Analysis
max time kernel: 140s
max time network: 45s
platform: windows7_x64
resource: win7-20220414-en
submitted: 26-04-2022 17:49
Static task: static1
Behavioral task: behavioral1
  Sample: hvnc.exe
  Resource: win7-20220414-en (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: hvnc.exe
  Resource: win10v2004-20220414-en (windows10-2004_x64)
  0 signatures, 0 seconds
General
Target: hvnc.exe
Size: 138KB
MD5: bb434c347ca1709e54bee1a5d9a5757e
SHA1: 844b1f01f53eb6e8f8934880fa7f8994c4245dd4
SHA256: 0caa17db0c1d695ce4e5bc3f3fc7c9c2e7f96e489108e0303b81fa45efcf92bd
SHA512: 46b87c83ce85d44b152a5921b76f65af19fc93896bc8557b979c72ffdbaef3b21245f1c8aea75a5bd2125bc8df7485f2bcaf98d8b7ee0785c8c1496d08a571be
SSDEEP: 3072:PbvG5mz7Bqh1v59Y08mAjs0Ltel+qOeJHlpV8b+Y/Yt:PbviS7BqjjYHdrqkL/
Score: 10/10
Malware Config
Extracted
Family: arrowrat
Botnet: KRCK1R
C2: 185.183.35.38:1338
Mutex: 4IA671
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: hvnc.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Roaming\\DNL4G7\\URZSPD.exe" | hvnc.exe

Modifies Installed Components in the registry (2 TTPs, 1 IoC)
Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe

Modifies registry class (5 IoCs)
Processes: explorer.exe
  description | ioc | process
  Set value (data) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe

Suspicious behavior: EnumeratesProcesses (21 IoCs)
Processes: hvnc.exe
  pid | process
  556 | hvnc.exe (21 identical entries)

Suspicious use of AdjustPrivilegeToken (16 IoCs)
Processes: hvnc.exe, explorer.exe, AUDIODG.EXE
  description | pid | process
  Token: SeDebugPrivilege | 556 | hvnc.exe (1 entry)
  Token: SeShutdownPrivilege | 1992 | explorer.exe (11 entries)
  Token: 33 | 1940 | AUDIODG.EXE (2 entries)
  Token: SeIncBasePriorityPrivilege | 1940 | AUDIODG.EXE (2 entries)

Suspicious use of FindShellTrayWindow (24 IoCs)
Processes: explorer.exe
  pid | process
  1992 | explorer.exe (24 identical entries)

Suspicious use of SendNotifyMessage (16 IoCs)
Processes: explorer.exe
  pid | process
  1992 | explorer.exe (16 identical entries)

Suspicious use of WriteProcessMemory (46 IoCs)
Processes: hvnc.exe, explorer.exe
  description | pid | process | procid_target
  PID 556 wrote to memory of 1992 | 556 | hvnc.exe | 28 (3 entries)
  PID 556 wrote to memory of 1836 | 556 | hvnc.exe | 29 (4 entries)
  PID 556 wrote to memory of 804 | 556 | hvnc.exe | 30 (4 entries)
  PID 556 wrote to memory of 908 | 556 | hvnc.exe | 31 (4 entries)
  PID 556 wrote to memory of 900 | 556 | hvnc.exe | 32 (4 entries)
  PID 556 wrote to memory of 1528 | 556 | hvnc.exe | 33 (4 entries)
  PID 556 wrote to memory of 1556 | 556 | hvnc.exe | 34 (4 entries)
  PID 556 wrote to memory of 1652 | 556 | hvnc.exe | 35 (4 entries)
  PID 556 wrote to memory of 1720 | 556 | hvnc.exe | 36 (4 entries)
  PID 556 wrote to memory of 1600 | 556 | hvnc.exe | 37 (4 entries)
  PID 556 wrote to memory of 1644 | 556 | hvnc.exe | 38 (4 entries)
  PID 1992 wrote to memory of 1460 | 1992 | explorer.exe | 39 (3 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\hvnc.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\hvnc.exe"
  PID: 556
  - Modifies WinLogon for persistence
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\explorer.exe
    command line: "C:\Windows\explorer.exe"
    PID: 1992
    - Modifies Installed Components in the registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\ctfmon.exe
      command line: ctfmon.exe
      PID: 1460

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" KRCK1R 185.183.35.38 1338 4IA671
    PID: 1836

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" KRCK1R 185.183.35.38 1338 4IA671
    PID: 804

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" KRCK1R 185.183.35.38 1338 4IA671
    PID: 908

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" KRCK1R 185.183.35.38 1338 4IA671
    PID: 900

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" KRCK1R 185.183.35.38 1338 4IA671
    PID: 1528

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" KRCK1R 185.183.35.38 1338 4IA671
    PID: 1556

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" KRCK1R 185.183.35.38 1338 4IA671
    PID: 1652

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" KRCK1R 185.183.35.38 1338 4IA671
    PID: 1720

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" KRCK1R 185.183.35.38 1338 4IA671
    PID: 1600

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" KRCK1R 185.183.35.38 1338 4IA671
    PID: 1644

C:\Windows\system32\AUDIODG.EXE
  command line: C:\Windows\system32\AUDIODG.EXE 0x550
  PID: 1940
  - Suspicious use of AdjustPrivilegeToken