Malware Analysis Report

2024-10-18 23:04

Sample ID 240119-p1n9fsehd4
Target 67a8d8448eb6c623a85a1955b3458757
SHA256 07641c7d357377a5d16a0ef703908297c4d0dd7963fa0b7616f59f7689b47d1b
Tags
ardamax discovery keylogger persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

07641c7d357377a5d16a0ef703908297c4d0dd7963fa0b7616f59f7689b47d1b

Threat Level: Known bad

The file 67a8d8448eb6c623a85a1955b3458757 was found to be: Known bad.

Malicious Activity Summary

ardamax discovery keylogger persistence stealer

Ardamax main executable

Ardamax

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-19 12:47

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-19 12:47

Reported

2024-01-19 12:50

Platform

win7-20231215-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\67a8d8448eb6c623a85a1955b3458757.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\RPANNB\CRO.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\67a8d8448eb6c623a85a1955b3458757.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\RPANNB\CRO.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CRO Start = "C:\\Windows\\SysWOW64\\RPANNB\\CRO.exe" | C:\Windows\SysWOW64\RPANNB\CRO.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\RPANNB\CRO.004 | C:\Users\Admin\AppData\Local\Temp\67a8d8448eb6c623a85a1955b3458757.exe | N/A
File created | C:\Windows\SysWOW64\RPANNB\CRO.001 | C:\Users\Admin\AppData\Local\Temp\67a8d8448eb6c623a85a1955b3458757.exe | N/A
File created | C:\Windows\SysWOW64\RPANNB\CRO.002 | C:\Users\Admin\AppData\Local\Temp\67a8d8448eb6c623a85a1955b3458757.exe | N/A
File created | C:\Windows\SysWOW64\RPANNB\AKV.exe | C:\Users\Admin\AppData\Local\Temp\67a8d8448eb6c623a85a1955b3458757.exe | N/A
File created | C:\Windows\SysWOW64\RPANNB\CRO.exe | C:\Users\Admin\AppData\Local\Temp\67a8d8448eb6c623a85a1955b3458757.exe | N/A
File opened for modification | C:\Windows\SysWOW64\RPANNB\ | C:\Windows\SysWOW64\RPANNB\CRO.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\RPANNB\CRO.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\SysWOW64\RPANNB\CRO.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\RPANNB\CRO.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\RPANNB\CRO.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\RPANNB\CRO.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\RPANNB\CRO.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\RPANNB\CRO.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\67a8d8448eb6c623a85a1955b3458757.exe

"C:\Users\Admin\AppData\Local\Temp\67a8d8448eb6c623a85a1955b3458757.exe"

C:\Windows\SysWOW64\RPANNB\CRO.exe

"C:\Windows\system32\RPANNB\CRO.exe"

Network

N/A

Files

C:\Windows\SysWOW64\RPANNB\CRO.exe

MD5 d95623e481661c678a0546e02f10f24c
SHA1 b6949e68a19b270873764585eb1e82448d1e0717
SHA256 cecfadce6fb09b3977c20d15fb40f8f66a1d7e488a4794451d048a598c3417da
SHA512 dee02644d92ed30e88bb10e9dcdba97abd9949b230059ec20cf5d93061f9cdb77b1e793e5f69d0b51595c30077c3ddd093348d22b070ce898ccefe28b8062591

\Windows\SysWOW64\RPANNB\CRO.001

MD5 f354f72924cdfe4c8afcc85005803b21
SHA1 817bf228f2f6fdb45bc54abb30efe96729bd65c8
SHA256 d1edf8e95bc50e5fc944b07c19d643a9a3dc17e6744c718257baf8b79789e540
SHA512 57e837cc6901558fe114f5cf06590dde935daf4bd16eb9bbce76967944e079b615a8da827d46ff27d0b841a1bf9701a86618090cb5b6dd5e1bac1630cdad0233

memory/2872-15-0x0000000000230000-0x0000000000231000-memory.dmp

C:\Windows\SysWOW64\RPANNB\CRO.004

MD5 6e618523d4750a4f7f4c1c5fd5d7ec71
SHA1 a3f6e10b4215fe7990dc7286903437c088cd1f80
SHA256 297249fdf2f32fee9df93c33e8285b2165dc3989d869207662becec986b5699f
SHA512 5398716e8f0184cdfa7eadfc00c16446745266ff1229664d29239074fd36fc71dd1b2e9fe956cfc19a0bde370c1fb122ff80eec5337dfeaf5faf3da2bbb821b5

C:\Windows\SysWOW64\RPANNB\CRO.002

MD5 f195701cf2c54d6ceadad943cf5135b8
SHA1 9beb03fc097fc58d7375b0511b87ced98a423a08
SHA256 177c1dcc7f13158445f0b99713e9cad205da86e764940a48d43dc375565b0dec
SHA512 f78def1ab431bb2b7b647ec76c063c30a87cabd22605f94cbe4fbb6f757fd54ddf7861d3842a0e369abfce94b68d41dec0fe2322a74f67d9875f561f92b20025

C:\Windows\SysWOW64\RPANNB\AKV.exe

MD5 b905540561802896d1609a5709c38795
SHA1 a265f7c1d428ccece168d36ae1a5f50abfb69e37
SHA256 ce666ce776c30251bb1b465d47826c23efaa86ec5ee50b2a4d23a4ceb343ed53
SHA512 7663654f134f47a8092bae1f3f9d46732d2541ab955e7604d43a0def1e61e2bc039a6753e94d99f1d04b69f55a86f1fb937513671019f1bdf100edb97b24badc

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-19 12:47

Reported

2024-01-19 12:50

Platform

win10v2004-20231215-en

Max time kernel

137s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\67a8d8448eb6c623a85a1955b3458757.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\67a8d8448eb6c623a85a1955b3458757.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\RPANNB\CRO.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\RPANNB\CRO.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CRO Start = "C:\\Windows\\SysWOW64\\RPANNB\\CRO.exe" | C:\Windows\SysWOW64\RPANNB\CRO.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\RPANNB\CRO.004 | C:\Users\Admin\AppData\Local\Temp\67a8d8448eb6c623a85a1955b3458757.exe | N/A
File created | C:\Windows\SysWOW64\RPANNB\CRO.001 | C:\Users\Admin\AppData\Local\Temp\67a8d8448eb6c623a85a1955b3458757.exe | N/A
File created | C:\Windows\SysWOW64\RPANNB\CRO.002 | C:\Users\Admin\AppData\Local\Temp\67a8d8448eb6c623a85a1955b3458757.exe | N/A
File created | C:\Windows\SysWOW64\RPANNB\AKV.exe | C:\Users\Admin\AppData\Local\Temp\67a8d8448eb6c623a85a1955b3458757.exe | N/A
File created | C:\Windows\SysWOW64\RPANNB\CRO.exe | C:\Users\Admin\AppData\Local\Temp\67a8d8448eb6c623a85a1955b3458757.exe | N/A
File opened for modification | C:\Windows\SysWOW64\RPANNB\ | C:\Windows\SysWOW64\RPANNB\CRO.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\RPANNB\CRO.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\RPANNB\CRO.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\SysWOW64\RPANNB\CRO.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\RPANNB\CRO.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\RPANNB\CRO.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\RPANNB\CRO.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\RPANNB\CRO.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\RPANNB\CRO.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\67a8d8448eb6c623a85a1955b3458757.exe

"C:\Users\Admin\AppData\Local\Temp\67a8d8448eb6c623a85a1955b3458757.exe"

C:\Windows\SysWOW64\RPANNB\CRO.exe

"C:\Windows\system32\RPANNB\CRO.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp

Files

C:\Windows\SysWOW64\RPANNB\CRO.exe

MD5 d95623e481661c678a0546e02f10f24c
SHA1 b6949e68a19b270873764585eb1e82448d1e0717
SHA256 cecfadce6fb09b3977c20d15fb40f8f66a1d7e488a4794451d048a598c3417da
SHA512 dee02644d92ed30e88bb10e9dcdba97abd9949b230059ec20cf5d93061f9cdb77b1e793e5f69d0b51595c30077c3ddd093348d22b070ce898ccefe28b8062591

C:\Windows\SysWOW64\RPANNB\CRO.004

MD5 6e618523d4750a4f7f4c1c5fd5d7ec71
SHA1 a3f6e10b4215fe7990dc7286903437c088cd1f80
SHA256 297249fdf2f32fee9df93c33e8285b2165dc3989d869207662becec986b5699f
SHA512 5398716e8f0184cdfa7eadfc00c16446745266ff1229664d29239074fd36fc71dd1b2e9fe956cfc19a0bde370c1fb122ff80eec5337dfeaf5faf3da2bbb821b5

C:\Windows\SysWOW64\RPANNB\CRO.001

MD5 f354f72924cdfe4c8afcc85005803b21
SHA1 817bf228f2f6fdb45bc54abb30efe96729bd65c8
SHA256 d1edf8e95bc50e5fc944b07c19d643a9a3dc17e6744c718257baf8b79789e540
SHA512 57e837cc6901558fe114f5cf06590dde935daf4bd16eb9bbce76967944e079b615a8da827d46ff27d0b841a1bf9701a86618090cb5b6dd5e1bac1630cdad0233

C:\Windows\SysWOW64\RPANNB\AKV.exe

MD5 b905540561802896d1609a5709c38795
SHA1 a265f7c1d428ccece168d36ae1a5f50abfb69e37
SHA256 ce666ce776c30251bb1b465d47826c23efaa86ec5ee50b2a4d23a4ceb343ed53
SHA512 7663654f134f47a8092bae1f3f9d46732d2541ab955e7604d43a0def1e61e2bc039a6753e94d99f1d04b69f55a86f1fb937513671019f1bdf100edb97b24badc

C:\Windows\SysWOW64\RPANNB\CRO.002

MD5 f195701cf2c54d6ceadad943cf5135b8
SHA1 9beb03fc097fc58d7375b0511b87ced98a423a08
SHA256 177c1dcc7f13158445f0b99713e9cad205da86e764940a48d43dc375565b0dec
SHA512 f78def1ab431bb2b7b647ec76c063c30a87cabd22605f94cbe4fbb6f757fd54ddf7861d3842a0e369abfce94b68d41dec0fe2322a74f67d9875f561f92b20025

memory/232-16-0x00000000005D0000-0x00000000005D1000-memory.dmp

memory/232-18-0x00000000005D0000-0x00000000005D1000-memory.dmp