arrowrat | d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2

General

Target

d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe
Size

409KB
MD5

3aca4d9a22354045ff6fdcd0e666c585
SHA1

66f89e387b82cdba9f33c9120bd9062ec49626b1
SHA256

d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2
SHA512

49e58b10b708a0e6c50c93d54b0c3ee20afb2f04ccbde3879964bc134e7acf5deaeb3a3ed49db2b295f5eb63b9cc36f4dda91523ad9004a4a2f9d75dd1311b9c
SSDEEP

12288:s2oYr2iNix8e9TUUncNqJ8F2DbboP6252WjQYT:s2oYr1kxf9TUU1i4Hk64djt

Score

10^/10

arrowrat cscxmg evasion persistence rat

Malware Config

Extracted

Family

arrowrat

Botnet

CSCXMG

C2

185.143.223.73:1338

Mutex

584MAK

Signatures

ArrowRat
Remote access tool with various capabilities first seen in late 2021.
rat arrowrat

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1416 set thread context of 1092	1416	d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe	27
PID 1092 set thread context of 1940	1092	d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe	30

Modifies registry class 5 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1092	d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1092	d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe
Token: SeShutdownPrivilege	1692	explorer.exe
Token: SeShutdownPrivilege	1692	explorer.exe
Token: SeShutdownPrivilege	1692	explorer.exe
Token: SeShutdownPrivilege	1692	explorer.exe
Token: SeShutdownPrivilege	1692	explorer.exe
Token: SeShutdownPrivilege	1692	explorer.exe
Token: SeShutdownPrivilege	1692	explorer.exe
Token: SeShutdownPrivilege	1692	explorer.exe
Token: 33	1696	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1696	AUDIODG.EXE
Token: 33	1696	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1696	AUDIODG.EXE
Token: SeShutdownPrivilege	1692	explorer.exe
Token: SeShutdownPrivilege	1692	explorer.exe
Token: SeShutdownPrivilege	1692	explorer.exe

Suspicious use of FindShellTrayWindow 23 IoCs

pid	Process
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe
1692	explorer.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 1092	1416	d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe	27
PID 1416 wrote to memory of 1092	1416	d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe	27
PID 1416 wrote to memory of 1092	1416	d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe	27
PID 1416 wrote to memory of 1092	1416	d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe	27
PID 1416 wrote to memory of 1092	1416	d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe	27
PID 1416 wrote to memory of 1092	1416	d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe	27
PID 1416 wrote to memory of 1092	1416	d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe	27
PID 1416 wrote to memory of 1092	1416	d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe	27
PID 1416 wrote to memory of 1092	1416	d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe	27
PID 1092 wrote to memory of 1692	1092	d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe	28
PID 1092 wrote to memory of 1692	1092	d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe	28
PID 1092 wrote to memory of 1692	1092	d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe	28
PID 1092 wrote to memory of 1692	1092	d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe	28
PID 1692 wrote to memory of 820	1692	explorer.exe	29
PID 1692 wrote to memory of 820	1692	explorer.exe	29
PID 1692 wrote to memory of 820	1692	explorer.exe	29
PID 1092 wrote to memory of 1940	1092	d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe	30
PID 1092 wrote to memory of 1940	1092	d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe	30
PID 1092 wrote to memory of 1940	1092	d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe	30
PID 1092 wrote to memory of 1940	1092	d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe	30
PID 1092 wrote to memory of 1940	1092	d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe	30
PID 1092 wrote to memory of 1940	1092	d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe	30
PID 1092 wrote to memory of 1940	1092	d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe	30
PID 1092 wrote to memory of 1940	1092	d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe	30
PID 1092 wrote to memory of 1940	1092	d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe	30

C:\Users\Admin\AppData\Local\Temp\d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe
"C:\Users\Admin\AppData\Local\Temp\d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Users\Admin\AppData\Local\Temp\d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe
  "{path}"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Modifies Installed Components in the registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Windows\system32\ctfmon.exe
      ctfmon.exe
      4⤵
      PID:820
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" CSCXMG 185.143.223.73 1338 584MAK
    3⤵
    PID:1940

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x55c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1092-67-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1092-69-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1092-63-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1092-59-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1092-60-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1092-62-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1092-64-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1416-54-0x0000000000FE0000-0x000000000104C000-memory.dmp

Filesize
432KB

Download
memory/1416-57-0x0000000004D00000-0x0000000004D6E000-memory.dmp

Filesize
440KB

Download
memory/1416-56-0x00000000003A0000-0x00000000003AA000-memory.dmp

Filesize
40KB

Download
memory/1416-58-0x0000000000B30000-0x0000000000B5A000-memory.dmp

Filesize
168KB

Download
memory/1416-55-0x0000000075E81000-0x0000000075E83000-memory.dmp

Filesize
8KB

Download
memory/1692-72-0x000007FEFB9F1000-0x000007FEFB9F3000-memory.dmp

Filesize
8KB

Download
memory/1940-82-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1940-75-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1940-77-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1940-78-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1940-79-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1940-84-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1940-74-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads