arkei | d080f227320c4939dd03587024c17583d8fe7b589e45502f8ee905ecb33d626a

Analysis

max time kernel
184s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
26-06-2022 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

boomclnr.exe
Size

338KB
MD5

7eb3288cf5a21f9e579741af49ce65aa
SHA1

15ee11f73dd90eb20e5dcca2ad8fac94f93a91c1
SHA256

d080f227320c4939dd03587024c17583d8fe7b589e45502f8ee905ecb33d626a
SHA512

e733a472ed1c2d3e848fc12eaab52a877a4e81382bba85674d061b0e34060186377e5399b9d67596fca1fe0813d1c960a851702abbac015955bc18df7cc5012a

Score

10^/10

arkei default stealer

Malware Config

Extracted

Family

arkei

Botnet

Default

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

u3cg.0.exe

pid process

3172 u3cg.0.exe

pid	process
3172	u3cg.0.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

boomclnr.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	boomclnr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

boomclnr.exe

description	pid	process	target process
PID 4336 wrote to memory of 3172	4336	boomclnr.exe	u3cg.0.exe
PID 4336 wrote to memory of 3172	4336	boomclnr.exe	u3cg.0.exe
PID 4336 wrote to memory of 3172	4336	boomclnr.exe	u3cg.0.exe

C:\Users\Admin\AppData\Local\Temp\boomclnr.exe
"C:\Users\Admin\AppData\Local\Temp\boomclnr.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4336

C:\Users\Admin\AppData\Local\Temp\u3cg.0.exe
"C:\Users\Admin\AppData\Local\Temp\u3cg.0.exe"
2⤵
- Executes dropped EXE
PID:3172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\u3cg.0.exe
Filesize
353KB

MD5
b4313a7d7629f36f75f7c964cddb407a

SHA1
b6067c17671743fb93d4783e7925b1c24393e0ac

SHA256
5d2852480a44eed596c7211a6eab77bee91653293aacbd39d4f47b45946740c2

SHA512
7dfeee2affd3f5a71abe63d5c866b29c36373683fb7ca5b4ce8e4fc0d122dc64ce4fe0a3e252c3fbd8a9b59b90e8af9a627c25fcc9fe1991444a4b15c2332e21

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3cg.0.exe
Filesize
353KB

MD5
b4313a7d7629f36f75f7c964cddb407a

SHA1
b6067c17671743fb93d4783e7925b1c24393e0ac

SHA256
5d2852480a44eed596c7211a6eab77bee91653293aacbd39d4f47b45946740c2

SHA512
7dfeee2affd3f5a71abe63d5c866b29c36373683fb7ca5b4ce8e4fc0d122dc64ce4fe0a3e252c3fbd8a9b59b90e8af9a627c25fcc9fe1991444a4b15c2332e21

Download Submit
memory/3172-130-0x0000000000000000-mapping.dmp

Download
memory/3172-133-0x0000000000C43000-0x0000000000C64000-memory.dmp

Filesize
132KB

Download
memory/3172-134-0x0000000000BB0000-0x0000000000BD9000-memory.dmp

Filesize
164KB

Download
memory/3172-135-0x0000000000400000-0x0000000000B4B000-memory.dmp

Filesize
7.3MB

Download