Overview

overview

10

Static

static

10

Arhvn.exe

windows7-x64

10

Arhvn.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    160s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2023 09:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Arhvn.exe

  • Size

    90KB

  • MD5

    65bac4256dde1c7d987afa8ef8e9a1c4

  • SHA1

    222922b2ba2f43cfc2049ca578b256d486fcf956

  • SHA256

    f51fe3720ba2e618cc10e6045a948880f6ca2c802466684332bf744e526059e7

  • SHA512

    7d08d19af3eff1a3899a4d039ba273ead5267e075af32b9755cd61ad5349bf6e6c87cbf9cca92893da7c4acecb42d9867f447f2139384e5de86b235c77125d27

  • SSDEEP

    1536:ubRiQMn57SK3bUzZdQ1iIMvnZlbLxjV3AGq5gWlocT1wzySsd9NJ33L:ubRA57SKsstcnZTJQDgWPaySsdH57

Score
10/10
arrowratarrowratpersistencerat

Malware Config

Extracted

Family

arrowrat

Botnet

ArrowRAT

C2

arhvn.duckdns.org:5555

Mutex

fKHUsQQAb.exe

Signatures

  • ArrowRat

    Remote access tool with various capabilities first seen in late 2021.

    ratarrowrat
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of FindShellTrayWindow 49 IoCs
  • Suspicious use of SendNotifyMessage 21 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Arhvn.exe
    "C:\Users\Admin\AppData\Local\Temp\Arhvn.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2644
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4508
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ArrowRAT arhvn.duckdns.org 5555 fKHUsQQAb.exe
      2⤵
        PID:3048
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:3644
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4728
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3160
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3000
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2288
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3180
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
        PID:3596

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\ZVGOYGA8\microsoft.windows[1].xml
        Filesize

        97B

        MD5

        c31f790cfd02ef244af845fc39b43ad4

        SHA1

        947a1baf207f5bc852b97ed0eca9a029c58b5126

        SHA256

        5cf8b4a512238a819ac8e892709eb239e784c6fb6c70fdb8c05bc258962fe489

        SHA512

        135037a2d115efdab8b9fd4211289603115ee8ddfd6cda42b831a12984128e24dcb13ff7669b97077787743ef437a64e0bcb84bad7abe569af4403b4052b09f5

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{0A6AC72E-ED8C-C16F-38B6-05831557CF24}
        Filesize

        36KB

        MD5

        8aaad0f4eb7d3c65f81c6e6b496ba889

        SHA1

        231237a501b9433c292991e4ec200b25c1589050

        SHA256

        813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1

        SHA512

        1a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_charmap_exe
        Filesize

        36KB

        MD5

        406347732c383e23c3b1af590a47bccd

        SHA1

        fae764f62a396f2503dd81eefd3c7f06a5fb8e5f

        SHA256

        e0a9f5c75706dc79a44d0c890c841b2b0b25af4ee60d0a16a7356b067210038e

        SHA512

        18905eaad8184bb3a7b0fe21ff37ed2ee72a3bd24bb90cbfcad222cf09e2fa74e886d5c687b21d81cd3aec1e6c05891c24f67a8f82bafd2aceb0e0dcb7672ce7

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133415090929478846.txt
        Filesize

        75KB

        MD5

        62d81c2e1e8b21733f95af2a596e4b18

        SHA1

        91c005ecc5ae4171f450c43c02d1ba532b4474c6

        SHA256

        a5596f83717bf64653b95ffe6ec38f20e40fd928456d5e254a53a440804d80b6

        SHA512

        c7f349acf55694ff696750c30a25c265ff07ced95e4d2a88fa2829d047ca3b3007dc824613a8c403c7613085aca4212155afe03f8f237c0d7781fd87e1fb8a7c

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133415090929478846.txt
        Filesize

