ardamax | 5a439800753dd638e7370a4ae6d00df9c1c6e89d65091bfa8dbab58fe744f3ec

General

Target

17a2d979f483e651c3b70d201cff9d2a.exe
Size

1.3MB
MD5

17a2d979f483e651c3b70d201cff9d2a
SHA1

9ad966e3ac62b3a14d6c8f5ae680f14abdff689d
SHA256

5a439800753dd638e7370a4ae6d00df9c1c6e89d65091bfa8dbab58fe744f3ec
SHA512

31346bbc3876ee35f3c13c431350a78b1ffdf1d1ece5ba222568a2ed6410a976c903d56db018c748ab88da073e1d38d00b7e45efd07b350db48c8e6c00c42eae
SSDEEP

24576:P+M5wUizYZbKsBIAXjFBk4GnznTA5e5bGMPAZAWDjssl:GxUiEZbKrtzTHbGMP6AWLl

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x00080000000149ec-30.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
2608	HXR.exe

Loads dropped DLL 4 IoCs

pid	Process
2800	17a2d979f483e651c3b70d201cff9d2a.exe
2608	HXR.exe
2528	DllHost.exe
2800	17a2d979f483e651c3b70d201cff9d2a.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HXR Start = "C:\\Windows\\SysWOW64\\NPDUBP\\HXR.exe"	HXR.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\NPDUBP\	HXR.exe
File created	C:\Windows\SysWOW64\NPDUBP\HXR.008	HXR.exe
File opened for modification	C:\Windows\SysWOW64\NPDUBP\HXR.008	HXR.exe
File created	C:\Windows\SysWOW64\NPDUBP\HXR.004	17a2d979f483e651c3b70d201cff9d2a.exe
File created	C:\Windows\SysWOW64\NPDUBP\HXR.001	17a2d979f483e651c3b70d201cff9d2a.exe
File created	C:\Windows\SysWOW64\NPDUBP\HXR.002	17a2d979f483e651c3b70d201cff9d2a.exe
File created	C:\Windows\SysWOW64\NPDUBP\AKV.exe	17a2d979f483e651c3b70d201cff9d2a.exe
File created	C:\Windows\SysWOW64\NPDUBP\HXR.exe	17a2d979f483e651c3b70d201cff9d2a.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1476 set thread context of 2800	1476	17a2d979f483e651c3b70d201cff9d2a.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2608	HXR.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	2608	HXR.exe
Token: SeIncBasePriorityPrivilege	2608	HXR.exe
Token: SeIncBasePriorityPrivilege	2608	HXR.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2528	DllHost.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1476	17a2d979f483e651c3b70d201cff9d2a.exe
2608	HXR.exe
2608	HXR.exe
2608	HXR.exe
2608	HXR.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 2800	1476	17a2d979f483e651c3b70d201cff9d2a.exe	28
PID 1476 wrote to memory of 2800	1476	17a2d979f483e651c3b70d201cff9d2a.exe	28
PID 1476 wrote to memory of 2800	1476	17a2d979f483e651c3b70d201cff9d2a.exe	28
PID 1476 wrote to memory of 2800	1476	17a2d979f483e651c3b70d201cff9d2a.exe	28
PID 1476 wrote to memory of 2800	1476	17a2d979f483e651c3b70d201cff9d2a.exe	28
PID 1476 wrote to memory of 2800	1476	17a2d979f483e651c3b70d201cff9d2a.exe	28
PID 1476 wrote to memory of 2800	1476	17a2d979f483e651c3b70d201cff9d2a.exe	28
PID 1476 wrote to memory of 2800	1476	17a2d979f483e651c3b70d201cff9d2a.exe	28
PID 1476 wrote to memory of 2800	1476	17a2d979f483e651c3b70d201cff9d2a.exe	28
PID 1476 wrote to memory of 2800	1476	17a2d979f483e651c3b70d201cff9d2a.exe	28
PID 1476 wrote to memory of 2800	1476	17a2d979f483e651c3b70d201cff9d2a.exe	28
PID 2800 wrote to memory of 2608	2800	17a2d979f483e651c3b70d201cff9d2a.exe	29
PID 2800 wrote to memory of 2608	2800	17a2d979f483e651c3b70d201cff9d2a.exe	29
PID 2800 wrote to memory of 2608	2800	17a2d979f483e651c3b70d201cff9d2a.exe	29
PID 2800 wrote to memory of 2608	2800	17a2d979f483e651c3b70d201cff9d2a.exe	29
PID 2608 wrote to memory of 560	2608	HXR.exe	33
PID 2608 wrote to memory of 560	2608	HXR.exe	33
PID 2608 wrote to memory of 560	2608	HXR.exe	33
PID 2608 wrote to memory of 560	2608	HXR.exe	33

C:\Users\Admin\AppData\Local\Temp\17a2d979f483e651c3b70d201cff9d2a.exe
"C:\Users\Admin\AppData\Local\Temp\17a2d979f483e651c3b70d201cff9d2a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Local\Temp\17a2d979f483e651c3b70d201cff9d2a.exe
  C:\Users\Admin\AppData\Local\Temp\17a2d979f483e651c3b70d201cff9d2a.exe
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\NPDUBP\HXR.exe
    "C:\Windows\system32\NPDUBP\HXR.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\NPDUBP\HXR.exe > nul
      4⤵
      PID:560

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pegadinha_do_malandro.jpg

Filesize
114KB

MD5
d86e574fb1b0d18ee49bd836c122e05d

SHA1
1cdffdf20d165b70404c5391e9b95a481d3f4e39

SHA256
de7e5705beee6b553ea5242598257f9c035411ebe2099fc7909f36b5c8bed167

SHA512
e11fc616ec93d7cb8ea0db8cd88e41bdd6e1dab340a620a6658fcb7528fedc466bc8f5b089367292bedf32c3d2160566f235d833d528d1d5fcf9fe270f62edc8

Download Submit
C:\Windows\SysWOW64\NPDUBP\AKV.exe

Filesize
489KB

MD5
0725c70d7b45945089905464a2710dc8

SHA1
a47223eb378919afc8c2a6af6b031bca12eacaae

SHA256
5340cf0385c1ccf9a5f01e9bbcb68474d5760c1c60bd87772fbd8a498208a3c5

SHA512
3b95b3c582c2df9a59c2aaa5e9f04ea093dda8b53a7df4b966d46c6f61643e8beed3e3cca0e784301f5f14ea17e2520ecf10dca0ae805e5b31bd51ac94d10888

Download Submit
C:\Windows\SysWOW64\NPDUBP\HXR.001

Filesize
61KB

MD5
513c67ebf0379f75a6920540283a4579

SHA1
2fe191acb478d62026a8dbf63f65619d168ddee6

SHA256
8f636876880c59251548fca626731e648553e0b81b02f4667c22cbfadfbd6e30

SHA512
2330f5bbd8d7de91473430bc35a125fe13b261afa5b4ef9533d4d6ebcde6cfe27f705fccbdefa092eb9123eb33dcc1448deab72adab981726517afe458beb01d

Download Submit
C:\Windows\SysWOW64\NPDUBP\HXR.002

Filesize
44KB

MD5
1db8aa9ffda07a5f5559cbf25087147b

SHA1
eea77894bff8e24fb0861159927f67decb629184

SHA256
8cf369255b48195b8ecec1c7bf2e76924641880aa7311e6cf504ca534bbfcd62

SHA512
b9f80191dd8975c2e484eeec1bc7c6212d1b614061e69d96eda87b7a061a78a34de220f22607c3eb1c0fa37f152744a5c8f65a896e2884a9daf969db54a11704

Download Submit
C:\Windows\SysWOW64\NPDUBP\HXR.004

Filesize
1KB

MD5
0059594411f8401779741ebb6cf25984

SHA1
36bcf7794cffd0a7403e59b4bff76786587a1033

SHA256
b14208c50180b8709afcf8640b0e0458bcc17ebc43175ec35c40f3d95d98f909

SHA512
dedf667cf06c3b3cd92ac21c68da3bcbbfdfc7fdf8bc08e147af1f6a7cfb40b5508666b1d6afbface05e5a833c8e58f41518473d4319658d8788c446a31591d0

Download Submit
\Windows\SysWOW64\NPDUBP\HXR.exe

Filesize
1.7MB

MD5
7dc8f94e34ad6f38e94f957043c39617

SHA1
081a26dc478bd3de6f2889b9c8da8b2e79723d8b

SHA256
618fb51d23c0ca116dbd24dc5e0240ebda862e405283d64871549321fde08202

SHA512
539c239670369f34e7907d072bdf6b91becb927454db3212b0c307363289b1900edffa2f9fac22d3d14435fcee28b7bdeee1f039f027d74f84627c85774b9f56

Download Submit
memory/1476-1-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1476-22-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1476-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2528-51-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/2608-59-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download
memory/2608-40-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download
memory/2608-42-0x0000000000290000-0x00000000002CA000-memory.dmp

Filesize
232KB

Download
memory/2608-43-0x0000000000290000-0x00000000002CA000-memory.dmp

Filesize
232KB

Download
memory/2608-62-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download
memory/2800-21-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/2800-7-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/2800-9-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/2800-12-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/2800-13-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/2800-15-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/2800-50-0x00000000003C0000-0x00000000003C2000-memory.dmp

Filesize
8KB

Download
memory/2800-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2800-57-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/2800-28-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/2800-18-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/2800-5-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads