Malware Analysis Report

2024-10-18 23:04

Sample ID 240116-td3ksafdb2
Target 60493e4baeaf8131d56d7525ffff4e52
SHA256 7bf0f392e1f5a8793eda00b5175adb26f762e30824d1a4c52390693142f5f9cd
Tags
ardamax discovery keylogger stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7bf0f392e1f5a8793eda00b5175adb26f762e30824d1a4c52390693142f5f9cd

Threat Level: Known bad

The file 60493e4baeaf8131d56d7525ffff4e52 was found to be: Known bad.

Malicious Activity Summary

ardamax discovery keylogger stealer

Ardamax

Ardamax main executable

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Checks installed software on the system

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-16 15:57

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-16 15:57

Reported

2024-01-16 15:59

Platform

win7-20231215-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\60493e4baeaf8131d56d7525ffff4e52.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\Sys32\BQXP.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\auto logg on.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\Sys32\BQXP.exe | C:\Users\Admin\AppData\Local\Temp\60493e4baeaf8131d56d7525ffff4e52.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Sys32 | C:\Windows\SysWOW64\Sys32\BQXP.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Sys32\config.ini | C:\Users\Admin\AppData\Local\Temp\auto logg on.exe | N/A
File created | C:\Windows\SysWOW64\Sys32\BQXP.001 | C:\Users\Admin\AppData\Local\Temp\60493e4baeaf8131d56d7525ffff4e52.exe | N/A
File created | C:\Windows\SysWOW64\Sys32\BQXP.006 | C:\Users\Admin\AppData\Local\Temp\60493e4baeaf8131d56d7525ffff4e52.exe | N/A
File created | C:\Windows\SysWOW64\Sys32\BQXP.007 | C:\Users\Admin\AppData\Local\Temp\60493e4baeaf8131d56d7525ffff4e52.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\SysWOW64\Sys32\BQXP.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Sys32\BQXP.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\Sys32\BQXP.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Sys32\BQXP.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Sys32\BQXP.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Sys32\BQXP.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Sys32\BQXP.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\60493e4baeaf8131d56d7525ffff4e52.exe

"C:\Users\Admin\AppData\Local\Temp\60493e4baeaf8131d56d7525ffff4e52.exe"

C:\Windows\SysWOW64\Sys32\BQXP.exe

"C:\Windows\system32\Sys32\BQXP.exe"

C:\Users\Admin\AppData\Local\Temp\auto logg on.exe

"C:\Users\Admin\AppData\Local\Temp\auto logg on.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\@424E.tmp

MD5 2bbb6ffc878515a79478917c5af03a9c
SHA1 52532ea393f3a623c05b2cd72a205da41f152c29
SHA256 23c8cc69783ab663e036fb0d15c01b3863ff898d5534fa1d02f16c291863f3a5
SHA512 be8846674af43f20501e6fe59fbd369d7393e79970ab1a4fc7c516c491939f575c5e07a1cd284287e8663d1ca2f4e6663839a79f798a7453ecd30bb0fbdcc464

\Windows\SysWOW64\Sys32\BQXP.exe

MD5 db4d88b22f173a37c34477abeea6a789
SHA1 11c42d2d445c01a408ad947d48927fe2b370aa8c
SHA256 251cd62057ee822ad0139fddadd88945ef0951af715eea17ac5faa4b25e17a55
SHA512 67501ecf3b474536c3ae0cf68d49672b108b3b509a229f2a8bd4126e2f67228c93e2bbb78379de7dac3bbff6f7495d1d1aeffebb3fa5f8c7a0e29eaac4bce23e

C:\Windows\SysWOW64\Sys32\BQXP.006

MD5 a08026db7b86f2ba69f6317a4a66778b
SHA1 6afe5979a1ef3ee8b94b6ef4a6bf8a70d641bf62
SHA256 90c1300aaa05d24a32f9d01824c611742a10c2bb3e0450504b62282ab658e2f5
SHA512 059d6abdb37800f7673d116a0e9a4d2f3e8e7d955a402ef91ca97cf24f3c29121dc36c54599511ac0e04cd2b1467e30fb7b2563e42e2fe43e71560816902207e

