Malware Analysis Report

2025-08-10 19:08

Sample ID: 220115-emg8wacgbl
Target: f1ff0817cd12a7c79fe812becb7c34fbf07548b70d2e64485517f82971ff0525
SHA256: f1ff0817cd12a7c79fe812becb7c34fbf07548b70d2e64485517f82971ff0525
Tags: arkei, default, stealer
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V6
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: f1ff0817cd12a7c79fe812becb7c34fbf07548b70d2e64485517f82971ff0525

Threat Level: Known bad

The file f1ff0817cd12a7c79fe812becb7c34fbf07548b70d2e64485517f82971ff0525 was found to be: Known bad.

Malicious Activity Summary

Tags: arkei, default, stealer

Suspicious use of NtCreateProcessExOtherParentProcess

Arkei

Arkei Stealer Payload

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-01-15 04:03

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-01-15 04:03
Reported: 2022-01-15 04:05
Platform: win10v2004-en-20220112
Max time kernel: 4265058s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f1ff0817cd12a7c79fe812becb7c34fbf07548b70d2e64485517f82971ff0525.exe"

Signatures

Arkei

Tags: stealer, arkei

Suspicious use of NtCreateProcessExOtherParentProcess

Description           | Indicator | Process                          | Target
----------------------|-----------|----------------------------------|-------------------------------------------------------------------------------------------------------
PID 3428 created 3016 | N/A       | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\f1ff0817cd12a7c79fe812becb7c34fbf07548b70d2e64485517f82971ff0525.exe

Arkei Stealer Payload

Tags: stealer

Description | Indicator | Process | Target
------------|-----------|---------|-------
N/A         | N/A       | N/A     | N/A
N/A         | N/A       | N/A     | N/A

Checks processor information in registry

Description       | Indicator                                                                                  | Process                                  | Target
------------------|--------------------------------------------------------------------------------------------|------------------------------------------|-------
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString        | C:\Windows\SysWOW64\WerFault.exe         | N/A
Key opened        | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0                           | C:\Windows\system32\MusNotification.exe  | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                      | C:\Windows\system32\MusNotification.exe  | N/A
Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                           | C:\Windows\SysWOW64\WerFault.exe         | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                      | C:\Windows\SysWOW64\WerFault.exe         | N/A

Enumerates system info in registry

Description       | Indicator                                              | Process                          | Target
------------------|--------------------------------------------------------|----------------------------------|-------
Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\BIOS     | C:\Windows\SysWOW64\WerFault.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SysWOW64\WerFault.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process                          | Target
------------|-----------|----------------------------------|-------
N/A         | N/A       | C:\Windows\SysWOW64\WerFault.exe | N/A
N/A         | N/A       | C:\Windows\SysWOW64\WerFault.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description                      | Indicator | Process                                 | Target
---------------------------------|-----------|-----------------------------------------|-------
Token: SeShutdownPrivilege       | N/A       | C:\Windows\system32\MusNotification.exe | N/A
Token: SeCreatePagefilePrivilege | N/A       | C:\Windows\system32\MusNotification.exe | N/A
Token: SeRestorePrivilege        | N/A       | C:\Windows\SysWOW64\WerFault.exe        | N/A
Token: SeBackupPrivilege         | N/A       | C:\Windows\SysWOW64\WerFault.exe        | N/A

Processes

Process                                                                                                 | Command line
--------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------
C:\Users\Admin\AppData\Local\Temp\f1ff0817cd12a7c79fe812becb7c34fbf07548b70d2e64485517f82971ff0525.exe | "C:\Users\Admin\AppData\Local\Temp\f1ff0817cd12a7c79fe812becb7c34fbf07548b70d2e64485517f82971ff0525.exe"
C:\Windows\SysWOW64\WerFault.exe                                                                        | C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3016 -ip 3016
C:\Windows\system32\MusNotification.exe                                                                 | C:\Windows\system32\MusNotification.exe
C:\Windows\SysWOW64\WerFault.exe                                                                        | C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 552

Network

Country | Destination         | Domain                                        | Proto
--------|---------------------|-----------------------------------------------|------
US      | 8.8.8.8:53          | time.windows.com                              | udp
US      | 8.8.8.8:53          | slscr.update.microsoft.com                    | udp
IE      | 20.54.89.106:443    | slscr.update.microsoft.com                    | tcp
US      | 8.8.8.8:53          | arc.msn.com                                   | udp
US      | 52.184.215.140:443  | arc.msn.com                                   | tcp
US      | 8.8.8.8:53          | fe3cr.delivery.mp.microsoft.com               | udp
US      | 8.8.8.8:53          | fe3cr.delivery.mp.microsoft.com               | udp
IE      | 20.54.89.15:443     | fe3cr.delivery.mp.microsoft.com               | tcp
US      | 8.8.8.8:53          | slscr.update.microsoft.com                    | udp
IE      | 20.54.89.106:443    | slscr.update.microsoft.com                    | tcp
BE      | 67.27.153.131:80    |                                               | tcp
IE      | 20.54.89.106:443    | slscr.update.microsoft.com                    | tcp
US      | 168.61.215.74:123   | time.windows.com                              | udp
US      | 8.8.8.8:53          | ris.api.iris.microsoft.com                    | udp
US      | 52.252.42.28:443    | ris.api.iris.microsoft.com                    | tcp
US      | 8.8.8.8:53          | img-prod-cms-rt-microsoft-com.akamaized.net   | udp
FR      | 2.22.22.218:443     | img-prod-cms-rt-microsoft-com.akamaized.net   | tcp
IE      | 20.54.89.106:443    | slscr.update.microsoft.com                    | tcp

Files

memory/3016-130-0x000000000059E000-0x00000000005AF000-memory.dmp
memory/3016-132-0x0000000000400000-0x0000000000560000-memory.dmp
memory/3016-131-0x00000000022A0000-0x00000000022BC000-memory.dmp