Analysis Overview
SHA256
6da2463344288a1cf81824cd298a9b0174d4047338e3aee709f571778a36975e
Threat Level: Known bad
The file script1.ps1 was found to be: Known bad.
Malicious Activity Summary
ArrowRat
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-06-07 08:22
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-06-07 08:22
Reported
2023-06-07 08:24
Platform
win7-20230220-en
Max time kernel
31s
Max time network
33s
Command Line
Signatures
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume1\Users\strial_tenant\Downloads\script1.ps1
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Unlimited\ISO\Binnot.vbs"
C:\Windows\System32\cmd.exe
cmd /c ""C:\ProgramData\Unlimited\ISO\Binnot.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Unlimited\ISO\Binnot.ps1
Network
Files
C:\ProgramData\Unlimited\ISO\Binnot.vbs
| MD5 | 8444901b66d6f83f3a684f1b44646868 |
| SHA1 | 69c9c40aef3734959b4ce5f07005bf13c07646f9 |
| SHA256 | cfeaafc87ceec9986f37f6a42ecfa39260f98c951404df95da5e074141add5da |
| SHA512 | 7493b0d40c9c914c8968b42752b1d14d415e7bccff07f9bf2ab976d77517e12a456f142ee786527c4e536fab3e4156b21ce353f51f5925bbc405937ad7929bbb |
C:\ProgramData\Unlimited\ISO\Binnot.bat
| MD5 | f1d747a7825a5db756d428a5254d244e |
| SHA1 | 7db56fe57492bd856c787cd2a836eff4f2ce5e01 |
| SHA256 | 5863b76caee43b2f1efdd2322f2e5731b1537d1deeb35e860cd75a8304fe4ddf |
| SHA512 | 4b1f63df96b8f9e2a381855974b2efab5bd48ae342b1e29a51661d0514ba6f8e62d23e3e58a9a9f978d39880ab03a9b9bf72ab52a546a965da20daa18c4d246d |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 82e15fd9b103646064e7f9312cf37164 |
| SHA1 | e09eac4c428b4885e005406770aa522f6cc00093 |
| SHA256 | d9b6a4c6bb1fe8b021fe606d974e9a1b3e428fb53c8588e527ec6fc94c1868bb |
| SHA512 | 66fefebd09139600fb781147d1e266091f158d37ca83900a0d88bb1c68bc09ee79e60f7f0b5a50580c59b18b4a172ed490b251eeb5210122e5e887166bb18b52 |
C:\ProgramData\Unlimited\ISO\Binnot.ps1
| MD5 | 58ef18971b1520648e0c6d67036251ff |
| SHA1 | 68bd1ee657ff233f6a1ee453914aaecdeb845284 |
| SHA256 | 226b14799e579e28954937fa3ffdb7d0e5dcd10360b35c329a7246a23be4b4b3 |
| SHA512 | 9b7f04aca4b3e2af5aafdc9ea30c1722722d668078bea8b0aaa2394d0cb50ac75716fb9173d4084bd5a9cfaa279bd94404b64c140532daa5b3bdd66842f332d2 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-06-07 08:22
Reported
2023-06-07 08:24
Platform
win10v2004-20230220-en
Max time kernel
150s
Max time network
120s
Command Line
Signatures
ArrowRat
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 760 set thread context of 4532 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume1\Users\strial_tenant\Downloads\script1.ps1
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\Unlimited\ISO\Binnot.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Unlimited\ISO\Binnot.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Unlimited\ISO\Binnot.ps1
C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\Unlimited\ISO\Unlimited.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Unlimited\ISO\Unlimited.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Unlimited\ISO\Unlimited.ps1
