Malware Analysis Report

2024-10-18 23:04

Sample ID: 240126-gdwq1sgeek
Target: 7689cfe186b8b43b5ac237f0d7ae3d13
SHA256: 78c94b57ea5e7dbf7c47bf19e7248d828a0669255dd2019cdf155d89b790d348
Tags: ardamax discovery keylogger persistence stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: 78c94b57ea5e7dbf7c47bf19e7248d828a0669255dd2019cdf155d89b790d348

Threat Level: Known bad

The file 7689cfe186b8b43b5ac237f0d7ae3d13 was found to be: Known bad.

Malicious Activity Summary

ardamax discovery keylogger persistence stealer

Ardamax

Ardamax main executable

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-26 05:41

Signatures

Unsigned PE

The sample carries no Authenticode signature. No further indicator details recorded (Description / Indicator / Process / Target: N/A).

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-26 05:41
Reported: 2024-01-26 05:44
Platform: win7-20231215-en
Max time kernel: 122s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7689cfe186b8b43b5ac237f0d7ae3d13.exe"

Signatures

Ardamax (tags: keylogger, stealer, ardamax)

Ardamax main executable: family match on the sample. No further indicator details recorded (Description / Indicator / Process / Target: N/A).

Executes dropped EXE

Process: C:\Windows\SysWOW64\28463\AJAJ.exe

Adds Run key to start application (persistence)

Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AJAJ Agent = "C:\\Windows\\SysWOW64\\28463\\AJAJ.exe"
Process: C:\Windows\SysWOW64\28463\AJAJ.exe
Target: N/A

Wow6432Node is the 32-bit view of HKLM\SOFTWARE on 64-bit Windows; a value under this Run key relaunches AJAJ.exe at every interactive logon and is the persistence mechanism for the dropped keylogger.

Checks installed software on the system (discovery); no indicator details recorded.

Drops file in System32 directory

File created: C:\Windows\SysWOW64\28463\AJAJ.001  (process: C:\Users\Admin\AppData\Local\Temp\7689cfe186b8b43b5ac237f0d7ae3d13.exe)
File created: C:\Windows\SysWOW64\28463\AJAJ.006  (process: C:\Users\Admin\AppData\Local\Temp\7689cfe186b8b43b5ac237f0d7ae3d13.exe)
File created: C:\Windows\SysWOW64\28463\AJAJ.007  (process: C:\Users\Admin\AppData\Local\Temp\7689cfe186b8b43b5ac237f0d7ae3d13.exe)
File created: C:\Windows\SysWOW64\28463\AJAJ.exe  (process: C:\Users\Admin\AppData\Local\Temp\7689cfe186b8b43b5ac237f0d7ae3d13.exe)
File created: C:\Windows\SysWOW64\28463\AKV.exe   (process: C:\Users\Admin\AppData\Local\Temp\7689cfe186b8b43b5ac237f0d7ae3d13.exe)
File opened for modification: C:\Windows\SysWOW64\28463  (process: C:\Windows\SysWOW64\28463\AJAJ.exe)

The numbered AJAJ.001/.006/.007 files are companion data files the Ardamax installer drops beside its executable; AKV.exe is a second dropped executable that this run does not record as being executed.

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Process: C:\Windows\SysWOW64\28463\AJAJ.exe
Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege)
Token: SeIncBasePriorityPrivilege (SeIncreaseBasePriorityPrivilege)

Suspicious use of SetWindowsHookEx

Process: C:\Windows\SysWOW64\28463\AJAJ.exe (5 hook installations recorded; no indicator details captured)

SetWindowsHookEx is the user-mode API a keylogger uses to receive keystrokes (a WH_KEYBOARD or WH_KEYBOARD_LL hook). The report does not record the hook type or target thread, so these entries only establish that AJAJ.exe installed hooks five times.

Processes

C:\Users\Admin\AppData\Local\Temp\7689cfe186b8b43b5ac237f0d7ae3d13.exe

"C:\Users\Admin\AppData\Local\Temp\7689cfe186b8b43b5ac237f0d7ae3d13.exe"

C:\Windows\SysWOW64\28463\AJAJ.exe

"C:\Windows\system32\28463\AJAJ.exe"

The command line names system32 while the on-disk path is SysWOW64: the 32-bit dropper's writes to C:\Windows\System32 were redirected by the WOW64 file system redirector, so the real install directory is C:\Windows\SysWOW64\28463\. Hunt for the SysWOW64 path, not the one on the command line.

Network

No network traffic recorded in this run.

Files

\Users\Admin\AppData\Local\Temp\@E53.tmp

MD5 25530555085337eb644b061f239aa9d4
SHA1 8d91e099aba5439d4bfa8bce464c94e3e1acf620
SHA256 3fb6b438ad1530abdd068bffb303fb8a4de51430e0e18ddb6b1a0469ffab8325
SHA512 b1f9de0c276533a5a7070aeb2b6415cc1c0bdd2baf5e0645c6ac5ba767cab0d76e5b4461800d89724992af2c863294ada3c1eb2e4516183fe2010c33d47d6a2a

\Windows\SysWOW64\28463\AJAJ.exe

MD5 97d8ad45f48b4b28a93aab94699b7168
SHA1 8b69b7fd7c008b95d12386f6da415097e72151de
SHA256 661df22a66b2062b233eb0bd9665de924cfe0ac9c6ba29e20ffef24f817f9331
SHA512 3351eac970bab391de410fcf1937da75d2e4722b808f10332f487ddfe469544e32e7d4ed0e5bdc19bd5f472cffcc55ca1498c95945b4e9c4ceff6ff5cc521c8a

C:\Windows\SysWOW64\28463\AJAJ.001

MD5 7f31d4225e4c9e1bd8bb9ac4ff526d4a
SHA1 bca36835166510af37cc1df7fd8fc5a0996b0124
SHA256 cb8a2a97d65e5066f4cdc1bed33546d7122863cde96c2e1df36bbcd521e184a9
SHA512 4cce4b9de993792655fc0434ca286f7ed5f0b222c6cfe667351395a04d2abd0a44a3f57b884d7dc2bb977574c2125d74c4626f2a4f3494f1ce9c8d923852f056

C:\Windows\SysWOW64\28463\AKV.exe

MD5 d63cc8679a63448db1c64252e14e4ab5
SHA1 10b3a9ac4bc16e8ac1cd05e50b4d540fa3ef223e
SHA256 29b3646a556879a4a48e4f2f81e09179c34ac2051ed3e4f4c28e293092470d3d
SHA512 cb1911e1a77fb9be560aa4fd8bbef65e181b6d4438d65657501dbcd8dbf488ba01738a7222f35f8d4317e8df8c6f307d9e3623d6e3e45753e138b80fb68ff768

\Windows\SysWOW64\28463\AJAJ.007

MD5 e9fbdcc2f5fb657fa519b3f5c69fc52d
SHA1 c49cca77b46a59d620711de7564d43e5dafcd2b5
SHA256 cc440cfc4ce1a1ff503cc9e8937c59aae64bfce4daa3e7dc757220a25cadc2e4
SHA512 913759967e16b99d8ea66433e5dc99d5ddbf737be6784306e67c2b23a525b7a578fcae1028221d3209abc452ff30508eb750c62113c3868a7af36b544e525fb1

\Windows\SysWOW64\28463\AJAJ.006

MD5 81e20f4361cf8f5a57812871c24d945e
SHA1 5d7877d6959ab26599b05795a71633f00c37a3da
SHA256 e6e8b4a29dccb3531f58c75b754caf7f26afe3e7043239305fd0ae7ab2f7571d
SHA512 69b1d75ab7123054bf98cf3a0f2cc7a0749cda8d85ebdef85be7d89f1454154ce29070907b934727a6c5276ff430e94810b87a5634d25d8529df9ee36fd20818

memory/1404-24-0x00000000003F0000-0x00000000003F1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-26 05:41
Reported: 2024-01-26 05:44
Platform: win10v2004-20231215-en
Max time kernel: 137s
Max time network: 157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7689cfe186b8b43b5ac237f0d7ae3d13.exe"

Signatures

Ardamax (tags: keylogger, stealer, ardamax)

Ardamax main executable: family match on the sample. No further indicator details recorded (Description / Indicator / Process / Target: N/A).

Checks computer location settings

Key value queried: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\7689cfe186b8b43b5ac237f0d7ae3d13.exe
Target: N/A

Geo\Nation holds the user's configured country/region. Reading it before installing is a location check; the report does not show whether the value changed the sample's behaviour.

Executes dropped EXE

Process: C:\Windows\SysWOW64\28463\AJAJ.exe

Adds Run key to start application (persistence)

Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AJAJ Agent = "C:\\Windows\\SysWOW64\\28463\\AJAJ.exe"
Process: C:\Windows\SysWOW64\28463\AJAJ.exe
Target: N/A

The same Run value as on Windows 7: AJAJ.exe is relaunched from the 32-bit (WOW6432Node) Run key at every interactive logon.

Checks installed software on the system (discovery); no indicator details recorded.

Drops file in System32 directory

File created: C:\Windows\SysWOW64\28463\AJAJ.006  (process: C:\Users\Admin\AppData\Local\Temp\7689cfe186b8b43b5ac237f0d7ae3d13.exe)
File created: C:\Windows\SysWOW64\28463\AJAJ.007  (process: C:\Users\Admin\AppData\Local\Temp\7689cfe186b8b43b5ac237f0d7ae3d13.exe)
File created: C:\Windows\SysWOW64\28463\AJAJ.exe  (process: C:\Users\Admin\AppData\Local\Temp\7689cfe186b8b43b5ac237f0d7ae3d13.exe)
File created: C:\Windows\SysWOW64\28463\AKV.exe   (process: C:\Users\Admin\AppData\Local\Temp\7689cfe186b8b43b5ac237f0d7ae3d13.exe)
File opened for modification: C:\Windows\SysWOW64\28463  (process: C:\Windows\SysWOW64\28463\AJAJ.exe)
File created: C:\Windows\SysWOW64\28463\AJAJ.001  (process: C:\Users\Admin\AppData\Local\Temp\7689cfe186b8b43b5ac237f0d7ae3d13.exe)

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Process: C:\Windows\SysWOW64\28463\AJAJ.exe
Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege)
Token: SeIncBasePriorityPrivilege (SeIncreaseBasePriorityPrivilege)

Suspicious use of SetWindowsHookEx

Process: C:\Windows\SysWOW64\28463\AJAJ.exe (5 hook installations recorded; no indicator details captured)
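The indicators in both behavioral runs (the numbered drop directory under SysWOW64 with .00N companion files, the Run value pointing into that directory, the dropped executable's SHA256, and the system32/SysWOW64 mismatch on the command line) are enough to write a host-side detection. The following is an added example and not part of the sandbox report: it runs over a few constructed Sysmon-style events (EventID 1 ProcessCreate, 11 FileCreate, 13 RegistryValueSet; field names follow Sysmon, the values mirror this report's indicators but are not the sandbox's raw logs) and returns one finding per matched rule. Directory-digit width, the "at least two companions" threshold and the rule names are assumptions chosen here.

```python
"""Hunt for the Ardamax drop-and-persist pattern in Sysmon-style events.

Added example; not part of the sandbox report.  EVENTS below are constructed
to mirror the indicators in this report (they are not the sandbox's raw logs);
the SHA256 values are copied from the report's Files section.
"""
import re
from collections import defaultdict

# SHA256 of the dropped executables, from the Files section of the report.
KNOWN_SHA256 = {
    "661df22a66b2062b233eb0bd9665de924cfe0ac9c6ba29e20ffef24f817f9331": "AJAJ.exe",
    "29b3646a556879a4a48e4f2f81e09179c34ac2051ed3e4f4c28e293092470d3d": "AKV.exe",
}

# <stem>.exe or <stem>.00N inside C:\Windows\SysWOW64\<digits>\ (report: \SysWOW64\28463\).
# The 3-6 digit width is an assumption; the report shows a 5-digit directory.
DROP_FILE = re.compile(
    r"^(?P<dir>[a-z]:\\windows\\syswow64\\\d{3,6})\\(?P<stem>[a-z0-9]+)\.(?P<ext>exe|00[1-9])$",
    re.IGNORECASE,
)
NUMERIC_SYSWOW64_DIR = re.compile(r"^[a-z]:\\windows\\syswow64\\\d{3,6}\\", re.IGNORECASE)
RUN_VALUE = re.compile(r"\\microsoft\\windows\\currentversion\\run\\[^\\]+$", re.IGNORECASE)

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\7689cfe186b8b43b5ac237f0d7ae3d13.exe"
AGENT = r"C:\Windows\SysWOW64\28463\AJAJ.exe"

# Constructed events (EventID 11 = FileCreate, 1 = ProcessCreate, 13 = RegistryValueSet).
EVENTS = [
    {"EventID": 11, "Image": DROPPER, "TargetFilename": r"C:\Windows\SysWOW64\28463\AJAJ.001"},
    {"EventID": 11, "Image": DROPPER, "TargetFilename": r"C:\Windows\SysWOW64\28463\AJAJ.006"},
    {"EventID": 11, "Image": DROPPER, "TargetFilename": r"C:\Windows\SysWOW64\28463\AJAJ.007"},
    {"EventID": 11, "Image": DROPPER, "TargetFilename": AGENT},
    {"EventID": 11, "Image": DROPPER, "TargetFilename": r"C:\Windows\SysWOW64\28463\AKV.exe"},
    {"EventID": 1, "Image": AGENT, "ParentImage": DROPPER,
     "CommandLine": r'"C:\Windows\system32\28463\AJAJ.exe"',
     "Hashes": "SHA256=661DF22A66B2062B233EB0BD9665DE924CFE0AC9C6BA29E20FFEF24F817F9331"},
    {"EventID": 13, "Image": AGENT, "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AJAJ Agent",
     "Details": AGENT},
    # Benign noise that must not fire: an installer registering its own updater.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe", "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe", "TargetFilename": r"C:\Users\Admin\Desktop\notes.txt"},
]


def parse_hashes(field):
    """Sysmon 'SHA256=..,MD5=..' -> {'SHA256': '..'} with lower-case hex."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def analyse(events):
    """Return a list of findings, each {'rule', 'process', 'evidence'}."""
    findings = []
    drops = defaultdict(lambda: defaultdict(set))  # (creating image, dir) -> stem -> {ext}
    for ev in events:
        eid, image = ev.get("EventID"), ev.get("Image", "")
        if eid == 11:
            m = DROP_FILE.match(ev.get("TargetFilename", ""))
            if m:
                drops[(image, m["dir"].lower())][m["stem"].lower()].add(m["ext"].lower())
        elif eid == 13:
            target, details = ev.get("TargetObject", ""), ev.get("Details", "").strip('"')
            # Any Run value whose data points into a numeric SysWOW64 directory.
            if RUN_VALUE.search(target) and NUMERIC_SYSWOW64_DIR.match(details):
                findings.append({"rule": "run_key_into_numeric_syswow64_dir",
                                 "process": image, "evidence": target + " = " + details})
        elif eid == 1:
            sha = parse_hashes(ev.get("Hashes", "")).get("SHA256")
            if sha in KNOWN_SHA256:
                findings.append({"rule": "known_ardamax_hash", "process": image,
                                 "evidence": "SHA256=%s (%s)" % (sha, KNOWN_SHA256[sha])})
            cmd = ev.get("CommandLine", "")
            # A 32-bit process naming system32 on its command line while living in
            # SysWOW64: the WOW64 file system redirector rewrote the dropper's writes.
            if "\\system32\\" in cmd.lower() and "\\syswow64\\" in image.lower():
                findings.append({"rule": "wow64_system32_redirect", "process": image, "evidence": cmd})
    # Ardamax layout: <stem>.exe plus at least two numbered <stem>.00N companions in one directory.
    for (image, directory), stems in drops.items():
        for stem, exts in stems.items():
            companions = sorted(e for e in exts if e != "exe")
            if "exe" in exts and len(companions) >= 2:
                findings.append({"rule": "ardamax_drop_set", "process": image,
                                 "evidence": "%s\\%s.exe + .%s" % (directory, stem, " .".join(companions))})
    return findings


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print("%-36s %s\n    %s" % (f["rule"], f["process"], f["evidence"]))
```

The drop-set rule keys on the creating process so that a legitimate installer writing an .exe into one directory and an unrelated process writing .00N files into another do not combine; the Run-key rule ignores the value name ("AJAJ Agent" is attacker-chosen) and matches on where the data points, which survives the renamed stems Ardamax builds use.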

Processes

C:\Users\Admin\AppData\Local\Temp\7689cfe186b8b43b5ac237f0d7ae3d13.exe

"C:\Users\Admin\AppData\Local\Temp\7689cfe186b8b43b5ac237f0d7ae3d13.exe"

C:\Windows\SysWOW64\28463\AJAJ.exe

"C:\Windows\system32\28463\AJAJ.exe"

As on Windows 7, the system32 path on the command line is rewritten to SysWOW64 for this 32-bit process by the WOW64 file system redirector; the on-disk location is C:\Windows\SysWOW64\28463\.

Network

Country  Destination          Domain                          Proto
NL       52.142.223.178:80    -                               tcp
US       8.8.8.8:53           217.106.137.52.in-addr.arpa     udp
US       8.8.8.8:53           194.178.17.96.in-addr.arpa      udp
US       8.8.8.8:53           133.32.126.40.in-addr.arpa      udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53           232.168.11.51.in-addr.arpa      udp
US       8.8.8.8:53           206.23.85.13.in-addr.arpa       udp
US       8.8.8.8:53           86.23.85.13.in-addr.arpa        udp
US       8.8.8.8:53           240.221.184.93.in-addr.arpa     udp
US       8.8.8.8:53           114.110.16.96.in-addr.arpa      udp
US       8.8.8.8:53           29.243.111.52.in-addr.arpa      udp
US       8.8.8.8:53           180.178.17.96.in-addr.arpa      udp
US       8.8.8.8:53           178.223.142.52.in-addr.arpa     udp
US       8.8.8.8:53           89.65.42.20.in-addr.arpa        udp

Attribution caveat: the report ties none of these flows to a process. The in-addr.arpa names are reverse (PTR) lookups of addresses that fall in Microsoft and CDN address space (52.x, 13.85.x, 20.x, 40.x, 51.x, 96.16-17.x, 93.184.x, 192.229.x) and, with the single port-80 connection, are consistent with Windows 10 background activity on the win10v2004 image; the Windows 7 run (behavioral1) recorded no network traffic at all. Treat them as sandbox noise rather than Ardamax command-and-control unless process-level attribution shows otherwise.

Files

C:\Users\Admin\AppData\Local\Temp\@F32A.tmp

MD5 25530555085337eb644b061f239aa9d4
SHA1 8d91e099aba5439d4bfa8bce464c94e3e1acf620
SHA256 3fb6b438ad1530abdd068bffb303fb8a4de51430e0e18ddb6b1a0469ffab8325
SHA512 b1f9de0c276533a5a7070aeb2b6415cc1c0bdd2baf5e0645c6ac5ba767cab0d76e5b4461800d89724992af2c863294ada3c1eb2e4516183fe2010c33d47d6a2a

C:\Windows\SysWOW64\28463\AJAJ.exe

MD5 97d8ad45f48b4b28a93aab94699b7168
SHA1 8b69b7fd7c008b95d12386f6da415097e72151de
SHA256 661df22a66b2062b233eb0bd9665de924cfe0ac9c6ba29e20ffef24f817f9331
SHA512 3351eac970bab391de410fcf1937da75d2e4722b808f10332f487ddfe469544e32e7d4ed0e5bdc19bd5f472cffcc55ca1498c95945b4e9c4ceff6ff5cc521c8a

C:\Windows\SysWOW64\28463\AJAJ.001

MD5 7f31d4225e4c9e1bd8bb9ac4ff526d4a
SHA1 bca36835166510af37cc1df7fd8fc5a0996b0124
SHA256 cb8a2a97d65e5066f4cdc1bed33546d7122863cde96c2e1df36bbcd521e184a9
SHA512 4cce4b9de993792655fc0434ca286f7ed5f0b222c6cfe667351395a04d2abd0a44a3f57b884d7dc2bb977574c2125d74c4626f2a4f3494f1ce9c8d923852f056

C:\Windows\SysWOW64\28463\AJAJ.006

MD5 81e20f4361cf8f5a57812871c24d945e
SHA1 5d7877d6959ab26599b05795a71633f00c37a3da
SHA256 e6e8b4a29dccb3531f58c75b754caf7f26afe3e7043239305fd0ae7ab2f7571d
SHA512 69b1d75ab7123054bf98cf3a0f2cc7a0749cda8d85ebdef85be7d89f1454154ce29070907b934727a6c5276ff430e94810b87a5634d25d8529df9ee36fd20818

C:\Windows\SysWOW64\28463\AJAJ.007

MD5 e9fbdcc2f5fb657fa519b3f5c69fc52d
SHA1 c49cca77b46a59d620711de7564d43e5dafcd2b5
SHA256 cc440cfc4ce1a1ff503cc9e8937c59aae64bfce4daa3e7dc757220a25cadc2e4
SHA512 913759967e16b99d8ea66433e5dc99d5ddbf737be6784306e67c2b23a525b7a578fcae1028221d3209abc452ff30508eb750c62113c3868a7af36b544e525fb1

C:\Windows\SysWOW64\28463\AKV.exe

MD5 d63cc8679a63448db1c64252e14e4ab5
SHA1 10b3a9ac4bc16e8ac1cd05e50b4d540fa3ef223e
SHA256 29b3646a556879a4a48e4f2f81e09179c34ac2051ed3e4f4c28e293092470d3d
SHA512 cb1911e1a77fb9be560aa4fd8bbef65e181b6d4438d65657501dbcd8dbf488ba01738a7222f35f8d4317e8df8c6f307d9e3623d6e3e45753e138b80fb68ff768

memory/1068-23-0x0000000000650000-0x0000000000651000-memory.dmp

memory/1068-27-0x0000000000650000-0x0000000000651000-memory.dmp