Analysis
- max time kernel: 138s
- max time network: 35s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 20-06-2023 00:59
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20230220-en

Behavioral task: behavioral2
- Sample: file.exe
- Resource: win10v2004-20230220-en
General
- Target: file.exe
- Size: 158KB
- MD5: 1a6204ba18ed28ba84ae8a3299602bc8
- SHA1: ca32927f6e8d86e326fda075f096b16fae482c88
- SHA256: 90093c647c4ef8f612e3e470c93debfb667aaf39073cd503cd670c6355dc474a
- SHA512: 375d332c572066e9296b8f87a0bf62309db02f6f82dc91c300099e3d7e3a004a9987b88c58ff1114fcf6588d960ef41b296eaed69db1a5cc0b8b78c7f546641c
- SSDEEP: 3072:gbzZDH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPjSO8Y:gbzZDe0ODhTEPgnjuIJzo+PPcfPjN8
Malware Config
- Extracted: arrowrat
- Client: 3.142.167.4:14894
- LFqZKjDAo
Signatures

- Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  Processes: explorer.exe
  - Key created: \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Active Setup\Installed Components (explorer.exe)

- Modifies registry class (5 IoCs)
  Processes: explorer.exe
  - Key created: \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell (explorer.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (explorer.exe)
  - Set value (data): \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (explorer.exe)
  - Set value (data): \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (explorer.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_Classes\Local Settings (explorer.exe)

- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  Processes: file.exe
  - PID 1780 file.exe (11 events)

- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Processes: file.exe, explorer.exe, AUDIODG.EXE
  - Token: SeDebugPrivilege, PID 1780 file.exe (1 event)
  - Token: SeShutdownPrivilege, PID 1256 explorer.exe (11 events)
  - Token: 33, PID 1804 AUDIODG.EXE (2 events)
  - Token: SeIncBasePriorityPrivilege, PID 1804 AUDIODG.EXE (2 events)

- Suspicious use of FindShellTrayWindow (27 IoCs)
  Processes: explorer.exe
  - PID 1256 explorer.exe (27 events)

- Suspicious use of SendNotifyMessage (17 IoCs)
  Processes: explorer.exe
  - PID 1256 explorer.exe (17 events)

- Suspicious use of WriteProcessMemory (46 IoCs)
  Processes: file.exe, explorer.exe
  - PID 1780 file.exe wrote to memory of PID 1256 explorer.exe (3 events)
  - PID 1780 file.exe wrote to memory of PID 1680 cvtres.exe (4 events)
  - PID 1780 file.exe wrote to memory of PID 2024 cvtres.exe (4 events)
  - PID 1780 file.exe wrote to memory of PID 1900 cvtres.exe (4 events)
  - PID 1780 file.exe wrote to memory of PID 676 cvtres.exe (4 events)
  - PID 1780 file.exe wrote to memory of PID 1472 cvtres.exe (4 events)
  - PID 1780 file.exe wrote to memory of PID 1496 cvtres.exe (4 events)
  - PID 1780 file.exe wrote to memory of PID 584 cvtres.exe (4 events)
  - PID 1780 file.exe wrote to memory of PID 548 cvtres.exe (4 events)
  - PID 1780 file.exe wrote to memory of PID 884 cvtres.exe (4 events)
  - PID 1780 file.exe wrote to memory of PID 1072 cvtres.exe (4 events)
  - PID 1256 explorer.exe wrote to memory of PID 1540 ctfmon.exe (3 events)

- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\file.exe (PID 1780)
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\explorer.exe (PID 1256, child of 1780)
    Command line: "C:\Windows\explorer.exe"
    - Modifies Installed Components in the registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\ctfmon.exe (PID 1540, child of 1256)
      Command line: ctfmon.exe

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 1680, child of 1780)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 3.142.167.4 14894 LFqZKjDAo

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 2024, child of 1780)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 3.142.167.4 14894 LFqZKjDAo

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 676, child of 1780)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 3.142.167.4 14894 LFqZKjDAo

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 1496, child of 1780)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 3.142.167.4 14894 LFqZKjDAo

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 548, child of 1780)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 3.142.167.4 14894 LFqZKjDAo

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 884, child of 1780)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 3.142.167.4 14894 LFqZKjDAo

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 1072, child of 1780)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 3.142.167.4 14894 LFqZKjDAo

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 584, child of 1780)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 3.142.167.4 14894 LFqZKjDAo

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 1472, child of 1780)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 3.142.167.4 14894 LFqZKjDAo

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 1900, child of 1780)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 3.142.167.4 14894 LFqZKjDAo

- C:\Windows\system32\AUDIODG.EXE (PID 1804)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x520
  - Suspicious use of AdjustPrivilegeToken