Overview

overview

10

Static

static

10

63ab8bad7e...c8.exe

windows7-x64

10

63ab8bad7e...c8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-01-2024 01:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    63ab8bad7e72c1c4044743b0de2efd791a4f9bf12e85b2bd973b7309d50eafc8.exe

  • Size

    138KB

  • MD5

    4b1ce3fe71b14c655755251616d61766

  • SHA1

    9941994468ad58962f5063ae0d1998790b577744

  • SHA256

    63ab8bad7e72c1c4044743b0de2efd791a4f9bf12e85b2bd973b7309d50eafc8

  • SHA512

    dd87f5d2bb7a4a903981de9156e6249c514b138747300ceb84bf0e230c38010a34f51df17717b73c5e9dece2524c61ffcbe4015ec0b59e85c477aeb92d9530ae

  • SSDEEP

    3072:qbvF5mz7Bqh1v59Y08mAjs0Ltel+qOeJHlpV8b+Y/YM:qbvzS7BqjjYHdrqkL/

Score
10/10
arrowratsub70fpersistencerat

Malware Config

Extracted

Family

arrowrat

Botnet

SUB70F

C2

instruments-george.gl.at.ply.gg:12129

Mutex

58PJXL

Signatures

  • ArrowRat

    Remote access tool with various capabilities first seen in late 2021.

    ratarrowrat
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of FindShellTrayWindow 48 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\63ab8bad7e72c1c4044743b0de2efd791a4f9bf12e85b2bd973b7309d50eafc8.exe
    "C:\Users\Admin\AppData\Local\Temp\63ab8bad7e72c1c4044743b0de2efd791a4f9bf12e85b2bd973b7309d50eafc8.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4664
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" SUB70F instruments-george.gl.at.ply.gg 12129 58PJXL
      2⤵
        PID:3060
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" SUB70F instruments-george.gl.at.ply.gg 12129 58PJXL
        2⤵
          PID:1480
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" SUB70F instruments-george.gl.at.ply.gg 12129 58PJXL
          2⤵
            PID:624
        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
          1⤵
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:4860
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:2252
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:4088
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:4516
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
            PID:1564
          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
            1⤵
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            PID:3588
          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
            1⤵
              PID:4300

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
              Filesize

              2KB

              MD5

              7dca9ac0d207f891341d0aeec37340de

              SHA1

              51fbd5fa66acaf13cd8a89242722ecf6c4aecbf2

              SHA256

              d8f96586d6f9de532674cfd82d7d81d3e87843ade69b56381778ca5cfda8f04b

              SHA512

              948eeda3fadbcbbeaea938910e1ac02d8a9ac3c50fca7df8a153d1f163fb67de4c6c888b66b27a451e90ec0919568883ecfc33682d3be5e67f429d284c919a02

              Download Submit

            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_SETLANG_EXE_15
              Filesize

              36KB

              MD5

              0e2a09c8b94747fa78ec836b5711c0c0

              SHA1

              92495421ad887f27f53784c470884802797025ad

              SHA256

              0c1cdbbf6d974764aad46477863059eaec7b1717a7d26b025f0f8fe24338bb36

              SHA512

              61530a33a6109467962ba51371821ea55bb36cd2abc0e7a15f270abf62340e9166e66a1b10f4de9a306b368820802c4adb9653b9a5acd6f1e825e60128fd2409

              Download Submit

            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_ControlPanel
              Filesize

              36KB

              MD5

              fb5f8866e1f4c9c1c7f4d377934ff4b2

              SHA1

              d0a329e387fb7bcba205364938417a67dbb4118a

              SHA256

              1649ec9493be27f76ae7304927d383f8a53dd3e41ea1678bacaff33120ea4170

              SHA512

              0fbe2843dfeab7373cde0643b20c073fdc2fcbefc5ae581fd1656c253dfa94e8bba4d348e95cc40d1e872456ecca894b462860aeac8b92cedb11a7cad634798c

              Download Submit

            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133498424960203789.txt
              Filesize

