Overview

overview

10

Static

static

10

vnm/7z.exe

windows10-2004-x64

1

vnm/Plugin...er.exe

windows10-2004-x64

1

vnm/Stub/Client.exe

windows10-2004-x64

10

vnm/Stub/client.exe

windows10-2004-x64

10

vnm/VenomRAT_HVNC.exe

windows10-2004-x64

10

vnm/client.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    19s
  • max time network
    36s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-07-2023 18:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    vnm/client.exe

  • Size

    144KB

  • MD5

    f4fdcb900e7af47100ac9e46945fbd55

  • SHA1

    c1d235a9a2cae8d5a8d4f6ceb4eab9417e1b1fb2

  • SHA256

    9160b90fa4a6a9cf22f943dba92cec64e2dc03c2317b5d9ab50a753fc410ce43

  • SHA512

    236eef98d4695a5e1224a87a1dc598639e5c49f6dd192a96cc1b9f8305faa57078deb62d73906a33ba1c1fac4fa5ccc5f344a0f196dbba718b76a36667984ac2

  • SSDEEP

    3072:Bsp9iv+DYM5ob0HGNSKsstcnZTJQDgWPaySsdH5boWz:Op9iTMSb0mgKFcQjhdH

Score
10/10
arrowratasyncrat%group%persistencerat

Malware Config

Extracted

Family

arrowrat

Botnet

%Group%

C2

%Hosts%:%Ports%

Mutex

%MTX%

Signatures

  • ArrowRat

    Remote access tool with various capabilities first seen in late 2021.

    ratarrowrat
  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 5 IoCs
  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of FindShellTrayWindow 48 IoCs
  • Suspicious use of SendNotifyMessage 22 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\vnm\client.exe
    "C:\Users\Admin\AppData\Local\Temp\vnm\client.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2284
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2840
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" %Group% %Hosts% %Ports% %MTX%
      2⤵
        PID:3024
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3544
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4996
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 4996 -s 3880
        2⤵
        • Program crash
        PID:1216
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -pss -s 428 -p 4996 -ip 4996
      1⤵
        PID:5008
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:4060
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 4060 -s 3624
          2⤵
          • Program crash
          PID:3140
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -pss -s 488 -p 4060 -ip 4060
        1⤵
          PID:748
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:1484
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 1484 -s 3984
            2⤵
            • Program crash
            PID:1008
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -pss -s 524 -p 1484 -ip 1484
          1⤵
            PID:936
          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
            1⤵
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            PID:3828
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -u -p 3828 -s 3564
              2⤵
              • Program crash
              PID:3656
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -pss -s 524 -p 3828 -ip 3828
            1⤵
              PID:3620
            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
              1⤵
                PID:4612
                • C:\Windows\system32\WerFault.exe
                  C:\Windows\system32\WerFault.exe -u -p 4612 -s 3544
                  2⤵
                  • Program crash
                  PID:1700
              • C:\Windows\system32\WerFault.exe
                C:\Windows\system32\WerFault.exe -pss -s 536 -p 4612 -ip 4612
                1⤵
                  PID:4640

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml
                  Filesize

                  97B

                  MD5

                  6b3c7df657dac84939df4efdd1a1c4c1

                  SHA1

                  570cdd50e12f70ec5ee6e6da38f88f6eb7682733

                  SHA256

                  2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

                  SHA512

                  79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

                  Download Submit

                • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133352171572366959.txt
                  Filesize

                  75KB

                  MD5

                  22f39923e2942e5a02c3a5f91cefd45b

                  SHA1

                  c33909cb5ae1ad55b18b38b6aedf79c5a2216e13

                  SHA256

                  66457d8ac009ef25f44e676156bc058db582b2a3b431e2589435bb27477328c6

                  SHA512

                  17a2afe32e74150e58080055f3e67d3d4892828d9df28905a0e67227055b61eeab2a4764acf0b701bc481568fac2ccb889b326379319723fae838f8ce09e94fd

