Malware Analysis Report

2024-10-18 23:06

Sample ID 240725-bpl33ayhmq
Target LisectAVT_2403002B_365.exe
SHA256 bcd456ec0191316b37352b0b390f296a2fb20ed1ba0d9a9701fc4083709b69cc
Tags
ardamax defense_evasion discovery keylogger persistence stealer
score
10/10

Analysis Overview

Threat Level: Known bad

The file LisectAVT_2403002B_365.exe was found to be: Known bad.

Malicious Activity Summary

Ardamax

Ardamax main executable

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Indicator Removal: File Deletion

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Analysis: static1

Detonation Overview

Reported

2024-07-25 01:19

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-25 01:19

Reported

2024-07-25 01:21

Platform

win7-20240708-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_365.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\28463\VJKT.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VJKT Agent = "C:\\Windows\\SysWOW64\\28463\\VJKT.exe" | C:\Windows\SysWOW64\28463\VJKT.exe | N/A

Checks installed software on the system

discovery

Indicator Removal: File Deletion

defense_evasion

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\28463 | C:\Windows\SysWOW64\28463\VJKT.exe | N/A
File created | C:\Windows\SysWOW64\28463\VJKT.001 | C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_365.exe | N/A
File created | C:\Windows\SysWOW64\28463\VJKT.006 | C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_365.exe | N/A
File created | C:\Windows\SysWOW64\28463\VJKT.007 | C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_365.exe | N/A
File created | C:\Windows\SysWOW64\28463\VJKT.exe | C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_365.exe | N/A
File created | C:\Windows\SysWOW64\28463\AKV.exe | C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_365.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\28463\VJKT.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_365.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\SysWOW64\28463\VJKT.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\28463\VJKT.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\28463\VJKT.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\28463\VJKT.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\VJKT.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\VJKT.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\VJKT.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\VJKT.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_365.exe

"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_365.exe"

C:\Windows\SysWOW64\28463\VJKT.exe

"C:\Windows\system32\28463\VJKT.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\28463\VJKT.exe > nul

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\@4E4F.tmp

\Windows\SysWOW64\28463\VJKT.exe

C:\Windows\SysWOW64\28463\AKV.exe

C:\Windows\SysWOW64\28463\VJKT.007

C:\Windows\SysWOW64\28463\VJKT.006

C:\Windows\SysWOW64\28463\VJKT.001

C:\Users\Admin\AppData\Local\Temp\me ....jpg

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-25 01:19

Reported

2024-07-25 01:22

Platform

win10v2004-20240709-en

Max time kernel

132s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_365.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_365.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\28463\VJKT.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\28463\VJKT.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VJKT Agent = "C:\\Windows\\SysWOW64\\28463\\VJKT.exe" | C:\Windows\SysWOW64\28463\VJKT.exe | N/A

Checks installed software on the system

discovery

Indicator Removal: File Deletion

defense_evasion

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\28463\AKV.exe | C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_365.exe | N/A
File opened for modification | C:\Windows\SysWOW64\28463 | C:\Windows\SysWOW64\28463\VJKT.exe | N/A
File created | C:\Windows\SysWOW64\28463\VJKT.001 | C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_365.exe | N/A
File created | C:\Windows\SysWOW64\28463\VJKT.006 | C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_365.exe | N/A
File created | C:\Windows\SysWOW64\28463\VJKT.007 | C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_365.exe | N/A
File created | C:\Windows\SysWOW64\28463\VJKT.exe | C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_365.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\28463\VJKT.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_365.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\28463\VJKT.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\SysWOW64\28463\VJKT.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\28463\VJKT.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\28463\VJKT.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\28463\VJKT.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\VJKT.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\VJKT.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\VJKT.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\VJKT.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_365.exe

"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_365.exe"

C:\Windows\SysWOW64\28463\VJKT.exe

"C:\Windows\system32\28463\VJKT.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1416 -ip 1416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 1112

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\28463\VJKT.exe > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\@87ED.tmp

C:\Windows\SysWOW64\28463\VJKT.exe

C:\Windows\SysWOW64\28463\AKV.exe

C:\Windows\SysWOW64\28463\VJKT.001

C:\Windows\SysWOW64\28463\VJKT.006

C:\Windows\SysWOW64\28463\VJKT.007