              74KB

              MD5

              3f40d58aecd65a337082df85fadace28

              SHA1

              ebea42cb95680b5222615005a0df07b47acc764a

              SHA256

              e7d744912df0891c86693a9e5f0767a71f12616bd35c5e1a857bbabcd694e432

              SHA512

              b885265e7d98fe1dc92fe32e1e681f39a6f6ba8119a651b3307875095e89b17bc89912b6197ebc1f93dbd9c5dcbea2769d0b39855ba799d5bbf9e0ef24a8638a

              Download Submit

            • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BHN90SAO\microsoft.windows[1].xml
              Filesize

              97B

              MD5

              a49784c6007e88174d13fd2a1d1603c8

              SHA1

              96351722a846ad8a396b7cd3285ac30a8edf3768

              SHA256

              bf97a280596c60fa7130725b7426e7cd5ccfb759c909b5ef0b1575df2654ca91

              SHA512

              b0c5f6550c560e3bee33be9261bee95a006cd63a57d56b3a4b6c3c8f9ca2c6f222bfd2e8933e663f4b644457b48eb638160c8b9a6814b47a3fd4760f74f825ec

              Download Submit

            • memory/624-7-0x00000000051D0000-0x000000000526C000-memory.dmp

              Filesize

              624KB

              Download

            • memory/624-6-0x0000000005070000-0x0000000005102000-memory.dmp

              Filesize

              584KB

              Download

            • memory/624-8-0x00000000051C0000-0x00000000051D0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/624-9-0x0000000005A00000-0x0000000005FA4000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/624-10-0x00000000058C0000-0x0000000005926000-memory.dmp

              Filesize

              408KB

              Download

            • memory/624-13-0x00000000061B0000-0x0000000006200000-memory.dmp

              Filesize

              320KB

              Download

            • memory/624-135-0x00000000051C0000-0x00000000051D0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/624-134-0x0000000074A20000-0x00000000751D0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/624-5-0x0000000074A20000-0x00000000751D0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/624-2-0x0000000000400000-0x0000000000416000-memory.dmp

              Filesize

              88KB

              Download

            • memory/1564-101-0x00000241AB570000-0x00000241AB590000-memory.dmp

              Filesize

              128KB

              Download

            • memory/1564-105-0x00000241AB940000-0x00000241AB960000-memory.dmp

              Filesize

              128KB

              Download

            • memory/1564-103-0x00000241AB530000-0x00000241AB550000-memory.dmp

              Filesize

              128KB

              Download

            • memory/2180-0-0x0000022294FA0000-0x0000022294FC8000-memory.dmp

              Filesize

              160KB

              Download

            • memory/2180-1-0x00007FFC3ACC0000-0x00007FFC3B781000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/2180-4-0x00007FFC3ACC0000-0x00007FFC3B781000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/2252-27-0x0000021988F50000-0x0000021988F70000-memory.dmp

              Filesize

              128KB

              Download

            • memory/2252-23-0x0000021988B80000-0x0000021988BA0000-memory.dmp

              Filesize

              128KB

              Download

            • memory/2252-25-0x0000021988B40000-0x0000021988B60000-memory.dmp

              Filesize

              128KB

              Download

            • memory/3588-126-0x0000013477D20000-0x0000013477D40000-memory.dmp

              Filesize

              128KB

              Download

            • memory/3588-123-0x0000013477D60000-0x0000013477D80000-memory.dmp

              Filesize

              128KB

              Download

            • memory/3588-128-0x0000013478120000-0x0000013478140000-memory.dmp

              Filesize

              128KB

              Download

            • memory/4088-48-0x0000028B79570000-0x0000028B79590000-memory.dmp

              Filesize

              128KB

              Download

            • memory/4088-46-0x0000028B795B0000-0x0000028B795D0000-memory.dmp

              Filesize

              128KB

              Download

            • memory/4088-50-0x0000028B79980000-0x0000028B799A0000-memory.dmp

              Filesize

              128KB

              Download

            • memory/4516-65-0x000002CF3F960000-0x000002CF3F980000-memory.dmp

              Filesize

              128KB

              Download

            • memory/4516-69-0x000002CF3FD30000-0x000002CF3FD50000-memory.dmp

              Filesize

              128KB

              Download

            • memory/4516-67-0x000002CF3F920000-0x000002CF3F940000-memory.dmp

              Filesize

              128KB

              Download

            • memory/4664-17-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

              Filesize

              4KB

              Download