C:\Windows\SysWOW64\Sys32\BQXP.007

MD5 49e240cd2e8fe880e177e208aaf8feea
SHA1 54e9ee5a7523148542113ee654f00ea13d3ca3d7
SHA256 f1b86ba7a2c3aa753966cc67bc5efb4e4badb670b6a0e56ffcfdcbbc379108fc
SHA512 e92efd1d0ab3249d6c93b32af0885e22726421055bff36dcf64d307ef2f8aaf2dd06c221342bd5e2a1fadb5d61ac284cd39750cdf1134fd530ba9ff1744d965f

C:\Windows\SysWOW64\Sys32\BQXP.001

MD5 01e7a23e106468c1552141d071c0d48b
SHA1 f44fa04be73a50c7291ae75d0bcbeb60f43248e2
SHA256 20d517bddb6fc2c92f702d5b96e6a906fc8d22d72ead84a7fc2b47e1c894f24f
SHA512 1e1bbceef10938f31a70f907ac46ad487d4db6812fe3a8857cc1e0ba8e9fadc9e22084188b09839c0aee0096d9cf39f0a2c52191fda3238482eefb27a2a0e882

memory/2656-21-0x0000000000250000-0x0000000000251000-memory.dmp

\Users\Admin\AppData\Local\Temp\auto logg on.exe

MD5 1a662c851cf2e9390e3e87d8ec3c549e
SHA1 7828d5f4d109d92ef5c6368dd918bdce64bb3fab
SHA256 ce0a722634a28b05e6fd3e15f87bedcd6d6e7e107b0fd5e4ffa7dc89bc0dd4e6
SHA512 1192a4c488b02e17d470781d8a92210291013c1b3ac8baa3ee51f53efd18db7049d4aa46860aa33ca37eaf45df8e98a2aeae76e6c720de9898a8e22fdee75618

memory/2712-36-0x0000000077BDF000-0x0000000077BE0000-memory.dmp

memory/2656-37-0x0000000000250000-0x0000000000251000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-16 15:57

Reported

2024-01-16 16:00

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\60493e4baeaf8131d56d7525ffff4e52.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\60493e4baeaf8131d56d7525ffff4e52.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\Sys32\BQXP.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\auto logg on.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\Sys32\BQXP.001 | C:\Users\Admin\AppData\Local\Temp\60493e4baeaf8131d56d7525ffff4e52.exe | N/A
File created | C:\Windows\SysWOW64\Sys32\BQXP.006 | C:\Users\Admin\AppData\Local\Temp\60493e4baeaf8131d56d7525ffff4e52.exe | N/A
File created | C:\Windows\SysWOW64\Sys32\BQXP.007 | C:\Users\Admin\AppData\Local\Temp\60493e4baeaf8131d56d7525ffff4e52.exe | N/A
File created | C:\Windows\SysWOW64\Sys32\BQXP.exe | C:\Users\Admin\AppData\Local\Temp\60493e4baeaf8131d56d7525ffff4e52.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Sys32\config.ini | C:\Users\Admin\AppData\Local\Temp\auto logg on.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Sys32 | C:\Windows\SysWOW64\Sys32\BQXP.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\SysWOW64\Sys32\BQXP.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Sys32\BQXP.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\Sys32\BQXP.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Sys32\BQXP.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Sys32\BQXP.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Sys32\BQXP.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\Sys32\BQXP.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\60493e4baeaf8131d56d7525ffff4e52.exe

"C:\Users\Admin\AppData\Local\Temp\60493e4baeaf8131d56d7525ffff4e52.exe"

C:\Windows\SysWOW64\Sys32\BQXP.exe

"C:\Windows\system32\Sys32\BQXP.exe"

