Resubmissions
27-07-2024 01:26
240727-btjhqs1bqc 321-02-2023 10:55
230221-m1mdragd5y 121-02-2023 10:48
230221-mwehcaee59 10Analysis
-
max time kernel
234s -
max time network
244s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
21-02-2023 10:48
General
-
Target
PandorahVNC.exe
-
Size
121.7MB
-
MD5
7e0c8dba7497c6c4239531073a04628e
-
SHA1
d82c10b1ed2527f971b2c63e75c15a6b746119b0
-
SHA256
100dc0db633b1dea1a0c5012f2364ff0d201ff203de1ea3820f432fc51751652
-
SHA512
e8e79732885f4f38c15fe1e78e740b0678de64c5b8875f590678eca8229190ab84be04724f934037a8837238431c1c0b5809eebdc5e0ee8eb610be012996b722
-
SSDEEP
3145728:Rlhah9cOLbrHMevdE5x89uYrM0cqgW05zaWPP:p09cOnrBdE5x50ce0
Malware Config
Extracted
arrowrat
Client
10.127.0.177:1337
dDfknvgAH
Signatures
-
ArrowRat
Remote access tool with various capabilities first seen in late 2021.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 35 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 8 IoCs
-
Suspicious use of SendNotifyMessage 4 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe"C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Temp2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
28KB
MD5ee6fe9d2eec3e7c24e47a243b6ef0bd8
SHA19f4da1d3fb08fe871bad36bdfcb88f01d8e3daaf
SHA256274b12d01a916d7c10beca3448f443868624cf121b5e68a7340fe4c280aa2420
SHA51266f84b8c75c094e1f40790614f7a50241bbe0c4bc9d58dfc6248f846cc902fa6fa1813512b195f62a3fdd8a1c60933a8317ebc90df79357b11605d1580087838
-
Filesize
157KB
MD54d764fab01ffda078259455f763562d9
SHA1c5907abdff385d62df8d37a21158c4b4bb485014
SHA25698f1b39676315d8f6797305d49444be82ccc2c935007dd97b20282cb804d3b6a
SHA512c38b30a615d20f7d5c2220b8dd45e608b55a89ee4d40f5a32e16c2ea376c2b6c767d1c660f388b8f985eaab020fdeeae1a2bb18474dc32ee31870c2d6899b67a
-
Filesize
224KB
-
Filesize
128KB
-
Filesize
584KB
-
Filesize
240KB
-
Filesize
40KB
-
Filesize
184KB
-
Filesize
16.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
680KB
-
Filesize
624KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
5.6MB
-
Filesize
72KB