Malware Analysis Report

2024-10-18 23:04

Sample ID 240117-cdnceseffk
Target 617207e22b773248ac162d3c731d92e2
SHA256 16d81008d16cebf0bf85757b1e7789e3783584be97ddbbb3d7347323bffe91d7
Tags
ardamax keylogger persistence stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

16d81008d16cebf0bf85757b1e7789e3783584be97ddbbb3d7347323bffe91d7

Threat Level: Known bad

The file 617207e22b773248ac162d3c731d92e2 was found to be: Known bad.

Malicious Activity Summary

ardamax keylogger persistence stealer

Ardamax

Ardamax main executable

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-17 01:57

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-17 01:57

Reported: 2024-01-17 02:00

Platform: win7-20231129-en

Max time kernel: 121s

Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\617207e22b773248ac162d3c731d92e2.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\28463\AWPB.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AWPB Agent = "C:\\Windows\\SysWOW64\\28463\\AWPB.exe" | C:\Windows\SysWOW64\28463\AWPB.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\28463\AWPB.001 | C:\Users\Admin\AppData\Local\Temp\617207e22b773248ac162d3c731d92e2.exe | N/A
File created | C:\Windows\SysWOW64\28463\AWPB.006 | C:\Users\Admin\AppData\Local\Temp\617207e22b773248ac162d3c731d92e2.exe | N/A
File created | C:\Windows\SysWOW64\28463\AWPB.007 | C:\Users\Admin\AppData\Local\Temp\617207e22b773248ac162d3c731d92e2.exe | N/A
File created | C:\Windows\SysWOW64\28463\AWPB.exe | C:\Users\Admin\AppData\Local\Temp\617207e22b773248ac162d3c731d92e2.exe | N/A
File created | C:\Windows\SysWOW64\28463\AKV.exe | C:\Users\Admin\AppData\Local\Temp\617207e22b773248ac162d3c731d92e2.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\617207e22b773248ac162d3c731d92e2.exe

"C:\Users\Admin\AppData\Local\Temp\617207e22b773248ac162d3c731d92e2.exe"

C:\Windows\SysWOW64\28463\AWPB.exe

"C:\Windows\system32\28463\AWPB.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\@196A.tmp

MD5 5094ea365054fad0ba2635f30d17d463
SHA1 7977dac5f35a65904230fa4393b2334e846045ac
SHA256 b4d3bb2bfc2aa63972c6afc57af1fcec86b732290fc878ffe8a05fb2570ebd44
SHA512 5268446665f04eaa1ba960ab2cb6fb962fd146ec00c9eabada7433d3e5750bbf3e2b3fd749be5aa391913c989efb1a676b6cdda46d6ea2e085ecbac3964275cf

\Windows\SysWOW64\28463\AWPB.exe

MD5 5ef5629026bb439c91a3b9ea4fa8e43e
SHA1 248726c42e1dee804850afcfebac55351372ee83
SHA256 6d9ffbd91d2aae1959e7426ff2031464806df43126f6b460a56f4059f2769177
SHA512 78900cd646a071ef81ec56b6611dca598b859ca25f1267523f3bbe220bed8b7a9b3f8e5929fda34791fdb4252e42e31c398ffbf19a63ffee1d68ca65b3d2ba47

C:\Windows\SysWOW64\28463\AKV.exe

MD5 fd763aa6397099f2b9433e151f3ee240
SHA1 7ce5738891dd6ab99e703a2e9aba7a34e82c5c1a
SHA256 9192b775120d88affe9f86c0b3a8eebdea468e6ed868340f70f1dcd824daa70f
SHA512 92e9d17a2c19f31d7155c9cd7f0786e613050a1cdb3c5db40b53271e835b0ab54af014a443f44d083ebc12678abaa19a342424c14f5ea9dfab14e9d5c5e7fab5

C:\Windows\SysWOW64\28463\AWPB.007

MD5 6681a0740cf6b8babb91527991c691a4
SHA1 a5a3a93d4f9f664997ba02a1fe8b26f3881c174a
SHA256 1efa0be2f1620c92ba910ac6aacbac854c0f89b7bfb3952a7a5bbbb6ba19e0b8
SHA512 427ffd43177bcf5c65ce00968f9f8d81079d038811b51f483df802408f68d6a7233f180315c3e5a0e52638f188ab6e69fdb65653c526a4bfb059cebed2bcde56

C:\Windows\SysWOW64\28463\AWPB.006

MD5 9debeb853ab5e0f5c22c27bba2577550
SHA1 1eebd17676eb4f3a568e0127ed73fd93b8f0afc4
SHA256 1f515119f19140178848795922412b048bf212afd9c38ebd304cf8346a542d63
SHA512 52ac35f8903450da9e6ec61608add625f7bdb3dd7865cc7cf1ad46365ee6c2897cf696a1fdee012a51046358386e1e6efc0ecb116fa34531ea72f08cf3ab1845

C:\Windows\SysWOW64\28463\AWPB.001

MD5 a5e02f74617ae2b0c0144a25fa512c96
SHA1 dcdd47aa7997c84c4c7dafe955ade6be8db63113
SHA256 ac615c01e2fd653fe39ecc9ca2577c144f802a13822c714c13e25a1a548bcec8
SHA512 5616678a35d4c48c7266e263310c22c1830eaac8530c6f1c82d89980230d375dec3921329703fc648938f9bd4f9d91718b502085c6346c3e5d652b5047e6e3bc

memory/2092-24-0x0000000000250000-0x0000000000251000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-17 01:57

Reported: 2024-01-17 02:00

Platform: win10v2004-20231222-en

Max time kernel: 144s

Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\617207e22b773248ac162d3c731d92e2.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\617207e22b773248ac162d3c731d92e2.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\28463\AWPB.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\617207e22b773248ac162d3c731d92e2.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AWPB Agent = "C:\\Windows\\SysWOW64\\28463\\AWPB.exe" | C:\Windows\SysWOW64\28463\AWPB.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\28463\AWPB.exe | C:\Users\Admin\AppData\Local\Temp\617207e22b773248ac162d3c731d92e2.exe | N/A
File created | C:\Windows\SysWOW64\28463\AKV.exe | C:\Users\Admin\AppData\Local\Temp\617207e22b773248ac162d3c731d92e2.exe | N/A
File created | C:\Windows\SysWOW64\28463\AWPB.001 | C:\Users\Admin\AppData\Local\Temp\617207e22b773248ac162d3c731d92e2.exe | N/A
File created | C:\Windows\SysWOW64\28463\AWPB.006 | C:\Users\Admin\AppData\Local\Temp\617207e22b773248ac162d3c731d92e2.exe | N/A
File created | C:\Windows\SysWOW64\28463\AWPB.007 | C:\Users\Admin\AppData\Local\Temp\617207e22b773248ac162d3c731d92e2.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\617207e22b773248ac162d3c731d92e2.exe

"C:\Users\Admin\AppData\Local\Temp\617207e22b773248ac162d3c731d92e2.exe"

C:\Windows\SysWOW64\28463\AWPB.exe

"C:\Windows\system32\28463\AWPB.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 23.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\@5573.tmp

MD5 5094ea365054fad0ba2635f30d17d463
SHA1 7977dac5f35a65904230fa4393b2334e846045ac
SHA256 b4d3bb2bfc2aa63972c6afc57af1fcec86b732290fc878ffe8a05fb2570ebd44
SHA512 5268446665f04eaa1ba960ab2cb6fb962fd146ec00c9eabada7433d3e5750bbf3e2b3fd749be5aa391913c989efb1a676b6cdda46d6ea2e085ecbac3964275cf

C:\Windows\SysWOW64\28463\AWPB.exe

MD5 5ef5629026bb439c91a3b9ea4fa8e43e
SHA1 248726c42e1dee804850afcfebac55351372ee83
SHA256 6d9ffbd91d2aae1959e7426ff2031464806df43126f6b460a56f4059f2769177
SHA512 78900cd646a071ef81ec56b6611dca598b859ca25f1267523f3bbe220bed8b7a9b3f8e5929fda34791fdb4252e42e31c398ffbf19a63ffee1d68ca65b3d2ba47

C:\Windows\SysWOW64\28463\AWPB.007

MD5 6681a0740cf6b8babb91527991c691a4
SHA1 a5a3a93d4f9f664997ba02a1fe8b26f3881c174a
SHA256 1efa0be2f1620c92ba910ac6aacbac854c0f89b7bfb3952a7a5bbbb6ba19e0b8
SHA512 427ffd43177bcf5c65ce00968f9f8d81079d038811b51f483df802408f68d6a7233f180315c3e5a0e52638f188ab6e69fdb65653c526a4bfb059cebed2bcde56

C:\Windows\SysWOW64\28463\AKV.exe

MD5 726be7152a2cb3ae0f5062dcd73cd5f9
SHA1 a1826bf9c43996a5476330a01119bdfc8c43e309
SHA256 2b330fc78a9cd575b9b9883d89c1309b7281a51a7465c885bf6ffd9cd6b93315
SHA512 3e1c2d2ae30c84e9854e3067658cc78f96186d9b129c3c0f4f9e177aae27c9dce6a3e06cbdd8773eab8e3ac2938f1b0e57ac8174497d0dbee02168554650b254

C:\Windows\SysWOW64\28463\AWPB.006

MD5 9debeb853ab5e0f5c22c27bba2577550
SHA1 1eebd17676eb4f3a568e0127ed73fd93b8f0afc4
SHA256 1f515119f19140178848795922412b048bf212afd9c38ebd304cf8346a542d63
SHA512 52ac35f8903450da9e6ec61608add625f7bdb3dd7865cc7cf1ad46365ee6c2897cf696a1fdee012a51046358386e1e6efc0ecb116fa34531ea72f08cf3ab1845

C:\Windows\SysWOW64\28463\AWPB.001

MD5 a5e02f74617ae2b0c0144a25fa512c96
SHA1 dcdd47aa7997c84c4c7dafe955ade6be8db63113
SHA256 ac615c01e2fd653fe39ecc9ca2577c144f802a13822c714c13e25a1a548bcec8
SHA512 5616678a35d4c48c7266e263310c22c1830eaac8530c6f1c82d89980230d375dec3921329703fc648938f9bd4f9d91718b502085c6346c3e5d652b5047e6e3bc

memory/3844-23-0x00000000005E0000-0x00000000005E1000-memory.dmp