Analysis

  • max time kernel
    209s
  • max time network
    211s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    05-08-2024 08:58

General

  • Target

    Client.exe

  • Size

    158KB

  • MD5

    e3341ad596ed6da038c798b1fee80556

  • SHA1

    35605ab4ac5b1dc51d833dc7175d6d0799868989

  • SHA256

    f2da736864510afba0fde1579316395f4566408d14f7aaac6776feee79cbf589

  • SHA512

    4a56f3af287723358a402024fbcfee23a6160e470c853c93473a7343687d19698cfb87d600b68209d58a1329413cd2b2200e571470b130ce832ab69dae80530e

  • SSDEEP

    3072:hbzIH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPtqO8Y:hbzIe0ODhTEPgnjuIJzo+PPcfPtV8

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

147.185.221.21:35374

Mutex

SROLcnhMO

Signatures

  • ArrowRat

    Remote access tool with various capabilities first seen in late 2021.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copy of, the web browser credential store.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Enumerates connected drives 3 TTPs 4 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 54 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2112
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2148
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 147.185.221.21 35374 SROLcnhMO
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2960
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1624
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:4508
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1060
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4564

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

    Filesize

    14KB

    MD5

    a895cbd841fcea76628c87f6e7c3d8eb

    SHA1

    d755a7ce937d9ec95650bea30ec0c81da0bb2ad2

    SHA256

    34c42b1ffae6b2f85282488e80a887aa987fde5a8c8d8e55b370eb35c1d490b7

    SHA512

    85f2a60930f1a9cd926cbfae9885c0c4dbd96f8cb18cd19a109d181adb098b2b2ee5ba6e0745fdc2120585bb28e07f4560780f9fb4bda804ab80c54dbaa6075b

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\LocalState\start.bin

    Filesize

    4KB

    MD5

    91c019fce896954e37510878e0c5648f

    SHA1

    a776d5878105aca50168f3fe30fbf4cf134c199c

    SHA256

    7d24d2eff46dbcd4f0b7dacb3ba4b6b2062d911bc787abb10777d9c388fd0b9e

    SHA512

    ab4c48a8459e509ccf49e0da5a2c237b21849858c7b063a7a9f1c9844ee4993f6e332a018d7137c2a5b12c22122250ba047f49d4fa4d94fad4b4bbedded85ae3

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\P3RJMKM0\www.bing[1].xml

    Filesize

    17KB

    MD5

    4678fe4495395878293f6c6f9cb0045e

    SHA1

    86ac9bf5504aa9211bbc72d63cf56b5b83531185

    SHA256

    6a14929ce01adf22d059eb767b4e214aa4f264e588cdd751c278e754e8e97b66

    SHA512

    2e2ff66273e35b974b63e3b5f380d65ae6bec56fdba15b5d0ab116d088be60e70587e29613cc23eb2ffb5ad1c41833a4d408695e95c60e6063977196193bbb6d

  • C:\Users\Admin\AppData\Roaming\temp0923

    Filesize

    10B

    MD5

    1dc5e45a37081b04cadfc0f2c8304258

    SHA1

    70479e9da05847787ac193dae0023751a54657e0

    SHA256

    3a692ced781f5de55c7a2e5e4f83c75e2b4e4bcc903e4179f9f0b323a4e4156a

    SHA512

    d7e03770163a841eeec03e64562c1e59f791f401a073f7fcbbd3d0362e42f577d6ccf70e7466795a1edc953a31d7c5246cb9789e0d3445adc222fc0f3669d780

  • memory/2112-0-0x00000207870F0000-0x000002078711E000-memory.dmp

    Filesize

    184KB

  • memory/2112-1-0x00007FFA1A573000-0x00007FFA1A575000-memory.dmp

    Filesize

    8KB

  • memory/2960-10-0x0000000005860000-0x00000000058FC000-memory.dmp

    Filesize

    624KB

  • memory/2960-15-0x00000000060A0000-0x00000000060F0000-memory.dmp

    Filesize

    320KB

  • memory/2960-12-0x0000000005FE0000-0x0000000006046000-memory.dmp

    Filesize

    408KB

  • memory/2960-11-0x0000000006120000-0x00000000066C6000-memory.dmp

    Filesize

    5.6MB

  • memory/2960-9-0x0000000005720000-0x00000000057B2000-memory.dmp

    Filesize

    584KB

  • memory/2960-2-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

  • memory/4564-49-0x0000024CBE920000-0x0000024CBEA20000-memory.dmp

    Filesize

    1024KB

  • memory/4564-54-0x0000024CAE530000-0x0000024CAE550000-memory.dmp

    Filesize

    128KB

  • memory/4564-62-0x0000024CBFF10000-0x0000024CC0010000-memory.dmp

    Filesize

    1024KB

  • memory/4564-98-0x0000024CC0540000-0x0000024CC0560000-memory.dmp

    Filesize

    128KB

  • memory/4564-97-0x0000024CBEAE0000-0x0000024CBEB00000-memory.dmp

    Filesize

    128KB

  • memory/4564-118-0x0000024CC0500000-0x0000024CC0520000-memory.dmp

    Filesize

    128KB

  • memory/4564-178-0x0000024CC3AC0000-0x0000024CC3BC0000-memory.dmp

    Filesize

    1024KB