Analysis

  • max time kernel
    135s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-12-2023 04:28

General

  • Target

    6425d2a508b8a9399fa2e99f536e4dba.exe

  • Size

    3.6MB

  • MD5

    6425d2a508b8a9399fa2e99f536e4dba

  • SHA1

    53749733ccd6a49cd6951bb9e4d0a676eeb72b11

  • SHA256

    0a8d06e600d240b442089a927590cc564a921884e130cc2d0d962be7463cec4e

  • SHA512

    ff4ada7de78ca947b4bd60965748b0a141b756477c1d3c74c52a154d3a10edee268e0c75159a929a16cbd2440d36f5bcf16a4382a39fc9f010dd32b495b4de31

  • SSDEEP

    49152:gLL9wqXFZAuJbEdSqXcZAuJbEdZ/FluraLxTsEStIxvoLZ:gLyQ3ISz3IZbur8kt

Score
10/10

Malware Config

Extracted

Family

arkei

Botnet

Default

C2

185.87.49.30/flat.php

Signatures

  • Arkei

    Arkei is an infostealer written in C++.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6425d2a508b8a9399fa2e99f536e4dba.exe
    "C:\Users\Admin\AppData\Local\Temp\6425d2a508b8a9399fa2e99f536e4dba.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:972
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 1264
      2⤵
      • Program crash
      PID:4876
    • C:\Users\Admin\AppData\Local\Temp\6425d2a508b8a9399fa2e99f536e4dba.exe
      "C:\Users\Admin\AppData\Local\Temp\6425d2a508b8a9399fa2e99f536e4dba.exe"
      2⤵
      PID:3712
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 1264
        2⤵
        • Program crash
        PID:1640
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 972 -ip 972
      1⤵
      PID:5028
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 972 -ip 972
        1⤵
        PID:4672

Network

MITRE ATT&CK Matrix

Downloads

  • memory/972-8-0x0000000005660000-0x0000000005670000-memory.dmp
    Filesize
    64KB
  • memory/972-1-0x0000000074DB0000-0x0000000075560000-memory.dmp
    Filesize
    7.7MB
  • memory/972-2-0x00000000052E0000-0x000000000537C000-memory.dmp
    Filesize
    624KB
  • memory/972-5-0x0000000005660000-0x0000000005670000-memory.dmp
    Filesize
    64KB
  • memory/972-4-0x0000000005420000-0x00000000054B2000-memory.dmp
    Filesize
    584KB
  • memory/972-6-0x00000000053E0000-0x00000000053EA000-memory.dmp
    Filesize
    40KB
  • memory/972-3-0x0000000005930000-0x0000000005ED4000-memory.dmp
    Filesize
    5.6MB
  • memory/972-0-0x00000000005C0000-0x0000000000952000-memory.dmp
    Filesize
    3.6MB
  • memory/972-7-0x0000000005670000-0x00000000056C6000-memory.dmp
    Filesize
    344KB
  • memory/972-9-0x0000000006B00000-0x0000000006B1E000-memory.dmp
    Filesize
    120KB
  • memory/972-16-0x0000000074DB0000-0x0000000075560000-memory.dmp
    Filesize
    7.7MB
  • memory/972-11-0x0000000006AE0000-0x0000000006AE8000-memory.dmp
    Filesize
    32KB
  • memory/3712-14-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize
    108KB
  • memory/3712-15-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize
    108KB
  • memory/3712-10-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize
    108KB
  • memory/3712-13-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize
    108KB