ardamax | 13a9a83e4ec878108d47579ccd31dba1aef7c19914508fabc06de056f4ed9a49

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-01-2025 03:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Flash.exe
Size

2.7MB
MD5

68596193b287a9ff66b1406b2dbe2309
SHA1

30a1fcb6fdbcf1bee0f4213dd5321906b79c5536
SHA256

019fcd5f000365cb5b14ffaebce10edafa69ce0cb66637ed338de084a7fdd006
SHA512

7316aca68bd0f3891f5f5d8b154b9cfc477214c8941a0be008d7fd241c508bdb4bb1a81d92d66cc658144e4f3da6a29be6aa4293e1570786248bb1355bf7ba2b
SSDEEP

49152:29L+blz0SJWCxWBrg8B1wva4Hpjnt4a7szAFpQFYzK22LSJ282:2XC8B1r4Jrt48s8FpQHea

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0006000000016d4f-21.dat	family_ardamax

Executes dropped EXE 3 IoCs

pid	Process
2248	Install.exe
2544	UTRN.exe
2872	FP_PL_~1.EXE

Loads dropped DLL 21 IoCs

pid	Process
3004	Flash.exe
2248	Install.exe
2248	Install.exe
2248	Install.exe
2248	Install.exe
2248	Install.exe
2544	UTRN.exe
2544	UTRN.exe
2544	UTRN.exe
2544	UTRN.exe
3004	Flash.exe
2872	FP_PL_~1.EXE
2872	FP_PL_~1.EXE
2872	FP_PL_~1.EXE
2872	FP_PL_~1.EXE
2872	FP_PL_~1.EXE
2872	FP_PL_~1.EXE
2872	FP_PL_~1.EXE
2872	FP_PL_~1.EXE
2872	FP_PL_~1.EXE
2872	FP_PL_~1.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Flash.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UTRN Agent = "C:\\Windows\\SysWOW64\\28463\\UTRN.exe"	UTRN.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\UTRN.001	Install.exe
File created	C:\Windows\SysWOW64\28463\UTRN.006	Install.exe
File created	C:\Windows\SysWOW64\28463\UTRN.exe	Install.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\28463	UTRN.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll	FP_PL_~1.EXE
File created	C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_FlashUtil.exe	FP_PL_~1.EXE
File created	C:\Windows\SysWOW64\Macromed\Flash\flashplayer.xpt	FP_PL_~1.EXE
File created	C:\Windows\SysWOW64\28463\UTRN.007	Install.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\install.log	FP_PL_~1.EXE
File created	C:\Windows\SysWOW64\Macromed\Flash\uninstall_plugin.exe	FP_PL_~1.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UTRN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FP_PL_~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flash.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0008000000015d81-40.dat	nsis_installer_1
behavioral1/files/0x0006000000017491-71.dat	nsis_installer_1

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2544	UTRN.exe
Token: SeIncBasePriorityPrivilege	2544	UTRN.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2544	UTRN.exe
2544	UTRN.exe
2544	UTRN.exe
2544	UTRN.exe
2544	UTRN.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2248	3004	Flash.exe	30
PID 3004 wrote to memory of 2248	3004	Flash.exe	30
PID 3004 wrote to memory of 2248	3004	Flash.exe	30
PID 3004 wrote to memory of 2248	3004	Flash.exe	30
PID 3004 wrote to memory of 2248	3004	Flash.exe	30
PID 3004 wrote to memory of 2248	3004	Flash.exe	30
PID 3004 wrote to memory of 2248	3004	Flash.exe	30
PID 2248 wrote to memory of 2544	2248	Install.exe	31
PID 2248 wrote to memory of 2544	2248	Install.exe	31
PID 2248 wrote to memory of 2544	2248	Install.exe	31
PID 2248 wrote to memory of 2544	2248	Install.exe	31
PID 2248 wrote to memory of 2544	2248	Install.exe	31
PID 2248 wrote to memory of 2544	2248	Install.exe	31
PID 2248 wrote to memory of 2544	2248	Install.exe	31
PID 3004 wrote to memory of 2872	3004	Flash.exe	32
PID 3004 wrote to memory of 2872	3004	Flash.exe	32
PID 3004 wrote to memory of 2872	3004	Flash.exe	32
PID 3004 wrote to memory of 2872	3004	Flash.exe	32
PID 3004 wrote to memory of 2872	3004	Flash.exe	32
PID 3004 wrote to memory of 2872	3004	Flash.exe	32
PID 3004 wrote to memory of 2872	3004	Flash.exe	32

