Overview

overview

10

Static

static

3

MOQ_T7FIBA...F .scr

windows7-x64

10

MOQ_T7FIBA...F .scr

windows10-2004-x64

7

ORDER LIST...DF.scr

windows7-x64

10

ORDER LIST...DF.scr

windows10-2004-x64

10

Analysis

  • max time kernel
    130s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    14-10-2023 03:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ORDER LIST_SEPT7FIBA00541·PDF.scr

  • Size

    670KB

  • MD5

    48a5e2b45923213e94a82d30db1eb988

  • SHA1

    eb3c3aeb61e6e20b149cbd966f60c81a8215e8b0

  • SHA256

    19fa9896468d7dd79d76fa27b34f66e13b6c5268cdd574c0a78eeb0e3dbeb839

  • SHA512

    13edc7b141a8bd854a07ec70371f6fe59055d1dfe4127e3912992181d983e710f990d0cfcaa294e5da8e37ab757efb93133382625e210c47823885586fc536da

  • SSDEEP

    12288:PBzhfOS3GXJNUwCpoOekXOS6zjwehALsCGlhcBd:phfOS3sJWwvOeYCras

Score
10/10
arrowratclientpersistencerat

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

192.159.99.3:1337

Mutex

qawNWRCCU

Signatures

  • ArrowRat

    Remote access tool with various capabilities first seen in late 2021.

    ratarrowrat
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 17 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\ORDER LIST_SEPT7FIBA00541·PDF.scr
    "C:\Users\Admin\AppData\Local\Temp\ORDER LIST_SEPT7FIBA00541·PDF.scr" /S
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1016
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig /release
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1664
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /release
        3⤵
        • Gathers network information
        PID:2976
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig /renew
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3004
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /renew
        3⤵
        • Gathers network information
        PID:2656
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      2⤵
        PID:2792
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2468
        • C:\Windows\explorer.exe
          "C:\Windows\explorer.exe"
          3⤵
          • Modifies Installed Components in the registry
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2536
          • C:\Windows\system32\ctfmon.exe
            ctfmon.exe
            4⤵
              PID:1396
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 192.159.99.3 1337 qawNWRCCU
            3⤵
              PID:2568

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1016-23-0x0000000074560000-0x0000000074C4E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/1016-1-0x0000000074560000-0x0000000074C4E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/1016-2-0x00000000005D0000-0x0000000000620000-memory.dmp

          Filesize

          320KB

          Download

        • memory/1016-3-0x0000000004A10000-0x0000000004A50000-memory.dmp

          Filesize

          256KB

          Download

        • memory/1016-4-0x00000000004C0000-0x00000000004FE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/1016-5-0x00000000009A0000-0x00000000009EC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/1016-6-0x0000000074560000-0x0000000074C4E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/1016-7-0x0000000004A10000-0x0000000004A50000-memory.dmp

          Filesize

          256KB

          Download

        • memory/1016-0-0x0000000000AB0000-0x0000000000B5E000-memory.dmp

          Filesize

          696KB

          Download

        • memory/2468-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2468-39-0x0000000004AD0000-0x0000000004B10000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2468-10-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2468-18-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2468-8-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2468-20-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2468-22-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2468-14-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2468-24-0x0000000074560000-0x0000000074C4E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2468-47-0x0000000004AD0000-0x0000000004B10000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2468-46-0x0000000074560000-0x0000000074C4E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2468-12-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2536-45-0x0000000003E60000-0x0000000003E61000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2536-50-0x0000000003E60000-0x0000000003E61000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2568-34-0x0000000000400000-0x0000000000418000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2568-25-0x0000000000400000-0x0000000000418000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2568-38-0x0000000000400000-0x0000000000418000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2568-36-0x0000000000400000-0x0000000000418000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2568-27-0x0000000000400000-0x0000000000418000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2568-40-0x0000000074560000-0x0000000074C4E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2568-29-0x0000000000400000-0x0000000000418000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2568-31-0x0000000000400000-0x0000000000418000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2568-33-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2568-48-0x0000000074560000-0x0000000074C4E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2568-49-0x0000000004800000-0x0000000004840000-memory.dmp

          Filesize

          256KB

          Download