General
-
Target
Cracked.exe
-
Size
2.4MB
-
Sample
230729-zfvkvafh4w
-
MD5
6eb284564aa7bd24f4f6df02ef05d185
-
SHA1
47f85ddc0b1a090d1852c37b2e2e1449e5b6db88
-
SHA256
2be002d8f440059579b6eec67e37a1272081daad1dc8e3f3800adf94620c7beb
-
SHA512
49e1a9584c74f32f9566d3c4ca31684c474ec260e50bd07b8d3c0a8ef3f3e70d10773952e5d219aa8c9076b86cddcefd242dfb91b507feeb06c5d69ba9e91179
-
SSDEEP
49152:Wm7ZuvKRXc8DJ2c2Xp95LBO1PJNNNQzgj7k/8E54IlDXRRtdQNH:D77P2XPOxJ9FcEq4IZXRRC
Static task
static1
Behavioral task
behavioral1
Sample
Cracked.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
Cracked.exe
Resource
win10v2004-20230703-en
Malware Config
Extracted
arrowrat
Client
line-ellis.gl.at.ply.gg:10735
nAChhjAnR
Targets
-
-
Target
Cracked.exe
-
Size
2.4MB
-
MD5
6eb284564aa7bd24f4f6df02ef05d185
-
SHA1
47f85ddc0b1a090d1852c37b2e2e1449e5b6db88
-
SHA256
2be002d8f440059579b6eec67e37a1272081daad1dc8e3f3800adf94620c7beb
-
SHA512
49e1a9584c74f32f9566d3c4ca31684c474ec260e50bd07b8d3c0a8ef3f3e70d10773952e5d219aa8c9076b86cddcefd242dfb91b507feeb06c5d69ba9e91179
-
SSDEEP
49152:Wm7ZuvKRXc8DJ2c2Xp95LBO1PJNNNQzgj7k/8E54IlDXRRtdQNH:D77P2XPOxJ9FcEq4IZXRRC
Score10/10-
Modifies WinLogon for persistence
-
Modifies Installed Components in the registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1