ardamax | 889ade68a12b10b0da4c475ee17d713c42c87f351c7febd33a60e231ee0c6cca

General

Target

sucrose working/srose new.exe
Size

1.9MB
MD5

5742ea4de78005e529e1fbdfa83a2356
SHA1

880ff6373d8ab9d60657487d354f25d631c11121
SHA256

035afa353417b64a928baa6de04eb1c39e5d7a88d3f2802df4c40e5b9b6f9da7
SHA512

45133a6f8271fa4d1f9a280d436c43fed4ebd3ad7cdf5e13c9de7ae9c7970c77e2aebee8548cc4bbac0d053cce300d3d212df184739fd17cac3671bb580b90b5
SSDEEP

24576:6ZlEY11pwr39JeAzrjaoYfpBDVwVu4P8JxaNaYDXR5pzvczdzgGCd:QlEOpwL3eNoIeu4P8naNaipgzdzpCd

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x00050000000197e4-33.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2844	bypass.exe
2772	GUVJ.exe

Loads dropped DLL 7 IoCs

pid	Process
2684	srose new.exe
2684	srose new.exe
2844	bypass.exe
2844	bypass.exe
2844	bypass.exe
2772	GUVJ.exe
2772	GUVJ.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\GUVJ Agent = "C:\\Windows\\SysWOW64\\28463\\GUVJ.exe"	GUVJ.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\GUVJ.001	bypass.exe
File created	C:\Windows\SysWOW64\28463\GUVJ.006	bypass.exe
File created	C:\Windows\SysWOW64\28463\GUVJ.007	bypass.exe
File created	C:\Windows\SysWOW64\28463\GUVJ.exe	bypass.exe
File opened for modification	C:\Windows\SysWOW64\28463	GUVJ.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bypass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GUVJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srose new.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2772	GUVJ.exe
Token: SeIncBasePriorityPrivilege	2772	GUVJ.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2684	srose new.exe
2772	GUVJ.exe
2772	GUVJ.exe
2772	GUVJ.exe
2772	GUVJ.exe
2772	GUVJ.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2844	2684	srose new.exe	30
PID 2684 wrote to memory of 2844	2684	srose new.exe	30
PID 2684 wrote to memory of 2844	2684	srose new.exe	30
PID 2684 wrote to memory of 2844	2684	srose new.exe	30
PID 2844 wrote to memory of 2772	2844	bypass.exe	31
PID 2844 wrote to memory of 2772	2844	bypass.exe	31
PID 2844 wrote to memory of 2772	2844	bypass.exe	31
PID 2844 wrote to memory of 2772	2844	bypass.exe	31

C:\Users\Admin\AppData\Local\Temp\sucrose working\srose new.exe
"C:\Users\Admin\AppData\Local\Temp\sucrose working\srose new.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Local\Temp\sucrose working\bypass.exe
  "C:\Users\Admin\AppData\Local\Temp\sucrose working\bypass.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\SysWOW64\28463\GUVJ.exe
    "C:\Windows\system32\28463\GUVJ.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sucrose working\bypass.exe

Filesize
300KB

MD5
2a82e71e49f54359f2db69a929eee58f

SHA1
23aa9563678acc6736cc47ffce195d91e746fce6

SHA256
9ea9f16d33637458a9e6fa3ec31a451f83cd9ca37f6d0042eb7b6dfe69121251

SHA512
191c174f82776385c82b9956d5a297426573dfbf6e6a794eb6a045159e6608593bb7d0698260c1a83e5a21cbb153ce52b505e37073155c0c6163369587f9203c

Download Submit
C:\Windows\SysWOW64\28463\GUVJ.001

Filesize
394B

MD5
fe8fcd2416a427234e006822f9976fc8

SHA1
811af16401f542e0e5915cc4c6fbbebc157371a8

SHA256
1d0f0a904c590c6f8d393639a2d93f91d56d26acc2ea740d7a5d371c8695c786

SHA512
a9cffb0781f0f10e223e061996874d351d2da44b8f510cd36282c62ebbbde239fced92b32c7477d88f3a911b37f377647ffe7375c5f0fa2c89534e47dc8eaf4a

Download Submit
C:\Windows\SysWOW64\28463\GUVJ.006

Filesize
8KB

MD5
aae8ccee5d5eed5748d13f474123efea

SHA1
6da78da4de3b99a55fad00be2ec53a3ad3bd06ae

SHA256
10c464d1675774e0282171555d59fb8975ed6c0e6a781182490f48e66823a5b8

SHA512
d370e1ffeeb81b3f07b83a9cf1e3b44635fde7aa6ac999bccafece8091dbf96f0a78257bb0e03b3689dc47fb4e96ec7deac7848a43ddef62afc9b8cc665ee8bd

Download Submit
C:\Windows\SysWOW64\28463\GUVJ.007

Filesize
5KB

MD5
40685d22d05d92462a2cfc1bba9a81b7

SHA1
f0e19012d0ed000148898b1e1264736bed438da8

SHA256
cdca1e5bc4c5129caa8eeddf637c820b6241c8790ce1a341e38e8324ae95afa0

SHA512
21961d2dd118b45bde4cf00b4570712791a22769d05afb5b6c54355b0aaee9b7f7de00b357845349ef957807452365134d51e11181d2d45f98ed0cc9402de90b

Download Submit
C:\Windows\SysWOW64\28463\GUVJ.exe

Filesize
473KB

MD5
339ae4ce820cda75bbb363b2ed1c06fd

SHA1
62399c6102cc98ed66cbcd88a63ff870cf7b2100

SHA256
1e4a463ac0d463cee1f52f9529474484157c85d671aea1ab5f4173df12de01b6

SHA512
5da8b333a839c4b169c6f4c9a1929918f166a895af7818c8223df7ed22279aac3b6ef88f89ee083a4f475f82ec6078f8e9800a9afc9547712245d090636a284a

Download Submit
\Users\Admin\AppData\Local\Temp\@75BC.tmp

Filesize
4KB

MD5
27092ec75c1839f36bfe900a38acc484

SHA1
fe14b750a0ed653246c5f358891f8c1241913bb2

SHA256
e6e29699840ae26c452227f9a1c9fd0e3cda0c2413c4255df9fc066c47af0e07

SHA512
815477e8681e38dd3110171adbaf06738eb9d63839671a959a296ec1a1fb17d788682dde5e6a1f0bffa3b4deda4577292ffa37ce10b95ad14276ffcd0795ac0b

Download Submit
memory/2772-34-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2772-37-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads