Malware Analysis Report

2024-10-18 23:04

Sample ID 240121-z1962aacem
Target 6e088e7a3dc0f6811e96db94362db2c8
SHA256 f6e495de196a7084dea401ecb9fc3e9a1e29a81ad3df0323806a923a64059c10
Tags
ardamax discovery evasion keylogger persistence stealer themida
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f6e495de196a7084dea401ecb9fc3e9a1e29a81ad3df0323806a923a64059c10

Threat Level: Known bad

The file 6e088e7a3dc0f6811e96db94362db2c8 was found to be: Known bad.

Malicious Activity Summary

ardamax discovery evasion keylogger persistence stealer themida

Ardamax main executable

Ardamax

Identifies Wine through registry keys

Themida packer

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-21 21:12

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-21 21:12

Reported

2024-01-21 21:14

Platform

win7-20231129-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6e088e7a3dc0f6811e96db94362db2c8.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\INSTALL.EXE N/A
N/A N/A C:\Windows\SysWOW64\28463\WGQS.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\6e088e7a3dc0f6811e96db94362db2c8.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WGQS Agent = "C:\\Windows\\SysWOW64\\28463\\WGQS.exe" C:\Windows\SysWOW64\28463\WGQS.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\28463\WGQS.001 C:\Windows\INSTALL.EXE N/A
File created C:\Windows\SysWOW64\28463\WGQS.006 C:\Windows\INSTALL.EXE N/A
File created C:\Windows\SysWOW64\28463\WGQS.007 C:\Windows\INSTALL.EXE N/A
File created C:\Windows\SysWOW64\28463\WGQS.exe C:\Windows\INSTALL.EXE N/A
File created C:\Windows\SysWOW64\28463\AKV.exe C:\Windows\INSTALL.EXE N/A
File opened for modification C:\Windows\SysWOW64\28463 C:\Windows\SysWOW64\28463\WGQS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\INSTALL.EXE C:\Users\Admin\AppData\Local\Temp\6e088e7a3dc0f6811e96db94362db2c8.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\SysWOW64\28463\WGQS.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\28463\WGQS.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\28463\WGQS.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\WGQS.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\WGQS.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\WGQS.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\WGQS.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2316 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\6e088e7a3dc0f6811e96db94362db2c8.exe C:\Windows\INSTALL.EXE
PID 2316 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\6e088e7a3dc0f6811e96db94362db2c8.exe C:\Windows\INSTALL.EXE
PID 2316 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\6e088e7a3dc0f6811e96db94362db2c8.exe C:\Windows\INSTALL.EXE
PID 2316 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\6e088e7a3dc0f6811e96db94362db2c8.exe C:\Windows\INSTALL.EXE
PID 2316 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\6e088e7a3dc0f6811e96db94362db2c8.exe C:\Windows\INSTALL.EXE
PID 2316 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\6e088e7a3dc0f6811e96db94362db2c8.exe C:\Windows\INSTALL.EXE
PID 2316 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\6e088e7a3dc0f6811e96db94362db2c8.exe C:\Windows\INSTALL.EXE
PID 3028 wrote to memory of 2564 N/A C:\Windows\INSTALL.EXE C:\Windows\SysWOW64\28463\WGQS.exe
PID 3028 wrote to memory of 2564 N/A C:\Windows\INSTALL.EXE C:\Windows\SysWOW64\28463\WGQS.exe
PID 3028 wrote to memory of 2564 N/A C:\Windows\INSTALL.EXE C:\Windows\SysWOW64\28463\WGQS.exe
PID 3028 wrote to memory of 2564 N/A C:\Windows\INSTALL.EXE C:\Windows\SysWOW64\28463\WGQS.exe
PID 3028 wrote to memory of 2564 N/A C:\Windows\INSTALL.EXE C:\Windows\SysWOW64\28463\WGQS.exe
PID 3028 wrote to memory of 2564 N/A C:\Windows\INSTALL.EXE C:\Windows\SysWOW64\28463\WGQS.exe
PID 3028 wrote to memory of 2564 N/A C:\Windows\INSTALL.EXE C:\Windows\SysWOW64\28463\WGQS.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6e088e7a3dc0f6811e96db94362db2c8.exe

"C:\Users\Admin\AppData\Local\Temp\6e088e7a3dc0f6811e96db94362db2c8.exe"

C:\Windows\INSTALL.EXE

"C:\Windows\INSTALL.EXE"

C:\Windows\SysWOW64\28463\WGQS.exe

"C:\Windows\system32\28463\WGQS.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

Network

N/A

Files

memory/2316-0-0x0000000000400000-0x00000000005B7000-memory.dmp

memory/2316-2-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2316-1-0x00000000005C0000-0x00000000006BA000-memory.dmp

memory/2316-4-0x0000000000400000-0x00000000005B7000-memory.dmp

C:\Windows\INSTALL.EXE

MD5 98ec30e388040b2d6d113ba5dc684f74
SHA1 60373d7cf902d248eafd0644a8d61cfb38cc2057
SHA256 e1c6967b1f1cb994d746b67bc8baf7c1a683bfbdd18ffd6f44a5f86946a3e1e5
SHA512 5610a25a0ece9e7e906ba20b19faeb1f44ee2dab61c8edc7960a795fd00150ff8579882d08e8fc773b1db39461fb0428176d27793fa5e62b0d381cb218a0c569

\Users\Admin\AppData\Local\Temp\@D69.tmp

MD5 c3679c3ff636d1a6b8c65323540da371
SHA1 d184758721a426467b687bec2a4acc80fe44c6f8
SHA256 d4eba51c616b439a8819218bddf9a6fa257d55c9f04cf81441cc99cc945ad3eb
SHA512 494a0a32eef4392ecb54df6e1da7d93183473c4e45f4ac4bd6ec3b0ed8c85c58303a0d36edec41420d05ff624195f08791b6b7e018419a3251b7e71ec9b730e7

