ardamax | cab442620da60810693db1b7b638872e8b9c6d6da95a47e4720f6992b2859e98

General

Target

7be3ff55bf3bb39b132474013d0d9b89.exe
Size

504KB
MD5

7be3ff55bf3bb39b132474013d0d9b89
SHA1

ef45a43e3436f48bb6273b005778448d62c17ffa
SHA256

cab442620da60810693db1b7b638872e8b9c6d6da95a47e4720f6992b2859e98
SHA512

c7b3f93297a3c1034bcb2d8fe3962746289853c196d56866b7e1d67e56d5870a8935a373acaeb1694a3ca67f0fa333cb7966eb4d4c8e6358cd2213ff03d85bde
SSDEEP

12288:8nQeD68whMUVzfb3vsw4qbByUPv3pCwxMdARNNDd/cB:tvMSfsw4sNX3LydSDdcB

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 3 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016be2-13.dat	family_ardamax
behavioral1/files/0x0008000000016be2-11.dat	family_ardamax
behavioral1/files/0x0008000000016be2-9.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
2192	PHXN.exe

Loads dropped DLL 5 IoCs

pid	Process
1068	7be3ff55bf3bb39b132474013d0d9b89.exe
1068	7be3ff55bf3bb39b132474013d0d9b89.exe
1068	7be3ff55bf3bb39b132474013d0d9b89.exe
2192	PHXN.exe
2192	PHXN.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PHXN Agent = "C:\\Windows\\SysWOW64\\Sys32\\PHXN.exe"	PHXN.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys32\PHXN.001	7be3ff55bf3bb39b132474013d0d9b89.exe
File created	C:\Windows\SysWOW64\Sys32\PHXN.006	7be3ff55bf3bb39b132474013d0d9b89.exe
File created	C:\Windows\SysWOW64\Sys32\PHXN.007	7be3ff55bf3bb39b132474013d0d9b89.exe
File created	C:\Windows\SysWOW64\Sys32\PHXN.exe	7be3ff55bf3bb39b132474013d0d9b89.exe
File created	C:\Windows\SysWOW64\Sys32\AKV.exe	7be3ff55bf3bb39b132474013d0d9b89.exe
File opened for modification	C:\Windows\SysWOW64\Sys32	PHXN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	2192	PHXN.exe
Token: SeIncBasePriorityPrivilege	2192	PHXN.exe
Token: SeIncBasePriorityPrivilege	2192	PHXN.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2192	PHXN.exe
2192	PHXN.exe
2192	PHXN.exe
2192	PHXN.exe
2192	PHXN.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 2192	1068	7be3ff55bf3bb39b132474013d0d9b89.exe	16
PID 1068 wrote to memory of 2192	1068	7be3ff55bf3bb39b132474013d0d9b89.exe	16
PID 1068 wrote to memory of 2192	1068	7be3ff55bf3bb39b132474013d0d9b89.exe	16
PID 1068 wrote to memory of 2192	1068	7be3ff55bf3bb39b132474013d0d9b89.exe	16
PID 2192 wrote to memory of 3036	2192	PHXN.exe	31
PID 2192 wrote to memory of 3036	2192	PHXN.exe	31
PID 2192 wrote to memory of 3036	2192	PHXN.exe	31
PID 2192 wrote to memory of 3036	2192	PHXN.exe	31

C:\Users\Admin\AppData\Local\Temp\7be3ff55bf3bb39b132474013d0d9b89.exe
"C:\Users\Admin\AppData\Local\Temp\7be3ff55bf3bb39b132474013d0d9b89.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Windows\SysWOW64\Sys32\PHXN.exe
  "C:\Windows\system32\Sys32\PHXN.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\Sys32\PHXN.exe > nul
    3⤵
    PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Sys32\AKV.exe

Filesize
11KB

MD5
d2439fb1218762554d80038c17946c3f

SHA1
73157ebc56db2adf770ab07ee49bfb5fbc5df146

SHA256
9bca74464c3bdccc962ed2d68e1967aa143ace4a645cd09aea77f5309f6a809a

SHA512
e25c5b3c7284789de322ff31b18479d15bff1ec4e12df10154382503e89ca0ff6fd044a62226dd8e8f48db40010449fe42f0ba9a92a2ba691cf0fbedda92a4db

Download Submit
C:\Windows\SysWOW64\Sys32\PHXN.001

Filesize
472B

MD5
83d4cb4598904d247334514811f073a8

SHA1
3e4f7c865679273154722bfec528becd38204dad

SHA256
6b6e2e5d483044e972a452dfaa9009fafa13f465d43ad612060b616112ab801f

SHA512
8ea7c633d39e82003c9902c05fa92d49f7c711294d3b709110ccc8006d534e11cc9a5deed09e77db2109831cbb9b94d40033b5e59f366ddf4dabdc81f51ef173

Download Submit
C:\Windows\SysWOW64\Sys32\PHXN.exe

Filesize
31KB

MD5
cffd0df0d08b728f60f108c3a2ebce81

SHA1
de6bb2df81d180c71b6c46eefc0e506a613afffa

SHA256
276619daebda11db915fca3dc4ebbf6c42c58402ed22582130de93458a3ac97f

SHA512
cb3e1687a3a61c220a3d463431a0ff00fb6e3b7d98355299376d2cc5b1f54573feefc2af98a6e4275574cb07db9e5f392481e2b142e17fc8e6fd06c1aa981b6c

Download Submit
\Users\Admin\AppData\Local\Temp\@146B.tmp

Filesize
4KB

MD5
c5c306d45c5b88d004a071941b12b030

SHA1
fcdd3d742203743514f195d6d1060a8475036632

SHA256
2e6181885f8cb215a7291d556100636a7fd2b409cb6df1f65f6c61d058521ec8

SHA512
fdc66e8a5338e60adda51b21bfc5a40b86293d16c5492c82cdbce3cf4f9743c8b49f5e2e4d31c5b827c50c257a08c6dc57d3266ae3eac60ac46ad14684802738

Download Submit
\Windows\SysWOW64\Sys32\PHXN.exe

Filesize
28KB

MD5
2409cde6d00c630b0992a1571194b22e

SHA1
0d6c90fe818a6d48da68c752bce57699e2dc308b

SHA256
84bcd15969dea218a0231344776596a3db0af19dac37145a558c0bf6dfbf4fbc

SHA512
83cfd9475493c3462da60c780e35fc5f0930ed7d551f438c646b915a17a2a6815426d30852a6f71f29879327ba7374f9cd69f80f4a935c153a62134e542c658f

Download Submit
\Windows\SysWOW64\Sys32\PHXN.exe

Filesize
37KB

MD5
27d1e2bebddb066bb145b96588b9f37b

SHA1
1d6e1b45e2beb98fcb5086e5f43056f36e9e5d51

SHA256
4b5c76395c9ca3e855a4888e983fcc93d59d8976edb40cc8a0f52215960c4dff

SHA512
63224415a233570b9eb6291b027495184f0c352a2d9b30933dc171df5285a94989094ba8e1f8fe446c299c1f8f12a3a970a9699c85c033bfa30d36253eb847ae

Download Submit
memory/2192-24-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads