Overview

overview

10

Static

static

10

Client.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-08-2024 09:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client.exe

  • Size

    158KB

  • MD5

    af3110c5a76b0417ccc3abb03304c739

  • SHA1

    502ed23efa3bdc400d38c4bc1b1a823087b463a4

  • SHA256

    13331184c24e8d70fedbaaa6b78f186f5205dc7be568b22dc0f802de74cb0749

  • SHA512

    8ba8f64f0681c721fa3540d68308ab1d0dc8e5e276f274b02c7833e4a91e0aea8507e3f35b57cc8093c35ae318652a2a64380fac8e0355afc3d44286c57f43e7

  • SSDEEP

    3072:5bzwH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfP1OO8Y:5bzwe0ODhTEPgnjuIJzo+PPcfP1B8

Score
10/10
arrowratclientcredential_accessdiscoverypersistenceratstealer

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

and-statements.gl.at.ply.gg:43442

Mutex

gvwEQrvlK

Signatures

  • ArrowRat

    Remote access tool with various capabilities first seen in late 2021.

    ratarrowrat
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 33 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of FindShellTrayWindow 51 IoCs
  • Suspicious use of SendNotifyMessage 23 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4160
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client and-statements.gl.at.ply.gg 43442 gvwEQrvlK
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2988
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1228
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4220

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133669792771853295.txt
    Filesize

    74KB

    MD5

    e1da7f40d360aaf3480e065ed81f2e5f

    SHA1

    4a8babe62d8f9eb46ffcfbd537ba081edda05591

    SHA256

    a49eb596a36e7fc5f2819238596d8ef9e2e99346962532cf5db6f86c16f60611

    SHA512

    437fac737ed293ce401629eabb938336716dbb1818ecf92b8c8cfa076396ae3b8b33b551dce82fd164e349ea1c484abb42c94bb6f1b8f50448115600f45f4963

    Download Submit

  • C:\Users\Admin\AppData\Roaming\temp0923
    Filesize

    10B

    MD5

    82c8be87d88e7d1ce57025d03b210d8e

    SHA1

    20c356eacf2c03c0a254c83d130c7e12d689f7c9

    SHA256

    7e26471598288821940284c3a32dc53a0b487c73f4bfa76938f52d495d88bcaf

    SHA512

    27930195026f54f68a2a8a251a26d045106a3e9d8975670c9b8a354c9e4dd8d75fa7e269550d71b8ac5e702b23b31c47e72dee50e2774a2382f890cbe6abc77d

    Download Submit

  • memory/2440-0-0x000002509B860000-0x000002509B88E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2440-1-0x00007FFC57DE3000-0x00007FFC57DE5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2440-224-0x00007FFC57DE0000-0x00007FFC588A1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2440-3-0x00007FFC57DE0000-0x00007FFC588A1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2988-10-0x0000000006440000-0x0000000006490000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2988-7-0x0000000005B80000-0x0000000005BE6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2988-6-0x0000000005C40000-0x00000000061E4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2988-5-0x00000000053B0000-0x000000000544C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2988-4-0x00000000052F0000-0x0000000005382000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2988-2-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4160-16-0x0000000002990000-0x0000000002991000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4220-23-0x00000211A0ED0000-0x00000211A0EF0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4220-53-0x00000211A0E90000-0x00000211A0EB0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4220-54-0x00000211A12A0000-0x00000211A12C0000-memory.dmp

    Filesize

    128KB

    Download