Analysis

  • max time kernel
    128s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04-11-2024 00:06

General

  • Target

    6aad7dead2ff9aa2996314a6c73f3043513ed155ed36507411efb7b38343c090.exe

  • Size

    138KB

  • MD5

    348c70b182eb53d74fe080f57c7265bc

  • SHA1

    42e3e7c848fc8774dd7bd6be1e3bdfe98fc86e06

  • SHA256

    6aad7dead2ff9aa2996314a6c73f3043513ed155ed36507411efb7b38343c090

  • SHA512

    3b2c3f04443e76371fdd03aae0b4c846bcf585ad69d235ff595612f24a96607b7c44b5182a66c87b589044a5d3b2b77839c384b5ccc7fc65b8b10c40982ada12

  • SSDEEP

    3072:Jbvs5mz7Bqh1v59Y08mAjs0Ltel+qOeJHlpV8b+Y/Yl:JbvES7BqjjYHdrqkL/

Malware Config

Extracted

Family

arrowrat

Botnet

BRASIL

C2

chromedata.accesscam.org:1338

Mutex

imfoNeSSi

Signatures

  • ArrowRat

    Remote access tool with various capabilities first seen in late 2021.

  • Arrowrat family
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 16 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\6aad7dead2ff9aa2996314a6c73f3043513ed155ed36507411efb7b38343c090.exe
    "C:\Users\Admin\AppData\Local\Temp\6aad7dead2ff9aa2996314a6c73f3043513ed155ed36507411efb7b38343c090.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2548
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2056
      • C:\Windows\system32\ctfmon.exe
        ctfmon.exe
        3⤵
          PID:1068
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" BRASIL chromedata.accesscam.org 1338 imfoNeSSi
        2⤵
          PID:2088
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" BRASIL chromedata.accesscam.org 1338 imfoNeSSi
          2⤵
            PID:332
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" BRASIL chromedata.accesscam.org 1338 imfoNeSSi
            2⤵
              PID:2704
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" BRASIL chromedata.accesscam.org 1338 imfoNeSSi
              2⤵
                PID:2456
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" BRASIL chromedata.accesscam.org 1338 imfoNeSSi
                2⤵
                  PID:2740
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" BRASIL chromedata.accesscam.org 1338 imfoNeSSi
                  2⤵
                    PID:2744
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" BRASIL chromedata.accesscam.org 1338 imfoNeSSi
                    2⤵
                      PID:2788
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" BRASIL chromedata.accesscam.org 1338 imfoNeSSi
                      2⤵
                        PID:2804
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" BRASIL chromedata.accesscam.org 1338 imfoNeSSi
                        2⤵
                          PID:2876
                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" BRASIL chromedata.accesscam.org 1338 imfoNeSSi
                          2⤵
                            PID:3012

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • memory/2056-5-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

                          Filesize

                          64KB

                        • memory/2548-0-0x000007FEF5E43000-0x000007FEF5E44000-memory.dmp

                          Filesize

                          4KB

                        • memory/2548-1-0x0000000001270000-0x0000000001298000-memory.dmp

                          Filesize

                          160KB