C:\Users\Admin\AppData\Local\Temp\Flash.exe
"C:\Users\Admin\AppData\Local\Temp\Flash.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\SysWOW64\28463\UTRN.exe
    "C:\Windows\system32\28463\UTRN.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2544
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FP_PL_~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FP_PL_~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
46ccfd974518e5849738449034a05a17

SHA1
d391108816aed7ba8f7beb205ad7171c74eae6b2

SHA256
571aae1f8a260909dbc45c67b4c547fc573c07097b36d4e18db0e36d91deccfe

SHA512
773a40a37ebc54cbde7c40ca98001150e78da43726e475f1ee25ef869a39682c0fcd46fb57cf6130151cd8115aa6f2c196e57414affe464fd3b137eb5b317a7a

Download Submit
C:\Windows\SysWOW64\28463\UTRN.001

Filesize
392B

MD5
7fe1838a26f90f229d2a1f6c12c4cce4

SHA1
7ee5449d4745642a24eb0838e4e8dbbb21c347a3

SHA256
b60eb4538249af2baecc816f4333ba4604305248a32ae4ddf8796d9a9098134e

SHA512
dc94abafa2da8b29f047735e90834d79fde455f8a5c832b52d67f331b663a3b1cb0f178bbfb88845af7ec30f00b8a26e54e2428d98d2e9a099e3df0a3d109a38

Download Submit
C:\Windows\SysWOW64\28463\UTRN.006

Filesize
8KB

MD5
395bbef326fa5ad1216b23f5debf167b

SHA1
aa4a7334b5a693b3f0d6f47b568e0d13a593d782

SHA256
7c1c4ba8978d3ec53bc6da4d8f9e5e1ca52edf5ccf5ec19ef06b02055ff3b3d1

SHA512
dc3f3d7501feb10623807e89f28a0e38bdbbd4a7e2ad964c8ab33c392bde61896fe40bb7773f6309cd59ad9a686decbd81c15b588ac8d311fd2a273ac9410679

Download Submit
C:\Windows\SysWOW64\28463\UTRN.007

Filesize
5KB

MD5
1b5e72f0ebd49cf146f9ae68d792ffe5

SHA1
1e90a69c12b9a849fbbac0670296b07331c1cf87

SHA256
8f4485675fe35b14276f5c8af8a6b42f03cf1b5de638355e4c4b28397385e87e

SHA512
6364f5581de5aaec09b5d1c4e5745193f981ff93cf91e20c6c9ff56566b5d182ccbdacf9aeed1d7a01460eb21619e14ac4ab31b083a951b45b3b7f9d93a62ffc

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\uninstall_plugin.exe

Filesize
83KB

MD5
fdac33ad8581159d4aed755380268ded

SHA1
35c0ce663187e9f047845e3972efd93a9a2e91fb

SHA256
ff4f79d69c103d563db1bbe1939e21581e46c842e00d8f8afce8f7ae8023117d

SHA512
2e6728edd900f256e61abb99f9f8509d3cf1b098ee4984ceb21b414429c468f89c9787692068b4522f29fb293844c8af8ea8a5c99dbbbde9b2b857b0ee963769

Download Submit
\Users\Admin\AppData\Local\Temp\@A093.tmp

Filesize
4KB

MD5
a55cbc0f0125b005ef369020b4c17806

SHA1
010af3e2e84b337e91f5e0c791b01e1d527211ce

SHA256
27cfe74936e4090aafbef07ee45725923f4b1243135e1e3a51e3385dbcd7b637

SHA512
88e5f7905c86d73bc5af028f20c8bf49f700307926c5b92814c245abe08e9c35841116d428ddbd7b957b47ccc8980684c12608b6818e4b6c1c8c0d27d54a07be

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\FP_PL_~1.EXE

Filesize
1.8MB

MD5
2fb6513ba6ccb5d63ae6c3265570704d

SHA1
7d0709908162eddd1403401b8ce15cba68a477ee

SHA256
f158f44911146b61f0dea0851fb35cdc812f0786297ba11745fba32a4f8b06d2

SHA512
335d1dd7e5ac87be436550f7fbd1cb6387a68d377a756ec72f17aa31e10684c86fd989ed2b3d6829f31ce702dca7874ff29c01892e9c16745cff652feb81386f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

Filesize
842KB

MD5
c03c9bdc7079d64be6e8cdb38d0bf7df

SHA1
b195669c7e75ba609a2f00e3572875a16b0643e9

SHA256
974d89a69f9a14835a041e9a44794c11d1c9b2e104a30961fad6e15ce0d1cb2c

SHA512
6adf5dc67a978af2610736e504d62e4b31b4649816998e1275848b76364a3b2b3a202d54a4929fedbed9f5fac8dca6699b960cf9a81fb86d6944884ab9a66bca

Download Submit
\Users\Admin\AppData\Local\Temp\nsjA315.tmp\NSISArray.dll

Filesize
17KB

MD5
2b8574f6a8f5de9042baa43c069d20ba

SHA1
07959da0c6b7715b51f70f1b0aea1f56ba7a4559

SHA256
38654eef0ee3715f4b1268f4b4176a6b487a0a9e53a27a4ec0b84550ea173564

SHA512
f034f71b6a18ee8024d40acd3c097d95c8fd8e128d75075cc452e71898c1c0322f21b54bd39ca72d053d7261ffbab0c5c1f820602d52fc85806513a6fe317e88

Download Submit
\Users\Admin\AppData\Local\Temp\nsjA315.tmp\System.dll

Filesize
10KB

MD5
16ae54e23736352739d7ab156b1965ba

SHA1
14f8f04bed2d6adc07565d5c064f6931b128568f

SHA256
c11ffa087c6848f3870e6336d151f0ba6298c0e1e30ccddf2da25a06d36a61fc

SHA512
15dbfcdc5dc34cb20066120045e3250f8df9e50b91de043f2ada33ac0235907d98668e248828a7ed9c75e25dfb5103b7248867530ce73ee36f6a35c30b4afa9f

Download Submit
\Users\Admin\AppData\Local\Temp\nsjA315.tmp\UserInfo.dll

Filesize
4KB

MD5
68d73a95c628836b67ea5a717d74b38c

SHA1
935372db4a66f9dfd6c938724197787688e141b0

SHA256
21a373c52aaecce52b41aebe6d0224f53760fc3e5c575e821175eee3a1f7f226

SHA512
0e804deab4e647213132add4173c1d2c554c628816f56e21e274a40e185d90254e29c8bfc6fbfdfea2a492d43d23c0bfa4b276252a3f5e1993ab80ff832c4914

Download Submit
\Windows\SysWOW64\28463\UTRN.exe

Filesize
912KB

MD5
6768ba61744862704760b66ce8f8fdd4

SHA1
e86cbed8cf20c2a9c76219d0c434bc310ffb2392

SHA256
4cf4bf2b7d2bb4215e255e1f2b1238ad989f3c8a98ebfd5cb033bccf32fedaa0

SHA512
eadb56b633707724ef4f47f8b421b0f3b2afa5a9800fae030f81aefae483eed6b494da470278273f388c3ae346a33cbbfe742924d231dab1c9b42bbefaf95a61

Download Submit
memory/2248-27-0x0000000002920000-0x0000000002A03000-memory.dmp

Filesize
908KB

Download
memory/2544-39-0x00000000004F0000-0x00000000005D3000-memory.dmp

Filesize
908KB

Download
memory/2544-28-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/2544-94-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads