Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

arpReport.exe

windows7-x64

10

arpReport.exe

windows10-2004-x64

10

arphadump.dll

windows7-x64

3

arphadump.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11/09/2024, 01:33 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    arpReport.exe

  • Size

    189KB

  • MD5

    e9d05f7176aab86c6754ba89cb06d768

  • SHA1

    f0e80278eab18ed61dcb473fb42419186fcc8b35

  • SHA256

    6840e6e2a2b4555db025c331b41d426387e8d6397fd5917fad29d3893fb1886f

  • SHA512

    100b1020ac2d67b10d5ff7f7b3423b0706fa0250c90dad9d0155064e52ab6bb2226e8cd9be4ea5e8eba91b91d5f399e82ec166fef0a9fef3cccc35963113fda1

  • SSDEEP

    3072:SJg3FNLpWK6weGrE8tU3xvz0tcK4hYanD9EvQiorztXkF6ODVgCl4LDVXcCSfHR9:SJgVV8K6VGrE8y3CtcKn6yv8zRkDVK5w

Score
10/10
plugxdiscoverytrojan

Malware Config

Signatures

  • Detects PlugX payload 21 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Unexpected DNS network traffic destination 2 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Deletes itself 1 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\arpReport.exe
    "C:\Users\Admin\AppData\Local\Temp\arpReport.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1732
  • C:\Program Files (x86)\Common Files\Adobe\ArainsToolser\arpReport.exe
    "C:\Program Files (x86)\Common Files\Adobe\ArainsToolser\arpReport.exe" 100 1732
    1⤵
    • Deletes itself
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2844
  • C:\Program Files (x86)\Common Files\Adobe\ArainsToolser\arpReport.exe
    "C:\Program Files (x86)\Common Files\Adobe\ArainsToolser\arpReport.exe" 200 0
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2884
    • C:\Windows\SysWOW64\Dism.exe
      C:\Windows\system32\Dism.exe 201 0
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2840
      • C:\Windows\SysWOW64\msdt.exe
        C:\Windows\system32\msdt.exe 209 2840
        3⤵
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:2936
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:448
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x484
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:292

    Network

    • flag-us
      DNS
      mu.googletrait.com
      Dism.exe
      Remote address:
      8.8.8.8:53
      Request
      mu.googletrait.com
      IN A
      Response
      mu.googletrait.com
      IN A
      18.141.169.162
    • 18.141.169.162:80
      mu.googletrait.com
      Dism.exe
      152 B
       3
    • 18.141.169.162:443
      mu.googletrait.com
      Dism.exe
      152 B
       3
    • 18.141.169.162:53
      mu.googletrait.com
      Dism.exe
      152 B
       3
    • 18.141.169.162:8080
      mu.googletrait.com
      Dism.exe
      152 B
       3
    • 18.141.169.162:80
      mu.googletrait.com
      Dism.exe
      152 B
       3
    • 10.127.255.255:3128
      Dism.exe
      2.0kB
       14
    • 8.8.8.8:53
      mu.googletrait.com
      dns
      Dism.exe
      64 B
       80 B
       1
      1

      DNS Request

      mu.googletrait.com

      DNS Response

      18.141.169.162

    • 18.141.169.162:80
      mu.googletrait.com
      http
      Dism.exe
      1.2kB
       24
    • 18.141.169.162:443
      mu.googletrait.com
      https
      Dism.exe
      1.2kB
       24
    • 18.141.169.162:53
      mu.googletrait.com
      dns
      Dism.exe
      1.2kB
       24
    • 18.141.169.162:8080
      mu.googletrait.com
      Dism.exe
      1.2kB
       24

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Common Files\Adobe\ArainsToolser\DIFxAPI.bpl
      Filesize

      133KB

      MD5

      6d7a48328af8ac53d0331bca03f6e322

      SHA1

      41b14093804e44dc1865a595d1a8e63c918c0a29

      SHA256

      86f32ad5c7048cd156d345bc86d4afc73a7be036a5b11aa08ac5b037249ba73e

      SHA512

      207c525e14e18eb147f92bcc65186131e24168ff877c09eae3bd234c37401776a483bf56f105060c02c88d37935e23df8e759f4979dc7cdc71bad08bab6c3715

      Download Submit

    • C:\Program Files (x86)\Common Files\Adobe\ArainsToolser\arpReport.exe
      Filesize

      189KB

      MD5

      e9d05f7176aab86c6754ba89cb06d768

      SHA1

      f0e80278eab18ed61dcb473fb42419186fcc8b35

      SHA256

      6840e6e2a2b4555db025c331b41d426387e8d6397fd5917fad29d3893fb1886f

      SHA512

      100b1020ac2d67b10d5ff7f7b3423b0706fa0250c90dad9d0155064e52ab6bb2226e8cd9be4ea5e8eba91b91d5f399e82ec166fef0a9fef3cccc35963113fda1

      Download Submit

    • C:\Program Files (x86)\Common Files\Adobe\ArainsToolser\arphadump.dll
      Filesize

      7.2MB

      MD5

      e4ac1288b36eb34ec356012716573a5c

      SHA1

      dfaf779547b3989d72f75a91dbba20a3a15d4b96

      SHA256

      9e10d98024db6f6748433918288232cc1e55bea916146729be40dc0e53615393

      SHA512

      5f6921a62bee16a695215ead02fa10f6ae7ec844c9826a063824487519e03b0c674f6802273f13cb23e1daca2f7e9b9b723359d2b9aa9183821ec1234a334463

      Download Submit

    • memory/1732-66-0x0000000000200000-0x0000000000236000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1732-2-0x0000000000200000-0x0000000000236000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1732-3-0x0000000000200000-0x0000000000236000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1732-5-0x0000000000200000-0x0000000000236000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1732-0-0x0000000001C60000-0x0000000001D60000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2840-37-0x00000000000F0000-0x00000000000F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2840-41-0x0000000000110000-0x0000000000130000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2840-83-0x00000000003C0000-0x00000000003F6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2840-43-0x0000000000130000-0x0000000000132000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2840-44-0x00000000000F0000-0x00000000000F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2840-45-0x00000000003C0000-0x00000000003F6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2840-67-0x00000000003C0000-0x00000000003F6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2840-61-0x00000000003C0000-0x00000000003F6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2840-63-0x00000000003C0000-0x00000000003F6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2840-60-0x00000000003C0000-0x00000000003F6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2840-59-0x00000000003C0000-0x00000000003F6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2840-58-0x00000000000F0000-0x00000000000F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2840-47-0x00000000003C0000-0x00000000003F6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2844-27-0x0000000000250000-0x0000000000286000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2844-71-0x0000000000250000-0x0000000000286000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2884-62-0x00000000000A0000-0x00000000000D6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2884-34-0x00000000000A0000-0x00000000000D6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2936-77-0x0000000000740000-0x0000000000776000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2936-82-0x0000000000740000-0x0000000000776000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2936-81-0x0000000000740000-0x0000000000776000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2936-78-0x0000000000740000-0x0000000000776000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2936-80-0x0000000000740000-0x0000000000776000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2936-79-0x0000000000050000-0x0000000000051000-memory.dmp

      Filesize

      4KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.