arkei | 2ced9b36b931b73b1d325bececd01f0e4fa6bd0fff98f8b76f2f45b473311cd0

Analysis

max time kernel
152s
max time network
151s
platform
windows7_x64
resource
win7-20220414-en
submitted
26-06-2022 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zxcvb.exe
Size

768KB
MD5

63645a9e1f5e77ba3c75366f3a14ab87
SHA1

ed1497c47dc283118bbc57d49cd9f354785cf73d
SHA256

2ced9b36b931b73b1d325bececd01f0e4fa6bd0fff98f8b76f2f45b473311cd0
SHA512

4efce16194322c1288603ccd4ab6507fa5905debb137ce9b200e7a76e2c041c2d2aa720061b0679f2dfb5c21a668e12fe5eeb5fe99542f5a88d4bcdf103296f0

Score

10^/10

arkei recordbreaker default discovery spyware stealer suricata

Malware Config

Extracted

Family

recordbreaker

http://136.244.65.99/

http://140.82.52.55/

Extracted

Family

arkei

Botnet

Default

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
RecordBreaker
RecordBreaker is an information stealer capable of downloading and executing secondary payloads written in C++.
stealer recordbreaker
suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4
suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4
suricata
suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
suricata

Executes dropped EXE 2 IoCs

pid	Process
1692	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe
1800	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation	zxcvb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe

Loads dropped DLL 4 IoCs

pid	Process
376	zxcvb.exe
1692	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe
1800	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe
1800	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 376 set thread context of 1708	376	zxcvb.exe	30
PID 1692 set thread context of 1800	1692	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1968	timeout.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1732	powershell.exe
376	zxcvb.exe
1504	powershell.exe
1692	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe
1692	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	376	zxcvb.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	1692	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe
Token: SeDebugPrivilege	1504	powershell.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 376 wrote to memory of 1732	376	zxcvb.exe	27
PID 376 wrote to memory of 1732	376	zxcvb.exe	27
PID 376 wrote to memory of 1732	376	zxcvb.exe	27
PID 376 wrote to memory of 1732	376	zxcvb.exe	27
PID 376 wrote to memory of 1692	376	zxcvb.exe	29
PID 376 wrote to memory of 1692	376	zxcvb.exe	29
PID 376 wrote to memory of 1692	376	zxcvb.exe	29
PID 376 wrote to memory of 1692	376	zxcvb.exe	29
PID 376 wrote to memory of 1708	376	zxcvb.exe	30
PID 376 wrote to memory of 1708	376	zxcvb.exe	30
PID 376 wrote to memory of 1708	376	zxcvb.exe	30
PID 376 wrote to memory of 1708	376	zxcvb.exe	30
PID 376 wrote to memory of 1708	376	zxcvb.exe	30
PID 376 wrote to memory of 1708	376	zxcvb.exe	30
PID 376 wrote to memory of 1708	376	zxcvb.exe	30
PID 376 wrote to memory of 1708	376	zxcvb.exe	30
PID 376 wrote to memory of 1708	376	zxcvb.exe	30
PID 376 wrote to memory of 1708	376	zxcvb.exe	30
PID 1692 wrote to memory of 1504	1692	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe	33
PID 1692 wrote to memory of 1504	1692	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe	33
PID 1692 wrote to memory of 1504	1692	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe	33
PID 1692 wrote to memory of 1504	1692	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe	33
PID 1692 wrote to memory of 1800	1692	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe	35
PID 1692 wrote to memory of 1800	1692	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe	35
PID 1692 wrote to memory of 1800	1692	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe	35
PID 1692 wrote to memory of 1800	1692	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe	35
PID 1692 wrote to memory of 1800	1692	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe	35
PID 1692 wrote to memory of 1800	1692	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe	35
PID 1692 wrote to memory of 1800	1692	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe	35
PID 1692 wrote to memory of 1800	1692	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe	35
PID 1692 wrote to memory of 1800	1692	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe	35
PID 1692 wrote to memory of 1800	1692	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe	35
PID 1692 wrote to memory of 1800	1692	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe	35
PID 1800 wrote to memory of 600	1800	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe	36
PID 1800 wrote to memory of 600	1800	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe	36
PID 1800 wrote to memory of 600	1800	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe	36
PID 1800 wrote to memory of 600	1800	Fvmidruhvvwkpvmfzdjkqkyhgrn.exe	36
PID 600 wrote to memory of 1968	600	cmd.exe	38
PID 600 wrote to memory of 1968	600	cmd.exe	38
PID 600 wrote to memory of 1968	600	cmd.exe	38
PID 600 wrote to memory of 1968	600	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
"C:\Users\Admin\AppData\Local\Temp\zxcvb.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:376
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1732
- C:\Users\Admin\AppData\Local\Temp\Fvmidruhvvwkpvmfzdjkqkyhgrn.exe
  "C:\Users\Admin\AppData\Local\Temp\Fvmidruhvvwkpvmfzdjkqkyhgrn.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1504
- - C:\Users\Admin\AppData\Local\Temp\Fvmidruhvvwkpvmfzdjkqkyhgrn.exe
    C:\Users\Admin\AppData\Local\Temp\Fvmidruhvvwkpvmfzdjkqkyhgrn.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    PID:1800
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Fvmidruhvvwkpvmfzdjkqkyhgrn.exe" & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:600
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        5⤵
        Delays execution with timeout.exe
        
