Analysis Overview
SHA256
f1ff0817cd12a7c79fe812becb7c34fbf07548b70d2e64485517f82971ff0525
Threat Level: Known bad
The file f1ff0817cd12a7c79fe812becb7c34fbf07548b70d2e64485517f82971ff0525 was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateProcessExOtherParentProcess
Arkei
Arkei Stealer Payload
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-15 04:03
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-15 04:03
Reported
2022-01-15 04:05
Platform
win10v2004-en-20220112
Max time kernel
4265058s
Max time network
148s
Command Line
Signatures
Arkei
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3428 created 3016 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\f1ff0817cd12a7c79fe812becb7c34fbf07548b70d2e64485517f82971ff0525.exe |
Arkei Stealer Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\f1ff0817cd12a7c79fe812becb7c34fbf07548b70d2e64485517f82971ff0525.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\MusNotification.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\MusNotification.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\WerFault.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\MusNotification.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\MusNotification.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3428 wrote to memory of 3016 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\f1ff0817cd12a7c79fe812becb7c34fbf07548b70d2e64485517f82971ff0525.exe |
| PID 3428 wrote to memory of 3016 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\f1ff0817cd12a7c79fe812becb7c34fbf07548b70d2e64485517f82971ff0525.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\f1ff0817cd12a7c79fe812becb7c34fbf07548b70d2e64485517f82971ff0525.exe
"C:\Users\Admin\AppData\Local\Temp\f1ff0817cd12a7c79fe812becb7c34fbf07548b70d2e64485517f82971ff0525.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3016 -ip 3016
C:\Windows\system32\MusNotification.exe
C:\Windows\system32\MusNotification.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 552
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | time.windows.com | udp |
| US | 8.8.8.8:53 | slscr.update.microsoft.com | udp |
| IE | 20.54.89.106:443 | slscr.update.microsoft.com | tcp |
| US | 8.8.8.8:53 | arc.msn.com | udp |
| US | 52.184.215.140:443 | arc.msn.com | tcp |
| US | 8.8.8.8:53 | fe3cr.delivery.mp.microsoft.com | udp |
| US | 8.8.8.8:53 | fe3cr.delivery.mp.microsoft.com | udp |
| IE | 20.54.89.15:443 | fe3cr.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | slscr.update.microsoft.com | udp |
| IE | 20.54.89.106:443 | slscr.update.microsoft.com | tcp |
| BE | 67.27.153.131:80 | tcp | |
| IE | 20.54.89.106:443 | slscr.update.microsoft.com | tcp |
| US | 168.61.215.74:123 | time.windows.com | udp |
| US | 8.8.8.8:53 | ris.api.iris.microsoft.com | udp |
| US | 52.252.42.28:443 | ris.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | img-prod-cms-rt-microsoft-com.akamaized.net | udp |
| FR | 2.22.22.218:443 | img-prod-cms-rt-microsoft-com.akamaized.net | tcp |
| IE | 20.54.89.106:443 | slscr.update.microsoft.com | tcp |
Files
memory/3016-130-0x000000000059E000-0x00000000005AF000-memory.dmp
memory/3016-132-0x0000000000400000-0x0000000000560000-memory.dmp
memory/3016-131-0x00000000022A0000-0x00000000022BC000-memory.dmp