral1/files/0x00060000000140fd-63.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
1336	XJV.exe
1936	Tornado_4u.exe

Loads dropped DLL 5 IoCs

pid	Process
1504	f0d86c979f446905d8cfc3bb2c83294d7c5aa444e30624ade3c2edf9a72f04fd.exe
1504	f0d86c979f446905d8cfc3bb2c83294d7c5aa444e30624ade3c2edf9a72f04fd.exe
1504	f0d86c979f446905d8cfc3bb2c83294d7c5aa444e30624ade3c2edf9a72f04fd.exe
1336	XJV.exe
1936	Tornado_4u.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	XJV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\XJV Start = "C:\\Windows\\SysWOW64\\KXYTFV\\XJV.exe"	XJV.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\KXYTFV\XJV.004	f0d86c979f446905d8cfc3bb2c83294d7c5aa444e30624ade3c2edf9a72f04fd.exe
File created	C:\Windows\SysWOW64\KXYTFV\XJV.001	f0d86c979f446905d8cfc3bb2c83294d7c5aa444e30624ade3c2edf9a72f04fd.exe
File created	C:\Windows\SysWOW64\KXYTFV\XJV.002	f0d86c979f446905d8cfc3bb2c83294d7c5aa444e30624ade3c2edf9a72f04fd.exe
File created	C:\Windows\SysWOW64\KXYTFV\AKV.exe	f0d86c979f446905d8cfc3bb2c83294d7c5aa444e30624ade3c2edf9a72f04fd.exe
File created	C:\Windows\SysWOW64\KXYTFV\XJV.exe	f0d86c979f446905d8cfc3bb2c83294d7c5aa444e30624ade3c2edf9a72f04fd.exe
File opened for modification	C:\Windows\SysWOW64\KXYTFV\	XJV.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1336	XJV.exe
Token: SeIncBasePriorityPrivilege	1336	XJV.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1336	XJV.exe
1336	XJV.exe
1336	XJV.exe
1336	XJV.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 1336	1504	f0d86c979f446905d8cfc3bb2c83294d7c5aa444e30624ade3c2edf9a72f04fd.exe	26
PID 1504 wrote to memory of 1336	1504	f0d86c979f446905d8cfc3bb2c83294d7c5aa444e30624ade3c2edf9a72f04fd.exe	26
PID 1504 wrote to memory of 1336	1504	f0d86c979f446905d8cfc3bb2c83294d7c5aa444e30624ade3c2edf9a72f04fd.exe	26
PID 1504 wrote to memory of 1336	1504	f0d86c979f446905d8cfc3bb2c83294d7c5aa444e30624ade3c2edf9a72f04fd.exe	26
PID 1504 wrote to memory of 1936	1504	f0d86c979f446905d8cfc3bb2c83294d7c5aa444e30624ade3c2edf9a72f04fd.exe	27
PID 1504 wrote to memory of 1936	1504	f0d86c979f446905d8cfc3bb2c83294d7c5aa444e30624ade3c2edf9a72f04fd.exe	27
PID 1504 wrote to memory of 1936	1504	f0d86c979f446905d8cfc3bb2c83294d7c5aa444e30624ade3c2edf9a72f04fd.exe	27
PID 1504 wrote to memory of 1936	1504	f0d86c979f446905d8cfc3bb2c83294d7c5aa444e30624ade3c2edf9a72f04fd.exe	27

C:\Users\Admin\AppData\Local\Temp\f0d86c979f446905d8cfc3bb2c83294d7c5aa444e30624ade3c2edf9a72f04fd.exe
"C:\Users\Admin\AppData\Local\Temp\f0d86c979f446905d8cfc3bb2c83294d7c5aa444e30624ade3c2edf9a72f04fd.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\SysWOW64\KXYTFV\XJV.exe
  "C:\Windows\system32\KXYTFV\XJV.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1336
- C:\Users\Admin\AppData\Local\Temp\Tornado_4u.exe
  "C:\Users\Admin\AppData\Local\Temp\Tornado_4u.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Tornado_4u.exe

Filesize
788KB

MD5
2069adc512cfa4dbeb5d4ee14a6c6a8b

SHA1
713501f7406d001178e5bfba099a808fa1472f9c

SHA256
0710c8cfe8e1d852ca01064395f647609bc15fbd313c2e3cd93bfcdfeb653f76

SHA512
d459668c5f660860055f673da44bdbc5f77e3abd09da671702cc532d4d0a1a247a0c2b844cb94f60c2fdc04cbda778ed6f4e2f92da5ae56beb927fd774364dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tornado_4u.exe

Filesize
788KB

MD5
2069adc512cfa4dbeb5d4ee14a6c6a8b

SHA1
713501f7406d001178e5bfba099a808fa1472f9c

SHA256
0710c8cfe8e1d852ca01064395f647609bc15fbd313c2e3cd93bfcdfeb653f76

SHA512
d459668c5f660860055f673da44bdbc5f77e3abd09da671702cc532d4d0a1a247a0c2b844cb94f60c2fdc04cbda778ed6f4e2f92da5ae56beb927fd774364dcc

Download Submit
C:\Windows\SysWOW64\KXYTFV\AKV.exe

Filesize
456KB

MD5
1f29b1075a91b3da0ccc0b9c49eece56

SHA1
048e675f087181035aedece9e7b11d065c6355cc

SHA256
4f6825548b32329c3360ed9abb7c0a6809a2c2291cf0bcaac511a9fa32a6336e

SHA512
7e152caf055f57f599ecc1e3a404b540b721b3315d2ba16bff6eb21f03edeb3a06ae185621e3139293612d94210f500f098bd281489ca7f336efd8b5284ee060

Download Submit
C:\Windows\SysWOW64\KXYTFV\XJV.001

Filesize
61KB

MD5
31c866d8e4448c28ae63660a0521cd92

SHA1
0e4dcb44e3c8589688b8eacdd8cc463a920baab9

SHA256
dc0eaf9d62f0e40b6522d28b2e06b39ff619f9086ea7aa45fd40396a8eb61aa1

SHA512
1076da7f8137a90b5d3bbbbe2b24fd9774de6adbcdfd41fd55ae90c70b9eb4bbf441732689ad25e5b3048987bfb1d63ba59d5831a04c6d84cb05bbfd2d32f839

Download Submit
C:\Windows\SysWOW64\KXYTFV\XJV.002

Filesize
43KB

MD5
093e599a1281e943ce1592f61d9591af

SHA1
6896810fe9b7efe4f5ae68bf280fec637e97adf5

SHA256
1ac0964d97b02204f4d4ae79cd5244342f1a1798f5846e9dd7f3448d4177a009

SHA512
64cb58fbf6295d15d9ee6a8a7a325e7673af7ee02e4ece8da5a95257f666566a425b348b802b78ac82e7868ba7923f85255c2c31e548618afa9706c1f88d34dc

Download Submit
C:\Windows\SysWOW64\KXYTFV\XJV.004

Filesize
1KB

MD5
e86a5a81dbda2ad3e6906ebb488f16b2

SHA1
646f93af29ffe8dd9c79f33309545112f02e0342

SHA256
fe19c8dce1009a9c31aa6df16ad57afa0d9042b78b0b527e434e5954055c77b3

SHA512
cbd417d407ba2c4129c3c0b15ef546917c38cc7e9506e6c1f71bdbee621401c0140508747b394a3a5ff36c48473cfb3f3c2c082bde41958d7e3d44f2f46b79ab

Download Submit
C:\Windows\SysWOW64\KXYTFV\XJV.exe

Filesize
1.5MB

MD5
0aaffc12ef1b416b9276bdc3fdec9dff

SHA1
9f38d7cf6241d867da58f89db9ff26544314b938

SHA256
42b33dd905c5668c2518a6a7d407fb10c303cfedeaefcd7b6e4c7cc1b891c73b

SHA512
bbde0986b298c6172e7c8e3f938db9425f54cca097e280736e1ba289afd06a0b86f7cbc91f6d46458bc8e75069c12cda1cf808acf3b6c773b0661d081136ee7c

Download Submit
C:\Windows\SysWOW64\KXYTFV\XJV.exe

Filesize
1.5MB

MD5
0aaffc12ef1b416b9276bdc3fdec9dff

SHA1
9f38d7cf6241d867da58f89db9ff26544314b938

SHA256
42b33dd905c5668c2518a6a7d407fb10c303cfedeaefcd7b6e4c7cc1b891c73b

SHA512
bbde0986b298c6172e7c8e3f938db9425f54cca097e280736e1ba289afd06a0b86f7cbc91f6d46458bc8e75069c12cda1cf808acf3b6c773b0661d081136ee7c

