ardamax | bcd456ec0191316b37352b0b390f296a2fb20ed1ba0d9a9701fc4083709b69cc

General

Target

LisectAVT_2403002B_365.exe
Size

518KB
MD5

dce073cd2cfbb0567e0b5c312c651194
SHA1

cb90eaf798f5abcad2d83118b1414d213d770e7d
SHA256

bcd456ec0191316b37352b0b390f296a2fb20ed1ba0d9a9701fc4083709b69cc
SHA512

4c4216bc6f5e59bdb2589458a027e3cd6fdb939f9fe3bd2f7c1ef5d5c87d186b1a78c6502da960aea0a9c5c865b9a2ad6c72d15f9e98aec50e2694c2df32788f
SSDEEP

12288:5lXdTh+rBLj6GwZitbzbTOQWpXAShDtrjQPp:vdTh+rF2GwItbzbTOd9DtrjQB

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016d21-9.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
2900	VJKT.exe

Loads dropped DLL 8 IoCs

pid	Process
2236	LisectAVT_2403002B_365.exe
2236	LisectAVT_2403002B_365.exe
2236	LisectAVT_2403002B_365.exe
2900	VJKT.exe
2900	VJKT.exe
2768	DllHost.exe
2768	DllHost.exe
2236	LisectAVT_2403002B_365.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VJKT Agent = "C:\\Windows\\SysWOW64\\28463\\VJKT.exe"	VJKT.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\28463	VJKT.exe
File created	C:\Windows\SysWOW64\28463\VJKT.001	LisectAVT_2403002B_365.exe
File created	C:\Windows\SysWOW64\28463\VJKT.006	LisectAVT_2403002B_365.exe
File created	C:\Windows\SysWOW64\28463\VJKT.007	LisectAVT_2403002B_365.exe
File created	C:\Windows\SysWOW64\28463\VJKT.exe	LisectAVT_2403002B_365.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	LisectAVT_2403002B_365.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VJKT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LisectAVT_2403002B_365.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	2900	VJKT.exe
Token: SeIncBasePriorityPrivilege	2900	VJKT.exe
Token: SeIncBasePriorityPrivilege	2900	VJKT.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2768	DllHost.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2900	VJKT.exe
2900	VJKT.exe
2900	VJKT.exe
2900	VJKT.exe
2900	VJKT.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2900	2236	LisectAVT_2403002B_365.exe	30
PID 2236 wrote to memory of 2900	2236	LisectAVT_2403002B_365.exe	30
PID 2236 wrote to memory of 2900	2236	LisectAVT_2403002B_365.exe	30
PID 2236 wrote to memory of 2900	2236	LisectAVT_2403002B_365.exe	30
PID 2900 wrote to memory of 2544	2900	VJKT.exe	32
PID 2900 wrote to memory of 2544	2900	VJKT.exe	32
PID 2900 wrote to memory of 2544	2900	VJKT.exe	32
PID 2900 wrote to memory of 2544	2900	VJKT.exe	32

C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_365.exe
"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_365.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\28463\VJKT.exe
  "C:\Windows\system32\28463\VJKT.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\28463\VJKT.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2544

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\me ....jpg

Filesize
8KB

MD5
896bc29111bf3746256e9a27db898086

SHA1
b75c61e7176f05355ddd1b0c8b67280a6d75d2cb

SHA256
57b7e8458953a802d503a8c4523cff52ec28158d6cad6ad5e7c3d770f25b9cbe

SHA512
2f898c8b699d862a9311dc18d4f4e2f433b601723ca96ef997445e5c5b366d456e34e8d8dd09f24b3394a4a3ed8585a7d6960e6523489e443a12400fdb6d5f6e

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
395KB

MD5
adbec81b510dcfe49835f95940ef961d

SHA1
77940f6e46fbd5f53de23bd49afe9172470769d0

SHA256
466efb4b00255f21075b340fc2d2444f182947ab90270840543658c5fd3a9b95

SHA512
ef4324a06fbe960933f5551ea6ac587cd87cb6025bc6879a2b81a4d1033cfe87e244b6a87fb5db5ad065321ccbe8035cf24a668452d5b0c6a4063a355a12b2a7

Download Submit
C:\Windows\SysWOW64\28463\VJKT.001

Filesize
378B

MD5
45c9c1fd5d288101ab70b2743ec22af2

SHA1
6f2dadc8b50474b72a1a69caec9c6f7058f7f064

SHA256
2bea9fb2f1dc3cf9b9c94f2c0508edd5c03b53eb5b8c577d9a94a19c3f96d926

SHA512
089fab266292f450c888517aa8d1ebbb4e1243b8f3bd4e7172e1030feb1b199cdf470b23f8fed94009a56750be31c7b03f86915fca42f376f38fe30f6137d7e3

Download Submit
C:\Windows\SysWOW64\28463\VJKT.006

Filesize
8KB

MD5
f5eff4f716427529b003207d5c953df5

SHA1
79696d6c8d67669ea690d240ef8978672e3d151c

SHA256
ac54ebb9eec3212f294462ce012fdc42f4b0896d785d776a5a2cc3599dc5bcde

SHA512
5a48599a5855f06c3e7d6f89c4e06bab1f4381b9d30cf3824c465b8fd6c142b316e6bd6aaad73d1f9b3e84d96113fb5e7374831bf503744013c9e1a0632a0caf

Download Submit
C:\Windows\SysWOW64\28463\VJKT.007

Filesize
5KB

MD5
bc75eddaa64823014fef0fe70bd34ffc

SHA1
15cd2ace3b68257faed33c78b794b2333eab7c0a

SHA256
9eada36d17635bedb85ce96a62cb019dbfee696b9986f69de7d5b5bc1f44df5d

SHA512
20db25f32f9cfdbffa4f30c0065125052c6e20b7dcc147fa7ebff38e37b51f6a43e48e486f148d7ee11671479b9fb0bbe1c6df151101af3b50c65fd334d13baa

Download Submit
\Users\Admin\AppData\Local\Temp\@4E4F.tmp

Filesize
4KB

MD5
13e10cd76f11d6cb43182dcba7370171

SHA1
e6b8ce329e49ff09f1cb529c60fc466cb9a579c8

SHA256
f1265c88f0077009eaa18db413f156cc7ad8d41dc9d797dd1032b0e0ae9c40d5

SHA512
ee32ef3f50838936417e51dfd365b166456900e327dbe51902700bb3d562dea22e6fbd9009c822ba0562687001802a2e61d38123f81ae19f7b3d05bb1fd5cda8

Download Submit
\Windows\SysWOW64\28463\VJKT.exe

Filesize
473KB

MD5
3c90d45b1c004e86a7f7a7a340f1abc8

SHA1
10602c450bcbda2735dc036f2e399646f0c64f4c

SHA256
f6d9c3bba7fc4dfa681cadf68f41093e3c431501c6789e891e599719e5d2781c

SHA512
85457be4c2aa76ede288cd185131d46e5f0b37187313f3a54fe789e28929ec6e44282f4ba0981f46354705cd5da83990586c8846f52fcdb807908254c8719cc1

Download Submit
memory/2236-30-0x0000000002F30000-0x0000000002F32000-memory.dmp

Filesize
8KB

Download
memory/2768-28-0x00000000771FF000-0x0000000077200000-memory.dmp

Filesize
4KB

Download
memory/2768-31-0x0000000000200000-0x0000000000202000-memory.dmp

Filesize
8KB

Download
memory/2900-23-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads