Analysis

  • max time kernel
    81s
  • max time network
    62s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-01-2025 11:39

General

  • Target

    pandora.exe

  • Size

    158KB

  • MD5

    990b4366c8214281b19989fff2beebb7

  • SHA1

    56814a2602db00e25bbb2c07aaf8ebffce00f6ef

  • SHA256

    79cde129a3ca0865d953d1e1e664497100c5d185f14ba49e6aa261f6f0282132

  • SHA512

    d6c461aec2e0becbaf76c8e6ebc9ed249c26c0a203af4445c5af999724dffa4653c4f3b6e4b597b99dd66943e7b36c8e9f613825183926556f456a26d22e6681

  • SSDEEP

    3072:wbzoH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPodO8Y:wbzoe0ODhTEPgnjuIJzo+PPcfPoQ8

Malware Config

Extracted

Family

arrowrat

Botnet

HVNC

C2

vshostupdater.duckdns.org:34357

Mutex

TnXRoYazW

Signatures

  • ArrowRat

    Remote access tool with various capabilities first seen in late 2021.

  • Arrowrat family
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 6 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 51 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 19 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\pandora.exe
    "C:\Users\Admin\AppData\Local\Temp\pandora.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2956
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Windows\system32\ctfmon.exe
        ctfmon.exe
        3⤵
          PID:2744
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" HVNC vshostupdater.duckdns.org 34357 TnXRoYazW
      2⤵
        PID:2768
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" HVNC vshostupdater.duckdns.org 34357 TnXRoYazW
      2⤵
        PID:2700
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" HVNC vshostupdater.duckdns.org 34357 TnXRoYazW
      2⤵
        PID:2548
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" HVNC vshostupdater.duckdns.org 34357 TnXRoYazW
      2⤵
        PID:2212
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" HVNC vshostupdater.duckdns.org 34357 TnXRoYazW
      2⤵
        PID:2880
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" HVNC vshostupdater.duckdns.org 34357 TnXRoYazW
      2⤵
        PID:2704
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" HVNC vshostupdater.duckdns.org 34357 TnXRoYazW
      2⤵
        PID:2576
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" HVNC vshostupdater.duckdns.org 34357 TnXRoYazW
      2⤵
        PID:2668
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" HVNC vshostupdater.duckdns.org 34357 TnXRoYazW
      2⤵
        PID:2800
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" HVNC vshostupdater.duckdns.org 34357 TnXRoYazW
      2⤵
        PID:2852
    • C:\Windows\System32\ComputerDefaults.exe
      "C:\Windows\System32\ComputerDefaults.exe"
      2⤵
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Windows\System32\ie4uinit.exe
        "C:\Windows\System32\ie4uinit.exe" -reinstall
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:2836
      • C:\Windows\system32\unregmp2.exe
        C:\Windows\system32\unregmp2.exe /SetWMPAsDefault
        3⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:1600

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk

    Filesize

    1KB

    MD5

    edd62b5f24eaf476a537dfa7544c4931

    SHA1

    57005485398d6d13d744965ff7d2fd9a17b42735

    SHA256

    d51b8980a455c5a3eba911c4a22afa3aa11af25885072993bc32f34c8b54bb6d

    SHA512

    c7fde8ff9068765b7e351c027b484e14db11f84912db98df031f7b5321670316b2949917d8d1c91a4cead0cb1b3400cc4eadeed9c935d48eb4ac847ecf874fd4

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk

    Filesize

    1KB

    MD5

    fe6dc32728f676f4c71d45f5eceb4953

    SHA1

    b71c45edb7e827385b6d4a327b1300d61149521f

    SHA256

    3e8d4d535c20fa7032aa7c1716782818854b2a0ecb4108e8676315b71211b3c9

    SHA512

    efacf05e06faecc9d8ef0217c569c019c2cb4ab4ee2e2aca1310aa1a6c2f07b242f9f5c107dec6eb7cf5e88e6793c67485569cc07558bfec6a6465395d94f2e7

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk

    Filesize

    1KB

    MD5

    f0554f83ff401d1befee03dcf538bb0a

    SHA1

    c85ed89589dc54ced7cf5b015d818273875720c1

    SHA256

    880bea3ddc4ece2139f407a4f53ac286797f6d3087e80caf9f5e30243eae04ee

    SHA512

    8735752b15a706ee5b7af02cfba895219da8552359c0946cf92e2e1feff844bba36cba427ca7d2d952edc0fa5344f22f33fe5725d648ff7a8b1c5fd8d4f28138

  • memory/2956-0-0x000007FEF5633000-0x000007FEF5634000-memory.dmp

    Filesize

    4KB

  • memory/2956-1-0x0000000000B10000-0x0000000000B3E000-memory.dmp

    Filesize

    184KB