Analysis

  • max time kernel
    117s
  • max time network
    122s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    17/01/2022, 08:46

General

  • Target

    f8f3a30f2e20482b95fcb7424ede443d2b4dd31ce6b4bdee484d01c2af5000de.exe

  • Size

    279KB

  • MD5

    322662f080783dcbb75ccff43ca6543f

  • SHA1

    b723935d7dc52d0b1513cf13fabeab7203db247a

  • SHA256

    f8f3a30f2e20482b95fcb7424ede443d2b4dd31ce6b4bdee484d01c2af5000de

  • SHA512

    5909f29955b6b77613312d1cadb5304341ab6844755a14dbd4bbd52e9bc1ffa70a0f9585198ff77ee7e577dca0e9bb473df4298e582abde5b60842c2232c9895

Malware Config

Extracted

Family

arkei

Botnet

Default

C2

http://file-file-host4.com/tratata.php

Signatures

  • Arkei

    Arkei is an infostealer written in C++.

  • Arkei Stealer Payload 2 IoCs
  • Downloads MZ/PE file
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f8f3a30f2e20482b95fcb7424ede443d2b4dd31ce6b4bdee484d01c2af5000de.exe
    "C:\Users\Admin\AppData\Local\Temp\f8f3a30f2e20482b95fcb7424ede443d2b4dd31ce6b4bdee484d01c2af5000de.exe"
    1⤵
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\f8f3a30f2e20482b95fcb7424ede443d2b4dd31ce6b4bdee484d01c2af5000de.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:816
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 5
        3⤵
        • Delays execution with timeout.exe
        PID:2608

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/2848-116-0x00000000022F0000-0x000000000230C000-memory.dmp

          Filesize

          112KB

        • memory/2848-117-0x0000000000400000-0x00000000005D0000-memory.dmp

          Filesize

          1.8MB