ardamax | 53430ebab6b89325c5a407342a7f9f22d85850fdd30df80daf1ea68fc0a407fc

General

Target

53430ebab6b89325c5a407342a7f9f22d85850fdd30df80daf1ea68fc0a407fcN.exe
Size

2.2MB
MD5

3368e5f66d6845cc96b2dca65f1e7780
SHA1

3da4fab790347189644fba012eee8dd8cd9882d5
SHA256

53430ebab6b89325c5a407342a7f9f22d85850fdd30df80daf1ea68fc0a407fc
SHA512

6fcd4ee3ad3ca01954c2b4f2c0ca99ed46c7b551bcc19c59e0634f49bcea2851d2e761d7084e4c3dd5485f9fc2a0a21835e87d1328888eb5831d201fd01d8fa5
SSDEEP

49152:u6Wy2byz0EQgrMAqOTbCErGgeVAzT+HC7dLZFWeX+:BWyq40ZoUOTybVmOC5hX

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WQD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	53430ebab6b89325c5a407342a7f9f22d85850fdd30df80daf1ea68fc0a407fcN.exe

Executes dropped EXE 1 IoCs

pid	Process
5012	WQD.exe

Loads dropped DLL 2 IoCs

pid	Process
5012	WQD.exe
5012	WQD.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WQD Start = "C:\\ProgramData\\ESKSDU\\WQD.exe"	WQD.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	53430ebab6b89325c5a407342a7f9f22d85850fdd30df80daf1ea68fc0a407fcN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WQD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	53430ebab6b89325c5a407342a7f9f22d85850fdd30df80daf1ea68fc0a407fcN.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5012	WQD.exe
5012	WQD.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5012	WQD.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5012	WQD.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
5012	WQD.exe
5012	WQD.exe
5012	WQD.exe
5012	WQD.exe
5012	WQD.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 5012	1432	53430ebab6b89325c5a407342a7f9f22d85850fdd30df80daf1ea68fc0a407fcN.exe	83
PID 1432 wrote to memory of 5012	1432	53430ebab6b89325c5a407342a7f9f22d85850fdd30df80daf1ea68fc0a407fcN.exe	83
PID 1432 wrote to memory of 5012	1432	53430ebab6b89325c5a407342a7f9f22d85850fdd30df80daf1ea68fc0a407fcN.exe	83
PID 5012 wrote to memory of 1716	5012	WQD.exe	101
PID 5012 wrote to memory of 1716	5012	WQD.exe	101
PID 5012 wrote to memory of 1716	5012	WQD.exe	101

C:\Users\Admin\AppData\Local\Temp\53430ebab6b89325c5a407342a7f9f22d85850fdd30df80daf1ea68fc0a407fcN.exe
"C:\Users\Admin\AppData\Local\Temp\53430ebab6b89325c5a407342a7f9f22d85850fdd30df80daf1ea68fc0a407fcN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1432
- C:\ProgramData\ESKSDU\WQD.exe
  "C:\ProgramData\ESKSDU\WQD.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\PROGRA~3\ESKSDU\WQD.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1716

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ESKSDU\WQD.00

Filesize
2KB

MD5
91c5c31d240a797f668422badb64b40f

SHA1
22759b939c0706ac0d059abfd514ddb8700af8c8

SHA256
f2e66026cd23eaf605aab23880931f96fabdbf354552aa5deaa68b1137c6e199

SHA512
d8e04a746f4d137cfc8fbdb60cb4b63c3dbcb2d9f015c085c398f873923520d9794f99c74ea4f6a9736c0d848caf4472e070f9034eafe6ecd37aa7534ecb8c08

Download Submit
C:\ProgramData\ESKSDU\WQD.01

Filesize
79KB

MD5
5c3284d6f7c08908d5b7a8d8f862836a

SHA1
07a7f242ab34b864db7d2a3c1d259e85bd39db7d

SHA256
049f3bc323b3219c9b99255a4b170dd5b9d89369a539d74d3a4a9cd125d93a4c

SHA512
7fac2fcf19d76a78b1fd81e61035f4a3950ba6609d550f62054c37cc8faa2a871e566c49c64edb733557f1bf8cc5a43fcdc7dfb6fe9e03b049254f4a24542cbb

Download Submit
C:\ProgramData\ESKSDU\WQD.02

Filesize
54KB

MD5
df99d06b2e6614303a21bfb4b93a6b32

SHA1
2bf4c3e0e5ab3fd51c52d569f76c9b30f0e4a416

SHA256
4734ddf1600ad2957821c90bc9b67da3fab94dad6e6c90d47b656da8fad6c35c

SHA512
8ba323ce7c65d977049dd1758266ddd1545e12f8dda594a948a17c5610b057bec4ca69e450c742bf94a00a1fedda8ef3969baa9c142b93cacb838ffd979f39e7

Download Submit
C:\ProgramData\ESKSDU\WQD.exe

Filesize
2.6MB

MD5
29249516d7ec5a5fa4b37f2eab0db6a6

SHA1
9a87069dc06a65016ffe71c357f29a200be3ec0d

SHA256
4783503716d78d1c7ef3b4d1fd44b60d97aa0f52fb4c6b465e258425236b41a8

SHA512
7274d2de711b4878d409d2d847313fa7dea614109971c879851d66d310e443aab6635384e78d0c34f85c3124fa820aa8ea19636ba56736181b854f4061809991

Download Submit
memory/5012-14-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/5012-18-0x0000000002B00000-0x0000000002B19000-memory.dmp

Filesize
100KB

Download
memory/5012-19-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/5012-21-0x0000000073570000-0x0000000073581000-memory.dmp

Filesize
68KB

Download
memory/5012-22-0x0000000073560000-0x000000007356F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads