Analysis

  • max time kernel: 81s
  • max time network: 62s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 11/01/2025, 11:39 UTC

General

  • Target: pandora.exe
  • Size: 158KB
  • MD5: 990b4366c8214281b19989fff2beebb7
  • SHA1: 56814a2602db00e25bbb2c07aaf8ebffce00f6ef
  • SHA256: 79cde129a3ca0865d953d1e1e664497100c5d185f14ba49e6aa261f6f0282132
  • SHA512: d6c461aec2e0becbaf76c8e6ebc9ed249c26c0a203af4445c5af999724dffa4653c4f3b6e4b597b99dd66943e7b36c8e9f613825183926556f456a26d22e6681
  • SSDEEP: 3072:wbzoH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPodO8Y:wbzoe0ODhTEPgnjuIJzo+PPcfPoQ8

Malware Config

Extracted

  • Family: arrowrat
  • Botnet: HVNC
  • C2: vshostupdater.duckdns.org:34357
  • Mutex: TnXRoYazW

Signatures

  • ArrowRat

    Remote access tool with various capabilities, first seen in late 2021.

  • Arrowrat family
  • Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  • Boot or Logon Autostart Execution: Active Setup (2 TTPs, 6 IoCs)

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Event Triggered Execution: Component Object Model Hijacking (1 TTP)

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings (1 TTP, 51 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: EnumeratesProcesses (21 IoCs)
  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of FindShellTrayWindow (27 IoCs)
  • Suspicious use of SendNotifyMessage (19 IoCs)
  • Suspicious use of WriteProcessMemory (55 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\pandora.exe
    "C:\Users\Admin\AppData\Local\Temp\pandora.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2956
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Windows\system32\ctfmon.exe
        ctfmon.exe
        3⤵
        PID:2744
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" HVNC vshostupdater.duckdns.org 34357 TnXRoYazW
      2⤵
      PID:2768
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" HVNC vshostupdater.duckdns.org 34357 TnXRoYazW
      2⤵
      PID:2700
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" HVNC vshostupdater.duckdns.org 34357 TnXRoYazW
      2⤵
      PID:2548
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" HVNC vshostupdater.duckdns.org 34357 TnXRoYazW
      2⤵
      PID:2212
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" HVNC vshostupdater.duckdns.org 34357 TnXRoYazW
      2⤵
      PID:2880
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" HVNC vshostupdater.duckdns.org 34357 TnXRoYazW
      2⤵
      PID:2704
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" HVNC vshostupdater.duckdns.org 34357 TnXRoYazW
      2⤵
      PID:2576
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" HVNC vshostupdater.duckdns.org 34357 TnXRoYazW
      2⤵
      PID:2668
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" HVNC vshostupdater.duckdns.org 34357 TnXRoYazW
      2⤵
      PID:2800
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" HVNC vshostupdater.duckdns.org 34357 TnXRoYazW
      2⤵
      PID:2852
    • C:\Windows\System32\ComputerDefaults.exe
      "C:\Windows\System32\ComputerDefaults.exe"
      2⤵
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Windows\System32\ie4uinit.exe
        "C:\Windows\System32\ie4uinit.exe" -reinstall
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:2836
      • C:\Windows\system32\unregmp2.exe
        C:\Windows\system32\unregmp2.exe /SetWMPAsDefault
        3⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:1600

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
    Filesize: 1KB
    MD5: edd62b5f24eaf476a537dfa7544c4931
    SHA1: 57005485398d6d13d744965ff7d2fd9a17b42735
    SHA256: d51b8980a455c5a3eba911c4a22afa3aa11af25885072993bc32f34c8b54bb6d
    SHA512: c7fde8ff9068765b7e351c027b484e14db11f84912db98df031f7b5321670316b2949917d8d1c91a4cead0cb1b3400cc4eadeed9c935d48eb4ac847ecf874fd4

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
    Filesize: 1KB
    MD5: fe6dc32728f676f4c71d45f5eceb4953
    SHA1: b71c45edb7e827385b6d4a327b1300d61149521f
    SHA256: 3e8d4d535c20fa7032aa7c1716782818854b2a0ecb4108e8676315b71211b3c9
    SHA512: efacf05e06faecc9d8ef0217c569c019c2cb4ab4ee2e2aca1310aa1a6c2f07b242f9f5c107dec6eb7cf5e88e6793c67485569cc07558bfec6a6465395d94f2e7

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
    Filesize: 1KB
    MD5: f0554f83ff401d1befee03dcf538bb0a
    SHA1: c85ed89589dc54ced7cf5b015d818273875720c1
    SHA256: 880bea3ddc4ece2139f407a4f53ac286797f6d3087e80caf9f5e30243eae04ee
    SHA512: 8735752b15a706ee5b7af02cfba895219da8552359c0946cf92e2e1feff844bba36cba427ca7d2d952edc0fa5344f22f33fe5725d648ff7a8b1c5fd8d4f28138

  • memory/2956-0-0x000007FEF5633000-0x000007FEF5634000-memory.dmp
    Filesize: 4KB

  • memory/2956-1-0x0000000000B10000-0x0000000000B3E000-memory.dmp
    Filesize: 184KB
