Overview

overview

10

Static

static

hvnc.exe

windows7_x64

10

hvnc.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    124s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    26-04-2022 17:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    hvnc.exe

  • Size

    138KB

  • MD5

    bb434c347ca1709e54bee1a5d9a5757e

  • SHA1

    844b1f01f53eb6e8f8934880fa7f8994c4245dd4

  • SHA256

    0caa17db0c1d695ce4e5bc3f3fc7c9c2e7f96e489108e0303b81fa45efcf92bd

  • SHA512

    46b87c83ce85d44b152a5921b76f65af19fc93896bc8557b979c72ffdbaef3b21245f1c8aea75a5bd2125bc8df7485f2bcaf98d8b7ee0785c8c1496d08a571be

  • SSDEEP

    3072:PbvG5mz7Bqh1v59Y08mAjs0Ltel+qOeJHlpV8b+Y/Yt:PbviS7BqjjYHdrqkL/

Score
10/10
arrowratkrck1rpersistencerat

Malware Config

Extracted

Family

arrowrat

Botnet

KRCK1R

C2

185.183.35.38:1338

Mutex

4IA671

Signatures

  • ArrowRat

    Remote access tool with various capabilities first seen in late 2021.

    ratarrowrat
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 10 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 56 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of FindShellTrayWindow 49 IoCs
  • Suspicious use of SendNotifyMessage 21 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\hvnc.exe
    "C:\Users\Admin\AppData\Local\Temp\hvnc.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4684
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3532
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" KRCK1R 185.183.35.38 1338 4IA671
      2⤵
        PID:1540
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" KRCK1R 185.183.35.38 1338 4IA671
        2⤵
          PID:1488
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:4000
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Enumerates system info in registry
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:2624
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
        1⤵
          PID:2364

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Winlogon Helper DLL

        1
        T1004

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        2
        T1112

        Credential Access

        Discovery

        Query Registry

        3
        T1012

        Peripheral Device Discovery

        2
        T1120

        System Information Discovery

        3
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1488-137-0x00000000060A0000-0x0000000006644000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/1488-139-0x0000000006880000-0x00000000068D0000-memory.dmp
          Filesize

          320KB

          Download
        • memory/1488-132-0x0000000000400000-0x0000000000416000-memory.dmp
          Filesize

          88KB

          Download
        • memory/1488-133-0x00000000004101AE-mapping.dmp
          Download
        • memory/1488-138-0x00000000066C0000-0x0000000006726000-memory.dmp
          Filesize

          408KB

          Download
        • memory/1488-135-0x0000000005820000-0x00000000058B2000-memory.dmp
          Filesize

          584KB

          Download
        • memory/1488-136-0x00000000058C0000-0x000000000595C000-memory.dmp
          Filesize

          624KB

          Download
        • memory/2624-150-0x000002CA6D970000-0x000002CA6D978000-memory.dmp
          Filesize

          32KB

          Download
        • memory/2624-163-0x000002C200032000-0x000002C200036000-memory.dmp
          Filesize

          16KB

          Download
        • memory/2624-168-0x000002C200036000-0x000002C200039000-memory.dmp
          Filesize

          12KB

          Download
        • memory/2624-148-0x000002CA6EB60000-0x000002CA6EB80000-memory.dmp
          Filesize

          128KB

          Download
        • memory/2624-149-0x000002CA6F800000-0x000002CA6F820000-memory.dmp
          Filesize

          128KB

          Download
        • memory/2624-167-0x000002C200036000-0x000002C200039000-memory.dmp
          Filesize

          12KB

          Download
        • memory/2624-155-0x000002CA6DC00000-0x000002CA6DD00000-memory.dmp
          Filesize

          1024KB

          Download
        • memory/2624-156-0x000002CA6DC00000-0x000002CA6DD00000-memory.dmp
          Filesize

          1024KB

          Download
        • memory/2624-158-0x000002CA6F740000-0x000002CA6F760000-memory.dmp
          Filesize

          128KB

          Download
        • memory/2624-160-0x000002C200032000-0x000002C200036000-memory.dmp
          Filesize

          16KB

          Download
        • memory/2624-159-0x000002C200032000-0x000002C200036000-memory.dmp
          Filesize

          16KB

          Download
        • memory/2624-161-0x000002C200032000-0x000002C200036000-memory.dmp
          Filesize

          16KB

          Download
        • memory/2624-162-0x000002C200032000-0x000002C200036000-memory.dmp
          Filesize

          16KB

          Download
        • memory/2624-166-0x000002C200036000-0x000002C200039000-memory.dmp
          Filesize

          12KB

          Download
        • memory/2624-165-0x000002C200036000-0x000002C200039000-memory.dmp
          Filesize

          12KB

          Download
        • memory/3532-131-0x0000000000000000-mapping.dmp
          Download
        • memory/4684-134-0x00007FFBC90F0000-0x00007FFBC9BB1000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/4684-130-0x000001BC4ED30000-0x000001BC4ED58000-memory.dmp
          Filesize

          160KB

          Download