Overview

overview

10

Static

static

boomclnr.exe

windows7_x64

10

boomclnr.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    99s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    26-06-2022 05:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    boomclnr.exe

  • Size

    338KB

  • MD5

    7eb3288cf5a21f9e579741af49ce65aa

  • SHA1

    15ee11f73dd90eb20e5dcca2ad8fac94f93a91c1

  • SHA256

    d080f227320c4939dd03587024c17583d8fe7b589e45502f8ee905ecb33d626a

  • SHA512

    e733a472ed1c2d3e848fc12eaab52a877a4e81382bba85674d061b0e34060186377e5399b9d67596fca1fe0813d1c960a851702abbac015955bc18df7cc5012a

Score
10/10
arkeidefaultdiscoveryspywarestealersuricata

Malware Config

Extracted

Family

arkei

Botnet

Default

Signatures

  • Arkei

    Arkei is an infostealer written in C++.

    stealerarkei
  • suricata: ET MALWARE Win32/Vidar Variant/Mars CnC Activity (GET)

    suricata: ET MALWARE Win32/Vidar Variant/Mars CnC Activity (GET)

    suricata
  • suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil

    suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil

    suricata
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\boomclnr.exe
    "C:\Users\Admin\AppData\Local\Temp\boomclnr.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:548
    • C:\Users\Admin\AppData\Local\Temp\uf8.0.exe
      "C:\Users\Admin\AppData\Local\Temp\uf8.0.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:956
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\uf8.0.exe" & exit
        3⤵
          PID:1512
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 5
            4⤵
            • Delays execution with timeout.exe
            PID:1672
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://yip.su/2N19t7
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1432
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1432 CREDAT:275457 /prefetch:2
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1808

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\uf8.0.exe
      Filesize

      353KB

      MD5

      b4313a7d7629f36f75f7c964cddb407a

      SHA1

      b6067c17671743fb93d4783e7925b1c24393e0ac

      SHA256

      5d2852480a44eed596c7211a6eab77bee91653293aacbd39d4f47b45946740c2

      SHA512

      7dfeee2affd3f5a71abe63d5c866b29c36373683fb7ca5b4ce8e4fc0d122dc64ce4fe0a3e252c3fbd8a9b59b90e8af9a627c25fcc9fe1991444a4b15c2332e21

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\BD7RXBDA.txt
      Filesize

      605B

      MD5

      628677adca676b684eccb5f05cd6eef9

      SHA1

      07730088fa67c611da0d3123072320592f833085

      SHA256

      a70fb7021efdd93164fdbe3f2188b716e12ca92513af7139d74ecfad711bab4e

      SHA512

      2ad9e7224bbea615a59353f62648e9844aaa21ee4ed5e28cebd61ce46190fe033729cc047b8dd20eaa925110943da86a5fd785e9601533c68b37f3e8deb1d88e

      Download Submit
    • \ProgramData\mozglue.dll
      Filesize

      133KB

      MD5

      8f73c08a9660691143661bf7332c3c27

      SHA1

      37fa65dd737c50fda710fdbde89e51374d0c204a

      SHA256

      3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

      SHA512

      0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

      Download Submit
    • \ProgramData\nss3.dll
      Filesize

      1.2MB

      MD5

      bfac4e3c5908856ba17d41edcd455a51

      SHA1

      8eec7e888767aa9e4cca8ff246eb2aacb9170428

      SHA256

      e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

      SHA512

      2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

      Download Submit
    • \Users\Admin\AppData\Local\Temp\uf8.0.exe
      Filesize

      353KB

      MD5

      b4313a7d7629f36f75f7c964cddb407a

      SHA1

      b6067c17671743fb93d4783e7925b1c24393e0ac

      SHA256

      5d2852480a44eed596c7211a6eab77bee91653293aacbd39d4f47b45946740c2

      SHA512

      7dfeee2affd3f5a71abe63d5c866b29c36373683fb7ca5b4ce8e4fc0d122dc64ce4fe0a3e252c3fbd8a9b59b90e8af9a627c25fcc9fe1991444a4b15c2332e21

      Download Submit
    • \Users\Admin\AppData\Local\Temp\uf8.0.exe
      Filesize

      353KB

      MD5

      b4313a7d7629f36f75f7c964cddb407a

      SHA1

      b6067c17671743fb93d4783e7925b1c24393e0ac

      SHA256

      5d2852480a44eed596c7211a6eab77bee91653293aacbd39d4f47b45946740c2

      SHA512

      7dfeee2affd3f5a71abe63d5c866b29c36373683fb7ca5b4ce8e4fc0d122dc64ce4fe0a3e252c3fbd8a9b59b90e8af9a627c25fcc9fe1991444a4b15c2332e21

      Download Submit
    • \Users\Admin\AppData\Local\Temp\uf8.0.exe
      Filesize

      353KB

      MD5

      b4313a7d7629f36f75f7c964cddb407a

      SHA1

      b6067c17671743fb93d4783e7925b1c24393e0ac

      SHA256

      5d2852480a44eed596c7211a6eab77bee91653293aacbd39d4f47b45946740c2

      SHA512

      7dfeee2affd3f5a71abe63d5c866b29c36373683fb7ca5b4ce8e4fc0d122dc64ce4fe0a3e252c3fbd8a9b59b90e8af9a627c25fcc9fe1991444a4b15c2332e21

      Download Submit
    • \Users\Admin\AppData\Local\Temp\uf8.0.exe
      Filesize

      353KB

      MD5

      b4313a7d7629f36f75f7c964cddb407a

      SHA1

      b6067c17671743fb93d4783e7925b1c24393e0ac

      SHA256

      5d2852480a44eed596c7211a6eab77bee91653293aacbd39d4f47b45946740c2

      SHA512

      7dfeee2affd3f5a71abe63d5c866b29c36373683fb7ca5b4ce8e4fc0d122dc64ce4fe0a3e252c3fbd8a9b59b90e8af9a627c25fcc9fe1991444a4b15c2332e21

      Download Submit
    • \Users\Admin\AppData\Local\Temp\uf8.1.exe
      Filesize

      5.3MB

      MD5

      00e93456aa5bcf9f60f84b0c0760a212

      SHA1

      6096890893116e75bd46fea0b8c3921ceb33f57d

      SHA256

      ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504

      SHA512

      abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca

      Download Submit
    • memory/548-54-0x0000000076181000-0x0000000076183000-memory.dmp
      Filesize

      8KB

      Download
    • memory/956-62-0x0000000000BF8000-0x0000000000C19000-memory.dmp
      Filesize

      132KB

      Download
    • memory/956-65-0x0000000000400000-0x0000000000B4B000-memory.dmp
      Filesize

      7.3MB

      Download
    • memory/956-67-0x0000000060900000-0x0000000060992000-memory.dmp
      Filesize

      584KB

      Download
    • memory/956-64-0x00000000002C0000-0x00000000002E9000-memory.dmp
      Filesize

      164KB

      Download
    • memory/956-63-0x0000000000BF8000-0x0000000000C19000-memory.dmp
      Filesize

      132KB

      Download
    • memory/956-89-0x0000000000BF8000-0x0000000000C19000-memory.dmp
      Filesize

      132KB

      Download
    • memory/956-90-0x0000000000400000-0x0000000000B4B000-memory.dmp
      Filesize

      7.3MB

      Download
    • memory/956-59-0x0000000000000000-mapping.dmp
      Download
    • memory/1512-88-0x0000000000000000-mapping.dmp
      Download