arkei | c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14

Analysis

max time kernel
135s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
27-03-2022 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.exe
Size

8.2MB
MD5

478e874435babd1f3e3d9c382c3f868b
SHA1

9e8fccdfb2400cd286cfb8e9a7e2c4e4b932892c
SHA256

c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14
SHA512

23cbf711d51221989f7b344c523f3b0206bef562d3d7d0c2681c39eda515a292a3db5265ee9430f854561ad97412ceea4b5ec6c636e8d67c985c6042251e975c

Score

10^/10

arkei babadeda default crypter link loader pdf stealer

Malware Config

Extracted

Family

arkei

Botnet

Default

http://tommytshop.com/KNOuG8qeID.php

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 2 IoCs

resource	yara_rule
behavioral2/files/0x000300000001e987-152.dat	family_babadeda
behavioral2/memory/2816-158-0x0000000005620000-0x000000000A720000-memory.dmp	family_babadeda

Executes dropped EXE 4 IoCs

pid	Process
1136	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp
1704	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp
4876	IsCabView.exe
2816	topoedit.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp

Loads dropped DLL 3 IoCs

pid	Process
2816	topoedit.exe
2816	topoedit.exe
2816	topoedit.exe

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

resource	yara_rule
behavioral2/files/0x000300000001e987-152.dat	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Detects BABADEDA Crypter 2 IoCs

Detects BABADEDA Crypter.

resource	yara_rule
behavioral2/files/0x000300000001e987-152.dat	BABADEDA_Crypter
behavioral2/memory/2816-158-0x0000000005620000-0x000000000A720000-memory.dmp	BABADEDA_Crypter

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1704	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp
1704	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1704	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2816	topoedit.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 1136	384	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.exe	78
PID 384 wrote to memory of 1136	384	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.exe	78
PID 384 wrote to memory of 1136	384	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.exe	78
PID 1136 wrote to memory of 1400	1136	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp	79
PID 1136 wrote to memory of 1400	1136	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp	79
PID 1136 wrote to memory of 1400	1136	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp	79
PID 1400 wrote to memory of 1704	1400	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.exe	80
PID 1400 wrote to memory of 1704	1400	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.exe	80
PID 1400 wrote to memory of 1704	1400	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.exe	80
PID 1704 wrote to memory of 4876	1704	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp	89
PID 1704 wrote to memory of 4876	1704	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp	89
PID 1704 wrote to memory of 4876	1704	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp	89
PID 1704 wrote to memory of 2816	1704	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp	90
PID 1704 wrote to memory of 2816	1704	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp	90
PID 1704 wrote to memory of 2816	1704	c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp	90

C:\Users\Admin\AppData\Local\Temp\c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.exe
"C:\Users\Admin\AppData\Local\Temp\c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:384
- C:\Users\Admin\AppData\Local\Temp\is-TUS8V.tmp\c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-TUS8V.tmp\c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp" /SL5="$201D4,7739299,780800,C:\Users\Admin\AppData\Local\Temp\c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1136
- - C:\Users\Admin\AppData\Local\Temp\c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.exe
    "C:\Users\Admin\AppData\Local\Temp\c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.exe" /VERYSILENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1400
  - - C:\Users\Admin\AppData\Local\Temp\is-P39HK.tmp\c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-P39HK.tmp\c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp" /SL5="$301E4,7739299,780800,C:\Users\Admin\AppData\Local\Temp\c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1704
    - - C:\Users\Admin\AppData\Roaming\Directory Monitor\IsCabView.exe
        
        "C:\Users\Admin\AppData\Roaming\Directory Monitor\IsCabView.exe"
        5⤵
        Executes dropped EXE
        
        PID:4876
    - - C:\Users\Admin\AppData\Roaming\Directory Monitor\topoedit.exe
        
        "C:\Users\Admin\AppData\Roaming\Directory Monitor\topoedit.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-P39HK.tmp\c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp

Filesize
3.0MB

MD5
2193a48f602050074f8c3b779d7ff4d1

SHA1
33ce1181833b2f8009213d3237ccab96d8c27594

SHA256
bf7e946ca708f8ee4815dbb2347f9067fb0e564127b4864c4b6f6bb13a091fa8

SHA512
14d9078972dc5ac9a9621e869568427c02772e60714e11b8864dea37dd2760b32d74ffe870312aa064491962bbbb354850e6fef18666c6fde6556e4f163afe91

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TUS8V.tmp\c48e5a61fd89ac5e950a37e1d81d2f733c16983d369dbedbb3a0c3e8c97f7b14.tmp

Filesize
3.0MB

MD5
2193a48f602050074f8c3b779d7ff4d1

SHA1
33ce1181833b2f8009213d3237ccab96d8c27594

SHA256
bf7e946ca708f8ee4815dbb2347f9067fb0e564127b4864c4b6f6bb13a091fa8

SHA512
14d9078972dc5ac9a9621e869568427c02772e60714e11b8864dea37dd2760b32d74ffe870312aa064491962bbbb354850e6fef18666c6fde6556e4f163afe91

Download Submit
C:\Users\Admin\AppData\Roaming\Directory Monitor\IsCabView.exe

Filesize
1.5MB

MD5
e98f599801e6dd5e652f830591be9438

SHA1
f3237ac703649c23e3eb3482fb0ac932d3c61801

SHA256
7c0c00d7fe55cce5cc4deb15948eab7d69d61344c432aaaff168f1f15f69d78e

SHA512
a1f12328e84b4bfabcf51dfac26e7a78cd598ef3aac5decfeedd5f032680b661054a1615870aec7e94b2d9e34eb6a656cf14b166e115cb18988f6424ff215706

Download Submit
C:\Users\Admin\AppData\Roaming\Directory Monitor\IsCabView.exe

Filesize
1.5MB

MD5
e98f599801e6dd5e652f830591be9438

SHA1
f3237ac703649c23e3eb3482fb0ac932d3c61801

SHA256
7c0c00d7fe55cce5cc4deb15948eab7d69d61344c432aaaff168f1f15f69d78e

SHA512
a1f12328e84b4bfabcf51dfac26e7a78cd598ef3aac5decfeedd5f032680b661054a1615870aec7e94b2d9e34eb6a656cf14b166e115cb18988f6424ff215706

Download Submit
C:\Users\Admin\AppData\Roaming\Directory Monitor\lg.inf

Filesize
449KB

MD5
d742f9c974d943044691dae4ab465cf0

SHA1
750a85968f14c5eb92ca00179207a09d20582ef4

SHA256
0734bd6737bd8af44a017b6d470faf5915fdffb9fb871f64ca1d16f0daa48cc9

SHA512
c3c6d752821424ab6dd6c13b21bc2ff6a44df3c64f2e75fa2b8b9ffac403407d6cbfe0f910b2511ebb0255c18b87f27bbbdb4e5577992c68130d72004a72e60d

Download Submit
C:\Users\Admin\AppData\Roaming\Directory Monitor\libfdesk3.dll

Filesize
5.9MB

MD5
483a3faef5588ede7df2abad9a89a5ab

SHA1
535dd334b57d75dcb4bff8319f9a5633c3cc4ad9

SHA256
f8a4af123951ce3043bd72f951abc4625552a08a5ec00f04221bca2b66546634

SHA512
5eff508a028d38092e779baec165ae76ba8aedb54847481408452d3da9b3c9a347e66d454d12f06793d3540b72475fe9a620a691aa31d3e4ced69889b29d4dc3

Download Submit
C:\Users\Admin\AppData\Roaming\Directory Monitor\libfdesk3.dll

Filesize
5.9MB

MD5
483a3faef5588ede7df2abad9a89a5ab

SHA1
535dd334b57d75dcb4bff8319f9a5633c3cc4ad9

SHA256
f8a4af123951ce3043bd72f951abc4625552a08a5ec00f04221bca2b66546634

SHA512
5eff508a028d38092e779baec165ae76ba8aedb54847481408452d3da9b3c9a347e66d454d12f06793d3540b72475fe9a620a691aa31d3e4ced69889b29d4dc3

Download Submit
C:\Users\Admin\AppData\Roaming\Directory Monitor\tedutil.dll

Filesize
219KB

MD5
04b1e2f643b1ea90af92c6bd56f81051

SHA1
f848094bfcc914180f91b22a5decb65e5d1e5dea

SHA256
f1eccf13c8bd3826a894d61b0bf415ee3a667b00dc0359c59376f4fc39ac9072

SHA512
092728adf124c422495dd983e258f1a454ce550b2cace073cceb501128e661b39ef8392d73d5d8989707fd9372b4cde6e9d320a5069f335d7c258ac14c159ce0

Download Submit
C:\Users\Admin\AppData\Roaming\Directory Monitor\tedutil.dll

Filesize
219KB

MD5
04b1e2f643b1ea90af92c6bd56f81051

SHA1
f848094bfcc914180f91b22a5decb65e5d1e5dea

SHA256
f1eccf13c8bd3826a894d61b0bf415ee3a667b00dc0359c59376f4fc39ac9072

SHA512
092728adf124c422495dd983e258f1a454ce550b2cace073cceb501128e661b39ef8392d73d5d8989707fd9372b4cde6e9d320a5069f335d7c258ac14c159ce0

Download Submit
C:\Users\Admin\AppData\Roaming\Directory Monitor\topoedit.exe

Filesize
151KB

MD5
d80a26a6547ce365a0645ba639be43f2

SHA1
4854e4b492254c2c980f6cd8875bdf55edfec7f5

SHA256
a6edd9c0456423e561259f434ad4cab6d61ad7ff6bab80bbc13a0a72de410430

SHA512
fd0e20c24becaecc32ceb789ed1fc9d31bdbdc2cb565c09a444678e6ba738561a4eb22cb5946180945f38ec71e82c11b0356ca1c226b2d6aa99e18cc0120f9fb

Download Submit
C:\Users\Admin\AppData\Roaming\Directory Monitor\uimaster.dll

Filesize
224KB

MD5
9bb86a9242c1b32990f0c66dd027e501

SHA1
f2039534f449771474daf6732641b59177757841

SHA256
99074a147541dd8429a0c4cc82962f23a4bb025d3cd8e4e0d732fd9edc34cc91

SHA512
544eb21ee12dd6d18aeebc52a096496a3868e3d6c477c1b77ffbcd83446e568cfaa4eebaf04d1d12f7e54f609e873d2428a1d3079313297279d4b08cc1ab433c

Download Submit
C:\Users\Admin\AppData\Roaming\Directory Monitor\uimaster.dll

Filesize
224KB

MD5
9bb86a9242c1b32990f0c66dd027e501

SHA1
f2039534f449771474daf6732641b59177757841

SHA256
99074a147541dd8429a0c4cc82962f23a4bb025d3cd8e4e0d732fd9edc34cc91

SHA512
544eb21ee12dd6d18aeebc52a096496a3868e3d6c477c1b77ffbcd83446e568cfaa4eebaf04d1d12f7e54f609e873d2428a1d3079313297279d4b08cc1ab433c

Download Submit
memory/384-130-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/384-132-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1400-140-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1400-136-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2816-153-0x000000000A720000-0x000000000A74E000-memory.dmp

Filesize
184KB

Download
memory/2816-158-0x0000000005620000-0x000000000A720000-memory.dmp

Filesize
81.0MB

Download