                  Download Submit

                • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133352171572366959.txt
                  Filesize

                  75KB

                  MD5

                  22f39923e2942e5a02c3a5f91cefd45b

                  SHA1

                  c33909cb5ae1ad55b18b38b6aedf79c5a2216e13

                  SHA256

                  66457d8ac009ef25f44e676156bc058db582b2a3b431e2589435bb27477328c6

                  SHA512

                  17a2afe32e74150e58080055f3e67d3d4892828d9df28905a0e67227055b61eeab2a4764acf0b701bc481568fac2ccb889b326379319723fae838f8ce09e94fd

                  Download Submit

                • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml
                  Filesize

                  97B

                  MD5

                  6b3c7df657dac84939df4efdd1a1c4c1

                  SHA1

                  570cdd50e12f70ec5ee6e6da38f88f6eb7682733

                  SHA256

                  2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

                  SHA512

                  79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

                  Download Submit

                • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml
                  Filesize

                  97B

                  MD5

                  6b3c7df657dac84939df4efdd1a1c4c1

                  SHA1

                  570cdd50e12f70ec5ee6e6da38f88f6eb7682733

                  SHA256

                  2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

                  SHA512

                  79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

                  Download Submit

                • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml
                  Filesize

                  97B

                  MD5

                  6b3c7df657dac84939df4efdd1a1c4c1

                  SHA1

                  570cdd50e12f70ec5ee6e6da38f88f6eb7682733

                  SHA256

                  2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

                  SHA512

                  79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

                  Download Submit

                • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml
                  Filesize

                  97B

                  MD5

                  6b3c7df657dac84939df4efdd1a1c4c1

                  SHA1

                  570cdd50e12f70ec5ee6e6da38f88f6eb7682733

                  SHA256

                  2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

                  SHA512

                  79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

                  Download Submit

                • memory/1484-209-0x000001DD36060000-0x000001DD36080000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/1484-211-0x000001DD36020000-0x000001DD36040000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/1484-213-0x000001DD36430000-0x000001DD36450000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/2284-133-0x0000028C87680000-0x0000028C876AA000-memory.dmp

                  Filesize

                  168KB

                  Download

                • memory/2284-137-0x00007FF93F950000-0x00007FF940411000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/2284-135-0x00007FF93F950000-0x00007FF940411000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/2840-145-0x00000000037C0000-0x00000000037C1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3024-142-0x0000000005E30000-0x00000000063D4000-memory.dmp

                  Filesize

                  5.6MB

                  Download

                • memory/3024-144-0x0000000074940000-0x00000000750F0000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/3024-134-0x0000000000400000-0x0000000000410000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/3024-138-0x0000000074940000-0x00000000750F0000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/3024-139-0x00000000055F0000-0x0000000005682000-memory.dmp

                  Filesize

                  584KB

                  Download

                • memory/3024-140-0x0000000005690000-0x000000000572C000-memory.dmp

                  Filesize

                  624KB

                  Download

                • memory/3024-141-0x0000000005870000-0x0000000005880000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/3828-233-0x0000021617700000-0x0000021617720000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/3828-231-0x0000021617740000-0x0000021617760000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/3828-236-0x0000021617B10000-0x0000021617B30000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/4060-175-0x0000021C1FE00000-0x0000021C1FE20000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/4060-173-0x0000021C1FE40000-0x0000021C1FE60000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/4060-177-0x0000021C20210000-0x0000021C20230000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/4612-252-0x000001C8C1F10000-0x000001C8C1F30000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/4612-255-0x000001C8C1ED0000-0x000001C8C1EF0000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/4612-259-0x000001D0C3520000-0x000001D0C3540000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/4996-152-0x0000027747E70000-0x0000027747E90000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/4996-155-0x0000027747E30000-0x0000027747E50000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/4996-157-0x0000027F49280000-0x0000027F492A0000-memory.dmp

                  Filesize

                  128KB

                  Download