arrowrat | 6da2463344288a1cf81824cd298a9b0174d4047338e3aee709f571778a36975e

Analysis

max time kernel
150s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-06-2023 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Device/HarddiskVolume1/Users/strial_tenant/Downloads/script1.ps1
Size

457KB
MD5

6cf32568a97a0cb8fe75acbe6cac8db2
SHA1

80e1d3113e12220910c5419abfa35aeaa7f3a0b1
SHA256

e34d98ea875e0ba6842ad296ebf6ea8fc908c6988fe50d7bf5cbb86787d73171
SHA512

5571adfcb274c58acae6b2dd629efe470fed23c3732507f15a46d5b00a99f186f922a0797ef1ccd0de8d5b7681f305521d1edebf990726bbf5fa5a8b464b0ddb
SSDEEP

6144:UVDFV/A8nNKmbcRTUufYbE6N4tDeaBfLo1sHsl9yS/M0HixBNqrpB92bMDsA4nxX:mnND98MDe

Score

10^/10

arrowrat client rat

Malware Config

Extracted

Family

arrowrat

Botnet

Client

185.252.178.121:1337

Mutex

qCDAaGyIF

Signatures

ArrowRat
Remote access tool with various capabilities first seen in late 2021.
rat arrowrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 760 set thread context of 4532	760	powershell.exe	118

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1908	powershell.exe
1908	powershell.exe
4880	powershell.exe
4880	powershell.exe
760	powershell.exe
760	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeIncreaseQuotaPrivilege	4880	powershell.exe
Token: SeSecurityPrivilege	4880	powershell.exe
Token: SeTakeOwnershipPrivilege	4880	powershell.exe
Token: SeLoadDriverPrivilege	4880	powershell.exe
Token: SeSystemProfilePrivilege	4880	powershell.exe
Token: SeSystemtimePrivilege	4880	powershell.exe
Token: SeProfSingleProcessPrivilege	4880	powershell.exe
Token: SeIncBasePriorityPrivilege	4880	powershell.exe
Token: SeCreatePagefilePrivilege	4880	powershell.exe
Token: SeBackupPrivilege	4880	powershell.exe
Token: SeRestorePrivilege	4880	powershell.exe
Token: SeShutdownPrivilege	4880	powershell.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeSystemEnvironmentPrivilege	4880	powershell.exe
Token: SeRemoteShutdownPrivilege	4880	powershell.exe
Token: SeUndockPrivilege	4880	powershell.exe
Token: SeManageVolumePrivilege	4880	powershell.exe
Token: 33	4880	powershell.exe
Token: 34	4880	powershell.exe
Token: 35	4880	powershell.exe
Token: 36	4880	powershell.exe
Token: SeIncreaseQuotaPrivilege	4880	powershell.exe
Token: SeSecurityPrivilege	4880	powershell.exe
Token: SeTakeOwnershipPrivilege	4880	powershell.exe
Token: SeLoadDriverPrivilege	4880	powershell.exe
Token: SeSystemProfilePrivilege	4880	powershell.exe
Token: SeSystemtimePrivilege	4880	powershell.exe
Token: SeProfSingleProcessPrivilege	4880	powershell.exe
Token: SeIncBasePriorityPrivilege	4880	powershell.exe
Token: SeCreatePagefilePrivilege	4880	powershell.exe
Token: SeBackupPrivilege	4880	powershell.exe
Token: SeRestorePrivilege	4880	powershell.exe
Token: SeShutdownPrivilege	4880	powershell.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeSystemEnvironmentPrivilege	4880	powershell.exe
Token: SeRemoteShutdownPrivilege	4880	powershell.exe
Token: SeUndockPrivilege	4880	powershell.exe
Token: SeManageVolumePrivilege	4880	powershell.exe
Token: 33	4880	powershell.exe
Token: 34	4880	powershell.exe
Token: 35	4880	powershell.exe
Token: 36	4880	powershell.exe
Token: SeIncreaseQuotaPrivilege	4880	powershell.exe
Token: SeSecurityPrivilege	4880	powershell.exe
Token: SeTakeOwnershipPrivilege	4880	powershell.exe
Token: SeLoadDriverPrivilege	4880	powershell.exe
Token: SeSystemProfilePrivilege	4880	powershell.exe
Token: SeSystemtimePrivilege	4880	powershell.exe
Token: SeProfSingleProcessPrivilege	4880	powershell.exe
Token: SeIncBasePriorityPrivilege	4880	powershell.exe
Token: SeCreatePagefilePrivilege	4880	powershell.exe
Token: SeBackupPrivilege	4880	powershell.exe
Token: SeRestorePrivilege	4880	powershell.exe
Token: SeShutdownPrivilege	4880	powershell.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeSystemEnvironmentPrivilege	4880	powershell.exe
Token: SeRemoteShutdownPrivilege	4880	powershell.exe
Token: SeUndockPrivilege	4880	powershell.exe
Token: SeManageVolumePrivilege	4880	powershell.exe
Token: 33	4880	powershell.exe
Token: 34	4880	powershell.exe
Token: 35	4880	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 4184	1908	powershell.exe	86
PID 1908 wrote to memory of 4184	1908	powershell.exe	86
PID 4184 wrote to memory of 228	4184	WScript.exe	87
PID 4184 wrote to memory of 228	4184	WScript.exe	87
PID 228 wrote to memory of 4880	228	cmd.exe	89
PID 228 wrote to memory of 4880	228	cmd.exe	89
PID 3712 wrote to memory of 4508	3712	WScript.exe	115
PID 3712 wrote to memory of 4508	3712	WScript.exe	115
PID 4508 wrote to memory of 760	4508	cmd.exe	117
PID 4508 wrote to memory of 760	4508	cmd.exe	117
PID 760 wrote to memory of 4532	760	powershell.exe	118
PID 760 wrote to memory of 4532	760	powershell.exe	118
PID 760 wrote to memory of 4532	760	powershell.exe	118
PID 760 wrote to memory of 4532	760	powershell.exe	118
PID 760 wrote to memory of 4532	760	powershell.exe	118
PID 760 wrote to memory of 4532	760	powershell.exe	118
PID 760 wrote to memory of 4532	760	powershell.exe	118
PID 760 wrote to memory of 4532	760	powershell.exe	118

