Malware Analysis Report

2024-10-18 23:06

Sample ID 240726-f8lc4asdmf
Target bcd456ec0191316b37352b0b390f296a2fb20ed1ba0d9a9701fc4083709b69cc.exe
SHA256 bcd456ec0191316b37352b0b390f296a2fb20ed1ba0d9a9701fc4083709b69cc
Tags
ardamax defense_evasion discovery keylogger persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bcd456ec0191316b37352b0b390f296a2fb20ed1ba0d9a9701fc4083709b69cc

Threat Level: Known bad

The file bcd456ec0191316b37352b0b390f296a2fb20ed1ba0d9a9701fc4083709b69cc.exe was found to be: Known bad.

Malicious Activity Summary

ardamax defense_evasion discovery keylogger persistence stealer

Ardamax

Ardamax main executable

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Indicator Removal: File Deletion

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-26 05:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-26 05:32

Reported

2024-07-26 05:35

Platform

win7-20240708-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bcd456ec0191316b37352b0b390f296a2fb20ed1ba0d9a9701fc4083709b69cc.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\28463\VJKT.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VJKT Agent = "C:\\Windows\\SysWOW64\\28463\\VJKT.exe" C:\Windows\SysWOW64\28463\VJKT.exe N/A

Checks installed software on the system

discovery

Indicator Removal: File Deletion

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\28463\VJKT.007 C:\Users\Admin\AppData\Local\Temp\bcd456ec0191316b37352b0b390f296a2fb20ed1ba0d9a9701fc4083709b69cc.exe N/A
File created C:\Windows\SysWOW64\28463\VJKT.exe C:\Users\Admin\AppData\Local\Temp\bcd456ec0191316b37352b0b390f296a2fb20ed1ba0d9a9701fc4083709b69cc.exe N/A
File created C:\Windows\SysWOW64\28463\AKV.exe C:\Users\Admin\AppData\Local\Temp\bcd456ec0191316b37352b0b390f296a2fb20ed1ba0d9a9701fc4083709b69cc.exe N/A
File opened for modification C:\Windows\SysWOW64\28463 C:\Windows\SysWOW64\28463\VJKT.exe N/A
File created C:\Windows\SysWOW64\28463\VJKT.001 C:\Users\Admin\AppData\Local\Temp\bcd456ec0191316b37352b0b390f296a2fb20ed1ba0d9a9701fc4083709b69cc.exe N/A
File created C:\Windows\SysWOW64\28463\VJKT.006 C:\Users\Admin\AppData\Local\Temp\bcd456ec0191316b37352b0b390f296a2fb20ed1ba0d9a9701fc4083709b69cc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bcd456ec0191316b37352b0b390f296a2fb20ed1ba0d9a9701fc4083709b69cc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\28463\VJKT.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\SysWOW64\28463\VJKT.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\28463\VJKT.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\28463\VJKT.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\28463\VJKT.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\VJKT.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\VJKT.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\VJKT.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\VJKT.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bcd456ec0191316b37352b0b390f296a2fb20ed1ba0d9a9701fc4083709b69cc.exe

"C:\Users\Admin\AppData\Local\Temp\bcd456ec0191316b37352b0b390f296a2fb20ed1ba0d9a9701fc4083709b69cc.exe"

C:\Windows\SysWOW64\28463\VJKT.exe

"C:\Windows\system32\28463\VJKT.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\28463\VJKT.exe > nul

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\@E62A.tmp

MD5 13e10cd76f11d6cb43182dcba7370171
SHA1 e6b8ce329e49ff09f1cb529c60fc466cb9a579c8
SHA256 f1265c88f0077009eaa18db413f156cc7ad8d41dc9d797dd1032b0e0ae9c40d5
SHA512 ee32ef3f50838936417e51dfd365b166456900e327dbe51902700bb3d562dea22e6fbd9009c822ba0562687001802a2e61d38123f81ae19f7b3d05bb1fd5cda8

\Windows\SysWOW64\28463\VJKT.exe

MD5 3c90d45b1c004e86a7f7a7a340f1abc8
SHA1 10602c450bcbda2735dc036f2e399646f0c64f4c
SHA256 f6d9c3bba7fc4dfa681cadf68f41093e3c431501c6789e891e599719e5d2781c
SHA512 85457be4c2aa76ede288cd185131d46e5f0b37187313f3a54fe789e28929ec6e44282f4ba0981f46354705cd5da83990586c8846f52fcdb807908254c8719cc1

C:\Windows\SysWOW64\28463\VJKT.007

MD5 bc75eddaa64823014fef0fe70bd34ffc
SHA1 15cd2ace3b68257faed33c78b794b2333eab7c0a
SHA256 9eada36d17635bedb85ce96a62cb019dbfee696b9986f69de7d5b5bc1f44df5d
SHA512 20db25f32f9cfdbffa4f30c0065125052c6e20b7dcc147fa7ebff38e37b51f6a43e48e486f148d7ee11671479b9fb0bbe1c6df151101af3b50c65fd334d13baa

C:\Windows\SysWOW64\28463\VJKT.006

MD5 f5eff4f716427529b003207d5c953df5
SHA1 79696d6c8d67669ea690d240ef8978672e3d151c
SHA256 ac54ebb9eec3212f294462ce012fdc42f4b0896d785d776a5a2cc3599dc5bcde
SHA512 5a48599a5855f06c3e7d6f89c4e06bab1f4381b9d30cf3824c465b8fd6c142b316e6bd6aaad73d1f9b3e84d96113fb5e7374831bf503744013c9e1a0632a0caf

C:\Windows\SysWOW64\28463\VJKT.001

MD5 45c9c1fd5d288101ab70b2743ec22af2
SHA1 6f2dadc8b50474b72a1a69caec9c6f7058f7f064
SHA256 2bea9fb2f1dc3cf9b9c94f2c0508edd5c03b53eb5b8c577d9a94a19c3f96d926
SHA512 089fab266292f450c888517aa8d1ebbb4e1243b8f3bd4e7172e1030feb1b199cdf470b23f8fed94009a56750be31c7b03f86915fca42f376f38fe30f6137d7e3

C:\Windows\SysWOW64\28463\AKV.exe

MD5 adbec81b510dcfe49835f95940ef961d
SHA1 77940f6e46fbd5f53de23bd49afe9172470769d0
SHA256 466efb4b00255f21075b340fc2d2444f182947ab90270840543658c5fd3a9b95
SHA512 ef4324a06fbe960933f5551ea6ac587cd87cb6025bc6879a2b81a4d1033cfe87e244b6a87fb5db5ad065321ccbe8035cf24a668452d5b0c6a4063a355a12b2a7

memory/3024-23-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2696-28-0x00000000774DF000-0x00000000774E0000-memory.dmp

memory/2808-30-0x0000000002E30000-0x0000000002E32000-memory.dmp

memory/2696-31-0x0000000000430000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\me ....jpg

MD5 896bc29111bf3746256e9a27db898086
SHA1 b75c61e7176f05355ddd1b0c8b67280a6d75d2cb
SHA256 57b7e8458953a802d503a8c4523cff52ec28158d6cad6ad5e7c3d770f25b9cbe
SHA512 2f898c8b699d862a9311dc18d4f4e2f433b601723ca96ef997445e5c5b366d456e34e8d8dd09f24b3394a4a3ed8585a7d6960e6523489e443a12400fdb6d5f6e

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-26 05:32

Reported

2024-07-26 05:35

Platform

win10v2004-20240709-en

Max time kernel

133s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bcd456ec0191316b37352b0b390f296a2fb20ed1ba0d9a9701fc4083709b69cc.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\28463\VJKT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bcd456ec0191316b37352b0b390f296a2fb20ed1ba0d9a9701fc4083709b69cc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\28463\VJKT.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VJKT Agent = "C:\\Windows\\SysWOW64\\28463\\VJKT.exe" C:\Windows\SysWOW64\28463\VJKT.exe N/A

Checks installed software on the system

discovery

Indicator Removal: File Deletion

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\28463\VJKT.006 C:\Users\Admin\AppData\Local\Temp\bcd456ec0191316b37352b0b390f296a2fb20ed1ba0d9a9701fc4083709b69cc.exe N/A
File created C:\Windows\SysWOW64\28463\VJKT.007 C:\Users\Admin\AppData\Local\Temp\bcd456ec0191316b37352b0b390f296a2fb20ed1ba0d9a9701fc4083709b69cc.exe N/A
File created C:\Windows\SysWOW64\28463\VJKT.exe C:\Users\Admin\AppData\Local\Temp\bcd456ec0191316b37352b0b390f296a2fb20ed1ba0d9a9701fc4083709b69cc.exe N/A
File created C:\Windows\SysWOW64\28463\AKV.exe C:\Users\Admin\AppData\Local\Temp\bcd456ec0191316b37352b0b390f296a2fb20ed1ba0d9a9701fc4083709b69cc.exe N/A
File opened for modification C:\Windows\SysWOW64\28463 C:\Windows\SysWOW64\28463\VJKT.exe N/A
File created C:\Windows\SysWOW64\28463\VJKT.001 C:\Users\Admin\AppData\Local\Temp\bcd456ec0191316b37352b0b390f296a2fb20ed1ba0d9a9701fc4083709b69cc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\28463\VJKT.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bcd456ec0191316b37352b0b390f296a2fb20ed1ba0d9a9701fc4083709b69cc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\28463\VJKT.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\SysWOW64\28463\VJKT.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\28463\VJKT.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\28463\VJKT.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\28463\VJKT.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\VJKT.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\VJKT.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\VJKT.exe N/A
N/A N/A C:\Windows\SysWOW64\28463\VJKT.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bcd456ec0191316b37352b0b390f296a2fb20ed1ba0d9a9701fc4083709b69cc.exe

"C:\Users\Admin\AppData\Local\Temp\bcd456ec0191316b37352b0b390f296a2fb20ed1ba0d9a9701fc4083709b69cc.exe"

C:\Windows\SysWOW64\28463\VJKT.exe

"C:\Windows\system32\28463\VJKT.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2528 -ip 2528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 1068

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\28463\VJKT.exe > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\@7FBF.tmp

MD5 13e10cd76f11d6cb43182dcba7370171
SHA1 e6b8ce329e49ff09f1cb529c60fc466cb9a579c8
SHA256 f1265c88f0077009eaa18db413f156cc7ad8d41dc9d797dd1032b0e0ae9c40d5
SHA512 ee32ef3f50838936417e51dfd365b166456900e327dbe51902700bb3d562dea22e6fbd9009c822ba0562687001802a2e61d38123f81ae19f7b3d05bb1fd5cda8

C:\Windows\SysWOW64\28463\VJKT.exe

MD5 3c90d45b1c004e86a7f7a7a340f1abc8
SHA1 10602c450bcbda2735dc036f2e399646f0c64f4c
SHA256 f6d9c3bba7fc4dfa681cadf68f41093e3c431501c6789e891e599719e5d2781c
SHA512 85457be4c2aa76ede288cd185131d46e5f0b37187313f3a54fe789e28929ec6e44282f4ba0981f46354705cd5da83990586c8846f52fcdb807908254c8719cc1

C:\Windows\SysWOW64\28463\AKV.exe

MD5 adbec81b510dcfe49835f95940ef961d
SHA1 77940f6e46fbd5f53de23bd49afe9172470769d0
SHA256 466efb4b00255f21075b340fc2d2444f182947ab90270840543658c5fd3a9b95
SHA512 ef4324a06fbe960933f5551ea6ac587cd87cb6025bc6879a2b81a4d1033cfe87e244b6a87fb5db5ad065321ccbe8035cf24a668452d5b0c6a4063a355a12b2a7

C:\Windows\SysWOW64\28463\VJKT.007

MD5 bc75eddaa64823014fef0fe70bd34ffc
SHA1 15cd2ace3b68257faed33c78b794b2333eab7c0a
SHA256 9eada36d17635bedb85ce96a62cb019dbfee696b9986f69de7d5b5bc1f44df5d
SHA512 20db25f32f9cfdbffa4f30c0065125052c6e20b7dcc147fa7ebff38e37b51f6a43e48e486f148d7ee11671479b9fb0bbe1c6df151101af3b50c65fd334d13baa

C:\Windows\SysWOW64\28463\VJKT.006

MD5 f5eff4f716427529b003207d5c953df5
SHA1 79696d6c8d67669ea690d240ef8978672e3d151c
SHA256 ac54ebb9eec3212f294462ce012fdc42f4b0896d785d776a5a2cc3599dc5bcde
SHA512 5a48599a5855f06c3e7d6f89c4e06bab1f4381b9d30cf3824c465b8fd6c142b316e6bd6aaad73d1f9b3e84d96113fb5e7374831bf503744013c9e1a0632a0caf

C:\Windows\SysWOW64\28463\VJKT.001

MD5 45c9c1fd5d288101ab70b2743ec22af2
SHA1 6f2dadc8b50474b72a1a69caec9c6f7058f7f064
SHA256 2bea9fb2f1dc3cf9b9c94f2c0508edd5c03b53eb5b8c577d9a94a19c3f96d926
SHA512 089fab266292f450c888517aa8d1ebbb4e1243b8f3bd4e7172e1030feb1b199cdf470b23f8fed94009a56750be31c7b03f86915fca42f376f38fe30f6137d7e3

memory/2528-24-0x0000000000A70000-0x0000000000A71000-memory.dmp

memory/2528-28-0x0000000000A70000-0x0000000000A71000-memory.dmp