Overview

overview

10

Static

static

10

Client.exe

windows7-x64

10

Client.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    62s
  • max time network
    67s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-08-2023 19:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client.exe

  • Size

    158KB

  • MD5

    c7c699eb8695a564fe0b400b1bf138ba

  • SHA1

    52e3be4428c5c2b42d64ba9bcc584472391157c5

  • SHA256

    0351128bc2273d12ca8042b029f9081c9205e2adad3a12f70a5696d23a6a036e

  • SHA512

    94c24a31cbf13d96fa0922769faa7210f0994dba80886591401b722808009301dee2ae9a0ff0386381f26e93f9e88713c0c3a3d73b4e3908b04094dfa6d97ba4

  • SSDEEP

    3072:TbzWH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPfOO8Y:TbzWe0ODhTEPgnjuIJzo+PPcfPfB8

Score
10/10
arrowratclientpersistencerat

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

147.185.221.16:24073

Mutex

GoeUqgRRx

Signatures

  • ArrowRat

    Remote access tool with various capabilities first seen in late 2021.

    ratarrowrat
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 31 IoCs
  • Suspicious use of FindShellTrayWindow 48 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2456
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2776
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 147.185.221.16 24073 GoeUqgRRx
      2⤵
        PID:496
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3440
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3216
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 3216 -s 3912
        2⤵
        • Program crash
        PID:5008
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -pss -s 428 -p 3216 -ip 3216
      1⤵
        PID:4100
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3692
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 3692 -s 3936
          2⤵
          • Program crash
          PID:3288
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -pss -s 520 -p 3692 -ip 3692
        1⤵
          PID:3860
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:368
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 368 -s 3524
            2⤵
            • Program crash
            PID:1756
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -pss -s 528 -p 368 -ip 368
          1⤵
            PID:1860
          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
            1⤵
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            PID:3016
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -u -p 3016 -s 3596
              2⤵
              • Program crash
              PID:1328
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -pss -s 544 -p 3016 -ip 3016
            1⤵
              PID:548
            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
              1⤵
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              PID:4468
              • C:\Windows\system32\WerFault.exe
                C:\Windows\system32\WerFault.exe -u -p 4468 -s 3500
                2⤵
                • Program crash
                PID:3280
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -pss -s 520 -p 4468 -ip 4468
              1⤵
                PID:5072

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml
                Filesize

                97B

                MD5

                bc0c3d8c7fd2d9e4c1cac28f314c2f28

                SHA1

                413955a43a3b93b642d86cc9eaea2068044dff26

                SHA256

                7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

                SHA512

                88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

                Download Submit

              • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml
                Filesize

                97B

                MD5

                bc0c3d8c7fd2d9e4c1cac28f314c2f28

                SHA1

                413955a43a3b93b642d86cc9eaea2068044dff26

                SHA256

                7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

                SHA512

                88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

                Download Submit

              • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml
                Filesize

                97B

                MD5

                bc0c3d8c7fd2d9e4c1cac28f314c2f28

                SHA1

                413955a43a3b93b642d86cc9eaea2068044dff26

                SHA256

                7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

                SHA512

                88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

                Download Submit

              • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml
                Filesize

                97B

                MD5

                bc0c3d8c7fd2d9e4c1cac28f314c2f28

                SHA1

                413955a43a3b93b642d86cc9eaea2068044dff26

                SHA256

                7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

                SHA512

                88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

                Download Submit

              • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\30S018WW\microsoft.windows[1].xml
                Filesize

                97B

                MD5

                bc0c3d8c7fd2d9e4c1cac28f314c2f28

                SHA1

                413955a43a3b93b642d86cc9eaea2068044dff26

                SHA256

                7844128387d5a78488ec57155f5a3ceb3beb4a2925d13dc715b911bc1353a225

                SHA512

                88dc028bdf120f442c380d13f4f3ea8800833ea276e37f8a6266603b3529ab149a4d353cf9de899e35e95bf0553dc689c44da1f14246167fcfe144c0f66d270f

                Download Submit

              • C:\Users\Admin\AppData\Roaming\temp0923
                Filesize

                10B

                MD5

                c4d508d49bf681a43bbf64dece3eabbc

                SHA1

                bdc6d482547c61214d5a8aa1766bf2bcdc86f57b

                SHA256

                d4a00118b028bb2978d027b69f72ecb515ca01bbe3c18d8f37ca10a2e2a2bc1b

                SHA512

                b14d68da21c74b1689b849dff08b364dfd0bf08599b612a27bb55e16f0d546795d75891807e76313c2e35f36230a63b146561c49920d2211817fdde3ff54ceed

                Download Submit

              • memory/368-204-0x000001C698870000-0x000001C698890000-memory.dmp

                Filesize

                128KB

                Download

              • memory/368-207-0x000001C698C80000-0x000001C698CA0000-memory.dmp

                Filesize

                128KB

                Download

              • memory/368-203-0x000001C6988B0000-0x000001C6988D0000-memory.dmp

                Filesize

                128KB

                Download

              • memory/496-142-0x0000000005750000-0x00000000057B6000-memory.dmp

                Filesize

                408KB

                Download

              • memory/496-190-0x0000000074AF0000-0x00000000752A0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/496-134-0x0000000000400000-0x0000000000418000-memory.dmp

                Filesize

                96KB

                Download

              • memory/496-137-0x0000000074AF0000-0x00000000752A0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/496-138-0x0000000004EA0000-0x0000000004F32000-memory.dmp

                Filesize

                584KB

                Download

              • memory/496-139-0x0000000004F40000-0x0000000004FDC000-memory.dmp

                Filesize

                624KB

                Download

              • memory/496-140-0x0000000005110000-0x0000000005120000-memory.dmp

                Filesize

                64KB

                Download

              • memory/496-145-0x0000000005FD0000-0x0000000006020000-memory.dmp

                Filesize

                320KB

                Download

              • memory/496-194-0x0000000005110000-0x0000000005120000-memory.dmp

                Filesize

                64KB

                Download

              • memory/496-141-0x00000000057D0000-0x0000000005D74000-memory.dmp

                Filesize

                5.6MB

                Download

              • memory/2456-174-0x000001EB35370000-0x000001EB35380000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2456-136-0x000001EB35370000-0x000001EB35380000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2456-135-0x00007FFEF5780000-0x00007FFEF6241000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/2456-172-0x00007FFEF5780000-0x00007FFEF6241000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/2456-133-0x000001EB34F00000-0x000001EB34F2E000-memory.dmp

                Filesize

                184KB

                Download

              • memory/2776-150-0x0000000002E80000-0x0000000002E81000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3016-225-0x000001CACE5D0000-0x000001CACE5F0000-memory.dmp

                Filesize

                128KB

                Download

              • memory/3016-227-0x000001CACE590000-0x000001CACE5B0000-memory.dmp

                Filesize

                128KB

                Download

              • memory/3016-230-0x000001CACE9A0000-0x000001CACE9C0000-memory.dmp

                Filesize

                128KB

                Download

              • memory/3216-159-0x00000226CC830000-0x00000226CC850000-memory.dmp

                Filesize

                128KB

                Download

              • memory/3216-157-0x00000226CC870000-0x00000226CC890000-memory.dmp

                Filesize

                128KB

                Download

              • memory/3216-163-0x00000226CCC40000-0x00000226CCC60000-memory.dmp

                Filesize

                128KB

                Download

              • memory/3692-187-0x0000021C44020000-0x0000021C44040000-memory.dmp

                Filesize

                128KB

                Download

              • memory/3692-185-0x0000021C43C20000-0x0000021C43C40000-memory.dmp

                Filesize

                128KB

                Download

              • memory/3692-182-0x0000021C43C60000-0x0000021C43C80000-memory.dmp

                Filesize

                128KB

                Download

              • memory/4468-248-0x000002042C640000-0x000002042C660000-memory.dmp

                Filesize

                128KB

                Download

              • memory/4468-250-0x000002042C600000-0x000002042C620000-memory.dmp

                Filesize

                128KB

                Download

              • memory/4468-255-0x000002042CA10000-0x000002042CA30000-memory.dmp

                Filesize

                128KB

                Download