arkei | 0e01d2215e00c2a03a93b72a13476c588fbd383d4367e3d85265969e65dff388

Analysis

max time kernel
140s
max time network
160s
platform
windows7_x64
resource
win7-en-20210920
submitted
21-10-2021 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52241b7a6707a79755e1386a26bce09c.exe
Size

502KB
MD5

52241b7a6707a79755e1386a26bce09c
SHA1

bd2f102d6f10cde689835418f213db6b0713c2cd
SHA256

0e01d2215e00c2a03a93b72a13476c588fbd383d4367e3d85265969e65dff388
SHA512

b4f781a8344d9db9ba3ee6d54c9a2c614a3b0699c05f527b1cfd22775613c8f902eb95553b7f3a56b8a1b5b6b7715b0491159d8bcc9dc712129512551d65ea05

Score

10^/10

arkei fickerstealer default discovery infostealer persistence spyware stealer suricata

Malware Config

Extracted

Family

fickerstealer

game2030.site:80

Extracted

Family

arkei

Botnet

Default

http://gurums.online/ggate.php

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
Fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer
suricata: ET MALWARE Win32/Ficker Stealer Activity M3
suricata: ET MALWARE Win32/Ficker Stealer Activity M3
suricata

Arkei Stealer Payload 7 IoCs

stealer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\1634839813045.exe	family_arkei
C:\Users\Admin\AppData\Local\Temp\1634839813045.exe	family_arkei
\Users\Admin\AppData\Local\Temp\1634839813045.exe	family_arkei
C:\Users\Admin\AppData\Local\Temp\1634839813045.exe	family_arkei
\Users\Admin\AppData\Local\Temp\1634839813045.exe	family_arkei
\Users\Admin\AppData\Local\Temp\1634839813045.exe	family_arkei
\Users\Admin\AppData\Local\Temp\1634839813045.exe	family_arkei

Executes dropped EXE 3 IoCs

Processes:

1634839812951.exe1634839813045.exehvytube.exe

pid process

1956 1634839812951.exe
1936 1634839813045.exe
1764 hvytube.exe

pid	process
1956	1634839812951.exe
1936	1634839813045.exe
1764	hvytube.exe

Loads dropped DLL 7 IoCs

Processes:

52241b7a6707a79755e1386a26bce09c.exeWerFault.exe1634839812951.exe

pid	process
888	52241b7a6707a79755e1386a26bce09c.exe
888	52241b7a6707a79755e1386a26bce09c.exe
888	52241b7a6707a79755e1386a26bce09c.exe
1832	WerFault.exe
1832	WerFault.exe
1832	WerFault.exe
1956	1634839812951.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1634839812951.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\HVYtube = "C:\\Users\\Admin\\AppData\\Roaming\\HVYtube\\hvytube.exe"	1634839812951.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

52241b7a6707a79755e1386a26bce09c.exe

description pid process target process

PID 1880 set thread context of 888 1880 52241b7a6707a79755e1386a26bce09c.exe 52241b7a6707a79755e1386a26bce09c.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1832 1936 WerFault.exe 1634839813045.exe

flow	ioc
4	api.ipify.org

description	pid	process	target process
PID 1880 set thread context of 888	1880	52241b7a6707a79755e1386a26bce09c.exe	52241b7a6707a79755e1386a26bce09c.exe

pid	pid_target	process	target process
1832	1936	WerFault.exe	1634839813045.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

52241b7a6707a79755e1386a26bce09c.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	52241b7a6707a79755e1386a26bce09c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	52241b7a6707a79755e1386a26bce09c.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

hvytube.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	hvytube.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	hvytube.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	hvytube.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	hvytube.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	hvytube.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	hvytube.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

52241b7a6707a79755e1386a26bce09c.exeWerFault.exe

pid process

888 52241b7a6707a79755e1386a26bce09c.exe
1832 WerFault.exe
1832 WerFault.exe
1832 WerFault.exe
1832 WerFault.exe
1832 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1832 WerFault.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

WerFault.exehvytube.exe

description pid process

Token: SeDebugPrivilege 1832 WerFault.exe
Token: SeDebugPrivilege 1764 hvytube.exe

pid	process
1832	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1832	WerFault.exe
Token: SeDebugPrivilege	1764	hvytube.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

52241b7a6707a79755e1386a26bce09c.exe52241b7a6707a79755e1386a26bce09c.exe1634839813045.exe1634839812951.exe

description	pid	process	target process
PID 1880 wrote to memory of 888	1880	52241b7a6707a79755e1386a26bce09c.exe	52241b7a6707a79755e1386a26bce09c.exe
PID 1880 wrote to memory of 888	1880	52241b7a6707a79755e1386a26bce09c.exe	52241b7a6707a79755e1386a26bce09c.exe
PID 1880 wrote to memory of 888	1880	52241b7a6707a79755e1386a26bce09c.exe	52241b7a6707a79755e1386a26bce09c.exe
PID 1880 wrote to memory of 888	1880	52241b7a6707a79755e1386a26bce09c.exe	52241b7a6707a79755e1386a26bce09c.exe
PID 1880 wrote to memory of 888	1880	52241b7a6707a79755e1386a26bce09c.exe	52241b7a6707a79755e1386a26bce09c.exe
PID 1880 wrote to memory of 888	1880	52241b7a6707a79755e1386a26bce09c.exe	52241b7a6707a79755e1386a26bce09c.exe
PID 1880 wrote to memory of 888	1880	52241b7a6707a79755e1386a26bce09c.exe	52241b7a6707a79755e1386a26bce09c.exe
PID 1880 wrote to memory of 888	1880	52241b7a6707a79755e1386a26bce09c.exe	52241b7a6707a79755e1386a26bce09c.exe
PID 1880 wrote to memory of 888	1880	52241b7a6707a79755e1386a26bce09c.exe	52241b7a6707a79755e1386a26bce09c.exe
PID 1880 wrote to memory of 888	1880	52241b7a6707a79755e1386a26bce09c.exe	52241b7a6707a79755e1386a26bce09c.exe
PID 1880 wrote to memory of 888	1880	52241b7a6707a79755e1386a26bce09c.exe	52241b7a6707a79755e1386a26bce09c.exe
PID 1880 wrote to memory of 888	1880	52241b7a6707a79755e1386a26bce09c.exe	52241b7a6707a79755e1386a26bce09c.exe
PID 1880 wrote to memory of 888	1880	52241b7a6707a79755e1386a26bce09c.exe	52241b7a6707a79755e1386a26bce09c.exe
PID 1880 wrote to memory of 888	1880	52241b7a6707a79755e1386a26bce09c.exe	52241b7a6707a79755e1386a26bce09c.exe
PID 1880 wrote to memory of 888	1880	52241b7a6707a79755e1386a26bce09c.exe	52241b7a6707a79755e1386a26bce09c.exe
PID 1880 wrote to memory of 888	1880	52241b7a6707a79755e1386a26bce09c.exe	52241b7a6707a79755e1386a26bce09c.exe
PID 1880 wrote to memory of 888	1880	52241b7a6707a79755e1386a26bce09c.exe	52241b7a6707a79755e1386a26bce09c.exe
PID 1880 wrote to memory of 888	1880	52241b7a6707a79755e1386a26bce09c.exe	52241b7a6707a79755e1386a26bce09c.exe
PID 1880 wrote to memory of 888	1880	52241b7a6707a79755e1386a26bce09c.exe	52241b7a6707a79755e1386a26bce09c.exe
PID 1880 wrote to memory of 888	1880	52241b7a6707a79755e1386a26bce09c.exe	52241b7a6707a79755e1386a26bce09c.exe
PID 888 wrote to memory of 1956	888	52241b7a6707a79755e1386a26bce09c.exe	1634839812951.exe
PID 888 wrote to memory of 1956	888	52241b7a6707a79755e1386a26bce09c.exe	1634839812951.exe
PID 888 wrote to memory of 1956	888	52241b7a6707a79755e1386a26bce09c.exe	1634839812951.exe
PID 888 wrote to memory of 1956	888	52241b7a6707a79755e1386a26bce09c.exe	1634839812951.exe
PID 888 wrote to memory of 1936	888	52241b7a6707a79755e1386a26bce09c.exe	1634839813045.exe
PID 888 wrote to memory of 1936	888	52241b7a6707a79755e1386a26bce09c.exe	1634839813045.exe
PID 888 wrote to memory of 1936	888	52241b7a6707a79755e1386a26bce09c.exe	1634839813045.exe
PID 888 wrote to memory of 1936	888	52241b7a6707a79755e1386a26bce09c.exe	1634839813045.exe
PID 1936 wrote to memory of 1832	1936	1634839813045.exe	WerFault.exe
PID 1936 wrote to memory of 1832	1936	1634839813045.exe	WerFault.exe
PID 1936 wrote to memory of 1832	1936	1634839813045.exe	WerFault.exe
PID 1936 wrote to memory of 1832	1936	1634839813045.exe	WerFault.exe
PID 1956 wrote to memory of 1764	1956	1634839812951.exe	hvytube.exe
PID 1956 wrote to memory of 1764	1956	1634839812951.exe	hvytube.exe
PID 1956 wrote to memory of 1764	1956	1634839812951.exe	hvytube.exe
PID 1956 wrote to memory of 1764	1956	1634839812951.exe	hvytube.exe

