ardamax | 34797200cccc0cade8ee978bad1bc01180476575bc8793827eca3e75a8dd4fbf

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 23:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Sro Pet Filter .exe
Size

1.1MB
MD5

812a0b8c11d100bdf10cf06d7b2e7842
SHA1

43404bb678a9b83112c019355a33833f1cc76abd
SHA256

c0a740688c19986853e92544d1b76e8e98f0c53da8e3aa37ccb89e559cae3bb4
SHA512

e7c068e46d23487f97b1dbfa597aebb9e01cb20dc800ea1cbeb4239800dc8d07efb91a8ea86b269fc28d4731b51d525d5f0ea6143aa20d8c22f22173aa28fd0c
SSDEEP

24576:CS/6JDU1ruPvqcGEAXK9PASGuEsavOX9y+1Nwc9sQQsmH/:CS841rAvKK+tuEs9tyUgsmH/

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 5 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016bfb-9.dat	family_ardamax
behavioral1/files/0x0009000000016bfb-11.dat	family_ardamax
behavioral1/files/0x0009000000016bfb-13.dat	family_ardamax
behavioral1/files/0x0009000000016bfb-15.dat	family_ardamax
behavioral1/files/0x0009000000016bfb-22.dat	family_ardamax

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 2 IoCs

pid	Process
2192	GLUW.exe
2548	SRO Pet Filter.exe

Loads dropped DLL 10 IoCs

pid	Process
2076	Sro Pet Filter .exe
2076	Sro Pet Filter .exe
2076	Sro Pet Filter .exe
2192	GLUW.exe
2076	Sro Pet Filter .exe
2192	GLUW.exe
2076	Sro Pet Filter .exe
2076	Sro Pet Filter .exe
2548	SRO Pet Filter.exe
2548	SRO Pet Filter.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\GLUW Agent = "C:\\Windows\\SysWOW64\\Sys32\\GLUW.exe"	GLUW.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys32\GLUW.007	Sro Pet Filter .exe
File created	C:\Windows\SysWOW64\Sys32\GLUW.exe	Sro Pet Filter .exe
File created	C:\Windows\SysWOW64\Sys32\AKV.exe	Sro Pet Filter .exe
File opened for modification	C:\Windows\SysWOW64\Sys32	GLUW.exe
File created	C:\Windows\SysWOW64\Sys32\GLUW.001	Sro Pet Filter .exe
File created	C:\Windows\SysWOW64\Sys32\GLUW.006	Sro Pet Filter .exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	2192	GLUW.exe
Token: SeIncBasePriorityPrivilege	2192	GLUW.exe
Token: SeDebugPrivilege	2548	SRO Pet Filter.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2548	SRO Pet Filter.exe
2548	SRO Pet Filter.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2548	SRO Pet Filter.exe
2548	SRO Pet Filter.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2192	GLUW.exe
2192	GLUW.exe
2192	GLUW.exe
2192	GLUW.exe
2192	GLUW.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2192	2076	Sro Pet Filter .exe	28
PID 2076 wrote to memory of 2192	2076	Sro Pet Filter .exe	28
PID 2076 wrote to memory of 2192	2076	Sro Pet Filter .exe	28
PID 2076 wrote to memory of 2192	2076	Sro Pet Filter .exe	28
PID 2076 wrote to memory of 2548	2076	Sro Pet Filter .exe	29
PID 2076 wrote to memory of 2548	2076	Sro Pet Filter .exe	29
PID 2076 wrote to memory of 2548	2076	Sro Pet Filter .exe	29
PID 2076 wrote to memory of 2548	2076	Sro Pet Filter .exe	29

C:\Users\Admin\AppData\Local\Temp\Sro Pet Filter .exe
"C:\Users\Admin\AppData\Local\Temp\Sro Pet Filter .exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\SysWOW64\Sys32\GLUW.exe
  "C:\Windows\system32\Sys32\GLUW.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2192
- C:\Users\Admin\AppData\Local\Temp\SRO Pet Filter.exe
  "C:\Users\Admin\AppData\Local\Temp\SRO Pet Filter.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SRO Pet Filter.exe

Filesize
197KB

MD5
991c8e08bd7756952869483db3ce173b

SHA1
8b41facdea222c2269d65f224382b849dca02cec

SHA256
18928fc834d7e268885054b6801b1401ef1d959f73d01d2ca063eee2a73ae232

SHA512
f76bd678632c6d60b1fa5b46b7e476c9eca58c9ae85e3fad71e4f8e62dbcac4af217d840e43eea08ea2d7d7c87cb7de16c9a89c7f62ed15e9a584aef38360574

Download Submit
C:\Users\Admin\AppData\Local\Temp\SRO Pet Filter.exe

Filesize
163KB

MD5
02725e54879401bcacf4ddd7a0f86c8c

SHA1
1772b424db3f3b97b8136f5277a4899e9618e78a

SHA256
8af6f245a83dbfae075c67664b147ccef4b47f7a06e355bf223e93f92ef60815

SHA512
ff5e80a607010a023a0979f7d7213fa02bbbf43711d23b79401b5466c58b24b2901c6fbeff8eef9a1ab26174f48596bdc60cad35e59eb8351dc92d75da2bac95

Download Submit
C:\Windows\SysWOW64\Sys32\AKV.exe

Filesize
374KB

MD5
3c5e120bbcf690b9589663e85f562227

SHA1
d46fb68ff82ce127cf3e2fe70cc0f762e6bd60fa

SHA256
f8a3eba772021d36a823651a4130b3666f21cb772117874d4736a21322e1ad26

SHA512
6503920f438a82bd55d7a04422434f1861ff1aefb84b9c6f507f137a7573df578e1fa886de65474166f7e4cd31fc086bceea005d28caf5289796c18fd1215ed4

Download Submit
C:\Windows\SysWOW64\Sys32\GLUW.001

Filesize
378B

MD5
59cbd67b1b5822e7fc2310369c3da461

SHA1
71602325f6b32f3e4d5882b0b1c61598ab64dad7

SHA256
da350c7ee04088166a1775276a9f7107b9fbf51206225fecb6610cbd5f5c61ad

SHA512
f7f609c8a6508a646444911843094f44ca35fbfe8c75c8851ceb635fec9a22a9ebf2c7d7492941e14674107682fe2eee6cb0b6eb35e42084f9c136664a13cfd0

Download Submit
C:\Windows\SysWOW64\Sys32\GLUW.007

Filesize
5KB

MD5
3e1f5d5a06cf97b0495b8d129fbe02e4

SHA1
b0de258a813f5edde85004f6865b6ed91f6d6f8f

SHA256
f49448fc7c567e64eaeb9cc4dbd3c8021a82b5d9df0a622a439f7b42dc2f26d7

SHA512
b0e0b81cb5776d298e96346aa61027c9799a47191c94de50be2209c32747774959d002ddeb98fd15556ee893b0d7bd1f0c8a901469dce4e3acf94e2c4c3e2bfd

Download Submit
C:\Windows\SysWOW64\Sys32\GLUW.exe

Filesize
99KB

MD5
f18c4f58b281e1bb09de93fce36325eb

SHA1
d03693d631863fbc18a094da81b805c2559a5cb9

SHA256
b4fea6b97d00690e8265ab8d624d9f9fc338bfd61b25905941dcb65467ae1da3

SHA512
1913358d9976cdea190b95a0df37c309809eb7438da28b5f63b0576e3ea6734fea49884b8661fd3bf2feec53b1366ea87170cb5af5b868b47566c50d88e938fd

Download Submit
C:\Windows\SysWOW64\Sys32\GLUW.exe

Filesize
112KB

MD5
a7dc43fe0ae3f648866069d790b57948

SHA1
10460768cd36c90a53c8b8a0c4a94ede0321aaff

SHA256
9e22b0634099161b0e8ff13daf607c7f4ea93c6f4e62358bf4509770f6fb6563

SHA512
bac8e33cc43946fd6495b66a44905a69163993439a6f7c305162f0dab5c022f46056ecfad991f5643444846e3fe46cf82cf9f6936ed190e84bde25b7481172cc

Download Submit
C:\Windows\SysWOW64\Sys32\GLUW.exe

Filesize
128KB

MD5
ca939253a3ea97aa5d913ae381be8912

SHA1
b5a70c83dc90d589ed3147a107e10b1878f716f5

SHA256
a62981c1a4f9ceb6d31f0760649142bf65cfe9ee2c43983c52e4d8cb1b415df7

SHA512
a58d2bb26f095a133ae6652c5d226bce16ecdae2f8cd7599542b520252002adebd90ef520706999e9b915272ef9a7dd5bc8339e633d16900b9ac096cb832a919

