arkei | 386cb4a88b5c465c29db7093db94fe6b8e30bb41c2d994569b1fc05d9b1b82d2

Analysis

max time kernel
149s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2024 05:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c0ff1476f4da58cc85553ab15fa03cc.exe
Size

100KB
MD5

3c0ff1476f4da58cc85553ab15fa03cc
SHA1

b74fc29e44fd167f17f8e75f74bbc8fe1cf35d0e
SHA256

386cb4a88b5c465c29db7093db94fe6b8e30bb41c2d994569b1fc05d9b1b82d2
SHA512

ee9542916a4411dd035618c71c5407f249d2e02dbe2b979b9cfd69960bd41402d0f9edf9af61a50b4ecd75eeb3da8d896654a70fa46426690ca8926e0697061f
SSDEEP

1536:TGnHF3PKBF8cRjz1HR9HlKGDnIiRlgrquiZ7HxGIo3/e7pKGPXlagvH0Lraw3Rpl:TGnHF3P8u4VpDL/laSUjGU6xr9r0

Score

10^/10

arkei installs#1 stealer

Malware Config

Extracted

Family

arkei

Botnet

installs#1

91.245.225.43/NES9pWl5eL.php

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3c0ff1476f4da58cc85553ab15fa03cc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	3c0ff1476f4da58cc85553ab15fa03cc.exe

Executes dropped EXE 1 IoCs

Processes:

ssqq.exe

pid process

2636 ssqq.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2636	ssqq.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

3c0ff1476f4da58cc85553ab15fa03cc.exe

description	pid	process	target process
PID 2116 wrote to memory of 2636	2116	3c0ff1476f4da58cc85553ab15fa03cc.exe	ssqq.exe
PID 2116 wrote to memory of 2636	2116	3c0ff1476f4da58cc85553ab15fa03cc.exe	ssqq.exe
PID 2116 wrote to memory of 2636	2116	3c0ff1476f4da58cc85553ab15fa03cc.exe	ssqq.exe

C:\Users\Admin\AppData\Local\Temp\3c0ff1476f4da58cc85553ab15fa03cc.exe
"C:\Users\Admin\AppData\Local\Temp\3c0ff1476f4da58cc85553ab15fa03cc.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2116

C:\Users\Admin\AppData\Local\Temp\ssqq.exe
"C:\Users\Admin\AppData\Local\Temp\ssqq.exe"
2⤵
- Executes dropped EXE
PID:2636

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ssqq.exe
Filesize
93KB

MD5
bc0fa9eea5e4c3a2fa4a8a11516e51cf

SHA1
456197add38fe693d86d9a5254c966489bdc2d78

SHA256
67148bf6ac6d459c6e657905e0954c5830976b88917ce10b4e8ee2e8f183bd00

SHA512
a8250a5da40a3fb2dc73059255b2179f298d930209d9a56fa09e73da80eea157f698056ecf4bd66e61bd4dd024208ed0abf18fef70a56ba70a246b4778b0b10e

Download Submit
memory/2116-0-0x0000000000220000-0x0000000000240000-memory.dmp

Filesize
128KB

Download
memory/2116-2-0x00007FFB20E10000-0x00007FFB218D1000-memory.dmp

Filesize
10.8MB

Download
memory/2116-11-0x00007FFB20E10000-0x00007FFB218D1000-memory.dmp

Filesize
10.8MB

Download