Analysis

  • max time kernel
    4265058s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    17/01/2022, 11:00

General

  • Target

    7adc964978fc6d07051540dce92572970ce1564f239bbefcdf823ae6b00d8624.exe

  • Size

    335KB

  • MD5

    7a2d70556ffabb1735009b8dd26dff84

  • SHA1

    5cb5e9a85d27c5d0eb40d1b7b230aeef0d167df5

  • SHA256

    7adc964978fc6d07051540dce92572970ce1564f239bbefcdf823ae6b00d8624

  • SHA512

    97df75afb48dd920f523d0415ebd2c7c9f1d91c67c767ca31f66fa0ea99cf76525b605264ef6ede30a5306df80b01fe54bbaab71273d788e0e345678635dc5c0

Malware Config

Extracted

Family

arkei

Botnet

homesteadr

C2

http://homesteadr.link/ggate.php

Signatures

  • Arkei

    Arkei is an infostealer written in C++.

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Arkei Stealer Payload 2 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7adc964978fc6d07051540dce92572970ce1564f239bbefcdf823ae6b00d8624.exe
    "C:\Users\Admin\AppData\Local\Temp\7adc964978fc6d07051540dce92572970ce1564f239bbefcdf823ae6b00d8624.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:2712
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7adc964978fc6d07051540dce92572970ce1564f239bbefcdf823ae6b00d8624.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1288
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 5
        3⤵
        • Delays execution with timeout.exe
        PID:3556
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 1412
      2⤵
      • Program crash
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2964
  • C:\Windows\system32\MusNotification.exe
    C:\Windows\system32\MusNotification.exe
    1⤵
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:4060
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2712 -ip 2712
    1⤵
    • Suspicious use of NtCreateProcessExOtherParentProcess
    • Suspicious use of WriteProcessMemory
    PID:3580

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/2712-130-0x00000000007F8000-0x0000000000809000-memory.dmp

          Filesize

          68KB

        • memory/2712-132-0x0000000000400000-0x00000000005DC000-memory.dmp

          Filesize

          1.9MB

        • memory/2712-131-0x0000000000780000-0x000000000079C000-memory.dmp

          Filesize

          112KB