        PID:1968
- C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
  C:\Users\Admin\AppData\Local\Temp\zxcvb.exe
  2⤵
  PID:1708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Fvmidruhvvwkpvmfzdjkqkyhgrn.exe

Filesize
21KB

MD5
f35a031075f711d05262e547d028ae86

SHA1
9c9e3bdf907fcfa959910cd9c752e297765ccf80

SHA256
3c0c5786499c54c8f99e689f7e1bfc129e4d10c3de58c7917fc73044e12346b9

SHA512
ff5235e388cc82f45e2dda4e93b66f752789b6cda1b6a4076af0171ab88ea422e8309a0f85abfa2d2e8ed5a760c3d83c4ec13fea9b566c0dd470a5c64c1a8a30

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fvmidruhvvwkpvmfzdjkqkyhgrn.exe

Filesize
21KB

MD5
f35a031075f711d05262e547d028ae86

SHA1
9c9e3bdf907fcfa959910cd9c752e297765ccf80

SHA256
3c0c5786499c54c8f99e689f7e1bfc129e4d10c3de58c7917fc73044e12346b9

SHA512
ff5235e388cc82f45e2dda4e93b66f752789b6cda1b6a4076af0171ab88ea422e8309a0f85abfa2d2e8ed5a760c3d83c4ec13fea9b566c0dd470a5c64c1a8a30

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fvmidruhvvwkpvmfzdjkqkyhgrn.exe

Filesize
21KB

MD5
f35a031075f711d05262e547d028ae86

SHA1
9c9e3bdf907fcfa959910cd9c752e297765ccf80

SHA256
3c0c5786499c54c8f99e689f7e1bfc129e4d10c3de58c7917fc73044e12346b9

SHA512
ff5235e388cc82f45e2dda4e93b66f752789b6cda1b6a4076af0171ab88ea422e8309a0f85abfa2d2e8ed5a760c3d83c4ec13fea9b566c0dd470a5c64c1a8a30

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f30dc721ea494ccf5cfaf4d371118405

SHA1
4a1c29bcb6ac700b5712fcf0bada968bf0eae8f3

SHA256
113e2d321ccf829f8f4ff3461effa53fd39aeb9df52a62eafa6a01db06a2730d

SHA512
a38b45ac0d45954b74ba6c6b1f5c112965a5310c53935f03235c76ad6e859df3576f6481cb9dc525112934d9da6d512065a040a79186634cb0733d7c33c845ba

Download Submit
\ProgramData\mozglue.dll

Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll

Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\Users\Admin\AppData\Local\Temp\Fvmidruhvvwkpvmfzdjkqkyhgrn.exe

Filesize
21KB

MD5
f35a031075f711d05262e547d028ae86

SHA1
9c9e3bdf907fcfa959910cd9c752e297765ccf80

SHA256
3c0c5786499c54c8f99e689f7e1bfc129e4d10c3de58c7917fc73044e12346b9

SHA512
ff5235e388cc82f45e2dda4e93b66f752789b6cda1b6a4076af0171ab88ea422e8309a0f85abfa2d2e8ed5a760c3d83c4ec13fea9b566c0dd470a5c64c1a8a30

Download Submit
\Users\Admin\AppData\Local\Temp\Fvmidruhvvwkpvmfzdjkqkyhgrn.exe

Filesize
21KB

MD5
f35a031075f711d05262e547d028ae86

SHA1
9c9e3bdf907fcfa959910cd9c752e297765ccf80

SHA256
3c0c5786499c54c8f99e689f7e1bfc129e4d10c3de58c7917fc73044e12346b9

SHA512
ff5235e388cc82f45e2dda4e93b66f752789b6cda1b6a4076af0171ab88ea422e8309a0f85abfa2d2e8ed5a760c3d83c4ec13fea9b566c0dd470a5c64c1a8a30

Download Submit
memory/376-56-0x0000000000BA0000-0x0000000000BEC000-memory.dmp

Filesize
304KB

Download
memory/376-55-0x0000000004B90000-0x0000000004C52000-memory.dmp

Filesize
776KB

Download
memory/376-54-0x00000000009A0000-0x0000000000A66000-memory.dmp

Filesize
792KB

Download
memory/1504-85-0x000000006FBB0000-0x000000007015B000-memory.dmp

Filesize
5.7MB

Download
memory/1504-84-0x000000006FBB0000-0x000000007015B000-memory.dmp

Filesize
5.7MB

Download
memory/1692-65-0x0000000001160000-0x000000000116A000-memory.dmp

Filesize
40KB

Download
memory/1692-80-0x0000000005520000-0x00000000055F4000-memory.dmp

Filesize
848KB

Download
memory/1708-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1708-74-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1708-79-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1708-69-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1708-71-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1708-72-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1708-77-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1708-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1732-60-0x00000000701D0000-0x000000007077B000-memory.dmp

Filesize
5.7MB

Download
memory/1732-58-0x00000000764C1000-0x00000000764C3000-memory.dmp

Filesize
8KB

Download
memory/1732-59-0x00000000701D0000-0x000000007077B000-memory.dmp

Filesize
5.7MB

Download
memory/1800-92-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1800-95-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1800-96-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1800-93-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1800-100-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1800-101-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1800-103-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/1800-90-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1800-88-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1800-87-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1800-125-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download