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume1\Users\strial_tenant\Downloads\script1.ps1
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\Unlimited\ISO\Binnot.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Unlimited\ISO\Binnot.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:228
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Unlimited\ISO\Binnot.ps1
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4880

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\Unlimited\ISO\Unlimited.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Unlimited\ISO\Unlimited.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Unlimited\ISO\Unlimited.ps1
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:760
  - - C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      PID:4532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Unlimited\ISO\Binnot.bat

Filesize
96B

MD5
f1d747a7825a5db756d428a5254d244e

SHA1
7db56fe57492bd856c787cd2a836eff4f2ce5e01

SHA256
5863b76caee43b2f1efdd2322f2e5731b1537d1deeb35e860cd75a8304fe4ddf

SHA512
4b1f63df96b8f9e2a381855974b2efab5bd48ae342b1e29a51661d0514ba6f8e62d23e3e58a9a9f978d39880ab03a9b9bf72ab52a546a965da20daa18c4d246d

Download Submit
C:\ProgramData\Unlimited\ISO\Binnot.ps1

Filesize
781B

MD5
58ef18971b1520648e0c6d67036251ff

SHA1
68bd1ee657ff233f6a1ee453914aaecdeb845284

SHA256
226b14799e579e28954937fa3ffdb7d0e5dcd10360b35c329a7246a23be4b4b3

SHA512
9b7f04aca4b3e2af5aafdc9ea30c1722722d668078bea8b0aaa2394d0cb50ac75716fb9173d4084bd5a9cfaa279bd94404b64c140532daa5b3bdd66842f332d2

Download Submit
C:\ProgramData\Unlimited\ISO\Binnot.vbs

Filesize
204B

MD5
8444901b66d6f83f3a684f1b44646868

SHA1
69c9c40aef3734959b4ce5f07005bf13c07646f9

SHA256
cfeaafc87ceec9986f37f6a42ecfa39260f98c951404df95da5e074141add5da

SHA512
7493b0d40c9c914c8968b42752b1d14d415e7bccff07f9bf2ab976d77517e12a456f142ee786527c4e536fab3e4156b21ce353f51f5925bbc405937ad7929bbb

Download Submit
C:\ProgramData\Unlimited\ISO\Unlimited.bat

Filesize
99B

MD5
eff64d56c40c54a1f9891d7a6ad54899

SHA1
dbaf9a4aeb8484690d6118155d59158598f0799a

SHA256
c846b192c5dc974c6d63024a06d4c31b2f7c8baa61af133e5b00009b68df86e2

SHA512
c89f82c7807b947e10f82740c01d5cb996e95c4a6e79375eee6b981d0ed911d31537e964d0cefef874c7e12f9f4baf237f0f9ed44de866abd3c8030a25b7cc83

Download Submit
C:\ProgramData\Unlimited\ISO\Unlimited.ps1

Filesize
455KB

MD5
e1bb0ce912e111d3b891de922e21a739

SHA1
8ae8856cb82f3340b2b2b1a06b3123b549005549

SHA256
5f79c8a3a6ff96ae8ccf96dfc486ae1f5e8edeabb663e6f90be89aeb727457cc

SHA512
bbb85cb9160a52d1bf464b7b459caaf9f808407031c423790be65e820fc8cce39c99c6096110228e8a8b33ddf5bff75350cbda2f6b01fc500f5169a4142528bf

Download Submit
C:\ProgramData\Unlimited\ISO\Unlimited.vbs

Filesize
207B

MD5
c281573a4f6f6ac5b06f2e9436400093

SHA1
c2699e56b7c26ac9cdfe1f500b49151b69bd6ad8

SHA256
3c312f2547fbc4a3ffe5c1b6d91c03494d7653fd758d886473f2ae6656de11f7

SHA512
76aed1be4b48d2fc019c9136eb74b3a96b56b89c74cb3b3347f8eefc592fee24a2a94ea3babd4b394080c7663864781c89afe761e59f8d65aed147d1ed422026

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
223bd4ae02766ddc32e6145fd1a29301

SHA1
900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

SHA256
1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

SHA512
648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3003448ee73abf14d5c8011a37c40600

SHA1
b88e9cdbae2e27a25f0858fc0b6d79533fb160d8

SHA256
ae448d99735879ecee1dc3088c8f7553ebff461b96172d8f3cb5ff2fa2a12d4a

SHA512
0fe52614eec6d75a265ae380aaa1eb153bc35a1baae4d118637798575169d9dba5ad751efab5d7f5dbe9764bfb96e9ae76577a3487429a3383b5b08d5402fe3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
62ba4ea474aa0661cb364833cd6f342e

SHA1
bedea24ce0ef32bd8396e3b8f1fc6c2f27d49420

SHA256
2c470425abe0953386b291a5539ce6530beb77d03743356c6606de1332dedad5

SHA512
b97f14afab17976e43fbb953bea4a1b1fb98f15efd9267fca7e67cf23ed53bdeb5b9b6d2e3b7fca7df858b9f1d154da62200d4819d2eeab39aa998352211f621

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cluxrgei.olm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/760-191-0x0000018D13790000-0x0000018D137A0000-memory.dmp

Filesize
64KB

Download
memory/760-190-0x0000018D13790000-0x0000018D137A0000-memory.dmp

Filesize
64KB

Download
memory/760-189-0x0000018D13790000-0x0000018D137A0000-memory.dmp

Filesize
64KB

Download
memory/1908-138-0x0000028D1D6E0000-0x0000028D1D702000-memory.dmp

Filesize
136KB

Download
memory/1908-143-0x0000028D1CD20000-0x0000028D1CD30000-memory.dmp

Filesize
64KB

Download
memory/1908-156-0x0000028D1D710000-0x0000028D1D758000-memory.dmp

Filesize
288KB

Download
memory/1908-144-0x0000028D1CD20000-0x0000028D1CD30000-memory.dmp

Filesize
64KB

Download
memory/1908-145-0x0000028D1CD20000-0x0000028D1CD30000-memory.dmp

Filesize
64KB

Download
memory/4532-192-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4532-194-0x00000000058A0000-0x0000000005E44000-memory.dmp

Filesize
5.6MB

Download
memory/4880-174-0x000001E6D7AC0000-0x000001E6D7AD0000-memory.dmp

Filesize
64KB

Download
memory/4880-173-0x000001E6D7AC0000-0x000001E6D7AD0000-memory.dmp

Filesize
64KB

Download
memory/4880-172-0x000001E6D7AC0000-0x000001E6D7AD0000-memory.dmp

Filesize
64KB

Download
memory/4880-171-0x000001E6D7AC0000-0x000001E6D7AD0000-memory.dmp

Filesize
64KB

Download