Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

ArdamaxKey...18.exe

windows7-x64

10

ArdamaxKey...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/11/2024, 11:30 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe

  • Size

    783KB

  • MD5

    e33af9e602cbb7ac3634c2608150dd18

  • SHA1

    8f6ec9bc137822bc1ddf439c35fedc3b847ce3fe

  • SHA256

    8c870eec48bc4ea1aca1f0c63c8a82aaadaf837f197708a7f0321238da8b6b75

  • SHA512

    2ae5003e64b525049535ebd5c42a9d1f6d76052cccaa623026758aabe5b1d1b5781ca91c727f3ecb9ac30b829b8ce56f11b177f220330c704915b19b37f8f418

  • SSDEEP

    12288:0E9uQlDTt8c/wtocu3HhGSrIilDhlPnRq/iI7UOvqF8dtbcZl36VBqWPH:FuqD2cYWzBGZohlE/zUD8/bgl2qW/

Score
10/10
ardamaxdiscoverykeyloggerpersistencestealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax family
    ardamax
  • Ardamax main executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 35 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
    "C:\Users\Admin\AppData\Local\Temp\ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Windows\SysWOW64\28463\DPBJ.exe
      "C:\Windows\system32\28463\DPBJ.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4936

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    88.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.210.23.2.in-addr.arpa
    IN PTR
    Response
    88.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-88deploystaticakamaitechnologiescom
  • flag-us
    DNS
    17.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    17.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    smtp.mail.yahoo.com
    DPBJ.exe
    Remote address:
    8.8.8.8:53
    Request
    smtp.mail.yahoo.com
    IN A
    Response
    smtp.mail.yahoo.com
    IN CNAME
    smtp.mail.global.gm0.yahoodns.net
    smtp.mail.global.gm0.yahoodns.net
    IN A
    87.248.97.36
  • flag-us
    DNS
    smtp.mail.yahoo.com
    DPBJ.exe
    Remote address:
    8.8.8.8:53
    Request
    smtp.mail.yahoo.com
    IN A
  • flag-us
    DNS
    36.97.248.87.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    36.97.248.87.in-addr.arpa
    IN PTR
    Response
    36.97.248.87.in-addr.arpa
    IN PTR
    smtp-yahoo mail-prod1omegavipir2yahoocom
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83deploystaticakamaitechnologiescom
  • flag-us
    DNS
    smtp.mail.yahoo.com
    DPBJ.exe
    Remote address:
    8.8.8.8:53
    Request
    smtp.mail.yahoo.com
    IN A
    Response
    smtp.mail.yahoo.com
    IN CNAME
    smtp.mail.global.gm0.yahoodns.net
    smtp.mail.global.gm0.yahoodns.net
    IN A
    87.248.97.36
  • flag-us
    DNS
    28.73.42.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.73.42.20.in-addr.arpa
    IN PTR
    Response
  • 87.248.97.36:587
    smtp.mail.yahoo.com
    smtp
    DPBJ.exe
    620 B
     762 B
     11
    10
  • 87.248.97.36:587
    smtp.mail.yahoo.com
    smtp
    DPBJ.exe
    833 B
     1.1kB
     16
    16
  • 87.248.97.36:587
    smtp.mail.yahoo.com
    smtp
    DPBJ.exe
    597 B
     854 B
     11
    12
  • 87.248.97.36:587
    smtp.mail.yahoo.com
    smtp
    DPBJ.exe
    793 B
     822 B
     15
    11
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    132 B
     90 B
     2
    1

    DNS Request

    8.8.8.8.in-addr.arpa

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    146 B
     147 B
     2
    1

    DNS Request

    104.219.191.52.in-addr.arpa

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    88.210.23.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    88.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    17.160.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    17.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
     156 B
     1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    smtp.mail.yahoo.com
    dns
    DPBJ.exe
    130 B
     128 B
     2
    1

    DNS Request

    smtp.mail.yahoo.com

    DNS Request

    smtp.mail.yahoo.com

    DNS Response

    87.248.97.36

  • 8.8.8.8:53
    36.97.248.87.in-addr.arpa
    dns
    71 B
     130 B
     1
    1

    DNS Request

    36.97.248.87.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    smtp.mail.yahoo.com
    dns
    DPBJ.exe
    65 B
     128 B
     1
    1

    DNS Request

    smtp.mail.yahoo.com

    DNS Response

    87.248.97.36

  • 8.8.8.8:53
    28.73.42.20.in-addr.arpa
    dns
    70 B
     156 B
     1
    1

    DNS Request

    28.73.42.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\@6D41.tmp
    Filesize

    4KB

    MD5

    d73d89b1ea433724795b3d2b524f596c

    SHA1

    213514f48ece9f074266b122ee2d06e842871c8c

    SHA256

    8aef975a94c800d0e3e4929999d05861868a7129b766315c02a48a122e3455d6

    SHA512

    8b73be757ad3e0f2b29c0b130918e8f257375f9f3bf7b9609bac24b17369de2812341651547546af238936d70f38f050d6984afd16d47b467bcbba4992e42f41

    Download Submit

  • C:\Windows\SysWOW64\28463\AKV.exe
    Filesize

    457KB

    MD5

    97eee85d1aebf93d5d9400cb4e9c771b

    SHA1

    26fa2bf5fce2d86b891ac0741a6999bff31397de

    SHA256

    30df6c8cbd255011d80fa6e959179d47c458bc4c4d9e78c4cf571aa611cd7d24

    SHA512

    8cecc533c07c91c67b93a7ae46102a0aae7f4d3d88d04c250231f0bcd8e1f173daf06e94b5253a66db3f2a052c51e62154554368929294178d2b3597c1cca7e6

    Download Submit

  • C:\Windows\SysWOW64\28463\DPBJ.001
    Filesize

    492B

    MD5

    7a0f1fa20fd40c047b07379da5290f2b

    SHA1

    e0fb8305de6b661a747d849edb77d95959186fca

    SHA256

    b0ad9e9d3d51e8434cc466bec16e2b94fc2d03bab03b48ccf57db86ae8e2c9b6

    SHA512

    bb5b3138b863811a8b9dcba079ac8a2828dae73943a1cc1d107d27faca509fda9f03409db7c23d5d70b48d299146de14b656314a24b854f3ae4fdb6ef6770346

    Download Submit

  • C:\Windows\SysWOW64\28463\DPBJ.006
    Filesize

    8KB

    MD5

    35b24c473bdcdb4411e326c6c437e8ed

    SHA1

    ec1055365bc2a66e52de2d66d24d742863c1ce3d

    SHA256

    4530fcc91e4d0697a64f5e24d70e2b327f0acab1a9013102ff04236841c5a617

    SHA512

    32722f1484013bbc9c1b41b3fdaf5cd244ec67facaa2232be0e90455719d664d65cae1cd670adf5c40c67f568122d910b30e3e50f7cc06b0350a6a2d34d371de

    Download Submit

  • C:\Windows\SysWOW64\28463\DPBJ.007
    Filesize

    5KB

    MD5

    a8e19de6669e831956049685225058a8

    SHA1

    6d2546d49d92b18591ad4fedbc92626686e7e979

    SHA256

    34856528d8b7e31caa83f350bc4dbc861120dc2da822a9eb896b773bc7e1f564

    SHA512

    5c407d4aa5731bd62c2a1756127f794382dc5e2b214298acfa68698c709fbbe3f2aa8dbdcbef02ed2a49f8f35969959946e9f727895bdca4500d16e84f4ef2e8

    Download Submit

  • C:\Windows\SysWOW64\28463\DPBJ.009
    Filesize

    1.6MB

    MD5

    deac29603c5a58e1a4e2f517c7d01a22

    SHA1

    dcd9ed875fc2dc181f267969e865de28ae9e5db2

    SHA256

    9749aaa2f91a15517cabd55244d3d274ec438c6dffcfa4160291ddab98953a5b

    SHA512

    8edfddcef8e5e4f2325bdd44dc6a712640771ec5a7eb7b1135f1532a84d199cc50cb1fba959d2fe0d05ff4821e0cf53f15e60764dbef24714350a086bc57c198

    Download Submit

  • C:\Windows\SysWOW64\28463\DPBJ.exe
    Filesize

    646KB

    MD5

    b863a9ac3bcdcde2fd7408944d5bf976

    SHA1

    4bd106cd9aefdf2b51f91079760855e04f73f3b0

    SHA256

    0fe8e3cd44a89c15dec75ff2949bac1a96e1ea7e0040f74df3230569ac9e37b0

    SHA512

    4b30c3b119c1e7b2747d2745b2b79c61669a33b84520b88ab54257793e3ed6e76378dea2b8ff048cb1822187ffdc20e921d658bb5b0482c23cfa7d70f4e7aa1a

    Download Submit

  • C:\Windows\SysWOW64\28463\Nov_25_2024__11_30_58.jpg
    Filesize

    120KB

    MD5

    8bac217286fab557936849454ffdc634

    SHA1

    75edd0317cd08f8f5fcbfe85db97f179e784f69a

    SHA256

    38b76ca296f5a6ed4270c1424c389ae070947a66f67ee5501964de840d722aa8

    SHA512

    09cc3feb342bfa3f1c42b164556dbe85377cbe5f2390ee8b039b42a55d01463e02347fb4115fd531aaf258d606d74afd5025a089c2f9500ca61465a5f54a71c3

    Download Submit

  • C:\Windows\SysWOW64\28463\key.bin
    Filesize

    106B

    MD5

    639d75ab6799987dff4f0cf79fa70c76

    SHA1

    be2678476d07f78bb81e8813c9ee2bfff7cc7efb

    SHA256

    fc42ab050ffdfed8c8c7aac6d7e4a7cad4696218433f7ca327bcfdf9f318ac98

    SHA512

    4b511d0330d7204af948ce7b15615d745e8d4ea0a73bbece4e00fb23ba2635dd99e4fa54a76236d6f74bdbcdba57d32fd4c36b608d52628e72d11d5ed6f8cde2

    Download Submit

  • memory/4936-39-0x00000000033B0000-0x00000000033B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4936-32-0x00000000033A0000-0x00000000033A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4936-28-0x0000000000C30000-0x0000000000C31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4936-27-0x0000000002520000-0x0000000002521000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4936-26-0x0000000002560000-0x0000000002561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4936-25-0x0000000002540000-0x0000000002541000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4936-24-0x0000000002550000-0x0000000002551000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4936-23-0x0000000002500000-0x0000000002501000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4936-30-0x0000000003350000-0x0000000003353000-memory.dmp

    Filesize

    12KB

    Download

  • memory/4936-31-0x00000000033A0000-0x00000000033A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4936-37-0x00000000006B0000-0x00000000006B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4936-36-0x00000000004F0000-0x00000000004F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4936-38-0x0000000003370000-0x0000000003371000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4936-29-0x0000000003360000-0x0000000003361000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4936-33-0x00000000033A0000-0x00000000033A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4936-34-0x00000000033A0000-0x00000000033A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4936-35-0x00000000033A0000-0x00000000033A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4936-50-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB

    Download

  • memory/4936-53-0x0000000000B10000-0x0000000000B6A000-memory.dmp

    Filesize

    360KB

    Download

  • memory/4936-21-0x0000000000B10000-0x0000000000B6A000-memory.dmp

    Filesize

    360KB

    Download

  • memory/4936-55-0x00000000033A0000-0x00000000033A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4936-20-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB

    Download

  • memory/4936-148-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB

    Download

  • memory/4936-295-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB

    Download

  • memory/4936-401-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB

    Download

  • memory/4936-515-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB

    Download

  • memory/4936-784-0x0000000000400000-0x00000000004DF000-memory.dmp

    Filesize

    892KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.