arkei | 119c638ebfa6bfa3e479b9c605697878150dd88bf48e741ca06e0c21a5dc64b5

Analysis

max time kernel
86s
max time network
88s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23-02-2023 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YjreQbD.exe
Size

990KB
MD5

f0ee6ef61625a24692eb732cbae38181
SHA1

b0b3947af97884acb97f5bd7adec93174909723c
SHA256

9ed18a0b5e15bd4ecb73c5428e208b5d1b162274cfb0d6c62f7b5c3a04ec4d56
SHA512

f55a977927704fd37e280b3209e2c2512b6f46716a0d85622940b9eb158a0587eb45ec4f4575df97b69a68ee0730fc9a8ebf5a78e5832eceb33758732f707434
SSDEEP

24576:z7WQaGJy0sHg3fyKXLrlX1vFO88UbPdZYLP:WuJ3sA5MoBZ2

Score

10^/10

arkei default stealer

Malware Config

Extracted

Family

arkei

Botnet

Default

tommytshop.com/KNOuG8qeID.php

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

YjreQbD.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	YjreQbD.exe

Executes dropped EXE 1 IoCs

Processes:

Copriva.exe.pif

pid process

1464 Copriva.exe.pif
Loads dropped DLL 6 IoCs

Processes:

Copriva.exe.pif

pid process

1464 Copriva.exe.pif
1464 Copriva.exe.pif
1464 Copriva.exe.pif
1464 Copriva.exe.pif
1464 Copriva.exe.pif
1464 Copriva.exe.pif
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

4720 tasklist.exe
4420 tasklist.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 4720 tasklist.exe
Token: SeDebugPrivilege 4420 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Copriva.exe.pif

pid process

1464 Copriva.exe.pif
1464 Copriva.exe.pif
1464 Copriva.exe.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Copriva.exe.pif

pid process

1464 Copriva.exe.pif
1464 Copriva.exe.pif
1464 Copriva.exe.pif

pid	process
1464	Copriva.exe.pif

pid	process
1464	Copriva.exe.pif
1464	Copriva.exe.pif
1464	Copriva.exe.pif
1464	Copriva.exe.pif
1464	Copriva.exe.pif
1464	Copriva.exe.pif

pid	process
4720	tasklist.exe
4420	tasklist.exe

description	pid	process
Token: SeDebugPrivilege	4720	tasklist.exe
Token: SeDebugPrivilege	4420	tasklist.exe

pid	process
1464	Copriva.exe.pif
1464	Copriva.exe.pif
1464	Copriva.exe.pif

pid	process
1464	Copriva.exe.pif
1464	Copriva.exe.pif
1464	Copriva.exe.pif

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

YjreQbD.execmd.execmd.exe

description	pid	process	target process
PID 1792 wrote to memory of 4248	1792	YjreQbD.exe	dllhost.exe
PID 1792 wrote to memory of 4248	1792	YjreQbD.exe	dllhost.exe
PID 1792 wrote to memory of 4248	1792	YjreQbD.exe	dllhost.exe
PID 1792 wrote to memory of 5048	1792	YjreQbD.exe	cmd.exe
PID 1792 wrote to memory of 5048	1792	YjreQbD.exe	cmd.exe
PID 1792 wrote to memory of 5048	1792	YjreQbD.exe	cmd.exe
PID 5048 wrote to memory of 2160	5048	cmd.exe	cmd.exe
PID 5048 wrote to memory of 2160	5048	cmd.exe	cmd.exe
PID 5048 wrote to memory of 2160	5048	cmd.exe	cmd.exe
PID 2160 wrote to memory of 4720	2160	cmd.exe	tasklist.exe
PID 2160 wrote to memory of 4720	2160	cmd.exe	tasklist.exe
PID 2160 wrote to memory of 4720	2160	cmd.exe	tasklist.exe
PID 2160 wrote to memory of 2268	2160	cmd.exe	find.exe
PID 2160 wrote to memory of 2268	2160	cmd.exe	find.exe
PID 2160 wrote to memory of 2268	2160	cmd.exe	find.exe
PID 2160 wrote to memory of 4420	2160	cmd.exe	tasklist.exe
PID 2160 wrote to memory of 4420	2160	cmd.exe	tasklist.exe
PID 2160 wrote to memory of 4420	2160	cmd.exe	tasklist.exe
PID 2160 wrote to memory of 4792	2160	cmd.exe	find.exe
PID 2160 wrote to memory of 4792	2160	cmd.exe	find.exe
PID 2160 wrote to memory of 4792	2160	cmd.exe	find.exe
PID 2160 wrote to memory of 4112	2160	cmd.exe	findstr.exe
PID 2160 wrote to memory of 4112	2160	cmd.exe	findstr.exe
PID 2160 wrote to memory of 4112	2160	cmd.exe	findstr.exe
PID 2160 wrote to memory of 1464	2160	cmd.exe	Copriva.exe.pif
PID 2160 wrote to memory of 1464	2160	cmd.exe	Copriva.exe.pif
PID 2160 wrote to memory of 1464	2160	cmd.exe	Copriva.exe.pif
PID 2160 wrote to memory of 1100	2160	cmd.exe	waitfor.exe
PID 2160 wrote to memory of 1100	2160	cmd.exe	waitfor.exe
PID 2160 wrote to memory of 1100	2160	cmd.exe	waitfor.exe
PID 1792 wrote to memory of 652	1792	YjreQbD.exe	cmd.exe
PID 1792 wrote to memory of 652	1792	YjreQbD.exe	cmd.exe
PID 1792 wrote to memory of 652	1792	YjreQbD.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\YjreQbD.exe
"C:\Users\Admin\AppData\Local\Temp\YjreQbD.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\System32\dllhost.exe"
2⤵
PID:4248

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Inebriato.wpd
2⤵
- Suspicious use of WriteProcessMemory
PID:5048

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4720

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
4⤵
PID:2268

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
4⤵
PID:4792

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^hnmMYJRRrqYoFrCUDeZcgiwUFGxeTZLSdTQAAjLpnOemEnUaaWmdmmnybFisgOYrfuSMjezssQXAtBfuMwJXAxzRxKeVyzUJPZlnGiyfCiYJCYqVfqFhywCUMqaCZbjYVhKys$" Chiederai.wpd
4⤵
PID:4112

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Copriva.exe.pif
Copriva.exe.pif o
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1464

C:\Windows\SysWOW64\waitfor.exe
waitfor /t 5 rgGJBJbazvgjivkxSjoUghUaXzXmXwCe
4⤵
PID:1100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
2⤵
PID:652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
Filesize
186B

MD5
80f5d7b8923f76f75a9d0b7d869faf70

SHA1
5c727f73630593fdb3e68889adc6fc3b455bca32

SHA256
2469dab56f3df8b32182486bb0cf502c1f37529f89a016909d9ae6da8baa8ec2

SHA512
82a6968865951e260df306004abc01727fcc26344f109bd7251c668a4dd4fcf5056e20c2174ebc5a86ae96f979e5bce60b81b68bb9350c1ea4091bfa4ae918a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Chiederai.wpd
Filesize
872KB

MD5
4b084812c6fb13ba05a4be0758e66ccf

SHA1
0a2faed7c7e7486c71eb79b14c6e256b6c2b7598

SHA256
5d332940731caff69ab83afc4d6a8d24afbd145ec4ff1df52d89c7fc3005fe8f

SHA512
732800942e1a6660c5aacce488d798e220b959239d93a519ae9a41fd5b471be959077f3b630414ed4de1338f38fc72b551d01bf94801df27b7659104ae16793c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Copriva.exe.pif
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Copriva.exe.pif
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Egli.wpd
Filesize
866KB

MD5
c5ac89ff9e331db45cc5c117f6fac7fb

SHA1
39eae354ab757f49538c487de0996ed86dfe4628

SHA256
ef26635708a4a1a6dfefec2d4c434e62a40a14ada8816fd91ffb3b9ea9b49dd3

SHA512
2603880655da83f4304561b25961eadcb693876cfe50fb439e33d9eab89170eb505aee6b1ead3a4f29159cbb8bd053f39154b9c518ca69dc44b930d4509f760e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Inebriato.wpd
Filesize
12KB

MD5
0e7fa1e0cf013f39c47894a8cab1888c

SHA1
73f43280ad9becd805cdb3fa73cdd8cee60f5942

SHA256
c30f814d105434302bf0cba8962d19249558fea60d6c7ed1b11693e1d7debe92

SHA512
16f8d55bf1d60d344a3c6ae2e29a3fc6a4ccd5bd083a6dcb003448585a0d6913c6a817ebb16ddd057ef4952e3c80900ef7c6a578f509ea59ef7112d98fc2906d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\fTijRIVTLnhO.dll
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\fTijRIVTLnhO.dll
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\fTijRIVTLnhO.dll
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\fTijRIVTLnhO.dll
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\fTijRIVTLnhO.dll
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\fTijRIVTLnhO.dll
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\fTijRIVTLnhO.dll
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
memory/1464-157-0x0000000007E30000-0x0000000007E6C000-memory.dmp

Filesize
240KB

Download
memory/1464-151-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1464-160-0x0000000007E30000-0x0000000007E6C000-memory.dmp

Filesize
240KB

Download
memory/1464-163-0x0000000007E30000-0x0000000007E6C000-memory.dmp

Filesize
240KB

Download
memory/1464-166-0x0000000007E30000-0x0000000007E6C000-memory.dmp

Filesize
240KB

Download
memory/1464-169-0x0000000007E30000-0x0000000007E6C000-memory.dmp

Filesize
240KB

Download
memory/1464-170-0x0000000007E30000-0x0000000007E6C000-memory.dmp

Filesize
240KB

Download