Resubmissions

28-01-2022 14:50

220128-r73frsfcf5 10

27-01-2022 15:42

220127-s5sn8affd5 10

Analysis

  • max time kernel
    42s
  • max time network
    48s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    27-01-2022 15:42

General

  • Target

    adc5d511e576888aaed5f7e13b6df04f1b733e034bf34344be1dc0e6286dc5a0.exe

  • Size

    350KB

  • MD5

    b55890d016a3e0c6e7f4ba2e49ab7e43

  • SHA1

    8e1565a321d0630957bc65e0bdaae59b6a3671b7

  • SHA256

    adc5d511e576888aaed5f7e13b6df04f1b733e034bf34344be1dc0e6286dc5a0

  • SHA512

    42876920445bccf5d32cb2be28ac546dd45cbce0ef1616b1800f5cd97a93c47bd27eafb619ccbab82b38a3707019210101fd989b20615c2f247c762671904f50

Malware Config

Extracted

Family

arkei

Botnet

Default

C2

http://coin-file-file-19.com/tratata.php

Signatures

  • Arkei

    Arkei is an infostealer written in C++.

  • Arkei Stealer Payload 1 IoCs
  • Downloads MZ/PE file
  • Modifies Installed Components in the registry 2 TTPs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 5 IoCs
  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 17 IoCs
  • Modifies registry class 29 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 59 IoCs
  • Suspicious use of SendNotifyMessage 54 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\adc5d511e576888aaed5f7e13b6df04f1b733e034bf34344be1dc0e6286dc5a0.exe
    "C:\Users\Admin\AppData\Local\Temp\adc5d511e576888aaed5f7e13b6df04f1b733e034bf34344be1dc0e6286dc5a0.exe"
    1⤵
    • Loads dropped DLL
    PID:3692
  • C:\Windows\system32\werfault.exe
    werfault.exe /h /shared Global\f885efd05d054c249350693c1b7ee898 /t 2420 /p 2364
    1⤵
      PID:3584
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Enumerates connected drives
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:348
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3200
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3200 CREDAT:82945 /prefetch:2
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:3620
    • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
      "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
      1⤵
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      PID:3556
    • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
      1⤵
      • Drops file in Windows directory
      • Enumerates system info in registry
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:392

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    Modify Registry (T1112): 2
  • Credential Access
    Credentials in Files (T1081): 1
  • Discovery
    Query Registry (T1012): 3
    Peripheral Device Discovery (T1120): 2
    System Information Discovery (T1082): 3
  • Collection
    Data from Local System (T1005): 1


Downloads

  • \ProgramData\sqlite3.dll
    MD5
    e477a96c8f2b18d6b5c27bde49c990bf
    SHA1
    e980c9bf41330d1e5bd04556db4646a0210f7409
    SHA256
    16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
    SHA512
    335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

  • memory/3692-130-0x0000000000530000-0x0000000000541000-memory.dmp
    Filesize
    68KB

  • memory/3692-131-0x0000000000570000-0x00000000006BA000-memory.dmp
    Filesize
    1.3MB

  • memory/3692-132-0x0000000000400000-0x000000000045F000-memory.dmp
    Filesize
    380KB