Overview

overview

10

Static

static

file.exe

windows7-x64

1

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-08-2022 15:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    281KB

  • MD5

    e005c377c3afa1c769c875439bbf1aec

  • SHA1

    e3b472abcae46c5da33e04d94ede7f6ffb082863

  • SHA256

    ecff5e9fc6e4fc922ae7c0a4d111350b4625edb6755209101aa7152732b28f0b

  • SHA512

    010a4db5181598bc0a0a1f7d721948c16f4a815037c2710bd59b59013b67b81a0f1532b5e97ffd5edc52c2e49fdf1cda2a85b20a625bcce51f8c91b9598ccbd2

Score
10/10
arrowratclientpersistencerat

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

20.100.171.81:1337

Mutex

XWIEUOzKz

Signatures

  • ArrowRat

    Remote access tool with various capabilities first seen in late 2021.

    ratarrowrat
  • Downloads MZ/PE file
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 56 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 34 IoCs
  • Suspicious use of FindShellTrayWindow 49 IoCs
  • Suspicious use of SendNotifyMessage 21 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:396
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4292
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1904
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 20.100.171.81 1337 XWIEUOzKz
        3⤵
          PID:384
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3584
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Enumerates system info in registry
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4524

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/384-141-0x0000000000400000-0x0000000000418000-memory.dmp

      Filesize

      96KB

      Download

    • memory/384-142-0x0000000005E10000-0x0000000005E76000-memory.dmp

      Filesize

      408KB

      Download

    • memory/384-143-0x00000000066D0000-0x0000000006720000-memory.dmp

      Filesize

      320KB

      Download

    • memory/396-132-0x00000000004F0000-0x000000000053C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/396-133-0x0000000005400000-0x00000000059A4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/396-134-0x0000000004EF0000-0x0000000004F82000-memory.dmp

      Filesize

      584KB

      Download

    • memory/396-135-0x0000000005080000-0x000000000508A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4292-137-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4292-138-0x0000000004FE0000-0x000000000507C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4524-160-0x000001DE12230000-0x000001DE12330000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/4524-239-0x000001DE13190000-0x000001DE13290000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/4524-154-0x000001DDFE290000-0x000001DDFE298000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4524-165-0x000001DE01780000-0x000001DE017A0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/4524-176-0x000001DE021F0000-0x000001DE02210000-memory.dmp

      Filesize

      128KB

      Download

    • memory/4524-234-0x000001DE0223B000-0x000001DE0223E000-memory.dmp

      Filesize

      12KB

      Download

    • memory/4524-235-0x000001DE0223B000-0x000001DE0223E000-memory.dmp

      Filesize

      12KB

      Download

    • memory/4524-236-0x000001DE0223B000-0x000001DE0223E000-memory.dmp

      Filesize

      12KB

      Download

    • memory/4524-237-0x000001DE0223B000-0x000001DE0223E000-memory.dmp

      Filesize

      12KB

      Download

    • memory/4524-157-0x000001DE02170000-0x000001DE02190000-memory.dmp

      Filesize

      128KB

      Download

    • memory/4524-240-0x000001DE13190000-0x000001DE13290000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/4524-248-0x000001DE02230000-0x000001DE02234000-memory.dmp

      Filesize

      16KB

      Download

    • memory/4524-247-0x000001DE02230000-0x000001DE02234000-memory.dmp

      Filesize

      16KB

      Download

    • memory/4524-246-0x000001DE02230000-0x000001DE02234000-memory.dmp

      Filesize

      16KB

      Download

    • memory/4524-245-0x000001DE02230000-0x000001DE02234000-memory.dmp

      Filesize

      16KB

      Download

    • memory/4524-244-0x000001DE02230000-0x000001DE02234000-memory.dmp

      Filesize

      16KB

      Download

    • memory/4524-252-0x000001DE02234000-0x000001DE02237000-memory.dmp

      Filesize

      12KB

      Download

    • memory/4524-253-0x000001DE02234000-0x000001DE02237000-memory.dmp

      Filesize

      12KB

      Download

    • memory/4524-251-0x000001DE02234000-0x000001DE02237000-memory.dmp

      Filesize

      12KB

      Download