ardamax | 99e10e5b9cb36d1c54816ef6ce4359663b47c110a194d3498f23deb53916ca0d

General

Target

Install.exe
Size

1.1MB
MD5

ade23339d6c324d78c73ffc160db7095
SHA1

5bb57a3e4fa5f89987de193069e613684d20c17c
SHA256

4e4e83cec2a9816b3aa530d8f6cc58ba7433dd437265fcc67b0925859b295732
SHA512

b7615ab01b1bec22fa0e488b50287cfe0d8f698bd8f83823825a2740421baf0359773d9d3b622f4f2e4bc4c8c04da6a6faf9dd65e6539416ef98c91e83480399
SSDEEP

24576:MSE1TN+ewFToPILS5Jh6iUkieaaUpTRksTBqyI7PWZcygx0r9Mt6g:MSYTTwywLWD6ivirtnBqPWZzgWr06

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c99-8.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	TAW.exe

Executes dropped EXE 1 IoCs

pid	Process
4448	TAW.exe

Loads dropped DLL 1 IoCs

pid	Process
4448	TAW.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TAW Start = "C:\\Windows\\SysWOW64\\PVSLCH\\TAW.exe"	TAW.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PVSLCH\TAW.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\PVSLCH\	TAW.exe
File created	C:\Windows\SysWOW64\PVSLCH\TAW.004	Install.exe
File created	C:\Windows\SysWOW64\PVSLCH\TAW.001	Install.exe
File created	C:\Windows\SysWOW64\PVSLCH\TAW.002	Install.exe
File created	C:\Windows\SysWOW64\PVSLCH\AKV.exe	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TAW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	4448	TAW.exe
Token: SeIncBasePriorityPrivilege	4448	TAW.exe
Token: SeIncBasePriorityPrivilege	4448	TAW.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4448	TAW.exe
4448	TAW.exe
4448	TAW.exe
4448	TAW.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 4448	3044	Install.exe	82
PID 3044 wrote to memory of 4448	3044	Install.exe	82
PID 3044 wrote to memory of 4448	3044	Install.exe	82
PID 4448 wrote to memory of 3736	4448	TAW.exe	92
PID 4448 wrote to memory of 3736	4448	TAW.exe	92
PID 4448 wrote to memory of 3736	4448	TAW.exe	92

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\PVSLCH\TAW.exe
  "C:\Windows\system32\PVSLCH\TAW.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\PVSLCH\TAW.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\PVSLCH\AKV.exe

Filesize
456KB

MD5
a626ea63014bb99b64c76f9170e91370

SHA1
62ceedb9dcc073d0ecefe5b741724c601ada5d9b

SHA256
248fd5fa06f81efb5d66d1be594dc01c6fb13f15aac9fd3d35a471838c21b851

SHA512
2d37163927d00e67ca242eec32ddf84dc7e298320b6c628d0e6e5a885152a70dfb575bc1a6f2765d91fdee8735dd3841edffd91ad7ed9195ffc0ae7bcd01238c

Download Submit
C:\Windows\SysWOW64\PVSLCH\TAW.001

Filesize
61KB

MD5
9c4ffd88e48548e4d16312bd91c317a9

SHA1
0e7bf403d4803af625576c71e9dc6c0534e84984

SHA256
2776e8682161ef789546837ff0d8bc2aa828f93409b9fd37f534b5ae72818040

SHA512
db95e1ac45b0c64fd0f5a3e74b8a9096afa2538035651551c48457aefdaa18d747c11f56aa4506ea71e2619307ec79c92998d8fa9ef29cb7d5fb840435172fb0

Download Submit
C:\Windows\SysWOW64\PVSLCH\TAW.002

Filesize
43KB

MD5
7fd0b22a5c7360208b6861ee9d219d55

SHA1
6147665d86d49605d2ffc37950a16836b269d1b9

SHA256
bd7adf27da25406c9714536bf5724875a5d753ea8269df537ff4c0ac295b48c0

SHA512
23ab4b7609ba522652d6ff1e3b0e52d5e0c8d01150e3bcc4133133b724d7b22d4e4834b338e865c62df5959b76ed92194018cec1d73e17359116ba177f016704

Download Submit
C:\Windows\SysWOW64\PVSLCH\TAW.004

Filesize
1KB

MD5
ba38d55f92699a85bfa2c269108a48fe

SHA1
ecf740972274448c8338934d1a8940eec086db8d

SHA256
92646cfe42afd2e4aad2928fc25e002215886eb7c115d43999973125a491021f

SHA512
c11df9a9919439939519230182ff74448f52cdd18bec77c2cf53c032986450447f74e2df103105044da25edc8b36f1a7a0a379c414194b86e4f3f5b5260827f2

Download Submit
C:\Windows\SysWOW64\PVSLCH\TAW.exe

Filesize
1.7MB

MD5
6192c0937d2475353ab65739bd44140d

SHA1
a8b2ae6b5ee330e815d052a0601224cbd5eaf07a

SHA256
bf73c24bd79abbcc4596dd8ec6a40b5b763a4006bcbe525b6680d5915055a0c6

SHA512
cb5c821dee9a626376629f8b3ce8348ab0e9e26e494df44dfc2a0996a06ba6e86c3e1cb9b58961159c14eb97e6224aadb499bcbbf05fe7ecdef0ebb33bce2f55

Download Submit
memory/4448-16-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/4448-18-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads