Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
25-11-2024 11:30
General
-
Target
ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
-
Size
783KB
-
MD5
e33af9e602cbb7ac3634c2608150dd18
-
SHA1
8f6ec9bc137822bc1ddf439c35fedc3b847ce3fe
-
SHA256
8c870eec48bc4ea1aca1f0c63c8a82aaadaf837f197708a7f0321238da8b6b75
-
SHA512
2ae5003e64b525049535ebd5c42a9d1f6d76052cccaa623026758aabe5b1d1b5781ca91c727f3ecb9ac30b829b8ce56f11b177f220330c704915b19b37f8f418
-
SSDEEP
12288:0E9uQlDTt8c/wtocu3HhGSrIilDhlPnRq/iI7UOvqF8dtbcZl36VBqWPH:FuqD2cYWzBGZohlE/zUD8/bgl2qW/
Malware Config
Signatures
-
Ardamax
A keylogger first seen in 2013.
-
Ardamax family
-
Ardamax main executable 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 4 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 35 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe"C:\Users\Admin\AppData\Local\Temp\ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\28463\DPBJ.exe"C:\Windows\system32\28463\DPBJ.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5d73d89b1ea433724795b3d2b524f596c
SHA1213514f48ece9f074266b122ee2d06e842871c8c
SHA2568aef975a94c800d0e3e4929999d05861868a7129b766315c02a48a122e3455d6
SHA5128b73be757ad3e0f2b29c0b130918e8f257375f9f3bf7b9609bac24b17369de2812341651547546af238936d70f38f050d6984afd16d47b467bcbba4992e42f41
-
Filesize
457KB
MD597eee85d1aebf93d5d9400cb4e9c771b
SHA126fa2bf5fce2d86b891ac0741a6999bff31397de
SHA25630df6c8cbd255011d80fa6e959179d47c458bc4c4d9e78c4cf571aa611cd7d24
SHA5128cecc533c07c91c67b93a7ae46102a0aae7f4d3d88d04c250231f0bcd8e1f173daf06e94b5253a66db3f2a052c51e62154554368929294178d2b3597c1cca7e6
-
Filesize
492B
MD57a0f1fa20fd40c047b07379da5290f2b
SHA1e0fb8305de6b661a747d849edb77d95959186fca
SHA256b0ad9e9d3d51e8434cc466bec16e2b94fc2d03bab03b48ccf57db86ae8e2c9b6
SHA512bb5b3138b863811a8b9dcba079ac8a2828dae73943a1cc1d107d27faca509fda9f03409db7c23d5d70b48d299146de14b656314a24b854f3ae4fdb6ef6770346
-
Filesize
8KB
MD535b24c473bdcdb4411e326c6c437e8ed
SHA1ec1055365bc2a66e52de2d66d24d742863c1ce3d
SHA2564530fcc91e4d0697a64f5e24d70e2b327f0acab1a9013102ff04236841c5a617
SHA51232722f1484013bbc9c1b41b3fdaf5cd244ec67facaa2232be0e90455719d664d65cae1cd670adf5c40c67f568122d910b30e3e50f7cc06b0350a6a2d34d371de
-
Filesize
5KB
MD5a8e19de6669e831956049685225058a8
SHA16d2546d49d92b18591ad4fedbc92626686e7e979
SHA25634856528d8b7e31caa83f350bc4dbc861120dc2da822a9eb896b773bc7e1f564
SHA5125c407d4aa5731bd62c2a1756127f794382dc5e2b214298acfa68698c709fbbe3f2aa8dbdcbef02ed2a49f8f35969959946e9f727895bdca4500d16e84f4ef2e8
-
Filesize
1.6MB
MD5deac29603c5a58e1a4e2f517c7d01a22
SHA1dcd9ed875fc2dc181f267969e865de28ae9e5db2
SHA2569749aaa2f91a15517cabd55244d3d274ec438c6dffcfa4160291ddab98953a5b
SHA5128edfddcef8e5e4f2325bdd44dc6a712640771ec5a7eb7b1135f1532a84d199cc50cb1fba959d2fe0d05ff4821e0cf53f15e60764dbef24714350a086bc57c198
-
Filesize
646KB
MD5b863a9ac3bcdcde2fd7408944d5bf976
SHA14bd106cd9aefdf2b51f91079760855e04f73f3b0
SHA2560fe8e3cd44a89c15dec75ff2949bac1a96e1ea7e0040f74df3230569ac9e37b0
SHA5124b30c3b119c1e7b2747d2745b2b79c61669a33b84520b88ab54257793e3ed6e76378dea2b8ff048cb1822187ffdc20e921d658bb5b0482c23cfa7d70f4e7aa1a
-
Filesize
120KB
MD58bac217286fab557936849454ffdc634
SHA175edd0317cd08f8f5fcbfe85db97f179e784f69a
SHA25638b76ca296f5a6ed4270c1424c389ae070947a66f67ee5501964de840d722aa8
SHA51209cc3feb342bfa3f1c42b164556dbe85377cbe5f2390ee8b039b42a55d01463e02347fb4115fd531aaf258d606d74afd5025a089c2f9500ca61465a5f54a71c3
-
Filesize
106B
MD5639d75ab6799987dff4f0cf79fa70c76
SHA1be2678476d07f78bb81e8813c9ee2bfff7cc7efb
SHA256fc42ab050ffdfed8c8c7aac6d7e4a7cad4696218433f7ca327bcfdf9f318ac98
SHA5124b511d0330d7204af948ce7b15615d745e8d4ea0a73bbece4e00fb23ba2635dd99e4fa54a76236d6f74bdbcdba57d32fd4c36b608d52628e72d11d5ed6f8cde2
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
12KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
892KB
-
Filesize
360KB
-
Filesize
360KB
-
Filesize
4KB
-
Filesize
892KB
-
Filesize
892KB
-
Filesize
892KB
-
Filesize
892KB
-
Filesize
892KB
-
Filesize
892KB