C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cluxrgei.olm.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\ProgramData\Unlimited\ISO\Binnot.vbs
| MD5 | 8444901b66d6f83f3a684f1b44646868 |
| SHA1 | 69c9c40aef3734959b4ce5f07005bf13c07646f9 |
| SHA256 | cfeaafc87ceec9986f37f6a42ecfa39260f98c951404df95da5e074141add5da |
| SHA512 | 7493b0d40c9c914c8968b42752b1d14d415e7bccff07f9bf2ab976d77517e12a456f142ee786527c4e536fab3e4156b21ce353f51f5925bbc405937ad7929bbb |
C:\ProgramData\Unlimited\ISO\Binnot.bat
| MD5 | f1d747a7825a5db756d428a5254d244e |
| SHA1 | 7db56fe57492bd856c787cd2a836eff4f2ce5e01 |
| SHA256 | 5863b76caee43b2f1efdd2322f2e5731b1537d1deeb35e860cd75a8304fe4ddf |
| SHA512 | 4b1f63df96b8f9e2a381855974b2efab5bd48ae342b1e29a51661d0514ba6f8e62d23e3e58a9a9f978d39880ab03a9b9bf72ab52a546a965da20daa18c4d246d |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 223bd4ae02766ddc32e6145fd1a29301 |
| SHA1 | 900cfd6526d7e33fb4039a1cc2790ea049bc2c5b |
| SHA256 | 1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e |
| SHA512 | 648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3003448ee73abf14d5c8011a37c40600 |
| SHA1 | b88e9cdbae2e27a25f0858fc0b6d79533fb160d8 |
| SHA256 | ae448d99735879ecee1dc3088c8f7553ebff461b96172d8f3cb5ff2fa2a12d4a |
| SHA512 | 0fe52614eec6d75a265ae380aaa1eb153bc35a1baae4d118637798575169d9dba5ad751efab5d7f5dbe9764bfb96e9ae76577a3487429a3383b5b08d5402fe3a |
C:\ProgramData\Unlimited\ISO\Binnot.ps1
| MD5 | 58ef18971b1520648e0c6d67036251ff |
| SHA1 | 68bd1ee657ff233f6a1ee453914aaecdeb845284 |
| SHA256 | 226b14799e579e28954937fa3ffdb7d0e5dcd10360b35c329a7246a23be4b4b3 |
| SHA512 | 9b7f04aca4b3e2af5aafdc9ea30c1722722d668078bea8b0aaa2394d0cb50ac75716fb9173d4084bd5a9cfaa279bd94404b64c140532daa5b3bdd66842f332d2 |
C:\ProgramData\Unlimited\ISO\Unlimited.vbs
| MD5 | c281573a4f6f6ac5b06f2e9436400093 |
| SHA1 | c2699e56b7c26ac9cdfe1f500b49151b69bd6ad8 |
| SHA256 | 3c312f2547fbc4a3ffe5c1b6d91c03494d7653fd758d886473f2ae6656de11f7 |
| SHA512 | 76aed1be4b48d2fc019c9136eb74b3a96b56b89c74cb3b3347f8eefc592fee24a2a94ea3babd4b394080c7663864781c89afe761e59f8d65aed147d1ed422026 |
C:\ProgramData\Unlimited\ISO\Unlimited.bat
| MD5 | eff64d56c40c54a1f9891d7a6ad54899 |
| SHA1 | dbaf9a4aeb8484690d6118155d59158598f0799a |
| SHA256 | c846b192c5dc974c6d63024a06d4c31b2f7c8baa61af133e5b00009b68df86e2 |
| SHA512 | c89f82c7807b947e10f82740c01d5cb996e95c4a6e79375eee6b981d0ed911d31537e964d0cefef874c7e12f9f4baf237f0f9ed44de866abd3c8030a25b7cc83 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 62ba4ea474aa0661cb364833cd6f342e |
| SHA1 | bedea24ce0ef32bd8396e3b8f1fc6c2f27d49420 |
| SHA256 | 2c470425abe0953386b291a5539ce6530beb77d03743356c6606de1332dedad5 |
| SHA512 | b97f14afab17976e43fbb953bea4a1b1fb98f15efd9267fca7e67cf23ed53bdeb5b9b6d2e3b7fca7df858b9f1d154da62200d4819d2eeab39aa998352211f621 |
C:\ProgramData\Unlimited\ISO\Unlimited.ps1
| MD5 | e1bb0ce912e111d3b891de922e21a739 |
| SHA1 | 8ae8856cb82f3340b2b2b1a06b3123b549005549 |
| SHA256 | 5f79c8a3a6ff96ae8ccf96dfc486ae1f5e8edeabb663e6f90be89aeb727457cc |
| SHA512 | bbb85cb9160a52d1bf464b7b459caaf9f808407031c423790be65e820fc8cce39c99c6096110228e8a8b33ddf5bff75350cbda2f6b01fc500f5169a4142528bf |