Analysis

  • max time kernel
    132s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    18/04/2022, 21:07

General

  • Target

    b15cb7537c9da026144ce35c70b21f72f81c8855b537c6ae987e785447e90f42.exe

  • Size

    1.0MB

  • MD5

    cecb88d07ae96dcfe8c2c36fa096fb41

  • SHA1

    c9c84b92a258e49289b8195b6b8509a9960c5495

  • SHA256

    b15cb7537c9da026144ce35c70b21f72f81c8855b537c6ae987e785447e90f42

  • SHA512

    a76e008687d948a34903de4ac4339e253664002d9e602c70b461373c17c197001af3ca74e0724505329bab0b720ac3c56838f0efb9663f841579b9ee24f8db8e

Score
10/10

Malware Config

Extracted

Family

arkei

Botnet

Default

C2

http://tommytshop.com/KNOuG8qeID.php

Signatures

  • Arkei

    Arkei is an infostealer written in C++.

  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Reads the country code configured in the registry. The sandbox flags this as a likely geofence (stealers of this kind commonly exit on machines in excluded locales); the report shows the lookup, not the decision taken on it, so treat the geofence as probable rather than confirmed.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Enumerates connected storage/optical drives. The sandbox's generic description for this signature says "likely ransomware behaviour", but nothing else in this report supports encryption activity; for an Arkei infostealer, walking the drives is consistent with locating files to harvest.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Gathers network information 2 TTPs 2 IoCs

    Triggered on processes named ipconfig.exe. Note that the ipconfig.exe in this run is not the Windows utility: it is a 28KB dropped file run from C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ (see Downloads), so the signature is a name match, not evidence that network configuration was queried. Its parent Facilita.exe.pif is flagged for SetThreadContext, MapViewOfSection and WriteProcessMemory, and a 240KB region of the second ipconfig.exe (PID 3824) at 0x400000 was dumped, which is consistent with the parent writing a payload into the dropped process rather than the dropped file doing any network work itself.

  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b15cb7537c9da026144ce35c70b21f72f81c8855b537c6ae987e785447e90f42.exe
    "C:\Users\Admin\AppData\Local\Temp\b15cb7537c9da026144ce35c70b21f72f81c8855b537c6ae987e785447e90f42.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3848
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cmd < Prende.avi
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4152
      • C:\Windows\SysWOW64\cmd.exe
        cmd
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2960
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist /FI "imagename eq BullGuardCore.exe"
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:4372
        • C:\Windows\SysWOW64\find.exe
          find /I /N "bullguardcore.exe"
          4⤵
          PID:4684
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist /FI "imagename eq PSUAService.exe"
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:4184
        • C:\Windows\SysWOW64\find.exe
          find /I /N "psuaservice.exe"
          4⤵
          PID:4224
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V /R "^NUUynCAavFAplJqoVmuufnwKZBZrOIjeTJnZmiZkDkIOfSUZXlxJinxfTluWCvDOzbdBlwJOmVCtQjcuHZuEhCVcgpyfwrIiHUcRCaPWAGpjVdmGPZgDdZAQCVjwVxMvj$" Sta.avi
          4⤵
          PID:4256
        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Facilita.exe.pif
          Facilita.exe.pif v
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:3572
          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ipconfig.exe
            C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ipconfig.exe
            5⤵
            • Executes dropped EXE
            • Gathers network information
            PID:4192
          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ipconfig.exe
            C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ipconfig.exe
            5⤵
            • Executes dropped EXE
            • Gathers network information
            PID:3824
        • C:\Windows\SysWOW64\waitfor.exe
          waitfor /t 5 GEThfMyymbuCdIfkGFZsHou
          4⤵
          PID:3832
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
      2⤵
      PID:772

            Network

                  MITRE ATT&CK Enterprise v6

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

                    Filesize

                    300B

                    MD5

                    00c8bb4c8deebfc13bdbef52a5e68288

                    SHA1

                    110beb6ebed3f132f67d1b0c11aed92688fc2087

                    SHA256

                    f5dba9dc47ac79267fd75bafd0b4aa7c1a9c264758fde79c4f433a52b1c569bf

                    SHA512

                    8a0ccf53135e38357c0038c4db199bafc1b5101a8a8c5ccb69f4f0d1b3f45ee499a09eed9ce81421ce9304ec26915ea44e28d0d44ced469cb31e4c86e065389b

                  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Facilita.exe.pif

                    Filesize

                    872KB

                    MD5

                    c56b5f0201a3b3de53e561fe76912bfd

                    SHA1

                    2a4062e10a5de813f5688221dbeb3f3ff33eb417

                    SHA256

                    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

                    SHA512

                    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

                  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Piu.avi

                    Filesize

                    886KB

                    MD5

                    aea8833bffe4ce594e3c4e91221c8af5

                    SHA1

                    409a0890a367cd616332e12595a99d59a7202252

                    SHA256

                    90d76daf5aa4b3e943d7c62b4b0d6158b27b701681de367fea5a68f783a4d68c

                    SHA512

                    d71d5b3cbdedc93d3765633e4bcf6773dccf757e6b4a2577ba4b50f00d846df9ebdb2a798dff5792113473c2c87143dfad7560993eaf8e56a0abdf34b3e40e32

                  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Prende.avi

                    Filesize

                    12KB

                    MD5

                    7b4e1751aede86d7ea3baf70197d5100

                    SHA1

                    d0e0d38a082856099dc4281cd1aa682967f0ec30

                    SHA256

                    dd31a753bb208ab540d90b59403d5fb3fde0a9e9cb3e34fabdce32f4eb96a6de

                    SHA512

                    187deed79b33ae102de3315463add8c4a0463e851b9beadecdf322626513f5f405e1a2d4fe11f2e6046816a3eb346b1191be109d6d29e8f783a4e0b2f13f12c6

                  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sta.avi

                    Filesize

                    872KB

                    MD5

                    78f6902df03a74470cc85906d390bf68

                    SHA1

                    2a07d672c000e26c8953e9e8c8ff0c1c33db9d06

                    SHA256

                    0d07d4825c918b092fde380263aaae1d08a6081456dd406c7485588bea625c5a

                    SHA512

                    fb472adfef4d72f2762bafc364558c5b186019d3aad314256e54335c6366f42f49e6061606e74dcbd246333375b528ee5d4dd105538fe3b1be7cfabdc03b789a

                  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\ipconfig.exe

                    Filesize

                    28KB

                    MD5

                    3a3b9a5e00ef6a3f83bf300e2b6b67bb

                    SHA1

                    261127183df2987de2239806dd74fe624c430608

                    SHA256

                    87b036c720fbd5e63355b9920a2864feaf59b1584ebd8458651936ab8c7c1f81

                    SHA512

                    21df8867246a9c5834253c0d2c2de3e620e9f8b4b031b9e53cb6082eca78b90bdb09b9e8baf39e05a08b859f81b3aecbc34f3540428cef0bed746d7e769f2f04

                  • memory/3572-149-0x0000000004D90000-0x0000000004D92000-memory.dmp

                    Filesize

                    8KB

                  • memory/3824-150-0x0000000000400000-0x000000000043C000-memory.dmp

                    Filesize

                    240KB
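Sta.avi and Facilita.exe.pif are both listed at 872KB yet hash differently, and the process tree explains why: findstr /V /R "^<marker>$" Sta.avi writes out every line of Sta.avi that is not exactly the marker, so the .pif is Sta.avi with its padding lines stripped, and a hash or YARA match on the .avi does not cover the payload that actually runs. The following is an added example, not code from the report, that reproduces that carve end to end on a constructed payload. The marker string is the one from the findstr command line; the payload bytes are constructed, and findstr's line handling is emulated as CRLF-delimited lines, an assumption that should be checked by hashing the sandbox's dropped file rather than trusting the emulation.

```python
"""Recovering a dropped executable from a findstr /V line-filter carve.

Added example, not part of the sandbox report. The marker is the one in the
report's findstr command line; the payload is constructed; findstr's line
handling is emulated (CRLF-delimited lines) and that is an assumption.
"""
import hashlib

# Marker string taken from the findstr command line in the process tree.
MARKER = (b"NUUynCAavFAplJqoVmuufnwKZBZrOIjeTJnZmiZkDkIOfSUZXlxJinxfTluWCvDOzbdBlwJOmVCtQj"
          b"cuHZuEhCVcgpyfwrIiHUcRCaPWAGpjVdmGPZgDdZAQCVjwVxMvj")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_payload() -> bytes:
    """Constructed stand-in for a PE image: an MZ header chunk followed by six
    32-byte chunks, CRLF-joined so the file has seven 'lines'."""
    chunks = [b"MZ\x90\x00"] + [bytes(range(i * 32, i * 32 + 32)) for i in range(6)]
    return b"\r\n".join(chunks)


def disguise(payload: bytes, marker: bytes, every: int = 3) -> bytes:
    """Constructed dropper-side step: after every `every` lines of the payload,
    insert a line consisting solely of the marker. The payload bytes are left
    untouched, so dropping those lines again restores it exactly."""
    out = []
    for i, line in enumerate(payload.split(b"\r\n")):
        out.append(line)
        if i % every == every - 1:
            out.append(marker)
    return b"\r\n".join(out)


def findstr_v_filter(data: bytes, marker: bytes) -> bytes:
    """Emulates `findstr /V /R "^MARKER$" file`: keep every line that is not
    exactly the marker. Assumes CRLF line endings; real findstr's treatment of
    a binary file's line endings may differ, so verify against the sandbox's
    hash of the dropped file (237d1bca... for Facilita.exe.pif above)."""
    return b"\r\n".join(line for line in data.split(b"\r\n") if line != marker)


def carve_report() -> dict:
    payload = build_payload()
    on_disk = disguise(payload, MARKER)             # what Sta.avi would look like
    recovered = findstr_v_filter(on_disk, MARKER)   # what the .pif would be
    return {
        "payload_sha256": sha256(payload),
        "on_disk_sha256": sha256(on_disk),
        "recovered_sha256": sha256(recovered),
        "marker_lines": on_disk.split(b"\r\n").count(MARKER),
        "size_delta": len(on_disk) - len(payload),
    }


if __name__ == "__main__":
    for k, v in carve_report().items():
        print(f"{k:<18} {v}")
```

The practical consequence for IOC handling: block and hunt on the hash of the recovered file (the 237d1bca... SHA256 listed under Downloads), and treat the .avi hash as a dropper-packaging artifact that the next build will change by regenerating the marker.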