arkei | a5e7d573e91033eb9bc300186f754394a91a114c73a6661d31dfb8225209030d

General

Target

a5e7d573e91033eb9bc300186f754394a91a114c73a6661d31dfb8225209030d.exe
Size

312KB
MD5

ae68f525110174d36fd0a78f728ec1ac
SHA1

a1e118f23dfc15269400bd059d5960caf01a6ebe
SHA256

a5e7d573e91033eb9bc300186f754394a91a114c73a6661d31dfb8225209030d
SHA512

acdb4617b5c8aca3cab43d5af963f076d14bd9a55b4b0ad95f65490ee125022424453a1b0fd71776205027b1fc266e5918db44a7b81bb0d29befb34b1d8d741b
SSDEEP

6144:yMNCha6O+chMWnhE/deKaG6+9DzZzNIT9OsUp9kBbCSCH/:yMNCha6O+EMcKFJ6+93ZuokBWS

Score

10^/10

arkei njrat default evasion persistence stealer trojan

Malware Config

Extracted

Family

arkei

Botnet

Default

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2584 netsh.exe

pid	process
2584	netsh.exe

Drops startup file 2 IoCs

Processes:

Javaupdt.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ee29faf3a82dae4ce355ef93c3d73702.exe	Javaupdt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ee29faf3a82dae4ce355ef93c3d73702.exe	Javaupdt.exe

Executes dropped EXE 3 IoCs

Processes:

LocalrjJXIAUZat.exeLocalXOdtfnFxis.exeJavaupdt.exe

pid process

2600 LocalrjJXIAUZat.exe
2520 LocalXOdtfnFxis.exe
2580 Javaupdt.exe
Loads dropped DLL 6 IoCs

Processes:

WerFault.exeLocalrjJXIAUZat.exe

pid process

2448 WerFault.exe
2448 WerFault.exe
2448 WerFault.exe
2448 WerFault.exe
2600 LocalrjJXIAUZat.exe
2600 LocalrjJXIAUZat.exe

pid	process
2600	LocalrjJXIAUZat.exe
2520	LocalXOdtfnFxis.exe
2580	Javaupdt.exe

pid	process
2448	WerFault.exe
2448	WerFault.exe
2448	WerFault.exe
2448	WerFault.exe
2600	LocalrjJXIAUZat.exe
2600	LocalrjJXIAUZat.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Javaupdt.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\ee29faf3a82dae4ce355ef93c3d73702 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Javaupdt.exe\" .."	Javaupdt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ee29faf3a82dae4ce355ef93c3d73702 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Javaupdt.exe\" .."	Javaupdt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2448 2520 WerFault.exe LocalXOdtfnFxis.exe

pid	pid_target	process	target process
2448	2520	WerFault.exe	LocalXOdtfnFxis.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

LocalrjJXIAUZat.exeJavaupdt.exe

description	pid	process
Token: SeDebugPrivilege	2600	LocalrjJXIAUZat.exe
Token: SeDebugPrivilege	2580	Javaupdt.exe
Token: 33	2580	Javaupdt.exe
Token: SeIncBasePriorityPrivilege	2580	Javaupdt.exe
Token: 33	2580	Javaupdt.exe
Token: SeIncBasePriorityPrivilege	2580	Javaupdt.exe
Token: 33	2580	Javaupdt.exe
Token: SeIncBasePriorityPrivilege	2580	Javaupdt.exe
Token: 33	2580	Javaupdt.exe
Token: SeIncBasePriorityPrivilege	2580	Javaupdt.exe
Token: 33	2580	Javaupdt.exe
Token: SeIncBasePriorityPrivilege	2580	Javaupdt.exe
Token: 33	2580	Javaupdt.exe
Token: SeIncBasePriorityPrivilege	2580	Javaupdt.exe
Token: 33	2580	Javaupdt.exe
Token: SeIncBasePriorityPrivilege	2580	Javaupdt.exe
Token: 33	2580	Javaupdt.exe
Token: SeIncBasePriorityPrivilege	2580	Javaupdt.exe
Token: 33	2580	Javaupdt.exe
Token: SeIncBasePriorityPrivilege	2580	Javaupdt.exe
Token: 33	2580	Javaupdt.exe
Token: SeIncBasePriorityPrivilege	2580	Javaupdt.exe
Token: 33	2580	Javaupdt.exe
Token: SeIncBasePriorityPrivilege	2580	Javaupdt.exe
Token: 33	2580	Javaupdt.exe
Token: SeIncBasePriorityPrivilege	2580	Javaupdt.exe
Token: 33	2580	Javaupdt.exe
Token: SeIncBasePriorityPrivilege	2580	Javaupdt.exe
Token: 33	2580	Javaupdt.exe
Token: SeIncBasePriorityPrivilege	2580	Javaupdt.exe
Token: 33	2580	Javaupdt.exe
Token: SeIncBasePriorityPrivilege	2580	Javaupdt.exe
Token: 33	2580	Javaupdt.exe
Token: SeIncBasePriorityPrivilege	2580	Javaupdt.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

a5e7d573e91033eb9bc300186f754394a91a114c73a6661d31dfb8225209030d.exeLocalXOdtfnFxis.exeLocalrjJXIAUZat.exeJavaupdt.exe

description	pid	process	target process
PID 3040 wrote to memory of 2600	3040	a5e7d573e91033eb9bc300186f754394a91a114c73a6661d31dfb8225209030d.exe	LocalrjJXIAUZat.exe
PID 3040 wrote to memory of 2600	3040	a5e7d573e91033eb9bc300186f754394a91a114c73a6661d31dfb8225209030d.exe	LocalrjJXIAUZat.exe
PID 3040 wrote to memory of 2600	3040	a5e7d573e91033eb9bc300186f754394a91a114c73a6661d31dfb8225209030d.exe	LocalrjJXIAUZat.exe
PID 3040 wrote to memory of 2600	3040	a5e7d573e91033eb9bc300186f754394a91a114c73a6661d31dfb8225209030d.exe	LocalrjJXIAUZat.exe
PID 3040 wrote to memory of 2520	3040	a5e7d573e91033eb9bc300186f754394a91a114c73a6661d31dfb8225209030d.exe	LocalXOdtfnFxis.exe
PID 3040 wrote to memory of 2520	3040	a5e7d573e91033eb9bc300186f754394a91a114c73a6661d31dfb8225209030d.exe	LocalXOdtfnFxis.exe
PID 3040 wrote to memory of 2520	3040	a5e7d573e91033eb9bc300186f754394a91a114c73a6661d31dfb8225209030d.exe	LocalXOdtfnFxis.exe
PID 3040 wrote to memory of 2520	3040	a5e7d573e91033eb9bc300186f754394a91a114c73a6661d31dfb8225209030d.exe	LocalXOdtfnFxis.exe
PID 2520 wrote to memory of 2448	2520	LocalXOdtfnFxis.exe	WerFault.exe
PID 2520 wrote to memory of 2448	2520	LocalXOdtfnFxis.exe	WerFault.exe
PID 2520 wrote to memory of 2448	2520	LocalXOdtfnFxis.exe	WerFault.exe
PID 2520 wrote to memory of 2448	2520	LocalXOdtfnFxis.exe	WerFault.exe
PID 2600 wrote to memory of 2580	2600	LocalrjJXIAUZat.exe	Javaupdt.exe
PID 2600 wrote to memory of 2580	2600	LocalrjJXIAUZat.exe	Javaupdt.exe
PID 2600 wrote to memory of 2580	2600	LocalrjJXIAUZat.exe	Javaupdt.exe
PID 2600 wrote to memory of 2580	2600	LocalrjJXIAUZat.exe	Javaupdt.exe
PID 2580 wrote to memory of 2584	2580	Javaupdt.exe	netsh.exe
PID 2580 wrote to memory of 2584	2580	Javaupdt.exe	netsh.exe
PID 2580 wrote to memory of 2584	2580	Javaupdt.exe	netsh.exe
PID 2580 wrote to memory of 2584	2580	Javaupdt.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\a5e7d573e91033eb9bc300186f754394a91a114c73a6661d31dfb8225209030d.exe
"C:\Users\Admin\AppData\Local\Temp\a5e7d573e91033eb9bc300186f754394a91a114c73a6661d31dfb8225209030d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3040

C:\Users\Admin\AppData\LocalrjJXIAUZat.exe
"C:\Users\Admin\AppData\LocalrjJXIAUZat.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600

C:\Users\Admin\AppData\Local\Temp\Javaupdt.exe
"C:\Users\Admin\AppData\Local\Temp\Javaupdt.exe"
3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Javaupdt.exe" "Javaupdt.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:2584

C:\Users\Admin\AppData\LocalXOdtfnFxis.exe
"C:\Users\Admin\AppData\LocalXOdtfnFxis.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 72
3⤵
- Loads dropped DLL
- Program crash
PID:2448

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalXOdtfnFxis.exe
Filesize
107KB

MD5
41c1fb2f4bd3c65cb0030b1f47a46084

SHA1
199420219f0096cfb156945a54933a03144da70d

SHA256
f335705b83540e68ddd17c68232c2f5ca67b0479cdc3ad8ff11931db6c134764

SHA512
93d4778a35b766b17824c62817421ac224027d6b699afde1281aaaedff7443d3d2c29d1ded98dc1dc318a67d51c2ad3f3b6df83b1c247da9e534f27ae7b0abfe

Download Submit
C:\Users\Admin\AppData\LocalrjJXIAUZat.exe
Filesize
104KB

MD5
4fe3cecb0627425f48b4832768beda71

SHA1
956c71fa6ccc7c7d3dd7b79d624117d580a7c7fb

SHA256
2c3cdb3cd330732b2dc485aee38d30b07ac006765b861adccc76b62aa29d2dff

SHA512
a9067a9c418c276423e5c5b18e474a070c641d729b83a84a40a6df6df670bda0a42d3c59e1c1310f6bff289327f53948ba721f6326d254a66b78723b634f413c

Download Submit
memory/2520-18-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2580-43-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/2580-41-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2580-40-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/2580-39-0x0000000000B30000-0x0000000000B70000-memory.dmp

Filesize
256KB

Download
memory/2580-37-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/2600-21-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2600-22-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2600-20-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/2600-38-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/2600-19-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/3040-17-0x00000000009C0000-0x0000000000A40000-memory.dmp

Filesize
512KB

Download
memory/3040-16-0x000007FEF5680000-0x000007FEF601D000-memory.dmp

Filesize
9.6MB

Download
memory/3040-15-0x000007FEF5680000-0x000007FEF601D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads