ardamax | dcf17478f68747f86b700d851264b320ee6da328e5727dca1b31d442a3732fc0

Analysis

max time kernel
140s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-10-2024 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ChipF2/Install.exe
Size

567KB
MD5

8aab1cda67f5a739ccf4b770b9c252bc
SHA1

e1944e75a61572e0868746908025132c7d496ddc
SHA256

8ff446f870cb449b04c9f354c5a9b492b3edc916c650e52318a24c11f80444bd
SHA512

6c156dbedf6659f36dc084ca2a4282212062b1afe561288b069b3c33fa7c80520cc714b6cdcf96cde244190b90d4033b29dc3c4d473e9de437869a0b7f0a1fd9
SSDEEP

12288:xE6AVFSQnlAc1oA7musIaxY+xYDlyR1qUMFrXu+2lhLa6f5d8fpmebz1:oVtppnanIUMFrulR/5dqR

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral9/files/0x0005000000019624-19.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
2476	DWUD.exe

Loads dropped DLL 6 IoCs

pid	Process
1748	Install.exe
1748	Install.exe
2476	DWUD.exe
2476	DWUD.exe
2476	DWUD.exe
2476	DWUD.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DWUD Agent = "C:\\Windows\\SysWOW64\\28463\\DWUD.exe"	DWUD.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\DWUD.001	Install.exe
File created	C:\Windows\SysWOW64\28463\DWUD.006	Install.exe
File created	C:\Windows\SysWOW64\28463\DWUD.007	Install.exe
File created	C:\Windows\SysWOW64\28463\DWUD.exe	Install.exe
File created	C:\Windows\SysWOW64\28463\key.bin	Install.exe
File opened for modification	C:\Windows\SysWOW64\28463	DWUD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DWUD.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BBD4E7A-2816-477A-8487-1BCDE5BDA6CA}\InProcServer32\	DWUD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AC2036B6-6804-10B0-951E-CE97ED937095}\	DWUD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AC2036B6-6804-10B0-951E-CE97ED937095}\1.0	DWUD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BBD4E7A-2816-477A-8487-1BCDE5BDA6CA}\ProgID\	DWUD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BBD4E7A-2816-477A-8487-1BCDE5BDA6CA}\TypeLib\ = "{AC2036B6-6804-10B0-951E-CE97ED937095}"	DWUD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BBD4E7A-2816-477A-8487-1BCDE5BDA6CA}\InProcServer32\ = "%SystemRoot%\\SysWow64\\msxml3.dll"	DWUD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AC2036B6-6804-10B0-951E-CE97ED937095}\1.0\	DWUD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BBD4E7A-2816-477A-8487-1BCDE5BDA6CA}\Version\ = "3.0"	DWUD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BBD4E7A-2816-477A-8487-1BCDE5BDA6CA}\ProgID	DWUD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AC2036B6-6804-10B0-951E-CE97ED937095}\1.0\0	DWUD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AC2036B6-6804-10B0-951E-CE97ED937095}\1.0\0\win32\	DWUD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AC2036B6-6804-10B0-951E-CE97ED937095}\1.0\0\win32\ = "%SystemRoot%\\SysWow64\\wbem\\servdeps.dll"	DWUD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AC2036B6-6804-10B0-951E-CE97ED937095}\1.0\HELPDIR\ = "%SystemRoot%\\SysWow64\\wbem\\"	DWUD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BBD4E7A-2816-477A-8487-1BCDE5BDA6CA}\VersionIndependentProgID	DWUD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BBD4E7A-2816-477A-8487-1BCDE5BDA6CA}	DWUD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AC2036B6-6804-10B0-951E-CE97ED937095}	DWUD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AC2036B6-6804-10B0-951E-CE97ED937095}\1.0\0\win32	DWUD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BBD4E7A-2816-477A-8487-1BCDE5BDA6CA}\TypeLib\	DWUD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BBD4E7A-2816-477A-8487-1BCDE5BDA6CA}\Version\	DWUD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BBD4E7A-2816-477A-8487-1BCDE5BDA6CA}\VersionIndependentProgID\	DWUD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BBD4E7A-2816-477A-8487-1BCDE5BDA6CA}\VersionIndependentProgID\ = "Msxml2.ServerXMLHTTP"	DWUD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BBD4E7A-2816-477A-8487-1BCDE5BDA6CA}\ = "Joqep.Fexoba.Fobemej"	DWUD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BBD4E7A-2816-477A-8487-1BCDE5BDA6CA}\ProgID\ = "Msxml2.ServerXMLHTTP.3.0"	DWUD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AC2036B6-6804-10B0-951E-CE97ED937095}\1.0\ = "ServDeps 1.0 Type Library"	DWUD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AC2036B6-6804-10B0-951E-CE97ED937095}\1.0\0\	DWUD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AC2036B6-6804-10B0-951E-CE97ED937095}\1.0\FLAGS	DWUD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AC2036B6-6804-10B0-951E-CE97ED937095}\1.0\HELPDIR\	DWUD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BBD4E7A-2816-477A-8487-1BCDE5BDA6CA}\TypeLib	DWUD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BBD4E7A-2816-477A-8487-1BCDE5BDA6CA}\InProcServer32	DWUD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AC2036B6-6804-10B0-951E-CE97ED937095}\1.0\FLAGS\	DWUD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AC2036B6-6804-10B0-951E-CE97ED937095}\1.0\FLAGS\ = "0"	DWUD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AC2036B6-6804-10B0-951E-CE97ED937095}\1.0\HELPDIR	DWUD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BBD4E7A-2816-477A-8487-1BCDE5BDA6CA}\Version	DWUD.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2476	DWUD.exe
Token: SeIncBasePriorityPrivilege	2476	DWUD.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2476	DWUD.exe
2476	DWUD.exe
2476	DWUD.exe
2476	DWUD.exe
2476	DWUD.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 2476	1748	Install.exe	30
PID 1748 wrote to memory of 2476	1748	Install.exe	30
PID 1748 wrote to memory of 2476	1748	Install.exe	30
PID 1748 wrote to memory of 2476	1748	Install.exe	30
PID 1748 wrote to memory of 2476	1748	Install.exe	30
PID 1748 wrote to memory of 2476	1748	Install.exe	30
PID 1748 wrote to memory of 2476	1748	Install.exe	30

C:\Users\Admin\AppData\Local\Temp\ChipF2\Install.exe
"C:\Users\Admin\AppData\Local\Temp\ChipF2\Install.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\SysWOW64\28463\DWUD.exe
  "C:\Windows\system32\28463\DWUD.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\28463\DWUD.001

Filesize
380B

MD5
29c0b28e6a1df51c2c65d93fc248d62a

SHA1
d4e17ed5442a44c0f6f2aa9a64f5e261dc415e85

SHA256
f31928ae5cb5b8f0c650dc92934688a6d70005f297190df246c79dc89347f3f7

SHA512
ccebf364780097ec0ea234d4051db06b2cb3ad3cf50b9e980ca1dc78f582179376e21c71587181683c77550d29860a90fb3023f8a7fbc3acee397afdbdb1b835

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
105B

MD5
27c90d4d9b049f4cd00f32ed1d2e5baf

SHA1
338a3ea8f1e929d8916ece9b6e91e697eb562550

SHA256
172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb

SHA512
d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae

Download Submit
\Users\Admin\AppData\Local\Temp\@8BDB.tmp

Filesize
4KB

MD5
2edeacb33f56af3ef5395d72e1ce1e7e

SHA1
452986cfb1d19ffee51dd827e620d3669133a2dd

SHA256
fb1b34f7019ce4cdb95b0a95744d69ba4843480ada1c5a13d694dc094d994441

SHA512
650cfcdcc848b05be816f224301e1f91293024767edb32cfc140b73030f33f6dd7311f25ea5b2716eaab891ba342c8e9429652f45497e9f3d9031f83bb996301

Download Submit
\Windows\SysWOW64\28463\DWUD.006

Filesize
8KB

MD5
a7d56ebb7d4df6da32fd0eb2cbb01c8d

SHA1
9649efa83dec688d20733e73706ab45469877dec

SHA256
e8f58299afe568e8f28c1775597b410eb2692c09f2113345a36d6940c623ad83

SHA512
52daef6e65ad7132a2fcd28b7d5580f18eba107cf86134db88137d70db86b9b8cc080fdc63c8cb3e5d381274624a885e707b3191bdcd53bd20845da62076cda6

Download Submit
\Windows\SysWOW64\28463\DWUD.007

Filesize
5KB

MD5
33713b71361b69fff8125c8a4f327716

SHA1
cc7870a3671ea4ff0d3a04f7372e82d10e497ecb

SHA256
8cfcbace29a286d3bd1b42683ac7a4c384440d2cac16fc7b87c7135d59a526b9

SHA512
8b7f214122d368d66eda0ff1be54dc2c9b3d73d37e2e143d80b8c382758eeb2568d5a55ba1f1b3f1e1b8981d22708178f5f0e21b14d384dd2c214fe7569b3e4f

Download Submit
\Windows\SysWOW64\28463\DWUD.exe

Filesize
649KB

MD5
22c27e66d6fa15ec1230ab9544c03ed7

SHA1
048c618c233a90fdbb7acb64abcbeead5e6ef350

SHA256
1b383815dcf2f514bc75338def0c2e8770eeae23f3c00521b09aa2570cdc3772

SHA512
5d8a6bf322dc84226a5ea14824f209815d54bd7acef9feba0719b497e99d24935d0214022a21a3903b814809aa83e868a6db3683b681874c7d7f25f0aeada9ca

Download Submit
memory/1748-15-0x0000000002950000-0x0000000002A2F000-memory.dmp

Filesize
892KB

Download
memory/2476-26-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2476-22-0x0000000000493000-0x0000000000494000-memory.dmp

Filesize
4KB

Download
memory/2476-21-0x00000000004E0000-0x00000000005BF000-memory.dmp

Filesize
892KB

Download
memory/2476-20-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2476-23-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2476-25-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2476-27-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2476-33-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2476-34-0x00000000004E0000-0x00000000005BF000-memory.dmp

Filesize
892KB

Download
memory/2476-35-0x0000000000493000-0x0000000000494000-memory.dmp

Filesize
4KB

Download
memory/2476-39-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads