arkei | 7b14a38b8ab88532170f6d6abac22a6b170d5bd8c7fa2c1301479184854a9124

Analysis

max time kernel
135s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
30-03-2022 13:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf1d4bf6b4a831d9664bbf0f40a609152a699f8d535c21e41ada406c47f63bfa.exe
Size

11.0MB
MD5

9ad2a9a60994ff956e0dd4678b3ef9f1
SHA1

ab7d7ec8ef3893bc599d582c80cb48639654df1d
SHA256

cf1d4bf6b4a831d9664bbf0f40a609152a699f8d535c21e41ada406c47f63bfa
SHA512

012adcfeff91e107571f33bffa214385bb0f93fe81c99d45482db4225b3e07e16917d75483d30b10e955f5484ce3f0d9619df0340d1a99a638906ee881f49fec

Score

10^/10

arkei babadeda default crypter link loader pdf stealer

Malware Config

Extracted

Family

arkei

Botnet

Default

http://tonyshop312.com/8cPynL7Va1.php

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 2 IoCs

resource	yara_rule
behavioral2/files/0x000400000001e9d4-162.dat	family_babadeda
behavioral2/memory/4720-170-0x0000000005210000-0x000000000A310000-memory.dmp	family_babadeda

Executes dropped EXE 3 IoCs

pid	Process
900	cf1d4bf6b4a831d9664bbf0f40a609152a699f8d535c21e41ada406c47f63bfa.tmp
1648	cf1d4bf6b4a831d9664bbf0f40a609152a699f8d535c21e41ada406c47f63bfa.tmp
4720	PIXWin.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	cf1d4bf6b4a831d9664bbf0f40a609152a699f8d535c21e41ada406c47f63bfa.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	cf1d4bf6b4a831d9664bbf0f40a609152a699f8d535c21e41ada406c47f63bfa.tmp

Loads dropped DLL 8 IoCs

pid	Process
4720	PIXWin.exe
4720	PIXWin.exe
4720	PIXWin.exe
4720	PIXWin.exe
4720	PIXWin.exe
4720	PIXWin.exe
4720	PIXWin.exe
4720	PIXWin.exe

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

resource	yara_rule
behavioral2/files/0x000400000001e9d4-162.dat	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1648	cf1d4bf6b4a831d9664bbf0f40a609152a699f8d535c21e41ada406c47f63bfa.tmp
1648	cf1d4bf6b4a831d9664bbf0f40a609152a699f8d535c21e41ada406c47f63bfa.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1648	cf1d4bf6b4a831d9664bbf0f40a609152a699f8d535c21e41ada406c47f63bfa.tmp

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4720	PIXWin.exe
4720	PIXWin.exe
4720	PIXWin.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 892 wrote to memory of 900	892	cf1d4bf6b4a831d9664bbf0f40a609152a699f8d535c21e41ada406c47f63bfa.exe	78
PID 892 wrote to memory of 900	892	cf1d4bf6b4a831d9664bbf0f40a609152a699f8d535c21e41ada406c47f63bfa.exe	78
PID 892 wrote to memory of 900	892	cf1d4bf6b4a831d9664bbf0f40a609152a699f8d535c21e41ada406c47f63bfa.exe	78
PID 900 wrote to memory of 1424	900	cf1d4bf6b4a831d9664bbf0f40a609152a699f8d535c21e41ada406c47f63bfa.tmp	79
PID 900 wrote to memory of 1424	900	cf1d4bf6b4a831d9664bbf0f40a609152a699f8d535c21e41ada406c47f63bfa.tmp	79
PID 900 wrote to memory of 1424	900	cf1d4bf6b4a831d9664bbf0f40a609152a699f8d535c21e41ada406c47f63bfa.tmp	79
PID 1424 wrote to memory of 1648	1424	cf1d4bf6b4a831d9664bbf0f40a609152a699f8d535c21e41ada406c47f63bfa.exe	80
PID 1424 wrote to memory of 1648	1424	cf1d4bf6b4a831d9664bbf0f40a609152a699f8d535c21e41ada406c47f63bfa.exe	80
PID 1424 wrote to memory of 1648	1424	cf1d4bf6b4a831d9664bbf0f40a609152a699f8d535c21e41ada406c47f63bfa.exe	80
PID 1648 wrote to memory of 4720	1648	cf1d4bf6b4a831d9664bbf0f40a609152a699f8d535c21e41ada406c47f63bfa.tmp	85
PID 1648 wrote to memory of 4720	1648	cf1d4bf6b4a831d9664bbf0f40a609152a699f8d535c21e41ada406c47f63bfa.tmp	85
PID 1648 wrote to memory of 4720	1648	cf1d4bf6b4a831d9664bbf0f40a609152a699f8d535c21e41ada406c47f63bfa.tmp	85

C:\Users\Admin\AppData\Local\Temp\cf1d4bf6b4a831d9664bbf0f40a609152a699f8d535c21e41ada406c47f63bfa.exe
"C:\Users\Admin\AppData\Local\Temp\cf1d4bf6b4a831d9664bbf0f40a609152a699f8d535c21e41ada406c47f63bfa.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:892
- C:\Users\Admin\AppData\Local\Temp\is-JCVNM.tmp\cf1d4bf6b4a831d9664bbf0f40a609152a699f8d535c21e41ada406c47f63bfa.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-JCVNM.tmp\cf1d4bf6b4a831d9664bbf0f40a609152a699f8d535c21e41ada406c47f63bfa.tmp" /SL5="$3016E,10733989,780800,C:\Users\Admin\AppData\Local\Temp\cf1d4bf6b4a831d9664bbf0f40a609152a699f8d535c21e41ada406c47f63bfa.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Users\Admin\AppData\Local\Temp\cf1d4bf6b4a831d9664bbf0f40a609152a699f8d535c21e41ada406c47f63bfa.exe
    "C:\Users\Admin\AppData\Local\Temp\cf1d4bf6b4a831d9664bbf0f40a609152a699f8d535c21e41ada406c47f63bfa.exe" /VERYSILENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1424
  - - C:\Users\Admin\AppData\Local\Temp\is-V5DO6.tmp\cf1d4bf6b4a831d9664bbf0f40a609152a699f8d535c21e41ada406c47f63bfa.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-V5DO6.tmp\cf1d4bf6b4a831d9664bbf0f40a609152a699f8d535c21e41ada406c47f63bfa.tmp" /SL5="$4016E,10733989,780800,C:\Users\Admin\AppData\Local\Temp\cf1d4bf6b4a831d9664bbf0f40a609152a699f8d535c21e41ada406c47f63bfa.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1648
    - - C:\Users\Admin\AppData\Roaming\R for Windows 4.1.1\PIXWin.exe
        
        "C:\Users\Admin\AppData\Roaming\R for Windows 4.1.1\PIXWin.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-JCVNM.tmp\cf1d4bf6b4a831d9664bbf0f40a609152a699f8d535c21e41ada406c47f63bfa.tmp

Filesize
3.0MB

MD5
c415fd6dd64aec88dcef43a471a27b06

SHA1
fe1e740b29901ad81f9f19b653b7756f382e5255

SHA256
564bba1d6b9e77985304cccf995a89d49ca295ed247b1861a4bd2e0b219655ed

SHA512
cabb388cbe7b49563e1042347f2d43a375effc6e237c1872baa702d83e9d0cf39245ff477a06f18016bacfb0a14487b16e97259158fd55ec6b439f11f041fbf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-V5DO6.tmp\cf1d4bf6b4a831d9664bbf0f40a609152a699f8d535c21e41ada406c47f63bfa.tmp

Filesize
3.0MB

MD5
c415fd6dd64aec88dcef43a471a27b06

SHA1
fe1e740b29901ad81f9f19b653b7756f382e5255

SHA256
564bba1d6b9e77985304cccf995a89d49ca295ed247b1861a4bd2e0b219655ed

SHA512
cabb388cbe7b49563e1042347f2d43a375effc6e237c1872baa702d83e9d0cf39245ff477a06f18016bacfb0a14487b16e97259158fd55ec6b439f11f041fbf9

Download Submit
C:\Users\Admin\AppData\Roaming\R for Windows 4.1.1\D3DCOMPILER_43.dll

Filesize
2.0MB

MD5
1c9b45e87528b8bb8cfa884ea0099a85

SHA1
98be17e1d324790a5b206e1ea1cc4e64fbe21240

SHA256
2f23182ec6f4889397ac4bf03d62536136c5bdba825c7d2c4ef08c827f3a8a1c

SHA512
b76d780810e8617b80331b4ad56e9c753652af2e55b66795f7a7d67d6afcec5ef00d120d9b2c64126309076d8169239a721ae8b34784b639b3a3e2bf50d6ee34

Download Submit
C:\Users\Admin\AppData\Roaming\R for Windows 4.1.1\D3DCompiler_43.dll

Filesize
2.0MB

MD5
1c9b45e87528b8bb8cfa884ea0099a85

SHA1
98be17e1d324790a5b206e1ea1cc4e64fbe21240

SHA256
2f23182ec6f4889397ac4bf03d62536136c5bdba825c7d2c4ef08c827f3a8a1c

SHA512
b76d780810e8617b80331b4ad56e9c753652af2e55b66795f7a7d67d6afcec5ef00d120d9b2c64126309076d8169239a721ae8b34784b639b3a3e2bf50d6ee34

Download Submit
C:\Users\Admin\AppData\Roaming\R for Windows 4.1.1\D3DX9_43.dll

Filesize
1.9MB

MD5
86e39e9161c3d930d93822f1563c280d

SHA1
f5944df4142983714a6d9955e6e393d9876c1e11

SHA256
0b28546be22c71834501f7d7185ede5d79742457331c7ee09efc14490dd64f5f

SHA512
0a3e311c4fd5c2194a8807469e47156af35502e10aeb8a3f64a01ff802cd8669c7e668cc87b593b182fd830a126d002b5d5d7b6c77991158bffdb0b5b997f6b3

Download Submit
C:\Users\Admin\AppData\Roaming\R for Windows 4.1.1\Detoured.dll

Filesize
41KB

MD5
6adaae7fd80038159b26b19a88b41d9e

SHA1
d0a8132d83b2904f024f4224285b0f8c658d45fa

SHA256
abb11bb061f932124e0f6ed4bdf323adedba845fac65d83a78910a3c63b0d8cd

SHA512
b3b214c133654b047420f956a35eab998c94e4f17d5d4cf555a95fa99ebbeee441b17542ce2ca46509c960072a097a79fcfe4f254f7737166945189c91be7a19

Download Submit
C:\Users\Admin\AppData\Roaming\R for Windows 4.1.1\Detoured.dll

Filesize
41KB

MD5
6adaae7fd80038159b26b19a88b41d9e

SHA1
d0a8132d83b2904f024f4224285b0f8c658d45fa

SHA256
abb11bb061f932124e0f6ed4bdf323adedba845fac65d83a78910a3c63b0d8cd

SHA512
b3b214c133654b047420f956a35eab998c94e4f17d5d4cf555a95fa99ebbeee441b17542ce2ca46509c960072a097a79fcfe4f254f7737166945189c91be7a19

Download Submit
C:\Users\Admin\AppData\Roaming\R for Windows 4.1.1\MSVCP140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\Users\Admin\AppData\Roaming\R for Windows 4.1.1\PIXWin.exe

Filesize
2.2MB

MD5
f5aa5e6b49e00a8e66e50984166d0e8c

SHA1
56085a70e1b863a8bb2552f968d5c4cd6ff419f2

SHA256
c781c5b74c938940564d1447ecddcb614cdbbb25cec13ee2a5dc127b92cc1fbe

SHA512
1bb38e538814f1811044c5054d33476062eaccac502f202efe0cc53226fa73bdb3d5b4fe337d9583653740e80b2f3bb55ccdaafa512cd4a7a436391cc48da40c

Download Submit
C:\Users\Admin\AppData\Roaming\R for Windows 4.1.1\PIXWin.exe

Filesize
2.2MB

MD5
f5aa5e6b49e00a8e66e50984166d0e8c

SHA1
56085a70e1b863a8bb2552f968d5c4cd6ff419f2

SHA256
c781c5b74c938940564d1447ecddcb614cdbbb25cec13ee2a5dc127b92cc1fbe

SHA512
1bb38e538814f1811044c5054d33476062eaccac502f202efe0cc53226fa73bdb3d5b4fe337d9583653740e80b2f3bb55ccdaafa512cd4a7a436391cc48da40c

Download Submit
C:\Users\Admin\AppData\Roaming\R for Windows 4.1.1\VCRUNTIME140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\Admin\AppData\Roaming\R for Windows 4.1.1\d3dx11_43.dll

Filesize
242KB

MD5
8e0bb968ff41d80e5f2c747c04db79ae

SHA1
69b332d78020177a9b3f60cb672ec47578003c0d

SHA256
492e960cb3ccfc8c25fc83f7c464ba77c86a20411347a1a9b3e5d3e8c9180a8d

SHA512
7d71cb5411f239696e77fe57a272c675fe15d32456ce7befb0c2cf3fc567dce5d38a45f4b004577e3dec283904f42ae17a290105d8ab8ef6b70bad4e15c9d506

Download Submit
C:\Users\Admin\AppData\Roaming\R for Windows 4.1.1\d3dx11_43.dll

Filesize
242KB

MD5
8e0bb968ff41d80e5f2c747c04db79ae

SHA1
69b332d78020177a9b3f60cb672ec47578003c0d

SHA256
492e960cb3ccfc8c25fc83f7c464ba77c86a20411347a1a9b3e5d3e8c9180a8d

SHA512
7d71cb5411f239696e77fe57a272c675fe15d32456ce7befb0c2cf3fc567dce5d38a45f4b004577e3dec283904f42ae17a290105d8ab8ef6b70bad4e15c9d506