C:\Users\Admin\AppData\Local\Temp\52241b7a6707a79755e1386a26bce09c.exe
"C:\Users\Admin\AppData\Local\Temp\52241b7a6707a79755e1386a26bce09c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1880

C:\Users\Admin\AppData\Local\Temp\52241b7a6707a79755e1386a26bce09c.exe
"C:\Users\Admin\AppData\Local\Temp\52241b7a6707a79755e1386a26bce09c.exe"
2⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:888

C:\Users\Admin\AppData\Local\Temp\1634839812951.exe
"C:\Users\Admin\AppData\Local\Temp\1634839812951.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Admin\AppData\Roaming\HVYtube\hvytube.exe
"C:\Users\Admin\AppData\Roaming\HVYtube\hvytube.exe"
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Users\Admin\AppData\Local\Temp\1634839813045.exe
"C:\Users\Admin\AppData\Local\Temp\1634839813045.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 760
4⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1634839812951.exe
MD5
07c4277b0278cafddb023934c154cc56

SHA1
8fc547689272aa2f26e5721264d4260caae499c0

SHA256
9d8a5319cffb73b9a8fd90118e60a6e3cf632c44bf754566c00cd02123efadd8

SHA512
21276a78dfe0316fa7212791110d42971d3a9c6981be2ab33ac078d40782c0c2584d9695c0280617884922f99cb9a13b6106b9d78f0e61cd84627e04c0c10678

Download Submit
C:\Users\Admin\AppData\Local\Temp\1634839812951.exe
MD5
07c4277b0278cafddb023934c154cc56

SHA1
8fc547689272aa2f26e5721264d4260caae499c0

SHA256
9d8a5319cffb73b9a8fd90118e60a6e3cf632c44bf754566c00cd02123efadd8

SHA512
21276a78dfe0316fa7212791110d42971d3a9c6981be2ab33ac078d40782c0c2584d9695c0280617884922f99cb9a13b6106b9d78f0e61cd84627e04c0c10678

Download Submit
C:\Users\Admin\AppData\Local\Temp\1634839813045.exe
MD5
4bb65548f890bed129c141c3c04fc8c4

