Malware Analysis Report

2024-10-18 23:06

Sample ID 240726-1h285swfjk
Target 4cde4b0bce630e9465a437f53cbbc7a960e752f82d31c7b9db2acc7b87a34631
SHA256 4cde4b0bce630e9465a437f53cbbc7a960e752f82d31c7b9db2acc7b87a34631
Tags
ardamax discovery keylogger persistence stealer
Score 10/10

Analysis Overview

Score 10/10

SHA256 4cde4b0bce630e9465a437f53cbbc7a960e752f82d31c7b9db2acc7b87a34631

Threat Level: Known bad

The file 4cde4b0bce630e9465a437f53cbbc7a960e752f82d31c7b9db2acc7b87a34631 was found to be: Known bad.

Malicious Activity Summary

ardamax discovery keylogger persistence stealer

Ardamax

Ardamax main executable

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported 2024-07-26 21:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-07-26 21:39
Reported 2024-07-26 21:42
Platform win7-20240705-en
Max time kernel 121s
Max time network 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4cde4b0bce630e9465a437f53cbbc7a960e752f82d31c7b9db2acc7b87a34631.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ko.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\SAQB.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\ko.exe N/A
N/A N/A C:\ko.exe N/A
N/A N/A C:\ko.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\SAQB.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\SAQB.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SAQB Agent = "C:\\Windows\\SysWOW64\\28463\\SAQB.exe" C:\Windows\SysWOW64\28463\SAQB.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\28463\SAQB.007 C:\ko.exe N/A
File created C:\Windows\SysWOW64\28463\SAQB.exe C:\ko.exe N/A
File created C:\Windows\SysWOW64\28463\AKV.exe C:\ko.exe N/A
File opened for modification C:\Windows\SysWOW64\28463 C:\Windows\SysWOW64\28463\SAQB.exe N/A
File created C:\Windows\SysWOW64\28463\SAQB.001 C:\ko.exe N/A
File created C:\Windows\SysWOW64\28463\SAQB.006 C:\ko.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4cde4b0bce630e9465a437f53cbbc7a960e752f82d31c7b9db2acc7b87a34631.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ko.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\28463\SAQB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\SysWOW64\28463\SAQB.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\28463\SAQB.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\28463\SAQB.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\SAQB.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\SAQB.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\SAQB.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\SAQB.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4cde4b0bce630e9465a437f53cbbc7a960e752f82d31c7b9db2acc7b87a34631.exe

"C:\Users\Admin\AppData\Local\Temp\4cde4b0bce630e9465a437f53cbbc7a960e752f82d31c7b9db2acc7b87a34631.exe"

C:\ko.exe

"C:\ko.exe"

C:\Windows\SysWOW64\28463\SAQB.exe

"C:\Windows\system32\28463\SAQB.exe"

Network

N/A

Files

C:\ko.exe

\Users\Admin\AppData\Local\Temp\@E1A8.tmp

memory/2088-9-0x0000000000400000-0x0000000000438000-memory.dmp

\Windows\SysWOW64\28463\SAQB.exe

C:\Windows\SysWOW64\28463\AKV.exe

C:\Windows\SysWOW64\28463\SAQB.001

C:\Windows\SysWOW64\28463\SAQB.006

C:\Windows\SysWOW64\28463\SAQB.007

memory/2524-35-0x0000000000400000-0x000000000047B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-07-26 21:39
Reported 2024-07-26 21:42
Platform win10v2004-20240709-en
Max time kernel 138s
Max time network 109s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4cde4b0bce630e9465a437f53cbbc7a960e752f82d31c7b9db2acc7b87a34631.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\ko.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4cde4b0bce630e9465a437f53cbbc7a960e752f82d31c7b9db2acc7b87a34631.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ko.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\SAQB.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\ko.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\SAQB.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\SAQB.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\SAQB.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SAQB Agent = "C:\\Windows\\SysWOW64\\28463\\SAQB.exe" C:\Windows\SysWOW64\28463\SAQB.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\28463\SAQB.001 C:\ko.exe N/A
File created C:\Windows\SysWOW64\28463\SAQB.006 C:\ko.exe N/A
File created C:\Windows\SysWOW64\28463\SAQB.007 C:\ko.exe N/A
File created C:\Windows\SysWOW64\28463\SAQB.exe C:\ko.exe N/A
File created C:\Windows\SysWOW64\28463\AKV.exe C:\ko.exe N/A
File opened for modification C:\Windows\SysWOW64\28463 C:\Windows\SysWOW64\28463\SAQB.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4cde4b0bce630e9465a437f53cbbc7a960e752f82d31c7b9db2acc7b87a34631.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ko.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\28463\SAQB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\SysWOW64\28463\SAQB.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\28463\SAQB.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\28463\SAQB.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\SAQB.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\SAQB.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\SAQB.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\SAQB.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4cde4b0bce630e9465a437f53cbbc7a960e752f82d31c7b9db2acc7b87a34631.exe

"C:\Users\Admin\AppData\Local\Temp\4cde4b0bce630e9465a437f53cbbc7a960e752f82d31c7b9db2acc7b87a34631.exe"

C:\ko.exe

"C:\ko.exe"

C:\Windows\SysWOW64\28463\SAQB.exe

"C:\Windows\system32\28463\SAQB.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\ko.exe

C:\Users\Admin\AppData\Local\Temp\@A76B.tmp

memory/3908-18-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\28463\SAQB.exe

C:\Windows\SysWOW64\28463\SAQB.007

C:\Windows\SysWOW64\28463\SAQB.006

memory/3600-34-0x0000000000950000-0x0000000000951000-memory.dmp

C:\Windows\SysWOW64\28463\SAQB.001

C:\Windows\SysWOW64\28463\AKV.exe