Download Submit
C:\Users\Admin\AppData\Roaming\R for Windows 4.1.1\d3dx9_43.dll

Filesize
1.9MB

MD5
86e39e9161c3d930d93822f1563c280d

SHA1
f5944df4142983714a6d9955e6e393d9876c1e11

SHA256
0b28546be22c71834501f7d7185ede5d79742457331c7ee09efc14490dd64f5f

SHA512
0a3e311c4fd5c2194a8807469e47156af35502e10aeb8a3f64a01ff802cd8669c7e668cc87b593b182fd830a126d002b5d5d7b6c77991158bffdb0b5b997f6b3

Download Submit
C:\Users\Admin\AppData\Roaming\R for Windows 4.1.1\fontdesk4.DLL

Filesize
7.9MB

MD5
f678a70827c790c23cdbc069e385f46b

SHA1
c8b37f85cd472ec995a80604e9494347ab0d4872

SHA256
c98bf672212fa961e2e727cff59f788069494a5ff2e9679d26ef6237d956cb85

SHA512
057fc70bf87dc1540dd88fce9e0d6545534fd5db09cecfd12c10f6a49489310fcfe450cd14449a04c8e524266fea2f035c51eaa7d5d09edf037931349503db14

Download Submit
C:\Users\Admin\AppData\Roaming\R for Windows 4.1.1\fontdesk4.dll

Filesize
7.9MB

MD5
f678a70827c790c23cdbc069e385f46b

SHA1
c8b37f85cd472ec995a80604e9494347ab0d4872

SHA256
c98bf672212fa961e2e727cff59f788069494a5ff2e9679d26ef6237d956cb85

SHA512
057fc70bf87dc1540dd88fce9e0d6545534fd5db09cecfd12c10f6a49489310fcfe450cd14449a04c8e524266fea2f035c51eaa7d5d09edf037931349503db14

Download Submit
C:\Users\Admin\AppData\Roaming\R for Windows 4.1.1\gdb

Filesize
472KB

MD5
eacf3db30c4503f5824cadb693fed291

SHA1
abfef9cee85dd2ec4281b2109e378477ba924628

SHA256
e371aeeee12f660e7e00b6ca2970a6e927f72d35ae3917cabd6e6cf0f30e78fc

SHA512
623aaba3edd240bf1f629cce94a5c667a76ab811328cc0622a14a97328c72bd37e4adf18354fa0adbb947d62258493d536190dc6519370da7c95c127b4879cb0

Download Submit
C:\Users\Admin\AppData\Roaming\R for Windows 4.1.1\iisnetwork.dll

Filesize
13KB

MD5
9ebe0f0fb6f2bba7665376a7943b2137

SHA1
92c81061a889d4b78231927ba78dc303b1804fbe

SHA256
69114bd6e375646e38c2323af52794f4658a2718b90c3ecb290594776a868dba

SHA512
e38ed1853c6a50de2e4ac764002a0e3269b0bc7b3e6434ae1000048167095a5c942f921454c5bea4597ea4523d2563037878ea0c2ebab8944e850cc878da99a1

Download Submit
C:\Users\Admin\AppData\Roaming\R for Windows 4.1.1\iisnetwork.dll

Filesize
13KB

MD5
9ebe0f0fb6f2bba7665376a7943b2137

SHA1
92c81061a889d4b78231927ba78dc303b1804fbe

SHA256
69114bd6e375646e38c2323af52794f4658a2718b90c3ecb290594776a868dba

SHA512
e38ed1853c6a50de2e4ac764002a0e3269b0bc7b3e6434ae1000048167095a5c942f921454c5bea4597ea4523d2563037878ea0c2ebab8944e850cc878da99a1

Download Submit
C:\Users\Admin\AppData\Roaming\R for Windows 4.1.1\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\Users\Admin\AppData\Roaming\R for Windows 4.1.1\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
memory/892-130-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/892-132-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1424-140-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1424-136-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4720-159-0x0000000076140000-0x0000000076150000-memory.dmp

Filesize
64KB

Download
memory/4720-153-0x0000000000451000-0x0000000000453000-memory.dmp

Filesize
8KB

Download
memory/4720-163-0x000000000A310000-0x000000000A334000-memory.dmp

Filesize
144KB

Download
memory/4720-168-0x0000000076140000-0x0000000076150000-memory.dmp

Filesize
64KB

Download
memory/4720-169-0x0000000072B60000-0x0000000072B6E000-memory.dmp

Filesize
56KB

Download
memory/4720-170-0x0000000005210000-0x000000000A310000-memory.dmp

Filesize
81.0MB

Download