Analysis
-
max time kernel
1799s -
max time network
1806s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
-
submitted
18-07-2023 10:52
General
-
Target
ClientH.exe
-
Size
90KB
-
MD5
5ac5cf4a09a5c6dfd82669a0e24f675d
-
SHA1
4f0993bfd2245da594000bb7c2d2bd7d02b60d53
-
SHA256
6136b0b9b28b52962f090cdf34ac650c4b184f3a65e863e2051cdc1219aff051
-
SHA512
e0317cf9a5a495f5e90a88f4a96517626a30c016b7374db41bc79a8bcb0920fcf7691ca3cf48c712b8bc2db075d734ca7cacc771e8f604297600187afe314d3f
-
SSDEEP
1536:dbRiQMB57SK3bUzZdQ1iIMvnZlbLxjV3AGq5gWlocT1wzySsd9NJ33a:dbRO57SKsstcnZTJQDgWPaySsdH5K
Malware Config
Extracted
arrowrat
VenomHVNC
wasted9sss1-57562.portmap.host:57562
uSzDNutNI.exe
Signatures
-
ArrowRat
Remote access tool with various capabilities first seen in late 2021.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Modifies registry class 5 IoCs
-
Runs .reg file with regedit 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
-
Suspicious use of FindShellTrayWindow 39 IoCs
-
Suspicious use of SendNotifyMessage 28 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ClientH.exe"C:\Users\Admin\AppData\Local\Temp\ClientH.exe"1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\ctfmon.exectfmon.exe3⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC wasted9sss1-57562.portmap.host 57562 uSzDNutNI.exe2⤵
-
-
C:\Windows\regedit.exe"regedit.exe" "C:\Users\Admin\Desktop\DenyRestart.reg"1⤵
- Runs .reg file with regedit
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\TraceMount.aiff"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
112KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
992KB
-
Filesize
208KB
-
Filesize
2.7MB
-
Filesize
96KB
-
Filesize
92KB
-
Filesize
68KB
-
Filesize
92KB
-
Filesize
68KB
-
Filesize
116KB
-
Filesize
68KB
-
Filesize
2.0MB
-
Filesize
16.7MB
-
Filesize
252KB
-
Filesize
132KB
-
Filesize
96KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
108KB
-
Filesize
68KB
-
Filesize
96KB
-
Filesize
192KB
-
Filesize
412KB
-
Filesize
444KB
-
Filesize
68KB
-
Filesize
344KB
-
Filesize
160KB
-
Filesize
144KB
-
Filesize
92KB
-
Filesize
140KB
-
Filesize
68KB
-
Filesize
72KB
-
Filesize
132KB
-
Filesize
76KB
-
Filesize
72KB
-
Filesize
1.2MB
-
Filesize
176KB
-
Filesize
1.7MB
-
Filesize
368KB
-
Filesize
68KB
-
Filesize
604KB
-
Filesize
72KB
-
Filesize
2.2MB
-
Filesize
1.1MB
-
Filesize
212KB
-
Filesize
148KB
-
Filesize
68KB
-
Filesize
388KB
-
Filesize
68KB
-
Filesize
72KB
-
Filesize
76KB
-
Filesize
636KB
-
Filesize
68KB