Malware Analysis Report

2024-10-18 23:04

Sample ID 240119-nlmlmsdeg6
Target 67828d5328ffd67101fef37f4d87a438
SHA256 e55d71db4bff8fc80937747b48a0458bb3658b20be8b2a714a29d131bc5e3b4f
Tags ardamax discovery keylogger persistence stealer
Score 10/10

Analysis Overview

Score 10/10

SHA256 e55d71db4bff8fc80937747b48a0458bb3658b20be8b2a714a29d131bc5e3b4f

Threat Level: Known bad

The file 67828d5328ffd67101fef37f4d87a438 was found to be: Known bad.

Malicious Activity Summary

ardamax discovery keylogger persistence stealer

Ardamax

Ardamax main executable

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Checks installed software on the system

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-19 11:29

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-19 11:29

Reported

2024-01-19 11:31

Platform

win7-20231215-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\JEVKYI\QST.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QST Start = "C:\\Windows\\JEVKYI\\QST.exe" | C:\Windows\JEVKYI\QST.exe | N/A

Checks installed software on the system

discovery

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\JEVKYI\AKV.exe | C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438.exe | N/A
File created | C:\Windows\JEVKYI\QST.003 | C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438.exe | N/A
File created | C:\Windows\JEVKYI\QST.exe | C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438.exe | N/A
File opened for modification | C:\Windows\JEVKYI\ | C:\Windows\JEVKYI\QST.exe | N/A
File created | C:\Windows\JEVKYI\QST.004 | C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438.exe | N/A
File created | C:\Windows\JEVKYI\QST.001 | C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438.exe | N/A
File created | C:\Windows\JEVKYI\QST.002 | C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438.exe | N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\JEVKYI\QST.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\JEVKYI\QST.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\JEVKYI\QST.exe | N/A
N/A | N/A | C:\Windows\JEVKYI\QST.exe | N/A
N/A | N/A | C:\Windows\JEVKYI\QST.exe | N/A
N/A | N/A | C:\Windows\JEVKYI\QST.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438.exe

"C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438.exe"

C:\Windows\JEVKYI\QST.exe

"C:\Windows\JEVKYI\QST.exe"

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\White-hatV.10Wallhack.rar"

Network

N/A

Files

\Windows\JEVKYI\QST.exe

MD5 f8530f0dfe90c7c1e20239b0a7643041
SHA1 3e0208ab84b8444a69c8d62ad0b81c4186395802
SHA256 734439c4049ae1a832b4cc5c8d227112106406945d1a7cbb355e11a3f5e356c4
SHA512 5cb01517938789e006e00d69729ae7d73ad480f1ae17a80059bf81ee5d9cebb1263a35732c84f03d742684a650b116b13e6731ca80b0b9cdb3908e5588649399

C:\Windows\JEVKYI\AKV.exe

MD5 eb916da4abe4ff314662089013c8f832
SHA1 1e7e611cc6922a2851bcf135806ab51cdb499efa
SHA256 96af80e7ba0f3997d59ebcb5ecef619f980d71ca29113e2cd2f2e8adcdea3061
SHA512 d0dbe1d1612982b9cd2a3ed3cbd3e3b5be49237f580f91d5e5d5b6d20ed4dc0babb69a666c19bf4e0f10776a43b9b1dcda91a4cd381ce3705b1795ef9d731c8b

C:\Windows\JEVKYI\QST.004

MD5 8ebb21a9b2a6004661b2842a01fc1dbe
SHA1 1b422d7715ce3819d35bcda5f9c7cd62059c8a00
SHA256 7bcf2bef8434be143c6ee76039f14f4e30be73843fda6b40a549552974bfb639
SHA512 7589d6bdddcd24d03ebc3dba01e759b51ac9e9bb93d22d87152b3950a7650f2b6d83631e79f7b8f417b5ee4574dd558e93d83ac26be994430a1e2447b5beb1cb

memory/2404-18-0x0000000000230000-0x0000000000231000-memory.dmp

C:\Windows\JEVKYI\QST.003

MD5 f47e8f65618e1b1f7e1720713f5a8c4c
SHA1 abad8e9e13b1e41f2af86e3c16526c6f2d05d952
SHA256 f170be2582c82ea131e1f688eea6e1cd17d14e6a9bb805b6aed2791e625a74d8
SHA512 635d617dbd15d00e2f7470857531b9820439a8816f2c74b3d83156599537ff42e26ea7d769863f2768eb2770ba9c47b1a10eb3e2677fe92b9eda6ae51da18dcb

C:\Windows\JEVKYI\QST.002

MD5 12fb4f589942682a478b7c7881dfcba2
SHA1 a3d490c6cda965708a1ff6a0dc4e88037e0d6336
SHA256 4de0c277800ae36b85a11ed9765f732a73578d4dce053ff7179f96ab776fb60d
SHA512 dd1c6a4ea5bc9698701ec941c4e90fe8dfb0993dc321edc052d1a80cc49bc46be665a85ec678876e698de60cda5dbf1d6279742a16d648f9d18e642a3ea33ddd

C:\Windows\JEVKYI\QST.001

MD5 425ff37c76030ca0eb60321eedd4afdd
SHA1 7dde5e9ce5c4057d3db149f323fa43ed29d90e09
SHA256 70b00b09ae76a7ecfd6680ab22df546b17826755087c069fc87d14895e1a4e24
SHA512 ef5ff97c0d682b6155eff8f92dace1789cf01ca8bca55af1c1d0f2243b5e18bc12a657bb2bb12601b51ef9e1b942f02feb8462644da291fd1b2239c34ef2b59b

C:\Users\Admin\AppData\Local\Temp\White-hatV.10Wallhack.rar

MD5 268ef2330ab151d5fb3c2eb04e104a28
SHA1 9f162ef41454ae8906502aac2977b9284c0085b5
SHA256 4cbf6bcad6af03882117708d1ef1ba223ba3e561695aeae31de7d9691e28f1ba
SHA512 94dceb1ba51df699e9c89d701d6c1ac8aedf4c714dee6b23d29b3e976d75b067b9dc1e18d071a2f0b7760e99c089002c1578571e588b52b1d1663c5683c04cad

memory/2404-22-0x0000000000230000-0x0000000000231000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-19 11:29

Reported

2024-01-19 11:32

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

169s

Command Line

"C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\JEVKYI\QST.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\JEVKYI\QST.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QST Start = "C:\\Windows\\JEVKYI\\QST.exe" | C:\Windows\JEVKYI\QST.exe | N/A

Checks installed software on the system

discovery

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\JEVKYI\ | C:\Windows\JEVKYI\QST.exe | N/A
File created | C:\Windows\JEVKYI\QST.004 | C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438.exe | N/A
File created | C:\Windows\JEVKYI\QST.001 | C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438.exe | N/A
File created | C:\Windows\JEVKYI\QST.002 | C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438.exe | N/A
File created | C:\Windows\JEVKYI\AKV.exe | C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438.exe | N/A
File created | C:\Windows\JEVKYI\QST.003 | C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438.exe | N/A
File created | C:\Windows\JEVKYI\QST.exe | C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 33 | N/A | C:\Windows\JEVKYI\QST.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\JEVKYI\QST.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\JEVKYI\QST.exe | N/A
N/A | N/A | C:\Windows\JEVKYI\QST.exe | N/A
N/A | N/A | C:\Windows\JEVKYI\QST.exe | N/A
N/A | N/A | C:\Windows\JEVKYI\QST.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438.exe

"C:\Users\Admin\AppData\Local\Temp\67828d5328ffd67101fef37f4d87a438.exe"

C:\Windows\JEVKYI\QST.exe

"C:\Windows\JEVKYI\QST.exe"

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\White-hatV.10Wallhack.rar"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp

Files

C:\Windows\JEVKYI\QST.exe

MD5 f8530f0dfe90c7c1e20239b0a7643041
SHA1 3e0208ab84b8444a69c8d62ad0b81c4186395802
SHA256 734439c4049ae1a832b4cc5c8d227112106406945d1a7cbb355e11a3f5e356c4
SHA512 5cb01517938789e006e00d69729ae7d73ad480f1ae17a80059bf81ee5d9cebb1263a35732c84f03d742684a650b116b13e6731ca80b0b9cdb3908e5588649399

C:\Users\Admin\AppData\Local\Temp\White-hatV.10Wallhack.rar

MD5 268ef2330ab151d5fb3c2eb04e104a28
SHA1 9f162ef41454ae8906502aac2977b9284c0085b5
SHA256 4cbf6bcad6af03882117708d1ef1ba223ba3e561695aeae31de7d9691e28f1ba
SHA512 94dceb1ba51df699e9c89d701d6c1ac8aedf4c714dee6b23d29b3e976d75b067b9dc1e18d071a2f0b7760e99c089002c1578571e588b52b1d1663c5683c04cad

C:\Windows\JEVKYI\QST.003

MD5 f47e8f65618e1b1f7e1720713f5a8c4c
SHA1 abad8e9e13b1e41f2af86e3c16526c6f2d05d952
SHA256 f170be2582c82ea131e1f688eea6e1cd17d14e6a9bb805b6aed2791e625a74d8
SHA512 635d617dbd15d00e2f7470857531b9820439a8816f2c74b3d83156599537ff42e26ea7d769863f2768eb2770ba9c47b1a10eb3e2677fe92b9eda6ae51da18dcb

C:\Windows\JEVKYI\QST.004

MD5 8ebb21a9b2a6004661b2842a01fc1dbe
SHA1 1b422d7715ce3819d35bcda5f9c7cd62059c8a00
SHA256 7bcf2bef8434be143c6ee76039f14f4e30be73843fda6b40a549552974bfb639
SHA512 7589d6bdddcd24d03ebc3dba01e759b51ac9e9bb93d22d87152b3950a7650f2b6d83631e79f7b8f417b5ee4574dd558e93d83ac26be994430a1e2447b5beb1cb

C:\Windows\JEVKYI\QST.002

MD5 12fb4f589942682a478b7c7881dfcba2
SHA1 a3d490c6cda965708a1ff6a0dc4e88037e0d6336
SHA256 4de0c277800ae36b85a11ed9765f732a73578d4dce053ff7179f96ab776fb60d
SHA512 dd1c6a4ea5bc9698701ec941c4e90fe8dfb0993dc321edc052d1a80cc49bc46be665a85ec678876e698de60cda5dbf1d6279742a16d648f9d18e642a3ea33ddd

C:\Windows\JEVKYI\AKV.exe

MD5 eb916da4abe4ff314662089013c8f832
SHA1 1e7e611cc6922a2851bcf135806ab51cdb499efa
SHA256 96af80e7ba0f3997d59ebcb5ecef619f980d71ca29113e2cd2f2e8adcdea3061
SHA512 d0dbe1d1612982b9cd2a3ed3cbd3e3b5be49237f580f91d5e5d5b6d20ed4dc0babb69a666c19bf4e0f10776a43b9b1dcda91a4cd381ce3705b1795ef9d731c8b

C:\Windows\JEVKYI\QST.001

MD5 425ff37c76030ca0eb60321eedd4afdd
SHA1 7dde5e9ce5c4057d3db149f323fa43ed29d90e09
SHA256 70b00b09ae76a7ecfd6680ab22df546b17826755087c069fc87d14895e1a4e24
SHA512 ef5ff97c0d682b6155eff8f92dace1789cf01ca8bca55af1c1d0f2243b5e18bc12a657bb2bb12601b51ef9e1b942f02feb8462644da291fd1b2239c34ef2b59b

memory/1436-21-0x0000000000670000-0x0000000000671000-memory.dmp

memory/1436-23-0x0000000000670000-0x0000000000671000-memory.dmp