Analysis
max time kernel: 117s
max time network: 122s
platform: windows10_x64
resource: win10-en-20211208
submitted: 17/01/2022, 08:46
Static task: static1
General
Target: f8f3a30f2e20482b95fcb7424ede443d2b4dd31ce6b4bdee484d01c2af5000de.exe
Size: 279KB
MD5: 322662f080783dcbb75ccff43ca6543f
SHA1: b723935d7dc52d0b1513cf13fabeab7203db247a
SHA256: f8f3a30f2e20482b95fcb7424ede443d2b4dd31ce6b4bdee484d01c2af5000de
SHA512: 5909f29955b6b77613312d1cadb5304341ab6844755a14dbd4bbd52e9bc1ffa70a0f9585198ff77ee7e577dca0e9bb473df4298e582abde5b60842c2232c9895
Malware Config
Extracted family: arkei
Default
C2 URL: http://file-file-host4.com/tratata.php
Signatures

Arkei Stealer Payload (2 IoCs)
resource | yara_rule
behavioral1/memory/2848-116-0x00000000022F0000-0x000000000230C000-memory.dmp | family_arkei
behavioral1/memory/2848-117-0x0000000000400000-0x00000000005D0000-memory.dmp | family_arkei

Both YARA hits are on memory dumps of PID 2848, not on the file on disk. 0x400000 is the conventional base of a 32-bit image, so the second dump most likely covers the sample's own mapped image after unpacking (0x1D0000 bytes, well above the 279KB file size); the first is a separate 0x1C000-byte allocation that also carries the stealer code.
Downloads MZ/PE file

Loads dropped DLL (3 IoCs)
pid | Process
2848 | f8f3a30f2e20482b95fcb7424ede443d2b4dd31ce6b4bdee484d01c2af5000de.exe
2848 | f8f3a30f2e20482b95fcb7424ede443d2b4dd31ce6b4bdee484d01c2af5000de.exe
2848 | f8f3a30f2e20482b95fcb7424ede443d2b4dd31ce6b4bdee484d01c2af5000de.exe

(Three DLL load events, all from PID 2848; the DLL paths are not listed in this report.)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; for an infostealer such as Arkei it is more consistent with enumerating drives to find files to collect.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | f8f3a30f2e20482b95fcb7424ede443d2b4dd31ce6b4bdee484d01c2af5000de.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | f8f3a30f2e20482b95fcb7424ede443d2b4dd31ce6b4bdee484d01c2af5000de.exe

ProcessorNameString is also read by legitimate software (hardware inventory, installers), so on its own this is a weak signal; it gains weight when combined with the other behaviours in this report.
Delays execution with timeout.exe (1 IoC)
pid | Process
2608 | timeout.exe

Here the delay is part of the self-deletion chain shown in the process tree (timeout /t 5 before deleting the original file), not a standalone sleep for sandbox evasion; the signature fires on any timeout.exe execution.

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 2848 wrote to memory of 816 | 2848 | f8f3a30f2e20482b95fcb7424ede443d2b4dd31ce6b4bdee484d01c2af5000de.exe | 69
PID 2848 wrote to memory of 816 | 2848 | f8f3a30f2e20482b95fcb7424ede443d2b4dd31ce6b4bdee484d01c2af5000de.exe | 69
PID 2848 wrote to memory of 816 | 2848 | f8f3a30f2e20482b95fcb7424ede443d2b4dd31ce6b4bdee484d01c2af5000de.exe | 69
PID 816 wrote to memory of 2608 | 816 | cmd.exe | 71
PID 816 wrote to memory of 2608 | 816 | cmd.exe | 71
PID 816 wrote to memory of 2608 | 816 | cmd.exe | 71

The six writes line up with the two process creations in the tree (2848 spawning cmd.exe 816, and 816 spawning timeout.exe 2608). A parent typically writes into a freshly created child while setting it up, so these entries alone are not evidence of code injection into an unrelated process.
Processes

1. C:\Users\Admin\AppData\Local\Temp\f8f3a30f2e20482b95fcb7424ede443d2b4dd31ce6b4bdee484d01c2af5000de.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\f8f3a30f2e20482b95fcb7424ede443d2b4dd31ce6b4bdee484d01c2af5000de.exe"
   - Loads dropped DLL
   - Checks processor information in registry
   - Suspicious use of WriteProcessMemory
   PID: 2848

   2. C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\f8f3a30f2e20482b95fcb7424ede443d2b4dd31ce6b4bdee484d01c2af5000de.exe" & exit
      - Suspicious use of WriteProcessMemory
      PID: 816

      3. C:\Windows\SysWOW64\timeout.exe
         command line: timeout /t 5
         - Delays execution with timeout.exe
         PID: 2608

The tree is a self-deletion chain: the sample spawns cmd.exe, which waits 5 seconds (long enough for the parent to exit and release its file lock) and then deletes the original executable with del /f /q. The command line names C:\Windows\System32\cmd.exe but the process that actually runs is C:\Windows\SysWOW64\cmd.exe, which is WOW64 file-system redirection at work and confirms the sample is a 32-bit binary on this x64 host. The stealer itself never drops a persistent copy in this run; the only artifacts left behind are the memory dumps above and the C2 traffic to the extracted URL.
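The process tree and the registry IoCs above translate directly into detection logic over endpoint process-creation and registry-query telemetry. The following is an added example (not part of the sandbox report): it reconstructs the parent/child chain, flags a cmd.exe child whose del target is its own parent's image path (the self-deletion pattern), notes the System32-to-SysWOW64 redirection, and correlates that with a ProcessorNameString query by the same PID. The event records, field names (pid, ppid, image, cmdline, op, key) and the benign noise rows are constructed to mirror this report and are assumptions, not any particular SIEM or Sysmon schema.

```python
"""Detect the Arkei-style self-deletion chain from process-creation and registry events.

Added example; the records below are constructed to mirror the sandbox report's
process tree (2848 -> 816 -> 2608) and registry IoCs. Field names are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image path of the created process
    cmdline: str    # command line as logged


@dataclass(frozen=True)
class RegEvent:
    pid: int
    op: str         # "open" or "query"
    key: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\f8f3a30f2e20482b95fcb7424ede443d2b4dd31ce6b4bdee484d01c2af5000de.exe")

# Constructed process-creation records (PID 1234 and the 3000/4000 rows are made-up noise).
EVENTS: List[ProcEvent] = [
    ProcEvent(2848, 1234, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(816, 2848, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c timeout /t 5 & del /f /q "{SAMPLE}" & exit'),
    ProcEvent(2608, 816, r"C:\Windows\SysWOW64\timeout.exe", "timeout /t 5"),
    # Benign: an admin script deleting a log file; the target is not the parent's image.
    ProcEvent(4000, 3000, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c del /q "C:\Temp\old.log"'),
]

# Constructed registry records mirroring the "Checks processor information" IoCs.
CPU_KEY = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"
REG_EVENTS: List[RegEvent] = [
    RegEvent(2848, "open", CPU_KEY.rsplit("\\", 1)[0]),
    RegEvent(2848, "query", CPU_KEY),
    RegEvent(4000, "query", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
]

# "del [/switches] <path>" where the path may be quoted and is followed by "&" or end of line.
DEL_RE = re.compile(r'\bdel\b(?:\s+/[a-z])*\s+"?([^"&]+?)"?\s*(?:&|$)', re.IGNORECASE)
TIMEOUT_RE = re.compile(r"\btimeout\s+/t\s+(\d+)", re.IGNORECASE)


def find_self_delete(events: List[ProcEvent]) -> List[Dict[str, Optional[object]]]:
    """Return one finding per cmd.exe whose del target equals its parent's own image path."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(e.cmdline)
        if not m:
            continue
        target = m.group(1).strip().lower()
        parent = by_pid.get(e.ppid)
        if parent is None or parent.image.lower() != target:
            continue  # deleting some other file is common admin activity
        t = TIMEOUT_RE.search(e.cmdline)
        findings.append({
            "parent_pid": parent.pid,
            "cmd_pid": e.pid,
            "deleted": parent.image,
            "delay_s": int(t.group(1)) if t else None,
            "wow64": is_wow64_redirected(e),
        })
    return findings


def is_wow64_redirected(e: ProcEvent) -> bool:
    """True when System32 was requested but SysWOW64 ran: the caller is a 32-bit process."""
    return "\\syswow64\\" in e.image.lower() and "\\system32\\" in e.cmdline.lower()


def cpu_fingerprint_pids(reg_events: List[RegEvent]) -> List[int]:
    """PIDs that queried ProcessorNameString (weak signal on its own)."""
    return sorted({r.pid for r in reg_events
                   if r.op == "query" and r.key.lower().endswith("\\processornamestring")})


def correlate(events: List[ProcEvent], reg_events: List[RegEvent]) -> List[int]:
    """PIDs that both fingerprinted the CPU and later deleted themselves via cmd.exe."""
    deleters = {f["parent_pid"] for f in find_self_delete(events)}
    return sorted(deleters & set(cpu_fingerprint_pids(reg_events)))


if __name__ == "__main__":
    for f in find_self_delete(EVENTS):
        print("self-delete:", f)
    print("cpu fingerprint by:", cpu_fingerprint_pids(REG_EVENTS))
    print("correlated:", correlate(EVENTS, REG_EVENTS))
```

The key design choice is the parent-image comparison: cmd.exe running del is everyday activity, but a child deleting the exact path of the process that spawned it almost never is. Treat the ProcessorNameString query as a booster rather than an alert on its own, as inventory and installer tools read it routinely.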