
Analysis

  • max time kernel
    134s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/11/2024, 09:39 UTC

General

  • Target

    6d1e9bdbe3b17d3f38b48f35501b26a9059159298c0196f0cb5a0a0de99fc8aeN.exe

  • Size

    90KB

  • MD5

    1be917436f2b88f6b47de91fc0d10920

  • SHA1

    9c986ab8a360357a9ef2ef787f9521e9d6f06a8d

  • SHA256

    6d1e9bdbe3b17d3f38b48f35501b26a9059159298c0196f0cb5a0a0de99fc8ae

  • SHA512

    fffd8437176354215b6642dbf21e8a32a816ab6bd312a96eeae1e1f91edf2b61904d7750a27c9df44b3d5289e63d613530eaaa1d04d16bc94eae28331c9f7fc1

  • SSDEEP

    1536:ebRiQMb57SK3bUzZdQ1iIMvnZlbLxjV3AGq5gWlocT1wzySsd9NJ33J:ebR057SKsstcnZTJQDgWPaySsdH5Z

Malware Config

Extracted

Family

arrowrat

Botnet

ArrowRAT

C2

hypersh.duckdns.org:5558

Mutex

DjTfbajvJ.exe

Signatures

  • ArrowRat

    Remote access tool with various capabilities first seen in late 2021.

  • Arrowrat family
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 17 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\6d1e9bdbe3b17d3f38b48f35501b26a9059159298c0196f0cb5a0a0de99fc8aeN.exe
    "C:\Users\Admin\AppData\Local\Temp\6d1e9bdbe3b17d3f38b48f35501b26a9059159298c0196f0cb5a0a0de99fc8aeN.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1288
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2244
      • C:\Windows\system32\ctfmon.exe
        ctfmon.exe
        3⤵
          PID:2272
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ArrowRAT hypersh.duckdns.org 5558 DjTfbajvJ.exe
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2992

    Network

    • DNS (US) hypersh.duckdns.org, by cvtres.exe
      Remote address: 8.8.8.8:53
      Request: hypersh.duckdns.org IN A
      Response: hypersh.duckdns.org IN A 89.117.23.25
    • DNS (US) hypersh.duckdns.org, by cvtres.exe
      Remote address: 8.8.8.8:53
      Request: hypersh.duckdns.org IN A
      Response: hypersh.duckdns.org IN A 89.117.23.25
    • DNS (US) hypersh.duckdns.org, by cvtres.exe
      Remote address: 8.8.8.8:53
      Request: hypersh.duckdns.org IN A
      Response: hypersh.duckdns.org IN A 89.117.23.25
    • 89.117.23.25:5558
      hypersh.duckdns.org
      cvtres.exe
      152 B
      3
    • 89.117.23.25:5558
      hypersh.duckdns.org
      cvtres.exe
      152 B
      3
    • 89.117.23.25:5558
      hypersh.duckdns.org
      cvtres.exe
      152 B
      3
    • 89.117.23.25:5558
      hypersh.duckdns.org
      cvtres.exe
      152 B
      3
    • 89.117.23.25:5558
      hypersh.duckdns.org
      cvtres.exe
      152 B
      3
    • 89.117.23.25:5558
      hypersh.duckdns.org
      cvtres.exe
      152 B
      3
    • 89.117.23.25:5558
      hypersh.duckdns.org
      cvtres.exe
      152 B
      3
    • 8.8.8.8:53
      hypersh.duckdns.org
      dns
      cvtres.exe
      65 B
      81 B
      1
      1

      DNS Request

      hypersh.duckdns.org

      DNS Response

      89.117.23.25

    • 8.8.8.8:53
      hypersh.duckdns.org
      dns
      cvtres.exe
      65 B
      81 B
      1
      1

      DNS Request

      hypersh.duckdns.org

      DNS Response

      89.117.23.25

    • 8.8.8.8:53
      hypersh.duckdns.org
      dns
      cvtres.exe
      65 B
      81 B
      1
      1

      DNS Request

      hypersh.duckdns.org

      DNS Response

      89.117.23.25

    MITRE ATT&CK Enterprise v15


    Downloads

    • memory/1288-0-0x0000000073E9E000-0x0000000073E9F000-memory.dmp

      Filesize

      4KB

    • memory/1288-1-0x0000000000D60000-0x0000000000D7C000-memory.dmp

      Filesize

      112KB

    • memory/2244-18-0x0000000002A30000-0x0000000002A40000-memory.dmp

      Filesize

      64KB

    • memory/2992-11-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

    • memory/2992-10-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

      Filesize

      4KB

    • memory/2992-8-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

    • memory/2992-6-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

    • memory/2992-4-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

    • memory/2992-2-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

    • memory/2992-14-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB

    • memory/2992-12-0x0000000000400000-0x0000000000410000-memory.dmp

      Filesize

      64KB