\Windows\SysWOW64\28463\WGQS.exe

MD5 17535dddecf8cb1efdba1f1952126547
SHA1 a862a9a3eb6c201751be1038537522a5281ea6cb
SHA256 1a3d28ac6359e58aa656f4734f9f36b6c09badadcf9fb900b9b118d90c38a9dd
SHA512 b4f31b552ab3bb3dafa365aa7a31f58674ae7ee82ce1d23457f2e7047431430b00abb3b5498491725639daf583b526b278a737168cfdc4e9ec796dfbc14a53d8

C:\Windows\SysWOW64\28463\WGQS.007

MD5 b5a87d630436f958c6e1d82d15f98f96
SHA1 d3ff5e92198d4df0f98a918071aca53550bf1cff
SHA256 a895ad4d23e8b2c2dc552092f645ca309e62c36d4721ebfe7afd2eee7765d4b2
SHA512 fd7bae85a86bdaa12fec826d1d38728a90e2037cb3182ad7652d8a9f54c4b322734c587b62221e6f907fce24fcf2e0ae4cce1f5e3d8861661064b4da24bd87ce

\Windows\SysWOW64\28463\WGQS.006

MD5 43f02e9974b1477c1e6388882f233db0
SHA1 f3e27b231193f8d5b2e1b09d05ae3a62795cf339
SHA256 3c9e56e51d5a7a1b9aefe853c12a98bf246039aa46db94227ea128f6331782ba
SHA512 e22d14735606fe75ee5e55204807c3f5531d3e0c4f63aa4a3b2d4bb6abda6128c7e2816753f2e64400ac6dae8f8ef1e013a7a464dff2a79ad9937c48821a067f

C:\Windows\SysWOW64\28463\WGQS.001

MD5 e212a3850a57f23b3650c1d30a85d917
SHA1 3650abb4951a03cbfc36c19984a285dc921b875c
SHA256 0543787655e47c225f8a8328249347698a8713727068304063560b4c60960301
SHA512 55d2d84f896b81211af9316322657bbb472d453b7d714af43f944400a529b3f639f62c7f790482438e7ce396bbf86b7b846876a3650627461ce6735aa70ebb16

C:\Windows\SysWOW64\28463\AKV.exe

MD5 b8fa30233794772b8b76b4b1d91c7321
SHA1 0cf9561be2528944285e536f41d502be24c3aa87
SHA256 14116fa79ccc105fabd312b4dff74933f8684c6b27db37e5e3a79d159092d29a
SHA512 10ce8b18e7afb8c7e30bb90b0a1f199ef0b77873fa7a9efc596606e151be6b516c0ec6222a9032bdcc527e80964f53d20a28fa1881a08b4df303b2e28204549d

memory/2316-45-0x0000000000400000-0x00000000005B7000-memory.dmp

memory/2728-46-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2728-47-0x000000007798F000-0x0000000077990000-memory.dmp

memory/2728-43-0x0000000000160000-0x0000000000162000-memory.dmp

memory/2316-42-0x0000000004CD0000-0x0000000004CD2000-memory.dmp

memory/2728-48-0x000000007798F000-0x0000000077990000-memory.dmp

C:\GLADIATUS.JPG

MD5 687d9933624943e77e0d639a27e2dc51
SHA1 e12e8f379c86982c53a2258a173524e146a0f111
SHA256 f8c240c4c21d772850f55c23d49bc6e01195e6f41cdf7a0dffa1af750026bbb0
SHA512 02b458aebae3d85a001f0f65384f0daeece9d6726efd3068b60947e210ae60bdfbc865ae8db32d975d3d0eb3d5c4c97aa576274c6f6ef490870e12f5b5e3b350

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-21 21:12

Reported

2024-01-21 21:14

Platform

win10v2004-20231215-en

Max time kernel

93s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6e088e7a3dc0f6811e96db94362db2c8.exe"

Signatures

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\6e088e7a3dc0f6811e96db94362db2c8.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6e088e7a3dc0f6811e96db94362db2c8.exe

"C:\Users\Admin\AppData\Local\Temp\6e088e7a3dc0f6811e96db94362db2c8.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4424 -ip 4424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 296

Network

Country  Destination       Domain                         Proto
US       8.8.8.8:53        209.205.72.20.in-addr.arpa     udp
US       8.8.8.8:53        204.178.17.96.in-addr.arpa     udp
US       8.8.8.8:53        64.159.190.20.in-addr.arpa     udp
US       8.8.8.8:53        95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53        133.211.185.52.in-addr.arpa    udp
US       138.91.171.81:80  N/A                            tcp
US       8.8.8.8:53        104.219.191.52.in-addr.arpa    udp
US       8.8.8.8:53        103.169.127.40.in-addr.arpa    udp
US       8.8.8.8:53        198.187.3.20.in-addr.arpa      udp
US       8.8.8.8:53        134.71.91.104.in-addr.arpa     udp
US       8.8.8.8:53        16.234.44.23.in-addr.arpa      udp
US       8.8.8.8:53        211.178.17.96.in-addr.arpa     udp
US       8.8.8.8:53        81.171.91.138.in-addr.arpa     udp
US       8.8.8.8:53        195.178.17.96.in-addr.arpa     udp

Files

memory/4424-0-0x0000000000400000-0x00000000005B7000-memory.dmp

memory/4424-1-0x0000000000A70000-0x0000000000A71000-memory.dmp

memory/4424-2-0x00000000022F0000-0x00000000023EA000-memory.dmp

memory/4424-3-0x0000000000400000-0x00000000005B7000-memory.dmp