Malware Analysis Report

2024-10-18 23:04

Sample ID: 240120-kk8kyafdb3
Target: 69fad7d6792450fb7bf97b72852b0b0f
SHA256: 25527da024d34cc3015815ddd8e0963705ba67a01ade3d18d0291520efa6b2f8
Tags: ardamax discovery keylogger persistence stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 25527da024d34cc3015815ddd8e0963705ba67a01ade3d18d0291520efa6b2f8

Threat Level: Known bad

The file 69fad7d6792450fb7bf97b72852b0b0f was found to be: Known bad.

Malicious Activity Summary

ardamax discovery keylogger persistence stealer

Ardamax

Ardamax main executable

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-20 08:40

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-20 08:40

Reported: 2024-01-20 08:43

Platform: win7-20231215-en

Max time kernel: 117s

Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\69fad7d6792450fb7bf97b72852b0b0f.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\28463\WUBF.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WUBF Agent = "C:\\Windows\\SysWOW64\\28463\\WUBF.exe" | C:\Windows\SysWOW64\28463\WUBF.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\28463 | C:\Windows\SysWOW64\28463\WUBF.exe | N/A
File created | C:\Windows\SysWOW64\28463\WUBF.001 | C:\Users\Admin\AppData\Local\Temp\69fad7d6792450fb7bf97b72852b0b0f.exe | N/A
File created | C:\Windows\SysWOW64\28463\WUBF.006 | C:\Users\Admin\AppData\Local\Temp\69fad7d6792450fb7bf97b72852b0b0f.exe | N/A
File created | C:\Windows\SysWOW64\28463\WUBF.007 | C:\Users\Admin\AppData\Local\Temp\69fad7d6792450fb7bf97b72852b0b0f.exe | N/A
File created | C:\Windows\SysWOW64\28463\WUBF.exe | C:\Users\Admin\AppData\Local\Temp\69fad7d6792450fb7bf97b72852b0b0f.exe | N/A
File created | C:\Windows\SysWOW64\28463\AKV.exe | C:\Users\Admin\AppData\Local\Temp\69fad7d6792450fb7bf97b72852b0b0f.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\SysWOW64\28463\WUBF.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\28463\WUBF.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\28463\WUBF.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\28463\WUBF.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\WUBF.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\WUBF.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\WUBF.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\WUBF.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\69fad7d6792450fb7bf97b72852b0b0f.exe

"C:\Users\Admin\AppData\Local\Temp\69fad7d6792450fb7bf97b72852b0b0f.exe"

C:\Windows\SysWOW64\28463\WUBF.exe

"C:\Windows\system32\28463\WUBF.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\28463\WUBF.exe > nul

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\@8891.tmp


\Windows\SysWOW64\28463\WUBF.exe


C:\Windows\SysWOW64\28463\AKV.exe


C:\Windows\SysWOW64\28463\WUBF.001


C:\Windows\SysWOW64\28463\WUBF.exe


C:\Windows\SysWOW64\28463\WUBF.007


C:\Windows\SysWOW64\28463\WUBF.006


memory/2876-24-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2876-27-0x0000000000250000-0x0000000000251000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-20 08:40

Reported: 2024-01-20 08:43

Platform: win10v2004-20231215-en

Max time kernel: 140s

Max time network: 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\69fad7d6792450fb7bf97b72852b0b0f.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\69fad7d6792450fb7bf97b72852b0b0f.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\28463\WUBF.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\28463\WUBF.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WUBF Agent = "C:\\Windows\\SysWOW64\\28463\\WUBF.exe" | C:\Windows\SysWOW64\28463\WUBF.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\28463\WUBF.exe | C:\Users\Admin\AppData\Local\Temp\69fad7d6792450fb7bf97b72852b0b0f.exe | N/A
File created | C:\Windows\SysWOW64\28463\AKV.exe | C:\Users\Admin\AppData\Local\Temp\69fad7d6792450fb7bf97b72852b0b0f.exe | N/A
File opened for modification | C:\Windows\SysWOW64\28463 | C:\Windows\SysWOW64\28463\WUBF.exe | N/A
File created | C:\Windows\SysWOW64\28463\WUBF.001 | C:\Users\Admin\AppData\Local\Temp\69fad7d6792450fb7bf97b72852b0b0f.exe | N/A
File created | C:\Windows\SysWOW64\28463\WUBF.006 | C:\Users\Admin\AppData\Local\Temp\69fad7d6792450fb7bf97b72852b0b0f.exe | N/A
File created | C:\Windows\SysWOW64\28463\WUBF.007 | C:\Users\Admin\AppData\Local\Temp\69fad7d6792450fb7bf97b72852b0b0f.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\28463\WUBF.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\SysWOW64\28463\WUBF.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\28463\WUBF.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\28463\WUBF.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\28463\WUBF.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\WUBF.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\WUBF.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\WUBF.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\WUBF.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\69fad7d6792450fb7bf97b72852b0b0f.exe

"C:\Users\Admin\AppData\Local\Temp\69fad7d6792450fb7bf97b72852b0b0f.exe"

C:\Windows\SysWOW64\28463\WUBF.exe

"C:\Windows\system32\28463\WUBF.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5044 -ip 5044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 1116

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\28463\WUBF.exe > nul

Network

Country | Destination | Domain | Proto
US | 138.91.171.81:80 | N/A | tcp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\@C89F.tmp


C:\Windows\SysWOW64\28463\WUBF.exe


C:\Windows\SysWOW64\28463\AKV.exe


C:\Windows\SysWOW64\28463\WUBF.007


C:\Windows\SysWOW64\28463\WUBF.006


C:\Windows\SysWOW64\28463\WUBF.001


memory/5044-23-0x0000000000C00000-0x0000000000C01000-memory.dmp

memory/5044-27-0x0000000000C00000-0x0000000000C01000-memory.dmp