Malware Analysis Report

2024-10-18 23:04

Sample ID 240122-rlt79shba2
Target 6fa3640b87e3fc4235541f837ce809f0
SHA256 27e944668c75a6ccd01bb5e97ee645132f8fbfd90da6a9380a92eb51f7827905
Tags ardamax discovery keylogger persistence stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 27e944668c75a6ccd01bb5e97ee645132f8fbfd90da6a9380a92eb51f7827905

Threat Level: Known bad

The file 6fa3640b87e3fc4235541f837ce809f0 was found to be: Known bad.

Malicious Activity Summary

ardamax discovery keylogger persistence stealer

Ardamax main executable

Ardamax

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-22 14:17

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-22 14:17

Reported

2024-01-22 14:19

Platform

win7-20231215-en

Max time kernel

119s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6fa3640b87e3fc4235541f837ce809f0.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\28463\HOKL.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HOKL Agent = "C:\\Windows\\SysWOW64\\28463\\HOKL.exe" | C:\Windows\SysWOW64\28463\HOKL.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\28463\HOKL.001 | C:\Users\Admin\AppData\Local\Temp\6fa3640b87e3fc4235541f837ce809f0.exe | N/A
File created | C:\Windows\SysWOW64\28463\HOKL.006 | C:\Users\Admin\AppData\Local\Temp\6fa3640b87e3fc4235541f837ce809f0.exe | N/A
File created | C:\Windows\SysWOW64\28463\HOKL.007 | C:\Users\Admin\AppData\Local\Temp\6fa3640b87e3fc4235541f837ce809f0.exe | N/A
File created | C:\Windows\SysWOW64\28463\HOKL.exe | C:\Users\Admin\AppData\Local\Temp\6fa3640b87e3fc4235541f837ce809f0.exe | N/A
File opened for modification | C:\Windows\SysWOW64\28463 | C:\Windows\SysWOW64\28463\HOKL.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\SysWOW64\28463\HOKL.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\28463\HOKL.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\28463\HOKL.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\HOKL.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\HOKL.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\HOKL.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\HOKL.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6fa3640b87e3fc4235541f837ce809f0.exe

"C:\Users\Admin\AppData\Local\Temp\6fa3640b87e3fc4235541f837ce809f0.exe"

C:\Windows\SysWOW64\28463\HOKL.exe

"C:\Windows\system32\28463\HOKL.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\@A9B.tmp

MD5 c3679c3ff636d1a6b8c65323540da371
SHA1 d184758721a426467b687bec2a4acc80fe44c6f8
SHA256 d4eba51c616b439a8819218bddf9a6fa257d55c9f04cf81441cc99cc945ad3eb
SHA512 494a0a32eef4392ecb54df6e1da7d93183473c4e45f4ac4bd6ec3b0ed8c85c58303a0d36edec41420d05ff624195f08791b6b7e018419a3251b7e71ec9b730e7

C:\Windows\SysWOW64\28463\HOKL.exe

MD5 17535dddecf8cb1efdba1f1952126547
SHA1 a862a9a3eb6c201751be1038537522a5281ea6cb
SHA256 1a3d28ac6359e58aa656f4734f9f36b6c09badadcf9fb900b9b118d90c38a9dd
SHA512 b4f31b552ab3bb3dafa365aa7a31f58674ae7ee82ce1d23457f2e7047431430b00abb3b5498491725639daf583b526b278a737168cfdc4e9ec796dfbc14a53d8

\Windows\SysWOW64\28463\HOKL.006

MD5 43f02e9974b1477c1e6388882f233db0
SHA1 f3e27b231193f8d5b2e1b09d05ae3a62795cf339
SHA256 3c9e56e51d5a7a1b9aefe853c12a98bf246039aa46db94227ea128f6331782ba
SHA512 e22d14735606fe75ee5e55204807c3f5531d3e0c4f63aa4a3b2d4bb6abda6128c7e2816753f2e64400ac6dae8f8ef1e013a7a464dff2a79ad9937c48821a067f

\Windows\SysWOW64\28463\HOKL.007

MD5 b5a87d630436f958c6e1d82d15f98f96
SHA1 d3ff5e92198d4df0f98a918071aca53550bf1cff
SHA256 a895ad4d23e8b2c2dc552092f645ca309e62c36d4721ebfe7afd2eee7765d4b2
SHA512 fd7bae85a86bdaa12fec826d1d38728a90e2037cb3182ad7652d8a9f54c4b322734c587b62221e6f907fce24fcf2e0ae4cce1f5e3d8861661064b4da24bd87ce

memory/2208-22-0x0000000000250000-0x0000000000251000-memory.dmp

C:\Windows\SysWOW64\28463\HOKL.001

MD5 b25268c585d62811e37981077ac364dd
SHA1 edbda834345b40b89a158e4118776e70939ffef1
SHA256 54a3959108737215b9ba183902ac45bd2e204007e66de339bee6cf058a848d11
SHA512 a8d18a4c037bc2d98d3258567eda8da2abbadaab499b154158b86bef1d76e888d623bdb2a3b8f6c10313a30675c3f2c3cd432f854dc4013057e0622066922bec

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-22 14:17

Reported

2024-01-22 14:19

Platform

win10v2004-20231222-en

Max time kernel

93s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6fa3640b87e3fc4235541f837ce809f0.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6fa3640b87e3fc4235541f837ce809f0.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\28463\HOKL.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HOKL Agent = "C:\\Windows\\SysWOW64\\28463\\HOKL.exe" | C:\Windows\SysWOW64\28463\HOKL.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\28463\HOKL.001 | C:\Users\Admin\AppData\Local\Temp\6fa3640b87e3fc4235541f837ce809f0.exe | N/A
File created | C:\Windows\SysWOW64\28463\HOKL.006 | C:\Users\Admin\AppData\Local\Temp\6fa3640b87e3fc4235541f837ce809f0.exe | N/A
File created | C:\Windows\SysWOW64\28463\HOKL.007 | C:\Users\Admin\AppData\Local\Temp\6fa3640b87e3fc4235541f837ce809f0.exe | N/A
File created | C:\Windows\SysWOW64\28463\HOKL.exe | C:\Users\Admin\AppData\Local\Temp\6fa3640b87e3fc4235541f837ce809f0.exe | N/A
File opened for modification | C:\Windows\SysWOW64\28463 | C:\Windows\SysWOW64\28463\HOKL.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\SysWOW64\28463\HOKL.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\28463\HOKL.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\28463\HOKL.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\HOKL.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\HOKL.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\HOKL.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\HOKL.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6fa3640b87e3fc4235541f837ce809f0.exe

"C:\Users\Admin\AppData\Local\Temp\6fa3640b87e3fc4235541f837ce809f0.exe"

C:\Windows\SysWOW64\28463\HOKL.exe

"C:\Windows\system32\28463\HOKL.exe"

Network

Country | Destination | Domain | Proto
NL | 52.142.223.178:80 | N/A | tcp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\@50FE.tmp

MD5 c3679c3ff636d1a6b8c65323540da371
SHA1 d184758721a426467b687bec2a4acc80fe44c6f8
SHA256 d4eba51c616b439a8819218bddf9a6fa257d55c9f04cf81441cc99cc945ad3eb
SHA512 494a0a32eef4392ecb54df6e1da7d93183473c4e45f4ac4bd6ec3b0ed8c85c58303a0d36edec41420d05ff624195f08791b6b7e018419a3251b7e71ec9b730e7

C:\Windows\SysWOW64\28463\HOKL.exe

MD5 7b4a7886f756a0d4d968bf4f1b9743d7
SHA1 6e4119b2deb064e4c21d2469d3d49c8cd7238dbe
SHA256 01dfe6bf3decb0445791ec01c0c5e02e8ad37a5a6e43a1a9d2178ffb0a0ac4e7
SHA512 4afd9d55b64d1411934f8680d81af854bf0416030395ac77e2192b8cf28391a181c6941eebf0ec7d3dfe4fe5ffdae6614d35870d0ba857074b7a9327a29b3ebb

C:\Windows\SysWOW64\28463\HOKL.exe

MD5 0b4f8268577045d4198ca314ef419435
SHA1 06fd0d70b652830eef3e6022f2b4ac56d96cf694
SHA256 6d65cdd37ba2acbda1c77824a5a59c55f574c2ec230ab5130b4d76bf3d07e29a
SHA512 ff3aa38c664eba3d9564de3373d0d562559d74f65f6a1b2bc2f765d926f34ef808c6af78808a149bb42ea09d82a8a247c04284db52691dd8ad9bf53eded26143

C:\Windows\SysWOW64\28463\HOKL.exe

MD5 145b2fc041b36d626097991d04523718
SHA1 59447ef7b56d5258d6eec5f474e85c32d7bab410
SHA256 d08858109a542118d3367686157b9c8d7689f8ba318334475600db2bdb77eeea
SHA512 c9c8fa7cf93f71ef0905526c3a0abe3b7c8b66cbddede0aae72a94667ac5263e013e1232ff1472d9c0bb1522e8fb442a3c3ad2d955eda8d9441ccbd88c84d7fe

C:\Windows\SysWOW64\28463\HOKL.007

MD5 b5a87d630436f958c6e1d82d15f98f96
SHA1 d3ff5e92198d4df0f98a918071aca53550bf1cff
SHA256 a895ad4d23e8b2c2dc552092f645ca309e62c36d4721ebfe7afd2eee7765d4b2
SHA512 fd7bae85a86bdaa12fec826d1d38728a90e2037cb3182ad7652d8a9f54c4b322734c587b62221e6f907fce24fcf2e0ae4cce1f5e3d8861661064b4da24bd87ce

C:\Windows\SysWOW64\28463\HOKL.006

MD5 43f02e9974b1477c1e6388882f233db0
SHA1 f3e27b231193f8d5b2e1b09d05ae3a62795cf339
SHA256 3c9e56e51d5a7a1b9aefe853c12a98bf246039aa46db94227ea128f6331782ba
SHA512 e22d14735606fe75ee5e55204807c3f5531d3e0c4f63aa4a3b2d4bb6abda6128c7e2816753f2e64400ac6dae8f8ef1e013a7a464dff2a79ad9937c48821a067f

memory/4412-21-0x0000000000A70000-0x0000000000A71000-memory.dmp

C:\Windows\SysWOW64\28463\HOKL.001

MD5 b25268c585d62811e37981077ac364dd
SHA1 edbda834345b40b89a158e4118776e70939ffef1
SHA256 54a3959108737215b9ba183902ac45bd2e204007e66de339bee6cf058a848d11
SHA512 a8d18a4c037bc2d98d3258567eda8da2abbadaab499b154158b86bef1d76e888d623bdb2a3b8f6c10313a30675c3f2c3cd432f854dc4013057e0622066922bec

memory/4412-25-0x0000000000A70000-0x0000000000A71000-memory.dmp