Overview

overview

10

Static

static

10

bSU4.exe

windows7-x64

10

bSU4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-01-2024 05:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bSU4.exe

  • Size

    138KB

  • MD5

    4b1ce3fe71b14c655755251616d61766

  • SHA1

    9941994468ad58962f5063ae0d1998790b577744

  • SHA256

    63ab8bad7e72c1c4044743b0de2efd791a4f9bf12e85b2bd973b7309d50eafc8

  • SHA512

    dd87f5d2bb7a4a903981de9156e6249c514b138747300ceb84bf0e230c38010a34f51df17717b73c5e9dece2524c61ffcbe4015ec0b59e85c477aeb92d9530ae

  • SSDEEP

    3072:qbvF5mz7Bqh1v59Y08mAjs0Ltel+qOeJHlpV8b+Y/YM:qbvzS7BqjjYHdrqkL/

Score
10/10
arrowratsub70fpersistencerat

Malware Config

Extracted

Family

arrowrat

Botnet

SUB70F

C2

instruments-george.gl.at.ply.gg:12129

Mutex

58PJXL

Signatures

  • ArrowRat

    Remote access tool with various capabilities first seen in late 2021.

    ratarrowrat
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of FindShellTrayWindow 50 IoCs
  • Suspicious use of SendNotifyMessage 22 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bSU4.exe
    "C:\Users\Admin\AppData\Local\Temp\bSU4.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:448
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4032
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" SUB70F instruments-george.gl.at.ply.gg 12129 58PJXL
      2⤵
        PID:2132
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1508
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3396
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1252
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
        PID:3768
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:4968
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3768
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies registry class
        PID:2844

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
        Filesize

        2KB

        MD5

        9c3633a908b01c8e3f02b06215cbb948

        SHA1

        33908447b3f0bfcdb8315fa871d045b80b28a7a8

        SHA256

        7fd4ba72217e8fa02f00cd8945defa8a60ee2e0265f776de63adf4b3b61660f4

        SHA512

        8e0fad36a281e9fe6c114697cd0065009f3aa3d2f1a65af96f4b320782363b2bb80bbc381bd223c4b13573b955e6266fdf0c50034e7c80f81d4780e7f14800e1

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_SETLANG_EXE_15
        Filesize

        36KB

        MD5

        0e2a09c8b94747fa78ec836b5711c0c0

        SHA1

        92495421ad887f27f53784c470884802797025ad

        SHA256

        0c1cdbbf6d974764aad46477863059eaec7b1717a7d26b025f0f8fe24338bb36

        SHA512

        61530a33a6109467962ba51371821ea55bb36cd2abc0e7a15f270abf62340e9166e66a1b10f4de9a306b368820802c4adb9653b9a5acd6f1e825e60128fd2409

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_ControlPanel
        Filesize

        36KB

        MD5

        fb5f8866e1f4c9c1c7f4d377934ff4b2

        SHA1

        d0a329e387fb7bcba205364938417a67dbb4118a

        SHA256

        1649ec9493be27f76ae7304927d383f8a53dd3e41ea1678bacaff33120ea4170

        SHA512

        0fbe2843dfeab7373cde0643b20c073fdc2fcbefc5ae581fd1656c253dfa94e8bba4d348e95cc40d1e872456ecca894b462860aeac8b92cedb11a7cad634798c

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133496826778125901.txt
        Filesize

        74KB

        MD5

        c09e63e4b960a163934b3c29f3bd2cc9

        SHA1

        d3a43b35c14ae2e353a1a15c518ab2595f6a0399

        SHA256

        308deca5e1ef4d875fbe0aff3ce4b0b575b28e643dffda819d4390ec77faf157

        SHA512

        5ca3321034dff47e3afe0b0bdfaffc08782991660910a29375a8e0363794b78247282aba65dbd882ae225aa140ae63927dfd0946a441ee6fa64a1d8c146777b9

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\QDDM1QX5\microsoft.windows[1].xml
        Filesize

        96B

        MD5

        2415f1b0b1e5150e9f1e871081fd1fad

        SHA1

        a79e4bfddc3daf75f059fda3547bd18282d993f7

        SHA256

        3eff25035403aba506d0dbf69c76a22fa90ec66d2094cbf39bc5267a850902ae

        SHA512

        5d05da9ec1471dbf91f0c474c8db3897130543ff3c4da70724ce3a36adc38f628264c3dae4f54caef493f7593a0986a944dda0e19e947f3dfc34fc16fbd3e6bb

        Download Submit

      • memory/448-1-0x00007FFA64800000-0x00007FFA652C1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/448-4-0x00007FFA64800000-0x00007FFA652C1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/448-0-0x0000023F5F6F0000-0x0000023F5F718000-memory.dmp

        Filesize

        160KB

        Download

      • memory/1252-44-0x000001C4F0E40000-0x000001C4F0E60000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1252-48-0x000001C4F1200000-0x000001C4F1220000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1252-46-0x000001C4F0E00000-0x000001C4F0E20000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2132-9-0x0000000005D80000-0x0000000006324000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2132-7-0x0000000005540000-0x00000000055DC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/2132-2-0x0000000000400000-0x0000000000416000-memory.dmp

        Filesize

        88KB

        Download

      • memory/2132-5-0x00000000745D0000-0x0000000074D80000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2132-134-0x00000000056C0000-0x00000000056D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2132-13-0x0000000006580000-0x00000000065D0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/2132-10-0x0000000005CC0000-0x0000000005D26000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2132-8-0x00000000056C0000-0x00000000056D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2132-133-0x00000000745D0000-0x0000000074D80000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2132-6-0x00000000054A0000-0x0000000005532000-memory.dmp

        Filesize

        584KB

        Download

      • memory/3396-27-0x000001CD03150000-0x000001CD03170000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3396-23-0x000001CD02B80000-0x000001CD02BA0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3396-25-0x000001CD02B40000-0x000001CD02B60000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3768-65-0x00000250056B0000-0x00000250056D0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3768-124-0x0000024EDE520000-0x0000024EDE540000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3768-121-0x0000024EDE560000-0x0000024EDE580000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3768-126-0x0000024EDE930000-0x0000024EDE950000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3768-67-0x0000025005670000-0x0000025005690000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3768-69-0x0000025005C80000-0x0000025005CA0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4032-17-0x0000000002880000-0x0000000002881000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4968-105-0x0000028D3B8F0000-0x0000028D3B910000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4968-103-0x0000028D3B4E0000-0x0000028D3B500000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4968-101-0x0000028D3B520000-0x0000028D3B540000-memory.dmp

        Filesize

        128KB

        Download