        75KB

        MD5

        62d81c2e1e8b21733f95af2a596e4b18

        SHA1

        91c005ecc5ae4171f450c43c02d1ba532b4474c6

        SHA256

        a5596f83717bf64653b95ffe6ec38f20e40fd928456d5e254a53a440804d80b6

        SHA512

        c7f349acf55694ff696750c30a25c265ff07ced95e4d2a88fa2829d047ca3b3007dc824613a8c403c7613085aca4212155afe03f8f237c0d7781fd87e1fb8a7c

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\ZVGOYGA8\microsoft.windows[1].xml
        Filesize

        97B

        MD5

        c31f790cfd02ef244af845fc39b43ad4

        SHA1

        947a1baf207f5bc852b97ed0eca9a029c58b5126

        SHA256

        5cf8b4a512238a819ac8e892709eb239e784c6fb6c70fdb8c05bc258962fe489

        SHA512

        135037a2d115efdab8b9fd4211289603115ee8ddfd6cda42b831a12984128e24dcb13ff7669b97077787743ef437a64e0bcb84bad7abe569af4403b4052b09f5

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\ZVGOYGA8\microsoft.windows[1].xml
        Filesize

        97B

        MD5

        c31f790cfd02ef244af845fc39b43ad4

        SHA1

        947a1baf207f5bc852b97ed0eca9a029c58b5126

        SHA256

        5cf8b4a512238a819ac8e892709eb239e784c6fb6c70fdb8c05bc258962fe489

        SHA512

        135037a2d115efdab8b9fd4211289603115ee8ddfd6cda42b831a12984128e24dcb13ff7669b97077787743ef437a64e0bcb84bad7abe569af4403b4052b09f5

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\ZVGOYGA8\microsoft.windows[1].xml
        Filesize

        97B

        MD5

        c31f790cfd02ef244af845fc39b43ad4

        SHA1

        947a1baf207f5bc852b97ed0eca9a029c58b5126

        SHA256

        5cf8b4a512238a819ac8e892709eb239e784c6fb6c70fdb8c05bc258962fe489

        SHA512

        135037a2d115efdab8b9fd4211289603115ee8ddfd6cda42b831a12984128e24dcb13ff7669b97077787743ef437a64e0bcb84bad7abe569af4403b4052b09f5

        Download Submit

      • memory/2288-100-0x000002041A080000-0x000002041A0A0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2288-97-0x0000020419C70000-0x0000020419C90000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2288-93-0x0000020419CB0000-0x0000020419CD0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2644-0-0x0000000074A80000-0x0000000075230000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2644-6-0x0000000074A80000-0x0000000075230000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2644-3-0x0000000004C60000-0x0000000004CFC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/2644-2-0x0000000005110000-0x00000000056B4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2644-1-0x00000000000D0000-0x00000000000EC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/3000-82-0x0000020796040000-0x0000020796060000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3000-77-0x0000020796080000-0x00000207960A0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3000-84-0x0000020796450000-0x0000020796470000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3048-31-0x0000000074A80000-0x0000000075230000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3048-9-0x0000000005A50000-0x0000000005A60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3048-4-0x0000000000400000-0x0000000000410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3048-7-0x0000000074A80000-0x0000000075230000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3048-32-0x0000000005A50000-0x0000000005A60000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3048-8-0x0000000005780000-0x0000000005812000-memory.dmp

        Filesize

        584KB

        Download

      • memory/3160-60-0x000002607CC50000-0x000002607CC70000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3160-58-0x000002607C5A0000-0x000002607C5C0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3160-55-0x000002607C800000-0x000002607C820000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3180-114-0x000001FF91070000-0x000001FF91090000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3180-117-0x000001FF91020000-0x000001FF91040000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3180-119-0x000001FF914B0000-0x000001FF914D0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4508-10-0x0000000002A40000-0x0000000002A41000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4728-17-0x000002612E2B0000-0x000002612E2D0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4728-19-0x000002612E270000-0x000002612E290000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4728-22-0x000002612E8C0000-0x000002612E8E0000-memory.dmp

        Filesize

        128KB

        Download