Overview

overview

10

Static

static

10

bSU4.exe

windows7-x64

10

bSU4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-01-2024 05:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bSU4.exe

  • Size

    138KB

  • MD5

    4b1ce3fe71b14c655755251616d61766

  • SHA1

    9941994468ad58962f5063ae0d1998790b577744

  • SHA256

    63ab8bad7e72c1c4044743b0de2efd791a4f9bf12e85b2bd973b7309d50eafc8

  • SHA512

    dd87f5d2bb7a4a903981de9156e6249c514b138747300ceb84bf0e230c38010a34f51df17717b73c5e9dece2524c61ffcbe4015ec0b59e85c477aeb92d9530ae

  • SSDEEP

    3072:qbvF5mz7Bqh1v59Y08mAjs0Ltel+qOeJHlpV8b+Y/YM:qbvzS7BqjjYHdrqkL/

Score
10/10
arrowratsub70fpersistencerat

Malware Config

Extracted

Family

arrowrat

Botnet

SUB70F

C2

instruments-george.gl.at.ply.gg:12129

Mutex

58PJXL

Signatures

  • ArrowRat

    Remote access tool with various capabilities first seen in late 2021.

    ratarrowrat
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of FindShellTrayWindow 49 IoCs
  • Suspicious use of SendNotifyMessage 21 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bSU4.exe
    "C:\Users\Admin\AppData\Local\Temp\bSU4.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4836
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" SUB70F instruments-george.gl.at.ply.gg 12129 58PJXL
      2⤵
        PID:3932
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" SUB70F instruments-george.gl.at.ply.gg 12129 58PJXL
        2⤵
          PID:3244
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" SUB70F instruments-george.gl.at.ply.gg 12129 58PJXL
          2⤵
            PID:4288
        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
          1⤵
          • Suspicious use of SetWindowsHookEx
          PID:4720
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:2064
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:5076
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:4868
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:3276
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:3608
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
            PID:4580

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
            Filesize

            2KB

            MD5

            ad5bcfa0e4a4c46cca0c619674a1a8e9

            SHA1

            0671a97e6fc457b39aea9743a57c644bf72da9b9

            SHA256

            7fc9f67dc9f6e7fbca503c66e3caae78132ff78f85fb42879293b9b35002a7a9

            SHA512

            d8adce5dde104a357145f4536e9ace061bae22e2a8aa2cf330ad5083cb656c8c50b3f9ad2e350dbce7615474962ec77dedb0f55e041ec60f071f39c1d7083112

            Download Submit

          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_DATABASECOMPARE_EXE_15
            Filesize

            36KB

            MD5

            1d3c4e80c24cd236fa76a27435926362

            SHA1

            7dbb5cdcac2ba68296501209c9fe98edcca2d35f

            SHA256

            dbcdcb3b5da2fff40a182288466d41e376b9c578ffcae1c40e53e6b2b1162b2e

            SHA512

            b871c72d59f3422ef443502bdd0c955be46f34f599efb063dd5d8701902c390f8397df4d4d04699a03cc3326f4761a4d463df7ee8f7a32559ae0b0e39af41acf

            Download Submit

          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133496825424352966.txt
            Filesize

            74KB

            MD5

            c09e63e4b960a163934b3c29f3bd2cc9

            SHA1

            d3a43b35c14ae2e353a1a15c518ab2595f6a0399

            SHA256

            308deca5e1ef4d875fbe0aff3ce4b0b575b28e643dffda819d4390ec77faf157

            SHA512

            5ca3321034dff47e3afe0b0bdfaffc08782991660910a29375a8e0363794b78247282aba65dbd882ae225aa140ae63927dfd0946a441ee6fa64a1d8c146777b9

            Download Submit

          • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\0A55C1OB\microsoft.windows[1].xml
            Filesize

            97B

            MD5

            291a3f3ebf21195c8af7c2f120ca4dfc

            SHA1

            1cade2dac000db3bca92e2daee371beffd2c0bee

            SHA256

            fbe32bda6ca669397ca6d02b329f235aee87a8f36b09a589548e969c19cb78de

            SHA512

            ed2dea282f97d25171e0e95fe718103e04e37f13a1edf79373af204ac344cdb9a0fca34d82e45d3475a9845ee92644a99a1c2733f8858fe384e3b6958331f287

            Download Submit

          • memory/2064-23-0x000001AB1D840000-0x000001AB1D860000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2064-29-0x000001AB1DC00000-0x000001AB1DC20000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2064-26-0x000001AB1D800000-0x000001AB1D820000-memory.dmp

            Filesize

            128KB

            Download

          • memory/2116-1-0x00007FF997820000-0x00007FF9982E1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2116-4-0x00007FF997820000-0x00007FF9982E1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2116-0-0x000001FA85DA0000-0x000001FA85DC8000-memory.dmp

            Filesize

            160KB

            Download

          • memory/3276-105-0x000002494BBB0000-0x000002494BBD0000-memory.dmp

            Filesize

            128KB

            Download

          • memory/3276-108-0x000002494BB70000-0x000002494BB90000-memory.dmp

            Filesize

            128KB

            Download

          • memory/3276-111-0x000002494C010000-0x000002494C030000-memory.dmp

            Filesize

            128KB

            Download

          • memory/3608-127-0x00000234A9470000-0x00000234A9490000-memory.dmp

            Filesize

            128KB

            Download

          • memory/3608-125-0x00000234A9060000-0x00000234A9080000-memory.dmp

            Filesize

            128KB

            Download

          • memory/3608-121-0x00000234A90A0000-0x00000234A90C0000-memory.dmp

            Filesize

            128KB

            Download

          • memory/4288-7-0x0000000005A60000-0x0000000005AFC000-memory.dmp

            Filesize

            624KB

            Download

          • memory/4288-8-0x0000000005C70000-0x0000000005C80000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4288-2-0x0000000000400000-0x0000000000416000-memory.dmp

            Filesize

            88KB

            Download

          • memory/4288-136-0x0000000005C70000-0x0000000005C80000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4288-6-0x00000000059C0000-0x0000000005A52000-memory.dmp

            Filesize

            584KB

            Download

          • memory/4288-135-0x0000000074EA0000-0x0000000075650000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/4288-13-0x0000000006BF0000-0x0000000006C40000-memory.dmp

            Filesize

            320KB

            Download

          • memory/4288-10-0x00000000061F0000-0x0000000006256000-memory.dmp

            Filesize

            408KB

            Download

          • memory/4288-5-0x0000000074EA0000-0x0000000075650000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/4288-9-0x00000000063F0000-0x0000000006994000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/4836-17-0x0000000002A80000-0x0000000002A81000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4868-90-0x000002251CC20000-0x000002251CC40000-memory.dmp

            Filesize

            128KB

            Download

          • memory/4868-88-0x000002251C820000-0x000002251C840000-memory.dmp

            Filesize

            128KB

            Download

          • memory/4868-84-0x000002251C860000-0x000002251C880000-memory.dmp

            Filesize

            128KB

            Download

          • memory/5076-51-0x000002F422140000-0x000002F422160000-memory.dmp

            Filesize

            128KB

            Download

          • memory/5076-55-0x000002F422740000-0x000002F422760000-memory.dmp

            Filesize

            128KB

            Download

          • memory/5076-53-0x000002F422100000-0x000002F422120000-memory.dmp

            Filesize

            128KB

            Download