Overview

overview

10

Static

static

10

PandoraClient.exe

windows7-x64

10

PandoraClient.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-08-2023 22:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PandoraClient.exe

  • Size

    138KB

  • MD5

    4649bb4b0cb232966683c589150ff119

  • SHA1

    d2165c3988dc382fbf1bfec9828f323a9ac9282b

  • SHA256

    41940020b7778a380f4d0907d4a95a8afe2108b3df3f7f73d7847d069ff29dcc

  • SHA512

    72061b043678530ab19d6d3438c5cfe9e0d1b653899292191e11dc9bae1b70401ca053cc146d9bd3cdae60a28e8451c552f3b880651bfd7cd3531cb2e491d4f9

  • SSDEEP

    3072:qbvR5mz7Bqh1v59Y08mAjs0Ltel+qOeJHlpV8b+Y/Yn:qbv/S7BqjjYHdrqkL/

Score
10/10
arrowratclientpersistencerat

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

pandoravnc.duckdns.org:4046

Mutex

QMcrubGGd

Signatures

  • ArrowRat

    Remote access tool with various capabilities first seen in late 2021.

    ratarrowrat
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of FindShellTrayWindow 49 IoCs
  • Suspicious use of SendNotifyMessage 21 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PandoraClient.exe
    "C:\Users\Admin\AppData\Local\Temp\PandoraClient.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1540
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3588
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client pandoravnc.duckdns.org 4046 QMcrubGGd
      2⤵
        PID:1908
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3468
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:828
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 828 -s 3964
        2⤵
        • Program crash
        PID:2964
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -pss -s 428 -p 828 -ip 828
      1⤵
        PID:1084
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:2816
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 2816 -s 3548
          2⤵
          • Program crash
          PID:3696
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -pss -s 424 -p 2816 -ip 2816
        1⤵
          PID:4604
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:1940
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 1940 -s 4040
            2⤵
            • Program crash
            PID:5008
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -pss -s 420 -p 1940 -ip 1940
          1⤵
            PID:3104
          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
            1⤵
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            PID:4492
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -u -p 4492 -s 3616
              2⤵
              • Program crash
              PID:3912
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -pss -s 420 -p 4492 -ip 4492
            1⤵
              PID:3348
            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
              1⤵
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              PID:2960
              • C:\Windows\system32\WerFault.exe
                C:\Windows\system32\WerFault.exe -u -p 2960 -s 3564
                2⤵
                • Program crash
                PID:4328
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -pss -s 416 -p 2960 -ip 2960
              1⤵
                PID:8
              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                1⤵
                • Modifies registry class
                PID:1740

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml
                Filesize

                97B

                MD5

                6b3c7df657dac84939df4efdd1a1c4c1

                SHA1

                570cdd50e12f70ec5ee6e6da38f88f6eb7682733

                SHA256

                2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

                SHA512

                79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

                Download Submit

              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{0A6AC72E-ED8C-C16F-38B6-05831557CF24}
                Filesize

                36KB

                MD5

                8aaad0f4eb7d3c65f81c6e6b496ba889

                SHA1

                231237a501b9433c292991e4ec200b25c1589050

                SHA256

                813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1

                SHA512

                1a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62

                Download Submit

              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_charmap_exe
                Filesize

                36KB

                MD5

                406347732c383e23c3b1af590a47bccd

                SHA1

                fae764f62a396f2503dd81eefd3c7f06a5fb8e5f

                SHA256

                e0a9f5c75706dc79a44d0c890c841b2b0b25af4ee60d0a16a7356b067210038e

                SHA512

                18905eaad8184bb3a7b0fe21ff37ed2ee72a3bd24bb90cbfcad222cf09e2fa74e886d5c687b21d81cd3aec1e6c05891c24f67a8f82bafd2aceb0e0dcb7672ce7

                Download Submit

              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133370429387953697.txt
                Filesize

                75KB

                MD5

                22f39923e2942e5a02c3a5f91cefd45b

                SHA1

                c33909cb5ae1ad55b18b38b6aedf79c5a2216e13

                SHA256

                66457d8ac009ef25f44e676156bc058db582b2a3b431e2589435bb27477328c6

                SHA512

                17a2afe32e74150e58080055f3e67d3d4892828d9df28905a0e67227055b61eeab2a4764acf0b701bc481568fac2ccb889b326379319723fae838f8ce09e94fd

                Download Submit

              • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133370429387953697.txt
                Filesize

                75KB

                MD5

                22f39923e2942e5a02c3a5f91cefd45b

                SHA1

                c33909cb5ae1ad55b18b38b6aedf79c5a2216e13

                SHA256

                66457d8ac009ef25f44e676156bc058db582b2a3b431e2589435bb27477328c6

                SHA512

                17a2afe32e74150e58080055f3e67d3d4892828d9df28905a0e67227055b61eeab2a4764acf0b701bc481568fac2ccb889b326379319723fae838f8ce09e94fd

                Download Submit

              • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml
                Filesize

                97B

                MD5

                6b3c7df657dac84939df4efdd1a1c4c1

                SHA1

                570cdd50e12f70ec5ee6e6da38f88f6eb7682733

                SHA256

                2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

                SHA512

                79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

                Download Submit

              • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml
                Filesize

                97B

                MD5

                6b3c7df657dac84939df4efdd1a1c4c1

                SHA1

                570cdd50e12f70ec5ee6e6da38f88f6eb7682733

                SHA256

                2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

                SHA512

                79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

                Download Submit

              • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K9G5AECL\microsoft.windows[1].xml
                Filesize

                97B

                MD5

                6b3c7df657dac84939df4efdd1a1c4c1

                SHA1

                570cdd50e12f70ec5ee6e6da38f88f6eb7682733

                SHA256

                2a975e69f7fb0acf7ca4c5af0c8704effb0fee770b91634b20d383f3122b8198

                SHA512

                79c02cda377d14c0b966b385e9a6f0357bfc9060a987cf0a181c41deb32c752f2768a073c5477379de94476379af189c296172cbe8621ac36cf045a04d7d16b0

                Download Submit

              • memory/828-159-0x0000015B34A70000-0x0000015B34A90000-memory.dmp

                Filesize

                128KB

                Download

              • memory/828-161-0x0000015B34E80000-0x0000015B34EA0000-memory.dmp

                Filesize

                128KB

                Download

              • memory/828-156-0x0000015B34AB0000-0x0000015B34AD0000-memory.dmp

                Filesize

                128KB

                Download

              • memory/1540-137-0x00007FF84FD00000-0x00007FF8507C1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1540-133-0x0000028F99320000-0x0000028F99348000-memory.dmp

                Filesize

                160KB

                Download

              • memory/1540-135-0x00007FF84FD00000-0x00007FF8507C1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1908-143-0x0000000005630000-0x0000000005696000-memory.dmp

                Filesize

                408KB

                Download

              • memory/1908-142-0x00000000056B0000-0x0000000005C54000-memory.dmp

                Filesize

                5.6MB

                Download

              • memory/1908-134-0x0000000000400000-0x0000000000416000-memory.dmp

                Filesize

                88KB

                Download

              • memory/1908-138-0x0000000075430000-0x0000000075BE0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/1908-139-0x0000000004E50000-0x0000000004EE2000-memory.dmp

                Filesize

                584KB

                Download

              • memory/1908-185-0x0000000075430000-0x0000000075BE0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/1908-186-0x0000000002830000-0x0000000002840000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1908-140-0x0000000004EF0000-0x0000000004F8C000-memory.dmp

                Filesize

                624KB

                Download

              • memory/1908-146-0x0000000005F00000-0x0000000005F50000-memory.dmp

                Filesize

                320KB

                Download

              • memory/1908-141-0x0000000002830000-0x0000000002840000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1940-216-0x00000246BBA50000-0x00000246BBA70000-memory.dmp

                Filesize

                128KB

                Download

              • memory/1940-214-0x00000246BB640000-0x00000246BB660000-memory.dmp

                Filesize

                128KB

                Download

              • memory/1940-211-0x00000246BB680000-0x00000246BB6A0000-memory.dmp

                Filesize

                128KB

                Download

              • memory/2816-182-0x0000025C13100000-0x0000025C13120000-memory.dmp

                Filesize

                128KB

                Download

              • memory/2816-189-0x0000025C130C0000-0x0000025C130E0000-memory.dmp

                Filesize

                128KB

                Download

              • memory/2816-177-0x0000025C12D40000-0x0000025C12D60000-memory.dmp

                Filesize

                128KB

                Download

              • memory/2816-179-0x0000025C12D00000-0x0000025C12D20000-memory.dmp

                Filesize

                128KB

                Download

              • memory/2960-257-0x000001E9005E0000-0x000001E900600000-memory.dmp

                Filesize

                128KB

                Download

              • memory/2960-254-0x000001E900920000-0x000001E900940000-memory.dmp

                Filesize

                128KB

                Download

              • memory/2960-260-0x000001E900D90000-0x000001E900DB0000-memory.dmp

                Filesize

                128KB

                Download

              • memory/3588-149-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4492-237-0x0000017485880000-0x00000174858A0000-memory.dmp

                Filesize

                128KB

                Download

              • memory/4492-235-0x0000017485270000-0x0000017485290000-memory.dmp

                Filesize

                128KB

                Download

              • memory/4492-233-0x00000174852B0000-0x00000174852D0000-memory.dmp

                Filesize

                128KB

                Download