Download Submit
\Users\Admin\AppData\Local\Temp\Tornado_4u.exe

Filesize
788KB

MD5
2069adc512cfa4dbeb5d4ee14a6c6a8b

SHA1
713501f7406d001178e5bfba099a808fa1472f9c

SHA256
0710c8cfe8e1d852ca01064395f647609bc15fbd313c2e3cd93bfcdfeb653f76

SHA512
d459668c5f660860055f673da44bdbc5f77e3abd09da671702cc532d4d0a1a247a0c2b844cb94f60c2fdc04cbda778ed6f4e2f92da5ae56beb927fd774364dcc

Download Submit
\Users\Admin\AppData\Local\Temp\Tornado_4u.exe

Filesize
788KB

MD5
2069adc512cfa4dbeb5d4ee14a6c6a8b

SHA1
713501f7406d001178e5bfba099a808fa1472f9c

SHA256
0710c8cfe8e1d852ca01064395f647609bc15fbd313c2e3cd93bfcdfeb653f76

SHA512
d459668c5f660860055f673da44bdbc5f77e3abd09da671702cc532d4d0a1a247a0c2b844cb94f60c2fdc04cbda778ed6f4e2f92da5ae56beb927fd774364dcc

Download Submit
\Windows\SysWOW64\KXYTFV\XJV.001

Filesize
61KB

MD5
31c866d8e4448c28ae63660a0521cd92

SHA1
0e4dcb44e3c8589688b8eacdd8cc463a920baab9

SHA256
dc0eaf9d62f0e40b6522d28b2e06b39ff619f9086ea7aa45fd40396a8eb61aa1

SHA512
1076da7f8137a90b5d3bbbbe2b24fd9774de6adbcdfd41fd55ae90c70b9eb4bbf441732689ad25e5b3048987bfb1d63ba59d5831a04c6d84cb05bbfd2d32f839

Download Submit
\Windows\SysWOW64\KXYTFV\XJV.001

Filesize
61KB

MD5
31c866d8e4448c28ae63660a0521cd92

SHA1
0e4dcb44e3c8589688b8eacdd8cc463a920baab9

SHA256
dc0eaf9d62f0e40b6522d28b2e06b39ff619f9086ea7aa45fd40396a8eb61aa1

SHA512
1076da7f8137a90b5d3bbbbe2b24fd9774de6adbcdfd41fd55ae90c70b9eb4bbf441732689ad25e5b3048987bfb1d63ba59d5831a04c6d84cb05bbfd2d32f839

Download Submit
\Windows\SysWOW64\KXYTFV\XJV.exe

Filesize
1.5MB

MD5
0aaffc12ef1b416b9276bdc3fdec9dff

SHA1
9f38d7cf6241d867da58f89db9ff26544314b938

SHA256
42b33dd905c5668c2518a6a7d407fb10c303cfedeaefcd7b6e4c7cc1b891c73b

SHA512
bbde0986b298c6172e7c8e3f938db9425f54cca097e280736e1ba289afd06a0b86f7cbc91f6d46458bc8e75069c12cda1cf808acf3b6c773b0661d081136ee7c

Download Submit
memory/1504-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1936-72-0x0000000000AA0000-0x0000000000BB0000-memory.dmp

Filesize
1.1MB

Download
memory/1936-80-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1936-73-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1936-74-0x00000000024A0000-0x00000000025A0000-memory.dmp

Filesize
1024KB

Download
memory/1936-75-0x00000000022B0000-0x0000000002430000-memory.dmp

Filesize
1.5MB

Download
memory/1936-76-0x00000000025A0000-0x0000000002630000-memory.dmp

Filesize
576KB

Download
memory/1936-78-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1936-79-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1936-71-0x0000000000130000-0x000000000016E000-memory.dmp

Filesize
248KB

Download
memory/1936-81-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1936-82-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1936-83-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1936-84-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1936-85-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1936-86-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1936-87-0x0000000000BB0000-0x0000000000BB3000-memory.dmp

Filesize
12KB

Download
memory/1936-88-0x00000000001E0000-0x00000000001E6000-memory.dmp

Filesize
24KB

Download
memory/1936-89-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1936-90-0x0000000000130000-0x000000000016E000-memory.dmp

Filesize
248KB

Download