C:\Users\Admin\AppData\Local\Temp\auto logg on.exe

"C:\Users\Admin\AppData\Local\Temp\auto logg on.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 16.53.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
NL | 52.142.223.178:80 | | tcp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 202.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 193.78.101.95.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\@8770.tmp

MD5 2bbb6ffc878515a79478917c5af03a9c
SHA1 52532ea393f3a623c05b2cd72a205da41f152c29
SHA256 23c8cc69783ab663e036fb0d15c01b3863ff898d5534fa1d02f16c291863f3a5
SHA512 be8846674af43f20501e6fe59fbd369d7393e79970ab1a4fc7c516c491939f575c5e07a1cd284287e8663d1ca2f4e6663839a79f798a7453ecd30bb0fbdcc464

C:\Windows\SysWOW64\Sys32\BQXP.exe

MD5 db4d88b22f173a37c34477abeea6a789
SHA1 11c42d2d445c01a408ad947d48927fe2b370aa8c
SHA256 251cd62057ee822ad0139fddadd88945ef0951af715eea17ac5faa4b25e17a55
SHA512 67501ecf3b474536c3ae0cf68d49672b108b3b509a229f2a8bd4126e2f67228c93e2bbb78379de7dac3bbff6f7495d1d1aeffebb3fa5f8c7a0e29eaac4bce23e

C:\Users\Admin\AppData\Local\Temp\auto logg on.exe

MD5 1a662c851cf2e9390e3e87d8ec3c549e
SHA1 7828d5f4d109d92ef5c6368dd918bdce64bb3fab
SHA256 ce0a722634a28b05e6fd3e15f87bedcd6d6e7e107b0fd5e4ffa7dc89bc0dd4e6
SHA512 1192a4c488b02e17d470781d8a92210291013c1b3ac8baa3ee51f53efd18db7049d4aa46860aa33ca37eaf45df8e98a2aeae76e6c720de9898a8e22fdee75618

C:\Windows\SysWOW64\Sys32\BQXP.007

MD5 49e240cd2e8fe880e177e208aaf8feea
SHA1 54e9ee5a7523148542113ee654f00ea13d3ca3d7
SHA256 f1b86ba7a2c3aa753966cc67bc5efb4e4badb670b6a0e56ffcfdcbbc379108fc
SHA512 e92efd1d0ab3249d6c93b32af0885e22726421055bff36dcf64d307ef2f8aaf2dd06c221342bd5e2a1fadb5d61ac284cd39750cdf1134fd530ba9ff1744d965f

memory/2976-29-0x0000000000A60000-0x0000000000A61000-memory.dmp

C:\Windows\SysWOW64\Sys32\BQXP.006

MD5 a08026db7b86f2ba69f6317a4a66778b
SHA1 6afe5979a1ef3ee8b94b6ef4a6bf8a70d641bf62
SHA256 90c1300aaa05d24a32f9d01824c611742a10c2bb3e0450504b62282ab658e2f5
SHA512 059d6abdb37800f7673d116a0e9a4d2f3e8e7d955a402ef91ca97cf24f3c29121dc36c54599511ac0e04cd2b1467e30fb7b2563e42e2fe43e71560816902207e

C:\Windows\SysWOW64\Sys32\BQXP.001

MD5 01e7a23e106468c1552141d071c0d48b
SHA1 f44fa04be73a50c7291ae75d0bcbeb60f43248e2
SHA256 20d517bddb6fc2c92f702d5b96e6a906fc8d22d72ead84a7fc2b47e1c894f24f
SHA512 1e1bbceef10938f31a70f907ac46ad487d4db6812fe3a8857cc1e0ba8e9fadc9e22084188b09839c0aee0096d9cf39f0a2c52191fda3238482eefb27a2a0e882

memory/2976-38-0x0000000000A60000-0x0000000000A61000-memory.dmp