ardamax | 7924a11f764e1c25543361654f782770761869291e04a04f1fb31e15cdf0ef7b

General

Target

7924a11f764e1c25543361654f782770761869291e04a04f1fb31e15cdf0ef7b.exe
Size

2.2MB
MD5

633c463311eb4a590d90529c539176e8
SHA1

535dc27cb5a63a308875510348ffc32f21ac5512
SHA256

7924a11f764e1c25543361654f782770761869291e04a04f1fb31e15cdf0ef7b
SHA512

de5c181ae9ea388306c24e998699ae5b764f1fbcf01f7d46137e8599835cc3905c26366f9775c61d64b6a2f73fa7c1e8db875e8f0dd2555430cd7bf04d02a68d
SSDEEP

49152:u6Wy2byz0EQgrMAqOTbCErGgeVAzT+HC7dLZFWeX++:BWyq40ZoUOTybVmOC5hXt

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Executes dropped EXE 1 IoCs

pid	Process
400	WQD.exe

Loads dropped DLL 2 IoCs

pid	Process
1268	7924a11f764e1c25543361654f782770761869291e04a04f1fb31e15cdf0ef7b.exe
400	WQD.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WQD Start = "C:\\ProgramData\\ESKSDU\\WQD.exe"	WQD.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7924a11f764e1c25543361654f782770761869291e04a04f1fb31e15cdf0ef7b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WQD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
400	WQD.exe
400	WQD.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
400	WQD.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	400	WQD.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
400	WQD.exe
400	WQD.exe
400	WQD.exe
400	WQD.exe
400	WQD.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 400	1268	7924a11f764e1c25543361654f782770761869291e04a04f1fb31e15cdf0ef7b.exe	31
PID 1268 wrote to memory of 400	1268	7924a11f764e1c25543361654f782770761869291e04a04f1fb31e15cdf0ef7b.exe	31
PID 1268 wrote to memory of 400	1268	7924a11f764e1c25543361654f782770761869291e04a04f1fb31e15cdf0ef7b.exe	31
PID 1268 wrote to memory of 400	1268	7924a11f764e1c25543361654f782770761869291e04a04f1fb31e15cdf0ef7b.exe	31
PID 400 wrote to memory of 2748	400	WQD.exe	32
PID 400 wrote to memory of 2748	400	WQD.exe	32
PID 400 wrote to memory of 2748	400	WQD.exe	32
PID 400 wrote to memory of 2748	400	WQD.exe	32

C:\Users\Admin\AppData\Local\Temp\7924a11f764e1c25543361654f782770761869291e04a04f1fb31e15cdf0ef7b.exe
"C:\Users\Admin\AppData\Local\Temp\7924a11f764e1c25543361654f782770761869291e04a04f1fb31e15cdf0ef7b.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1268
- C:\ProgramData\ESKSDU\WQD.exe
  "C:\ProgramData\ESKSDU\WQD.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\PROGRA~3\ESKSDU\WQD.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ESKSDU\WQD.00

Filesize
2KB

MD5
91c5c31d240a797f668422badb64b40f

SHA1
22759b939c0706ac0d059abfd514ddb8700af8c8

SHA256
f2e66026cd23eaf605aab23880931f96fabdbf354552aa5deaa68b1137c6e199

SHA512
d8e04a746f4d137cfc8fbdb60cb4b63c3dbcb2d9f015c085c398f873923520d9794f99c74ea4f6a9736c0d848caf4472e070f9034eafe6ecd37aa7534ecb8c08

Download Submit
C:\ProgramData\ESKSDU\WQD.01

Filesize
79KB

MD5
5c3284d6f7c08908d5b7a8d8f862836a

SHA1
07a7f242ab34b864db7d2a3c1d259e85bd39db7d

SHA256
049f3bc323b3219c9b99255a4b170dd5b9d89369a539d74d3a4a9cd125d93a4c

SHA512
7fac2fcf19d76a78b1fd81e61035f4a3950ba6609d550f62054c37cc8faa2a871e566c49c64edb733557f1bf8cc5a43fcdc7dfb6fe9e03b049254f4a24542cbb

Download Submit
C:\ProgramData\ESKSDU\WQD.02

Filesize
54KB

MD5
df99d06b2e6614303a21bfb4b93a6b32

SHA1
2bf4c3e0e5ab3fd51c52d569f76c9b30f0e4a416

SHA256
4734ddf1600ad2957821c90bc9b67da3fab94dad6e6c90d47b656da8fad6c35c

SHA512
8ba323ce7c65d977049dd1758266ddd1545e12f8dda594a948a17c5610b057bec4ca69e450c742bf94a00a1fedda8ef3969baa9c142b93cacb838ffd979f39e7

Download Submit
\ProgramData\ESKSDU\WQD.exe

Filesize
2.6MB

MD5
29249516d7ec5a5fa4b37f2eab0db6a6

SHA1
9a87069dc06a65016ffe71c357f29a200be3ec0d

SHA256
4783503716d78d1c7ef3b4d1fd44b60d97aa0f52fb4c6b465e258425236b41a8

SHA512
7274d2de711b4878d409d2d847313fa7dea614109971c879851d66d310e443aab6635384e78d0c34f85c3124fa820aa8ea19636ba56736181b854f4061809991

Download Submit
memory/400-11-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/400-14-0x0000000000990000-0x00000000009A9000-memory.dmp

Filesize
100KB

Download
memory/400-15-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads