Malware Analysis Report

2024-10-18 23:04

Sample ID 240117-fgpw7shgd3
Target 61c7407f12837bb4ea4c2de526f7364d
SHA256 4f0d2ffbc946083e38333012faa1132ff7f2479760819a1d5a05bd80777e50fc
Tags
ardamax discovery keylogger persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4f0d2ffbc946083e38333012faa1132ff7f2479760819a1d5a05bd80777e50fc

Threat Level: Known bad

The file 61c7407f12837bb4ea4c2de526f7364d was found to be: Known bad.

Malicious Activity Summary

ardamax discovery keylogger persistence stealer

Ardamax main executable

Ardamax

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-17 04:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-17 04:50

Reported

2024-01-17 04:53

Platform

win7-20231215-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\61c7407f12837bb4ea4c2de526f7364d.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\GQULCE\AAL.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AAL Start = "C:\\Windows\\SysWOW64\\GQULCE\\AAL.exe" C:\Windows\SysWOW64\GQULCE\AAL.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\GQULCE\AAL.004 C:\Users\Admin\AppData\Local\Temp\61c7407f12837bb4ea4c2de526f7364d.exe N/A
File created C:\Windows\SysWOW64\GQULCE\AAL.001 C:\Users\Admin\AppData\Local\Temp\61c7407f12837bb4ea4c2de526f7364d.exe N/A
File created C:\Windows\SysWOW64\GQULCE\AAL.002 C:\Users\Admin\AppData\Local\Temp\61c7407f12837bb4ea4c2de526f7364d.exe N/A
File created C:\Windows\SysWOW64\GQULCE\AKV.exe C:\Users\Admin\AppData\Local\Temp\61c7407f12837bb4ea4c2de526f7364d.exe N/A
File created C:\Windows\SysWOW64\GQULCE\AAL.exe C:\Users\Admin\AppData\Local\Temp\61c7407f12837bb4ea4c2de526f7364d.exe N/A
File opened for modification C:\Windows\SysWOW64\GQULCE\ C:\Windows\SysWOW64\GQULCE\AAL.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\SysWOW64\GQULCE\AAL.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\GQULCE\AAL.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\GQULCE\AAL.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\GQULCE\AAL.exe N/A
N/A N/A C:\Windows\SysWOW64\GQULCE\AAL.exe N/A
N/A N/A C:\Windows\SysWOW64\GQULCE\AAL.exe N/A
N/A N/A C:\Windows\SysWOW64\GQULCE\AAL.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2648 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\61c7407f12837bb4ea4c2de526f7364d.exe C:\Windows\SysWOW64\GQULCE\AAL.exe
PID 2648 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\61c7407f12837bb4ea4c2de526f7364d.exe C:\Windows\SysWOW64\GQULCE\AAL.exe
PID 2648 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\61c7407f12837bb4ea4c2de526f7364d.exe C:\Windows\SysWOW64\GQULCE\AAL.exe
PID 2648 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\61c7407f12837bb4ea4c2de526f7364d.exe C:\Windows\SysWOW64\GQULCE\AAL.exe
PID 2648 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\61c7407f12837bb4ea4c2de526f7364d.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2648 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\61c7407f12837bb4ea4c2de526f7364d.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2648 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\61c7407f12837bb4ea4c2de526f7364d.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2648 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\61c7407f12837bb4ea4c2de526f7364d.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2300 wrote to memory of 2332 N/A C:\Windows\SysWOW64\GQULCE\AAL.exe C:\Windows\SysWOW64\cmd.exe
PID 2300 wrote to memory of 2332 N/A C:\Windows\SysWOW64\GQULCE\AAL.exe C:\Windows\SysWOW64\cmd.exe
PID 2300 wrote to memory of 2332 N/A C:\Windows\SysWOW64\GQULCE\AAL.exe C:\Windows\SysWOW64\cmd.exe
PID 2300 wrote to memory of 2332 N/A C:\Windows\SysWOW64\GQULCE\AAL.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\61c7407f12837bb4ea4c2de526f7364d.exe

"C:\Users\Admin\AppData\Local\Temp\61c7407f12837bb4ea4c2de526f7364d.exe"

C:\Windows\SysWOW64\GQULCE\AAL.exe

"C:\Windows\system32\GQULCE\AAL.exe"

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Novo Documento de Texto.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\GQULCE\AAL.exe > nul

Network

N/A

Files

C:\Windows\SysWOW64\GQULCE\AAL.exe


\Windows\SysWOW64\GQULCE\AAL.exe


C:\Windows\SysWOW64\GQULCE\AKV.exe


C:\Windows\SysWOW64\GQULCE\AAL.exe


C:\Windows\SysWOW64\GQULCE\AAL.004


\Windows\SysWOW64\GQULCE\AAL.001


C:\Windows\SysWOW64\GQULCE\AAL.001


C:\Windows\SysWOW64\GQULCE\AAL.002


C:\Users\Admin\AppData\Local\Temp\Novo Documento de Texto.txt


Analysis: behavioral2

Detonation Overview

Submitted

2024-01-17 04:50

Reported

2024-01-17 04:53

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\61c7407f12837bb4ea4c2de526f7364d.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\61c7407f12837bb4ea4c2de526f7364d.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\GQULCE\AAL.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\GQULCE\AAL.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\GQULCE\AAL.exe N/A
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AAL Start = "C:\\Windows\\SysWOW64\\GQULCE\\AAL.exe" C:\Windows\SysWOW64\GQULCE\AAL.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\GQULCE\AAL.exe C:\Users\Admin\AppData\Local\Temp\61c7407f12837bb4ea4c2de526f7364d.exe N/A
File opened for modification C:\Windows\SysWOW64\GQULCE\ C:\Windows\SysWOW64\GQULCE\AAL.exe N/A
File created C:\Windows\SysWOW64\GQULCE\AAL.004 C:\Users\Admin\AppData\Local\Temp\61c7407f12837bb4ea4c2de526f7364d.exe N/A
File created C:\Windows\SysWOW64\GQULCE\AAL.001 C:\Users\Admin\AppData\Local\Temp\61c7407f12837bb4ea4c2de526f7364d.exe N/A
File created C:\Windows\SysWOW64\GQULCE\AAL.002 C:\Users\Admin\AppData\Local\Temp\61c7407f12837bb4ea4c2de526f7364d.exe N/A
File created C:\Windows\SysWOW64\GQULCE\AKV.exe C:\Users\Admin\AppData\Local\Temp\61c7407f12837bb4ea4c2de526f7364d.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\61c7407f12837bb4ea4c2de526f7364d.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\SysWOW64\GQULCE\AAL.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\GQULCE\AAL.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\GQULCE\AAL.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\GQULCE\AAL.exe N/A
N/A N/A C:\Windows\SysWOW64\GQULCE\AAL.exe N/A
N/A N/A C:\Windows\SysWOW64\GQULCE\AAL.exe N/A
N/A N/A C:\Windows\SysWOW64\GQULCE\AAL.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\61c7407f12837bb4ea4c2de526f7364d.exe

"C:\Users\Admin\AppData\Local\Temp\61c7407f12837bb4ea4c2de526f7364d.exe"

C:\Windows\SysWOW64\GQULCE\AAL.exe

"C:\Windows\system32\GQULCE\AAL.exe"

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Novo Documento de Texto.txt

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\GQULCE\AAL.exe > nul

Network

Files

C:\Windows\SysWOW64\GQULCE\AAL.exe


C:\Windows\SysWOW64\GQULCE\AAL.001


C:\Windows\SysWOW64\GQULCE\AKV.exe


C:\Windows\SysWOW64\GQULCE\AAL.004


C:\Windows\SysWOW64\GQULCE\AAL.002


C:\Users\Admin\AppData\Local\Temp\Novo Documento de Texto.txt

