Overview

overview

10

Static

static

10

bSU4.exe

windows7-x64

10

bSU4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    165s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-01-2024 05:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bSU4.exe

  • Size

    138KB

  • MD5

    4b1ce3fe71b14c655755251616d61766

  • SHA1

    9941994468ad58962f5063ae0d1998790b577744

  • SHA256

    63ab8bad7e72c1c4044743b0de2efd791a4f9bf12e85b2bd973b7309d50eafc8

  • SHA512

    dd87f5d2bb7a4a903981de9156e6249c514b138747300ceb84bf0e230c38010a34f51df17717b73c5e9dece2524c61ffcbe4015ec0b59e85c477aeb92d9530ae

  • SSDEEP

    3072:qbvF5mz7Bqh1v59Y08mAjs0Ltel+qOeJHlpV8b+Y/YM:qbvzS7BqjjYHdrqkL/

Score
10/10
arrowratsub70fpersistencerat

Malware Config

Extracted

Family

arrowrat

Botnet

SUB70F

C2

instruments-george.gl.at.ply.gg:12129

Mutex

58PJXL

Signatures

  • ArrowRat

    Remote access tool with various capabilities first seen in late 2021.

    ratarrowrat
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 48 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of FindShellTrayWindow 49 IoCs
  • Suspicious use of SendNotifyMessage 21 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bSU4.exe
    "C:\Users\Admin\AppData\Local\Temp\bSU4.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1836
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" SUB70F instruments-george.gl.at.ply.gg 12129 58PJXL
      2⤵
        PID:1628
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3748
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4560
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3584
    • C:\Windows\system32\werfault.exe
      werfault.exe /hc /shared Global\18f6a6e79a514e6a8f95dfe31b5eca80 /t 4672 /p 3584
      1⤵
        PID:3084

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133496827242105276.txt
        Filesize

        74KB

        MD5

        c09e63e4b960a163934b3c29f3bd2cc9

        SHA1

        d3a43b35c14ae2e353a1a15c518ab2595f6a0399

        SHA256

        308deca5e1ef4d875fbe0aff3ce4b0b575b28e643dffda819d4390ec77faf157

        SHA512

        5ca3321034dff47e3afe0b0bdfaffc08782991660910a29375a8e0363794b78247282aba65dbd882ae225aa140ae63927dfd0946a441ee6fa64a1d8c146777b9

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\2QRDRLTB\microsoft.windows[1].xml
        Filesize

        97B

        MD5

        04549d11a7b61537f1764f3bc366553b

        SHA1

        314c45d21da6573a30d864045fca8a51a5a32726

        SHA256

        1e2bc8a47c4283e3913c3b1f8f467dd891872ad6d757114a4d45876b6e790595

        SHA512

        69835e4409542b68cfc213cb157ff90584a6e4fe411ab968c06c21fe3e8c13181ace59274642e184d44d8e983a44f96d47b91f736577265d4e9de20dcaaa1b32

        Download Submit

      • memory/1628-6-0x00000000056F0000-0x0000000005782000-memory.dmp

        Filesize

        584KB

        Download

      • memory/1628-2-0x0000000000400000-0x0000000000416000-memory.dmp

        Filesize

        88KB

        Download

      • memory/1628-5-0x00000000746C0000-0x0000000074E70000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1628-64-0x0000000005670000-0x0000000005680000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1628-7-0x0000000005830000-0x00000000058CC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/1628-8-0x0000000005670000-0x0000000005680000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1628-9-0x0000000006030000-0x00000000065D4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1628-10-0x0000000005F70000-0x0000000005FD6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1628-13-0x0000000006830000-0x0000000006880000-memory.dmp

        Filesize

        320KB

        Download

      • memory/1628-63-0x00000000746C0000-0x0000000074E70000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1836-16-0x0000000002E10000-0x0000000002E11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2204-4-0x00007FFD82D20000-0x00007FFD837E1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2204-1-0x00007FFD82D20000-0x00007FFD837E1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2204-0-0x000001F315BC0000-0x000001F315BE8000-memory.dmp

        Filesize

        160KB

        Download

      • memory/3584-54-0x00000248AF290000-0x00000248AF2B0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3584-57-0x00000248AF250000-0x00000248AF270000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3584-60-0x00000248AF860000-0x00000248AF880000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4560-23-0x0000025EFABA0000-0x0000025EFABC0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4560-25-0x0000025EFAB60000-0x0000025EFAB80000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4560-27-0x0000025EFAF70000-0x0000025EFAF90000-memory.dmp

        Filesize

        128KB

        Download