SHA1
39257aa791e39dd40a79d1c33c35c30010a98e0d

SHA256
681dd3210d7550268f684628dd7946349ac3a97a6331c5567241a4caf4d7987c

SHA512
48cf64f34f25fb2bff641c54cc1a777c64f13890f0d4bb812758479ff876ae8a9d1edc6eb7da5ed0a1e5a22166bfe4366367d329bb65150d0430458447467587

Download Submit
C:\Users\Admin\AppData\Local\Temp\1634839813045.exe
MD5
4bb65548f890bed129c141c3c04fc8c4

SHA1
39257aa791e39dd40a79d1c33c35c30010a98e0d

SHA256
681dd3210d7550268f684628dd7946349ac3a97a6331c5567241a4caf4d7987c

SHA512
48cf64f34f25fb2bff641c54cc1a777c64f13890f0d4bb812758479ff876ae8a9d1edc6eb7da5ed0a1e5a22166bfe4366367d329bb65150d0430458447467587

Download Submit
C:\Users\Admin\AppData\Roaming\HVYtube\hvytube.exe
MD5
07c4277b0278cafddb023934c154cc56

SHA1
8fc547689272aa2f26e5721264d4260caae499c0

SHA256
9d8a5319cffb73b9a8fd90118e60a6e3cf632c44bf754566c00cd02123efadd8

SHA512
21276a78dfe0316fa7212791110d42971d3a9c6981be2ab33ac078d40782c0c2584d9695c0280617884922f99cb9a13b6106b9d78f0e61cd84627e04c0c10678

Download Submit
C:\Users\Admin\AppData\Roaming\HVYtube\hvytube.exe
MD5
07c4277b0278cafddb023934c154cc56

SHA1
8fc547689272aa2f26e5721264d4260caae499c0

SHA256
9d8a5319cffb73b9a8fd90118e60a6e3cf632c44bf754566c00cd02123efadd8

SHA512
21276a78dfe0316fa7212791110d42971d3a9c6981be2ab33ac078d40782c0c2584d9695c0280617884922f99cb9a13b6106b9d78f0e61cd84627e04c0c10678

Download Submit
\Users\Admin\AppData\Local\Temp\1634839812951.exe
MD5
07c4277b0278cafddb023934c154cc56

SHA1
8fc547689272aa2f26e5721264d4260caae499c0

SHA256
9d8a5319cffb73b9a8fd90118e60a6e3cf632c44bf754566c00cd02123efadd8

SHA512
21276a78dfe0316fa7212791110d42971d3a9c6981be2ab33ac078d40782c0c2584d9695c0280617884922f99cb9a13b6106b9d78f0e61cd84627e04c0c10678

Download Submit
\Users\Admin\AppData\Local\Temp\1634839813045.exe
MD5
4bb65548f890bed129c141c3c04fc8c4

SHA1
39257aa791e39dd40a79d1c33c35c30010a98e0d

SHA256
681dd3210d7550268f684628dd7946349ac3a97a6331c5567241a4caf4d7987c

SHA512
48cf64f34f25fb2bff641c54cc1a777c64f13890f0d4bb812758479ff876ae8a9d1edc6eb7da5ed0a1e5a22166bfe4366367d329bb65150d0430458447467587

Download Submit
\Users\Admin\AppData\Local\Temp\1634839813045.exe
MD5
4bb65548f890bed129c141c3c04fc8c4

SHA1
39257aa791e39dd40a79d1c33c35c30010a98e0d

SHA256
681dd3210d7550268f684628dd7946349ac3a97a6331c5567241a4caf4d7987c

SHA512
48cf64f34f25fb2bff641c54cc1a777c64f13890f0d4bb812758479ff876ae8a9d1edc6eb7da5ed0a1e5a22166bfe4366367d329bb65150d0430458447467587

Download Submit
\Users\Admin\AppData\Local\Temp\1634839813045.exe
MD5
4bb65548f890bed129c141c3c04fc8c4

SHA1
39257aa791e39dd40a79d1c33c35c30010a98e0d

SHA256
681dd3210d7550268f684628dd7946349ac3a97a6331c5567241a4caf4d7987c

SHA512
48cf64f34f25fb2bff641c54cc1a777c64f13890f0d4bb812758479ff876ae8a9d1edc6eb7da5ed0a1e5a22166bfe4366367d329bb65150d0430458447467587

Download Submit
\Users\Admin\AppData\Local\Temp\1634839813045.exe
MD5
4bb65548f890bed129c141c3c04fc8c4

SHA1
39257aa791e39dd40a79d1c33c35c30010a98e0d

SHA256
681dd3210d7550268f684628dd7946349ac3a97a6331c5567241a4caf4d7987c

SHA512
48cf64f34f25fb2bff641c54cc1a777c64f13890f0d4bb812758479ff876ae8a9d1edc6eb7da5ed0a1e5a22166bfe4366367d329bb65150d0430458447467587

Download Submit
\Users\Admin\AppData\Local\Temp\1634839813045.exe
MD5
4bb65548f890bed129c141c3c04fc8c4

SHA1
39257aa791e39dd40a79d1c33c35c30010a98e0d

SHA256
681dd3210d7550268f684628dd7946349ac3a97a6331c5567241a4caf4d7987c

SHA512
48cf64f34f25fb2bff641c54cc1a777c64f13890f0d4bb812758479ff876ae8a9d1edc6eb7da5ed0a1e5a22166bfe4366367d329bb65150d0430458447467587

Download Submit
\Users\Admin\AppData\Roaming\HVYtube\hvytube.exe
MD5
07c4277b0278cafddb023934c154cc56

SHA1
8fc547689272aa2f26e5721264d4260caae499c0

SHA256
9d8a5319cffb73b9a8fd90118e60a6e3cf632c44bf754566c00cd02123efadd8

SHA512
21276a78dfe0316fa7212791110d42971d3a9c6981be2ab33ac078d40782c0c2584d9695c0280617884922f99cb9a13b6106b9d78f0e61cd84627e04c0c10678

Download Submit
memory/888-55-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/888-57-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/888-56-0x0000000000401480-mapping.dmp

Download
memory/888-59-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1764-86-0x0000000005A20000-0x0000000005AF7000-memory.dmp

Filesize
860KB

Download
memory/1764-89-0x0000000002390000-0x0000000002395000-memory.dmp

Filesize
20KB

Download
memory/1764-95-0x00000000062E0000-0x0000000006380000-memory.dmp

Filesize
640KB

Download
memory/1764-94-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/1764-78-0x0000000000000000-mapping.dmp

Download
memory/1764-93-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/1764-92-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/1764-81-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1764-91-0x0000000005D00000-0x0000000005D8F000-memory.dmp

Filesize
572KB

Download
memory/1764-85-0x0000000000780000-0x0000000000786000-memory.dmp

Filesize
24KB

Download
memory/1764-90-0x0000000002400000-0x0000000002406000-memory.dmp

Filesize
24KB

Download
memory/1764-87-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/1764-88-0x0000000006110000-0x00000000061CA000-memory.dmp

Filesize
744KB

Download
memory/1832-71-0x0000000000000000-mapping.dmp

Download
memory/1832-82-0x00000000003C0000-0x00000000003DB000-memory.dmp

Filesize
108KB

Download
memory/1880-54-0x00000000030BD000-0x00000000030E5000-memory.dmp

Filesize
160KB

Download
memory/1880-58-0x0000000000220000-0x0000000000267000-memory.dmp

Filesize
284KB

Download
memory/1936-65-0x0000000000000000-mapping.dmp

Download
memory/1956-61-0x0000000000000000-mapping.dmp

Download
memory/1956-69-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download