ardamax | cab442620da60810693db1b7b638872e8b9c6d6da95a47e4720f6992b2859e98

General

Target

7be3ff55bf3bb39b132474013d0d9b89.exe
Size

504KB
MD5

7be3ff55bf3bb39b132474013d0d9b89
SHA1

ef45a43e3436f48bb6273b005778448d62c17ffa
SHA256

cab442620da60810693db1b7b638872e8b9c6d6da95a47e4720f6992b2859e98
SHA512

c7b3f93297a3c1034bcb2d8fe3962746289853c196d56866b7e1d67e56d5870a8935a373acaeb1694a3ca67f0fa333cb7966eb4d4c8e6358cd2213ff03d85bde
SSDEEP

12288:8nQeD68whMUVzfb3vsw4qbByUPv3pCwxMdARNNDd/cB:tvMSfsw4sNX3LydSDdcB

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 3 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023200-12.dat	family_ardamax
behavioral2/files/0x0006000000023200-15.dat	family_ardamax
behavioral2/files/0x0006000000023200-14.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	7be3ff55bf3bb39b132474013d0d9b89.exe
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	PHXN.exe

Executes dropped EXE 1 IoCs

pid	Process
3140	PHXN.exe

Loads dropped DLL 5 IoCs

pid	Process
2248	7be3ff55bf3bb39b132474013d0d9b89.exe
3140	PHXN.exe
3140	PHXN.exe
3140	PHXN.exe
2104	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PHXN Agent = "C:\\Windows\\SysWOW64\\Sys32\\PHXN.exe"	PHXN.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys32\PHXN.001	7be3ff55bf3bb39b132474013d0d9b89.exe
File created	C:\Windows\SysWOW64\Sys32\PHXN.006	7be3ff55bf3bb39b132474013d0d9b89.exe
File created	C:\Windows\SysWOW64\Sys32\PHXN.007	7be3ff55bf3bb39b132474013d0d9b89.exe
File created	C:\Windows\SysWOW64\Sys32\PHXN.exe	7be3ff55bf3bb39b132474013d0d9b89.exe
File created	C:\Windows\SysWOW64\Sys32\AKV.exe	7be3ff55bf3bb39b132474013d0d9b89.exe
File opened for modification	C:\Windows\SysWOW64\Sys32	PHXN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2104	3140	WerFault.exe	92

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	3140	PHXN.exe
Token: SeIncBasePriorityPrivilege	3140	PHXN.exe
Token: SeIncBasePriorityPrivilege	3140	PHXN.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3140	PHXN.exe
3140	PHXN.exe
3140	PHXN.exe
3140	PHXN.exe
3140	PHXN.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 3140	2248	7be3ff55bf3bb39b132474013d0d9b89.exe	92
PID 2248 wrote to memory of 3140	2248	7be3ff55bf3bb39b132474013d0d9b89.exe	92
PID 2248 wrote to memory of 3140	2248	7be3ff55bf3bb39b132474013d0d9b89.exe	92
PID 3140 wrote to memory of 3784	3140	PHXN.exe	108
PID 3140 wrote to memory of 3784	3140	PHXN.exe	108
PID 3140 wrote to memory of 3784	3140	PHXN.exe	108

C:\Users\Admin\AppData\Local\Temp\7be3ff55bf3bb39b132474013d0d9b89.exe
"C:\Users\Admin\AppData\Local\Temp\7be3ff55bf3bb39b132474013d0d9b89.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\SysWOW64\Sys32\PHXN.exe
  "C:\Windows\system32\Sys32\PHXN.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3140
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 1116
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\Sys32\PHXN.exe > nul
    3⤵
    PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3140 -ip 3140
1⤵
PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@8F9D.tmp

Filesize
4KB

MD5
c5c306d45c5b88d004a071941b12b030

SHA1
fcdd3d742203743514f195d6d1060a8475036632

SHA256
2e6181885f8cb215a7291d556100636a7fd2b409cb6df1f65f6c61d058521ec8

SHA512
fdc66e8a5338e60adda51b21bfc5a40b86293d16c5492c82cdbce3cf4f9743c8b49f5e2e4d31c5b827c50c257a08c6dc57d3266ae3eac60ac46ad14684802738

Download Submit
C:\Windows\SysWOW64\Sys32\AKV.exe

Filesize
183KB

MD5
786cdc8229ff24871939be3848b2049a

SHA1
457962c734d117c74578933c46d11f42dc588a3b

SHA256
6983aab27e0d1973152465bdc01dd47f46618be46f36c5173994c788544c3dc8

SHA512
3bc03bd3632c33e1bab63338a551137404c8ba95199b9049d469c8af0fd57d3565e32527e58b0bb66c96724d5f065a29ae36374b4d1a8c2bd926a055169bc450

Download Submit
C:\Windows\SysWOW64\Sys32\PHXN.001

Filesize
472B

MD5
83d4cb4598904d247334514811f073a8

SHA1
3e4f7c865679273154722bfec528becd38204dad

SHA256
6b6e2e5d483044e972a452dfaa9009fafa13f465d43ad612060b616112ab801f

SHA512
8ea7c633d39e82003c9902c05fa92d49f7c711294d3b709110ccc8006d534e11cc9a5deed09e77db2109831cbb9b94d40033b5e59f366ddf4dabdc81f51ef173

Download Submit
C:\Windows\SysWOW64\Sys32\PHXN.006

Filesize
7KB

MD5
8f7b2a047e21e5168021c6b6c74b43d5

SHA1
86d6497fa6bfbc8d889479da1180d1b81c6dcf1c

SHA256
d18a1d8bd7bca221016a415a55034e6d47231b5561f3ecf4022c3caea52c00e8

SHA512
a15f0a4280b80db35e99b0a4c8e17fc63f49713b73fbd195ea2b5304bceb733cbfcf6673410dea2c6b83d617f8562fa18dd95574875caac71f81649fc95d2fd7

Download Submit
C:\Windows\SysWOW64\Sys32\PHXN.007

Filesize
5KB

MD5
aef6e96d082b935073a8ae15ba537f63

SHA1
704af73246a277c552c3ed2f859a227413de1b31

SHA256
75e8ce0baa4ccc7249d3d8a594d55744dfb6b6d0d9c272903ba8285ac504ef06

SHA512
a14c6de30455112aa8c8489ad080822f52554e4da087861cc49723e2f24f5bc292723cd5c129cb79fa13534f510a47e7e81173066633cf3716d983f951fc1955

Download Submit
C:\Windows\SysWOW64\Sys32\PHXN.exe

Filesize
110KB

MD5
dbfe00ae2dd911c42aecc41d6d0a2a2f

SHA1
a7356c304f43fd8ae7d1f6d3754d3452e99771a4

SHA256
c79b73898d223ad297c6f5a9dd25c9588b1eea787bf879dd6c03155f606d585c

SHA512
dc4860da4444706bd5b9b688fb5379a227c8b6143cd4ae7dbe8a389d7f1caae24e3e2656471042f90a04c038396eb58ab0bf394866fa54c7f84d24da090e977b

Download Submit
C:\Windows\SysWOW64\Sys32\PHXN.exe

Filesize
188KB

MD5
8a34ac7c468a12f28ccef2e8ec29433a

SHA1
536722ff087c8c4af805f7282f329edc2fc204f0

SHA256
17d592eff795eda3e9a24bcd0fdb76c0977200ee424d823efe74a0e367bef291

SHA512
4ad762aa8094f291ca06a976d112a8d26910654876f1c3e1794b7b3c32eb0f399ee347e94e41380870c63b60fd183726dced70f3d1708657420affe2ebdb7ed0

Download Submit
C:\Windows\SysWOW64\Sys32\PHXN.exe

Filesize
302KB

MD5
8b83b07e4a59db66a243eed2eae9f149

SHA1
bd19f48e7b820cb01bb9c37d82904c882854dd58

SHA256
0a201c9d631911181fb8a6855257664737de0a40a90f0490f18ac3bca973587b

SHA512
c6c215fa99432ec13f9ad962194aae8ad29bdc414c0530a515de392091869e1c43abdefa9e11dcca7cde28e44a03431ad2ee40a70e32607eb34c04801cfe0ee7

Download Submit
memory/3140-23-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/3140-27-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads