Analysis
max time kernel: 4265058s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 15/01/2022, 03:02
Static task: static1

General
Target: 080d41ef097ff4647c9b7901ddc8fc3ffdb3c9cb0f360e3fe96a591a9f8089a6.exe
Size: 321KB
MD5: 6e523997cd54aed7677321782220c00c
SHA1: 7cd2498ea34d7d80e41697e6adc2a07bb018acc0
SHA256: 080d41ef097ff4647c9b7901ddc8fc3ffdb3c9cb0f360e3fe96a591a9f8089a6
SHA512: 5d772e0618cf0583f3eae92391c003800d86562bf80bc9c6c456746449373038e058057a4d633ac69a609a6ef733cc672bdaefd3825c2a39e9f71d26cb678cb6
Malware Config
Extracted
Family: arkei
Botnet: Default
C2: http://file-file-host4.com/tratata.php
Signatures

Note on attribution: apart from the two YARA hits, every IoC below is recorded against WerFault.exe (the Windows Error Reporting handler started for the crashed sample, PID 2144) or MusNotification.exe (a Windows Update notification component), not against the submitted executable. Treat the registry reads, token adjustments and cross-process memory writes as crash-handling and OS background activity; the sample itself crashed shortly after launch.

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
description               pid    Process        procid_target
PID 3052 created 2144     3052   WerFault.exe   52

Arkei Stealer Payload (2 IoCs)
resource                                                                         yara_rule
behavioral1/memory/2144-131-0x00000000007F0000-0x000000000080C000-memory.dmp     family_arkei
behavioral1/memory/2144-132-0x0000000000400000-0x0000000000560000-memory.dmp     family_arkei
Both matches are in the sample's own process (PID 2144). The second region, 0x400000-0x560000 (0x160000 bytes), is consistent with the default image base of a 32-bit executable (the crash is handled by the SysWOW64 WerFault, confirming a 32-bit process) and is far larger than the 321KB file on disk, as expected for a payload that unpacks in memory.

Program crash (1 IoC)
pid    pid_target   Process        procid_target
3100   2144         WerFault.exe   52

Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandboxing environments. Here all five reads come from MusNotification.exe and WerFault.exe, so this signature does not evidence sandbox evasion by the sample.
description         ioc                                                                               Process
Key opened          \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0                  MusNotification.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz             MusNotification.exe
Key opened          \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                  WerFault.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz             WerFault.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   WerFault.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
description         ioc                                                         Process
Key opened          \REGISTRY\MACHINE\Hardware\Description\System\BIOS          WerFault.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU   WerFault.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid    Process
3100   WerFault.exe
3100   WerFault.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description                          pid    Process
Token: SeShutdownPrivilege           616    MusNotification.exe
Token: SeCreatePagefilePrivilege     616    MusNotification.exe
Token: SeRestorePrivilege            3100   WerFault.exe
Token: SeBackupPrivilege             3100   WerFault.exe

Suspicious use of WriteProcessMemory (2 IoCs)
description                          pid    Process        procid_target
PID 3052 wrote to memory of 2144     3052   WerFault.exe   52
PID 3052 wrote to memory of 2144     3052   WerFault.exe   52
Processes

C:\Users\Admin\AppData\Local\Temp\080d41ef097ff4647c9b7901ddc8fc3ffdb3c9cb0f360e3fe96a591a9f8089a6.exe (PID 2144)
  command line: "C:\Users\Admin\AppData\Local\Temp\080d41ef097ff4647c9b7901ddc8fc3ffdb3c9cb0f360e3fe96a591a9f8089a6.exe"
  child: C:\Windows\SysWOW64\WerFault.exe (PID 3100)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 560
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\MusNotification.exe (PID 616)
  command line: C:\Windows\system32\MusNotification.exe
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe (PID 3052)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2144 -ip 2144
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of WriteProcessMemory
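The two pieces of this report that actually carry signal are the memory-dump resource names of the family_arkei YARA hits and the WerFault.exe command lines, because together they tell you which process held the payload and which process crashed. The script below is an added example, not part of the sandbox report or of any vendor tooling: it parses those strings (the inputs are copied from the report; the `<run>/memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp` naming scheme and the WerFault switch layout are assumed from what is visible on this page), computes the size of each matched region, and checks whether the Arkei payload sat in the same process that WER was invoked for, which distinguishes "the sample itself unpacked in memory" from "the sample injected into another process".

```python
"""Turn the flattened Arkei report above into structured triage facts.

Added example; not the sandbox's own code. Inputs are copied from the
report. The resource-name and WerFault command-line formats are assumed
from the strings shown on the page.
"""
import re
from dataclasses import dataclass

# Constructed from the report: the two family_arkei YARA hits and the two
# WerFault.exe command lines.
ARKEI_HITS = [
    "behavioral1/memory/2144-131-0x00000000007F0000-0x000000000080C000-memory.dmp",
    "behavioral1/memory/2144-132-0x0000000000400000-0x0000000000560000-memory.dmp",
]
WERFAULT_CMDLINES = [
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 560",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2144 -ip 2144",
]

# <run>/memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp (format assumed from the page)
MEMDUMP_RE = re.compile(
    r"^(?P<run>[^/]+)/memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


@dataclass(frozen=True)
class MemRegion:
    run: str
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_memdump_name(name: str) -> MemRegion:
    """Split a sandbox memory-dump resource name into pid and address range."""
    m = MEMDUMP_RE.match(name)
    if m is None:
        raise ValueError(f"unexpected memory-dump resource name: {name!r}")
    return MemRegion(
        run=m["run"],
        pid=int(m["pid"]),
        index=int(m["idx"]),
        start=int(m["start"], 16),
        end=int(m["end"], 16),
    )


def parse_werfault_cmdline(cmdline: str) -> dict:
    """Tokenise WerFault.exe switches: a switch followed by a value keeps it, a bare one maps to True."""
    tokens = cmdline.split()[1:]  # drop the executable path
    opts: dict = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            opts[tok] = tokens[i + 1]
            i += 2
        else:
            opts[tok] = True
            i += 1
    return opts


def summarize(hits: list, cmdlines: list) -> dict:
    """Correlate YARA-hit regions with the process WerFault was invoked for (-p <pid>)."""
    regions = [parse_memdump_name(h) for h in hits]
    arkei_pids = {r.pid for r in regions}
    werfault_targets = {int(parse_werfault_cmdline(c)["-p"]) for c in cmdlines}
    return {
        "regions": regions,
        "arkei_pids": arkei_pids,
        "werfault_targets": werfault_targets,
        # True: every payload hit is in a process WER handled a crash for,
        # i.e. the sample itself rather than a process it injected into.
        "payload_in_crashed_process": arkei_pids <= werfault_targets,
        "largest_region_size": max(r.size for r in regions),
    }


if __name__ == "__main__":
    s = summarize(ARKEI_HITS, WERFAULT_CMDLINES)
    for r in s["regions"]:
        print(f"pid {r.pid} region {r.index}: 0x{r.start:08X}-0x{r.end:08X} ({r.size:#x} bytes)")
    print("Arkei payload pids:", sorted(s["arkei_pids"]))
    print("WerFault target pids:", sorted(s["werfault_targets"]))
    print("payload sits in the crashed process:", s["payload_in_crashed_process"])
```

For this report both hits resolve to PID 2144 and both WerFault invocations name `-p 2144`, so the payload was found in the sample's own process; the larger region (0x160000 bytes) dwarfs the 321KB file on disk, which is what an in-memory unpack looks like. Run the same script over a report where the YARA hit pid differs from the WerFault target and `payload_in_crashed_process` flips to False, pointing you at process injection instead.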