Analysis

  • max time kernel
    127s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    01-08-2024 11:18

General

  • Target

    Client.exe

  • Size

    158KB

  • MD5

    ed0eb58e701a62ef732db4bb2223565e

  • SHA1

    882f556e08047535c88f33eb7a53652134d1081f

  • SHA256

    01b5d985ba53c1d789b144694e179d04c8c0ff95e88659ce9e8b9b6e77f357ff

  • SHA512

    f7395647176b2a3ff456eda2924bb2fa3fe507bacf93933bfb0588c03a7a87ab8b0339ca2f8b258a9acb7b5d68cd8aae948382251ea274e0dd8d81360890ced2

  • SSDEEP

    3072:wbziH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPYdO8Y:wbzie0ODhTEPgnjuIJzo+PPcfPYQ8

Malware Config

Extracted

Family

arrowrat

Botnet

Client1

C2

and-statements.gl.at.ply.gg:43442

Mutex

JeaMEllZK

Signatures

  • ArrowRat

    Remote access tool with various capabilities first seen in late 2021.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 11 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 17 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2764
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\system32\ctfmon.exe
        ctfmon.exe
        3⤵
          PID:2916
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client1 and-statements.gl.at.ply.gg 43442 JeaMEllZK
        2⤵
          PID:2672
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client1 and-statements.gl.at.ply.gg 43442 JeaMEllZK
          2⤵
            PID:2688
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client1 and-statements.gl.at.ply.gg 43442 JeaMEllZK
            2⤵
              PID:2972
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client1 and-statements.gl.at.ply.gg 43442 JeaMEllZK
              2⤵
                PID:2788
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client1 and-statements.gl.at.ply.gg 43442 JeaMEllZK
                2⤵
                  PID:2696
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client1 and-statements.gl.at.ply.gg 43442 JeaMEllZK
                  2⤵
                    PID:2568
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client1 and-statements.gl.at.ply.gg 43442 JeaMEllZK
                    2⤵
                      PID:2852
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client1 and-statements.gl.at.ply.gg 43442 JeaMEllZK
                      2⤵
                        PID:1168
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client1 and-statements.gl.at.ply.gg 43442 JeaMEllZK
                        2⤵
                          PID:2680
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client1 and-statements.gl.at.ply.gg 43442 JeaMEllZK
                          2⤵
                            PID:2776
                          • C:\Windows\System32\ComputerDefaults.exe
                            "C:\Windows\System32\ComputerDefaults.exe"
                            2⤵
                              PID:2700

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • memory/2756-9-0x00000000029C0000-0x00000000029D0000-memory.dmp
                            Filesize

                            64KB

                          • memory/2764-0-0x000007FEF5523000-0x000007FEF5524000-memory.dmp
                            Filesize

                            4KB

                          • memory/2764-1-0x0000000000CD0000-0x0000000000CFE000-memory.dmp
                            Filesize

                            184KB

                          • memory/2764-3-0x000007FEF5520000-0x000007FEF5F0C000-memory.dmp
                            Filesize

                            9.9MB

                          • memory/2764-4-0x000007FEF5523000-0x000007FEF5524000-memory.dmp
                            Filesize

                            4KB

                          • memory/2764-5-0x000007FEF5520000-0x000007FEF5F0C000-memory.dmp
                            Filesize

                            9.9MB