Overview

overview

10

Static

static

10

6aad7dead2...90.exe

windows7-x64

10

6aad7dead2...90.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-11-2024 15:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6aad7dead2ff9aa2996314a6c73f3043513ed155ed36507411efb7b38343c090.exe

  • Size

    138KB

  • MD5

    348c70b182eb53d74fe080f57c7265bc

  • SHA1

    42e3e7c848fc8774dd7bd6be1e3bdfe98fc86e06

  • SHA256

    6aad7dead2ff9aa2996314a6c73f3043513ed155ed36507411efb7b38343c090

  • SHA512

    3b2c3f04443e76371fdd03aae0b4c846bcf585ad69d235ff595612f24a96607b7c44b5182a66c87b589044a5d3b2b77839c384b5ccc7fc65b8b10c40982ada12

  • SSDEEP

    3072:Jbvs5mz7Bqh1v59Y08mAjs0Ltel+qOeJHlpV8b+Y/Yl:JbvES7BqjjYHdrqkL/

Score
10/10
arrowratbrasildiscoverypersistencerat

Malware Config

Extracted

Family

arrowrat

Botnet

BRASIL

C2

chromedata.accesscam.org:1338

Mutex

imfoNeSSi

Signatures

  • ArrowRat

    Remote access tool with various capabilities first seen in late 2021.

    ratarrowrat
  • Arrowrat family
    arrowrat
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of FindShellTrayWindow 49 IoCs
  • Suspicious use of SendNotifyMessage 21 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\6aad7dead2ff9aa2996314a6c73f3043513ed155ed36507411efb7b38343c090.exe
    "C:\Users\Admin\AppData\Local\Temp\6aad7dead2ff9aa2996314a6c73f3043513ed155ed36507411efb7b38343c090.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2788
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3968
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" BRASIL chromedata.accesscam.org 1338 imfoNeSSi
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3552
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1032
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3412

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_services_msc
    Filesize

    36KB

    MD5

    5e2da008f38c7ad813d9fe8e669dddd6

    SHA1

    3f4ed852167cfb251cce13be4906a0cbea58f021

    SHA256

    0cf904a532ac487f6b4c080fd01406529ad26ae559128b0aff170f389c278c28

    SHA512

    8d295af13fa38384923e0db043ef7196ae3cdddc9dc1e765217494461c6c6f24704eb984985c45159cae06e81ca857c4f406b1ec80bc9c8fbccad535a1f77d72

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133750360397126987.txt
    Filesize

    75KB

    MD5

    a315b9920dc5269f2d2659f7509e3da3

    SHA1

    653deef95a660d58afd850202800863353a5a565

    SHA256

    df5de845d9126f302b6beebd1828f37e99c2d239de3a9b0dcae24ce6455f2d12

    SHA512

    626e558dafe1b041f00b0bfb0f56bb67c677b28f6bf1404d9a8c2adba2ba303dc8d179aecde8f9fff139b32d18811d5a067055d4d280c9018f6b606452915561

    Download Submit

  • memory/2788-1-0x0000012DFA6D0000-0x0000012DFA6F8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2788-0-0x00007FFB25743000-0x00007FFB25745000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3412-16-0x000001ABC2F40000-0x000001ABC3040000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/3412-24-0x000001ABC3D10000-0x000001ABC3D30000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3412-37-0x000001ABC4360000-0x000001ABC4380000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3412-15-0x000001ABC2F40000-0x000001ABC3040000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/3412-20-0x000001ABC3D50000-0x000001ABC3D70000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3412-17-0x000001ABC2F40000-0x000001ABC3040000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/3552-4-0x0000000004A90000-0x0000000004B22000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3552-10-0x0000000005AD0000-0x0000000005B20000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3552-7-0x0000000005210000-0x0000000005276000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3552-6-0x00000000052D0000-0x0000000005874000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3552-5-0x0000000004B30000-0x0000000004BCC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3552-2-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3968-13-0x0000000003790000-0x0000000003791000-memory.dmp

    Filesize

    4KB

    Download