Download Submit
\Users\Admin\AppData\Local\Temp\@13CF.tmp

Filesize
4KB

MD5
33303ca8abef9221cb410b8a232e9fe4

SHA1
0cdfc25dbf0e9ad7d4585cd9037dc2e6604be00c

SHA256
5110301dee966f0f26307ab1b430279d1e4999c2c4a0ea924ff32f1a9ded869a

SHA512
da29821045773ba776def985966b62e09e69bb5bf1786b16c2fff6feb68a03b9e22c5f7d081e3dd58d1785cd7ac64736497c043b7cf6c7149c3a54f8ef111800

Download Submit
\Users\Admin\AppData\Local\Temp\SRO Pet Filter.exe

Filesize
218KB

MD5
2042d4096e64ca37b21ba0a96820ec2c

SHA1
2044b60afa142f1a650b70cea237970f4909e852

SHA256
edae9bbc97b35d6af8855e742045a6e15adc404e0550248daa419d893d1b7803

SHA512
d3334e782248f46e21fbbc639359d7081bb55476e004a10aefbc074de6978bf116454d0513cd99f53425950faa210b9e002741a8e40d6c5e0eac3631d4a1417b

Download Submit
\Windows\SysWOW64\Sys32\GLUW.006

Filesize
7KB

MD5
928cc65dc793834c709a054ca57c19c8

SHA1
a1e5d8407199c1bd6a4b274044de640fe0d9e99b

SHA256
e3473d81a02ed30e4236591384136f41f17b6a4aae24b5468789644ccd4bf192

SHA512
f7c8f7a75c4f8a418630e2ac15676740a902449d9a3c4baf3184409f8701c9caa3e82304d141362d95503f1af6b693eed7b77f690d92ca0162f7ea3ecbc80fdf

Download Submit
\Windows\SysWOW64\Sys32\GLUW.exe

Filesize
423KB

MD5
9ff786016fa32692c3dc0a4e9f683b54

SHA1
9f23616936529daa660f7fab2befd769f484895e

SHA256
fb261748471c12009c6eb99f68e23958aa9654317ec563bd9ae838adc9477c42

SHA512
d704afc9b8e7f5917158833035735eb60e71f86ee3badf67d90e185278f6aa2e5be692a91b37bdb35d5436bca117cea31c772dee2bd2dae8dfbee49338a2e97c

Download Submit
\Windows\SysWOW64\Sys32\GLUW.exe

Filesize
476KB

MD5
ef52b540cb404d908338e9cbf7cff283

SHA1
778765e1736c0a197685978c3fee7a44e7bde419

SHA256
39d8bdb975fbfcbcec8fe63be4e9fe6ce39ae5d23a005118aeffa07b17a3f815

SHA512
596b77bf5b15455c326a5a2efd66bc69685eb625e3e211ea0341ad4d8920ada7618a7107e42f2c0963fe6c2d92f2acf47b641ef33071a7c42004e5874d5219a6

Download Submit
memory/2192-1614-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2192-23-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2548-99-0x0000000000800000-0x000000000089C000-memory.dmp

Filesize
624KB

Download
memory/2548-79-0x0000000000800000-0x000000000089C000-memory.dmp

Filesize
624KB

Download
memory/2548-55-0x0000000000800000-0x000000000089C000-memory.dmp

Filesize
624KB

Download
memory/2548-63-0x0000000000800000-0x000000000089C000-memory.dmp

Filesize
624KB

Download
memory/2548-77-0x0000000000800000-0x000000000089C000-memory.dmp

Filesize
624KB

Download
memory/2548-81-0x0000000000800000-0x000000000089C000-memory.dmp

Filesize
624KB

Download
memory/2548-85-0x0000000000800000-0x000000000089C000-memory.dmp

Filesize
624KB

Download
memory/2548-103-0x0000000000800000-0x000000000089C000-memory.dmp

Filesize
624KB

Download
memory/2548-101-0x0000000000800000-0x000000000089C000-memory.dmp

Filesize
624KB

Download
memory/2548-115-0x0000000000800000-0x000000000089C000-memory.dmp

Filesize
624KB

Download
memory/2548-113-0x0000000000800000-0x000000000089C000-memory.dmp

Filesize
624KB

Download
memory/2548-111-0x0000000000800000-0x000000000089C000-memory.dmp

Filesize
624KB

Download
memory/2548-109-0x0000000000800000-0x000000000089C000-memory.dmp

Filesize
624KB

Download
memory/2548-107-0x0000000000800000-0x000000000089C000-memory.dmp

Filesize
624KB

Download
memory/2548-105-0x0000000000800000-0x000000000089C000-memory.dmp

Filesize
624KB

Download
memory/2548-50-0x0000000076F2F000-0x0000000076F30000-memory.dmp

Filesize
4KB

Download
memory/2548-97-0x0000000000800000-0x000000000089C000-memory.dmp

Filesize
624KB

Download
memory/2548-95-0x0000000000800000-0x000000000089C000-memory.dmp

Filesize
624KB

Download
memory/2548-93-0x0000000000800000-0x000000000089C000-memory.dmp

Filesize
624KB

Download
memory/2548-91-0x0000000000800000-0x000000000089C000-memory.dmp

Filesize
624KB

Download
memory/2548-89-0x0000000000800000-0x000000000089C000-memory.dmp

Filesize
624KB

Download
memory/2548-87-0x0000000000800000-0x000000000089C000-memory.dmp

Filesize
624KB

Download
memory/2548-83-0x0000000000800000-0x000000000089C000-memory.dmp

Filesize
624KB

Download
memory/2548-49-0x0000000073B20000-0x00000000740CB000-memory.dmp

Filesize
5.7MB

Download
memory/2548-75-0x0000000000800000-0x000000000089C000-memory.dmp

Filesize
624KB

Download
memory/2548-73-0x0000000000800000-0x000000000089C000-memory.dmp

Filesize
624KB

Download
memory/2548-71-0x0000000000800000-0x000000000089C000-memory.dmp

Filesize
624KB

Download
memory/2548-69-0x0000000000800000-0x000000000089C000-memory.dmp

Filesize
624KB

Download
memory/2548-67-0x0000000000800000-0x000000000089C000-memory.dmp

Filesize
624KB

Download
memory/2548-65-0x0000000000800000-0x000000000089C000-memory.dmp

Filesize
624KB

Download
memory/2548-61-0x0000000000800000-0x000000000089C000-memory.dmp

Filesize
624KB

Download
memory/2548-59-0x0000000000800000-0x000000000089C000-memory.dmp

Filesize
624KB

Download
memory/2548-57-0x0000000000800000-0x000000000089C000-memory.dmp

Filesize
624KB

Download
memory/2548-53-0x0000000000800000-0x000000000089C000-memory.dmp

Filesize
624KB

Download
memory/2548-52-0x0000000000800000-0x000000000089C000-memory.dmp

Filesize
624KB

Download
memory/2548-43-0x0000000000590000-0x00000000005A0000-memory.dmp

Filesize
64KB

Download
memory/2548-42-0x0000000074D90000-0x0000000074EA0000-memory.dmp

Filesize
1.1MB

Download
memory/2548-51-0x0000000000510000-0x0000000000550000-memory.dmp

Filesize
256KB

Download
memory/2548-48-0x0000000073B20000-0x00000000740CB000-memory.dmp

Filesize
5.7MB

Download
memory/2548-44-0x0000000000590000-0x00000000005A0000-memory.dmp

Filesize
64KB

Download
memory/2548-45-0x0000000000590000-0x00000000005A0000-memory.dmp

Filesize
64KB

Download
memory/2548-1619-0x0000000076F2F000-0x0000000076F30000-memory.dmp

Filesize
4KB

Download
memory/2548-1620-0x0000000073B20000-0x00000000740CB000-memory.dmp

Filesize
5.7MB

Download
memory/2548-1618-0x0000000073B20000-0x00000000740CB000-memory.dmp

Filesize
5.7MB

Download
memory/2548-1617-0x0000000000590000-0x00000000005A0000-memory.dmp

Filesize
64KB

Download
memory/2548-1616-0x0000000000590000-0x00000000005A0000-memory.dmp

Filesize
64KB

Download
memory/2548-1615-0x0000000000590000-0x00000000005A0000-memory.dmp

Filesize
64KB

Download
memory/2548-1624-0x0000000000510000-0x0000000000550000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads