Malware Analysis Report

2024-10-18 23:04

Sample ID 240118-yebkxagge5
Target 65df3c385d174f9e211757b25925be30
SHA256 14a3df7dce7912f61f40a0b29ee4f82d2a9c369cd9f294916ad317a7a3c4b77b
Tags
ardamax discovery keylogger persistence stealer
score
10/10

Analysis Overview

score
10/10

SHA256

14a3df7dce7912f61f40a0b29ee4f82d2a9c369cd9f294916ad317a7a3c4b77b

Threat Level: Known bad

The file 65df3c385d174f9e211757b25925be30 was found to be: Known bad.

Malicious Activity Summary

ardamax discovery keylogger persistence stealer

Ardamax main executable

Ardamax

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-18 19:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-18 19:41

Reported

2024-01-18 19:45

Platform

win7-20231215-en

Max time kernel

190s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\65df3c385d174f9e211757b25925be30.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Sys32\EXNL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\telock.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EXNL Agent = "C:\\Windows\\SysWOW64\\Sys32\\EXNL.exe" C:\Windows\SysWOW64\Sys32\EXNL.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Sys32\EXNL.009 C:\Windows\SysWOW64\Sys32\EXNL.exe N/A
File opened for modification C:\Windows\SysWOW64\Sys32\EXNL.009 C:\Windows\SysWOW64\Sys32\EXNL.exe N/A
File created C:\Windows\SysWOW64\Sys32\EXNL.001 C:\Users\Admin\AppData\Local\Temp\65df3c385d174f9e211757b25925be30.exe N/A
File created C:\Windows\SysWOW64\Sys32\EXNL.006 C:\Users\Admin\AppData\Local\Temp\65df3c385d174f9e211757b25925be30.exe N/A
File created C:\Windows\SysWOW64\Sys32\EXNL.007 C:\Users\Admin\AppData\Local\Temp\65df3c385d174f9e211757b25925be30.exe N/A
File created C:\Windows\SysWOW64\Sys32\EXNL.exe C:\Users\Admin\AppData\Local\Temp\65df3c385d174f9e211757b25925be30.exe N/A
File created C:\Windows\SysWOW64\Sys32\AKV.exe C:\Users\Admin\AppData\Local\Temp\65df3c385d174f9e211757b25925be30.exe N/A
File opened for modification C:\Windows\SysWOW64\Sys32 C:\Windows\SysWOW64\Sys32\EXNL.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\SysWOW64\Sys32\EXNL.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Sys32\EXNL.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Sys32\EXNL.exe N/A
N/A N/A C:\Windows\SysWOW64\Sys32\EXNL.exe N/A
N/A N/A C:\Windows\SysWOW64\Sys32\EXNL.exe N/A
N/A N/A C:\Windows\SysWOW64\Sys32\EXNL.exe N/A
N/A N/A C:\Windows\SysWOW64\Sys32\EXNL.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\65df3c385d174f9e211757b25925be30.exe

"C:\Users\Admin\AppData\Local\Temp\65df3c385d174f9e211757b25925be30.exe"

C:\Windows\SysWOW64\Sys32\EXNL.exe

"C:\Windows\system32\Sys32\EXNL.exe"

C:\Users\Admin\AppData\Local\Temp\telock.exe

"C:\Users\Admin\AppData\Local\Temp\telock.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\@7520.tmp

MD5 14c3321783fac66161b308d34c5b0eac
SHA1 021b4f77e27d6e0b032158936a752e27cdde09fa
SHA256 09e6cfa1698ed3cd3592fa4ed36eb970fa599cb86ce6975f5ef90dfbaf6a2f21
SHA512 9ba6f2992164e7e98084e3c3b5a4cd231edeca22b784d01e5e98078ed19a1114ba9f837aa77ec3303bfcff6fa6a7a3b4588ee6e3a444eb35fc5e8c1d732825ad

\Windows\SysWOW64\Sys32\EXNL.exe

MD5 9c3ff825312190802dc56c7b0d0ccebd
SHA1 58e200c00382b3d13c81c9e829da065ed45f5928
SHA256 e55fbc08da9dc8bfb13b1d649e117540ee2c416a678eafa40e49088c2864dcc4
SHA512 513f6e3ab1bc31d01c1730c04313a39df5f9a5e30db70699df0507fff4c82f36706a637d32f532985e551a5a835682ebdc077560fee2f9741cba7767a86b7968

C:\Windows\SysWOW64\Sys32\AKV.exe

MD5 53a578b112aeb18c5993556d4440ade1
SHA1 e51f2fcc784def3cc5ff594edfee5e25f1e9818c
SHA256 9170ccd49c118818a83d6ec5264e58519a986671828a144b70d9f601afd29156
SHA512 31357e35a4d31483951a7fbd0d774dffd880c8451e2410226dcfb8f8b1c24422febba81ae91aa2e5bb482bc0e662060f772417239e7e7a11c3c36ff8d716f352

C:\Windows\SysWOW64\Sys32\EXNL.007

MD5 22e9e9b13c2c676bec39178311d55253
SHA1 da60379e518feeb798005065dcf626a74afe1848
SHA256 3a77698cfcbbc40473f163c76838e6509c52bd6ffb97ba9d144ccd25ef5c7e14
SHA512 1d3b7eb4dcaa969a49786f1f55caa731e2e82dc79896985d50aa225fd7071bef521a6d85f56ee249db518cf0fc4a53f942299328bf54862307f742d3a6ca3dcc

C:\Windows\SysWOW64\Sys32\EXNL.006

MD5 504f5a7e8447c65bc2218bb3d47c309b
SHA1 5d2d703cfa8b1c0fab1b13b01e2250e246e2eb44
SHA256 81f383d6a9a90d1587af3f2903d9fd4ce4b4843aa285928ba731a3ee8f60c39f
SHA512 b90427bc146e30a5db47aaea4d7ac559db679f64ce490eb2195106acbc3d266442d71a7c0b00762203010436ed86bc84ef59bc3269b7611f9a6b5025fc85190b

C:\Windows\SysWOW64\Sys32\EXNL.001

MD5 3070f8614d6f90cf41af99751b29bd12
SHA1 41b71ee0b6f14a299853901c6108eabe6a02736f
SHA256 bd316b9c54220d6af7ebc0a42c1aea09115a369b9f841e9e83ccfe8256aa3f41
SHA512 379dc61aca4bad7aeb4c478a1c50f9c87aa3cd9915138235e23337614e40bac1f0d1754d4c05a48ea1388a89d341daa483a14ff435cbf64e42e05b7af1feba02

memory/2568-23-0x0000000000250000-0x0000000000251000-memory.dmp

\Users\Admin\AppData\Local\Temp\telock.exe

MD5 c4c3f834ab76c1cbc4cd318fab2373e3
SHA1 8cc449dfafc02317fc06a460c20ae48b8350d114
SHA256 5203aa4b6ad2d63fc8c7f6a05fb72b6ac75985ee8077820b47faa5a1b97c13c1
SHA512 ebefdeda797c67949f267fc6a158067a019689e14615329459ecee2ffc2914757850d409ceb1bdcf6a40dd6f92daa14d0f44c7bafeb902453aa9a96c7cd652bb

memory/1712-38-0x0000000077D0F000-0x0000000077D10000-memory.dmp

memory/1712-39-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2568-40-0x0000000000250000-0x0000000000251000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-18 19:41

Reported

2024-01-18 19:44

Platform

win10v2004-20231222-en

Max time kernel

141s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\65df3c385d174f9e211757b25925be30.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\65df3c385d174f9e211757b25925be30.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Sys32\EXNL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\telock.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EXNL Agent = "C:\\Windows\\SysWOW64\\Sys32\\EXNL.exe" C:\Windows\SysWOW64\Sys32\EXNL.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Sys32\EXNL.006 C:\Users\Admin\AppData\Local\Temp\65df3c385d174f9e211757b25925be30.exe N/A
File created C:\Windows\SysWOW64\Sys32\EXNL.007 C:\Users\Admin\AppData\Local\Temp\65df3c385d174f9e211757b25925be30.exe N/A
File created C:\Windows\SysWOW64\Sys32\EXNL.exe C:\Users\Admin\AppData\Local\Temp\65df3c385d174f9e211757b25925be30.exe N/A
File created C:\Windows\SysWOW64\Sys32\AKV.exe C:\Users\Admin\AppData\Local\Temp\65df3c385d174f9e211757b25925be30.exe N/A
File opened for modification C:\Windows\SysWOW64\Sys32 C:\Windows\SysWOW64\Sys32\EXNL.exe N/A
File created C:\Windows\SysWOW64\Sys32\EXNL.009 C:\Windows\SysWOW64\Sys32\EXNL.exe N/A
File opened for modification C:\Windows\SysWOW64\Sys32\EXNL.009 C:\Windows\SysWOW64\Sys32\EXNL.exe N/A
File created C:\Windows\SysWOW64\Sys32\EXNL.001 C:\Users\Admin\AppData\Local\Temp\65df3c385d174f9e211757b25925be30.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\SysWOW64\Sys32\EXNL.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Sys32\EXNL.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Sys32\EXNL.exe N/A
N/A N/A C:\Windows\SysWOW64\Sys32\EXNL.exe N/A
N/A N/A C:\Windows\SysWOW64\Sys32\EXNL.exe N/A
N/A N/A C:\Windows\SysWOW64\Sys32\EXNL.exe N/A
N/A N/A C:\Windows\SysWOW64\Sys32\EXNL.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\65df3c385d174f9e211757b25925be30.exe

"C:\Users\Admin\AppData\Local\Temp\65df3c385d174f9e211757b25925be30.exe"

C:\Windows\SysWOW64\Sys32\EXNL.exe

"C:\Windows\system32\Sys32\EXNL.exe"

C:\Users\Admin\AppData\Local\Temp\telock.exe

"C:\Users\Admin\AppData\Local\Temp\telock.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 74.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\@4769.tmp

MD5 14c3321783fac66161b308d34c5b0eac
SHA1 021b4f77e27d6e0b032158936a752e27cdde09fa
SHA256 09e6cfa1698ed3cd3592fa4ed36eb970fa599cb86ce6975f5ef90dfbaf6a2f21
SHA512 9ba6f2992164e7e98084e3c3b5a4cd231edeca22b784d01e5e98078ed19a1114ba9f837aa77ec3303bfcff6fa6a7a3b4588ee6e3a444eb35fc5e8c1d732825ad

C:\Windows\SysWOW64\Sys32\EXNL.exe

MD5 9c3ff825312190802dc56c7b0d0ccebd
SHA1 58e200c00382b3d13c81c9e829da065ed45f5928
SHA256 e55fbc08da9dc8bfb13b1d649e117540ee2c416a678eafa40e49088c2864dcc4
SHA512 513f6e3ab1bc31d01c1730c04313a39df5f9a5e30db70699df0507fff4c82f36706a637d32f532985e551a5a835682ebdc077560fee2f9741cba7767a86b7968

C:\Users\Admin\AppData\Local\Temp\telock.exe

MD5 c4c3f834ab76c1cbc4cd318fab2373e3
SHA1 8cc449dfafc02317fc06a460c20ae48b8350d114
SHA256 5203aa4b6ad2d63fc8c7f6a05fb72b6ac75985ee8077820b47faa5a1b97c13c1
SHA512 ebefdeda797c67949f267fc6a158067a019689e14615329459ecee2ffc2914757850d409ceb1bdcf6a40dd6f92daa14d0f44c7bafeb902453aa9a96c7cd652bb

C:\Windows\SysWOW64\Sys32\EXNL.001

MD5 3070f8614d6f90cf41af99751b29bd12
SHA1 41b71ee0b6f14a299853901c6108eabe6a02736f
SHA256 bd316b9c54220d6af7ebc0a42c1aea09115a369b9f841e9e83ccfe8256aa3f41
SHA512 379dc61aca4bad7aeb4c478a1c50f9c87aa3cd9915138235e23337614e40bac1f0d1754d4c05a48ea1388a89d341daa483a14ff435cbf64e42e05b7af1feba02

C:\Windows\SysWOW64\Sys32\EXNL.007

MD5 22e9e9b13c2c676bec39178311d55253
SHA1 da60379e518feeb798005065dcf626a74afe1848
SHA256 3a77698cfcbbc40473f163c76838e6509c52bd6ffb97ba9d144ccd25ef5c7e14
SHA512 1d3b7eb4dcaa969a49786f1f55caa731e2e82dc79896985d50aa225fd7071bef521a6d85f56ee249db518cf0fc4a53f942299328bf54862307f742d3a6ca3dcc

C:\Windows\SysWOW64\Sys32\EXNL.006

MD5 504f5a7e8447c65bc2218bb3d47c309b
SHA1 5d2d703cfa8b1c0fab1b13b01e2250e246e2eb44
SHA256 81f383d6a9a90d1587af3f2903d9fd4ce4b4843aa285928ba731a3ee8f60c39f
SHA512 b90427bc146e30a5db47aaea4d7ac559db679f64ce490eb2195106acbc3d266442d71a7c0b00762203010436ed86bc84ef59bc3269b7611f9a6b5025fc85190b

C:\Windows\SysWOW64\Sys32\AKV.exe

MD5 53a578b112aeb18c5993556d4440ade1
SHA1 e51f2fcc784def3cc5ff594edfee5e25f1e9818c
SHA256 9170ccd49c118818a83d6ec5264e58519a986671828a144b70d9f601afd29156
SHA512 31357e35a4d31483951a7fbd0d774dffd880c8451e2410226dcfb8f8b1c24422febba81ae91aa2e5bb482bc0e662060f772417239e7e7a11c3c36ff8d716f352

memory/1876-34-0x0000000000400000-0x000000000042F000-memory.dmp

memory/448-35-0x0000000000600000-0x0000000000601000-memory.dmp

memory/1876-42-0x0000000000400000-0x000000000042F000-memory.dmp

memory/448-44-0x0000000000600000-0x0000000000601000-memory.dmp