Overview

overview

10

Static

static

10

63ab8bad7e...c8.exe

windows7-x64

10

63ab8bad7e...c8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    175s
  • max time network
    192s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-04-2024 14:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    63ab8bad7e72c1c4044743b0de2efd791a4f9bf12e85b2bd973b7309d50eafc8.exe

  • Size

    138KB

  • MD5

    4b1ce3fe71b14c655755251616d61766

  • SHA1

    9941994468ad58962f5063ae0d1998790b577744

  • SHA256

    63ab8bad7e72c1c4044743b0de2efd791a4f9bf12e85b2bd973b7309d50eafc8

  • SHA512

    dd87f5d2bb7a4a903981de9156e6249c514b138747300ceb84bf0e230c38010a34f51df17717b73c5e9dece2524c61ffcbe4015ec0b59e85c477aeb92d9530ae

  • SSDEEP

    3072:qbvF5mz7Bqh1v59Y08mAjs0Ltel+qOeJHlpV8b+Y/YM:qbvzS7BqjjYHdrqkL/

Score
10/10
arrowratsub70fpersistencerat

Malware Config

Extracted

Family

arrowrat

Botnet

SUB70F

C2

instruments-george.gl.at.ply.gg:12129

Mutex

58PJXL

Signatures

  • ArrowRat

    Remote access tool with various capabilities first seen in late 2021.

    ratarrowrat
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of FindShellTrayWindow 49 IoCs
  • Suspicious use of SendNotifyMessage 21 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\63ab8bad7e72c1c4044743b0de2efd791a4f9bf12e85b2bd973b7309d50eafc8.exe
    "C:\Users\Admin\AppData\Local\Temp\63ab8bad7e72c1c4044743b0de2efd791a4f9bf12e85b2bd973b7309d50eafc8.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1064
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1504
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" SUB70F instruments-george.gl.at.ply.gg 12129 58PJXL
      2⤵
        PID:3128
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3176
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2596
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3200
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2028
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3868

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133578391673676025.txt
      Filesize

      75KB

      MD5

      a1c6c05ee01aae7e68b4170031f2ce32

      SHA1

      e504078ca444efef715010fc2a1d2bb24f23ed98

      SHA256

      c5cfe868940725dd9797186a8c601acf98333ebb09cebf537a4e0d7df2f486a9

      SHA512

      6c80c4e8c7f3b0f95020bd448e8c8defa8f0ea4f6e193c5c75daf02b9d68d2da5cc95582b020b2c3ffb5a9bfb0b0d30d04d7213a43782625bd09cdc0267b141b

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\HXTVQGKM\microsoft.windows[1].xml
      Filesize

      96B

      MD5

      5d26d9282453709bb4b92b0583342fd8

      SHA1

      8234c2a047cb4d78cb8b47067fd1b11888df1497

      SHA256

      5ebc9ae28489a17a5ed56d73764ffe5c2b085c30736ac46e30f7a256e78b2d1d

      SHA512

      c44746b66392f0773090ee792e56b72bd1374fdaeb046cf0e7b3f05cd10ac2982ed16f66257d0f57366ad72fb66a5efb3c283965e958a9b33d9222f1dd28ef70

      Download Submit

    • memory/1064-1-0x00007FFABD3D0000-0x00007FFABDE91000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1064-4-0x00007FFABD3D0000-0x00007FFABDE91000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1064-0-0x00000197FC230000-0x00000197FC258000-memory.dmp

      Filesize

      160KB

      Download

    • memory/1504-17-0x0000000002A80000-0x0000000002A81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2028-81-0x0000018011500000-0x0000018011520000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2028-77-0x0000018010EA0000-0x0000018010EC0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2028-74-0x0000018010EE0000-0x0000018010F00000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2596-23-0x000001C04DB60000-0x000001C04DB80000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2596-25-0x000001C04DB20000-0x000001C04DB40000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2596-27-0x000001C04DF30000-0x000001C04DF50000-memory.dmp

      Filesize

      128KB

      Download

    • memory/3128-8-0x0000000005240000-0x0000000005250000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3128-6-0x0000000005270000-0x0000000005302000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3128-10-0x0000000006090000-0x00000000060F6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3128-9-0x0000000005AE0000-0x0000000006084000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3128-7-0x0000000005310000-0x00000000053AC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3128-2-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download

    • memory/3128-5-0x0000000075050000-0x0000000075800000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3128-13-0x0000000006350000-0x00000000063A0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/3128-65-0x0000000075050000-0x0000000075800000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3128-66-0x0000000005240000-0x0000000005250000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3200-52-0x000002951C440000-0x000002951C460000-memory.dmp

      Filesize

      128KB

      Download

    • memory/3200-51-0x000002951C030000-0x000002951C050000-memory.dmp

      Filesize

      128KB

      Download

    • memory/3200-49-0x000002951C070000-0x000002951C090000-memory.dmp

      Filesize

      128KB

      Download

    • memory/3868-90-0x00000196D9CE0000-0x00000196D9D00000-memory.dmp

      Filesize

      128KB

      Download

    • memory/3868-94-0x00000196D9CA0000-0x00000196D9CC0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/3868-96-0x00000196DA2C0000-0x00000196DA2E0000-memory.dmp

      Filesize

      128KB

      Download