Analysis
- max time kernel: 149s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 19/12/2024, 07:50

Static task: static1

Behavioral task: behavioral1
- Sample: T.T_Copy.12.18.2024.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: T.T_Copy.12.18.2024.exe
- Resource: win10v2004-20241007-en
General
- Target: T.T_Copy.12.18.2024.exe
- Size: 1.2MB
- MD5: 4542c9e57e9d955244262c035aaffe94
- SHA1: 3dfade02ec7892ebdfa977c25354a352e0c55f56
- SHA256: 98c70efff4675dd2ef3f9a90afb155c4fdbee2aa1f0f2e1641f9c0b8f432407a
- SHA512: ac1a22980f414a1b81700c88cd298ad039fd66e563067d14f5a8ea979e0cb2004d63b1246d1a0378ec883d9c3432789b2e3bcff963358e81010c55ee562e2ad9
- SSDEEP: 24576:INA3R5drXPU/S9abXnZZKBlxr89Wvz4csbmDEbOBVXLzR6t2oE+Lyjx:h52LGBlxRJsiDV7V60onud
Malware Config
Extracted: arrowrat
- Client01
- 127.0.0.1:1338
- OSHPAW
Signatures

Arrowrat family
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Roaming\\ZO5WB9\\I4R41F.exe" | zdfhrgzd.exe
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Executes dropped EXE (6 IoCs)
pid | Process
2764 | dfbzdfb.sfx.exe
2452 | dfbzdfb.exe
2284 | zdfhrgzd.sfx.exe
2716 | zdfhrgzd.exe
840 | zdfhrgzd.exe
1656 | zdfhrgzd.exe
Loads dropped DLL (9 IoCs)
pid | Process
2056 | cmd.exe
2764 | dfbzdfb.sfx.exe
2764 | dfbzdfb.sfx.exe
2764 | dfbzdfb.sfx.exe
1252 | cmd.exe
2284 | zdfhrgzd.sfx.exe
2284 | zdfhrgzd.sfx.exe
2284 | zdfhrgzd.sfx.exe
2284 | zdfhrgzd.sfx.exe
Suspicious use of SetThreadContext (4 IoCs)
description | pid | Process | procid_target
PID 2716 set thread context of 840 | 2716 | zdfhrgzd.exe | 39
PID 2716 set thread context of 1656 | 2716 | zdfhrgzd.exe | 40
PID 1656 set thread context of 108 | 1656 | zdfhrgzd.exe | 44
PID 840 set thread context of 328 | 840 | zdfhrgzd.exe | 43
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 12 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zdfhrgzd.sfx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zdfhrgzd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zdfhrgzd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | T.T_Copy.12.18.2024.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dfbzdfb.sfx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dfbzdfb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cvtres.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zdfhrgzd.exe

Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | explorer.exe
Modifies registry class (5 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
840 | zdfhrgzd.exe
1656 | zdfhrgzd.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
2320 | AcroRd32.exe
Suspicious use of AdjustPrivilegeToken (14 IoCs; identical rows collapsed, count in last column)
description | pid | Process | count
Token: SeDebugPrivilege | 2716 | zdfhrgzd.exe | 1
Token: SeDebugPrivilege | 840 | zdfhrgzd.exe | 1
Token: SeDebugPrivilege | 1656 | zdfhrgzd.exe | 1
Token: SeShutdownPrivilege | 1644 | explorer.exe | 11
Suspicious use of FindShellTrayWindow (27 IoCs; identical rows collapsed)
pid | Process | count
1644 | explorer.exe | 27
Suspicious use of SendNotifyMessage (17 IoCs; identical rows collapsed)
pid | Process | count
1644 | explorer.exe | 17
Suspicious use of SetWindowsHookEx (3 IoCs; identical rows collapsed)
pid | Process | count
2320 | AcroRd32.exe | 3
Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, count in last column)
description | pid | Process | procid_target | count
PID 2336 wrote to memory of 2056 | 2336 | T.T_Copy.12.18.2024.exe | 30 | 4
PID 2056 wrote to memory of 2764 | 2056 | cmd.exe | 32 | 4
PID 2764 wrote to memory of 2452 | 2764 | dfbzdfb.sfx.exe | 33 | 4
PID 2452 wrote to memory of 1252 | 2452 | dfbzdfb.exe | 34 | 4
PID 2452 wrote to memory of 2320 | 2452 | dfbzdfb.exe | 36 | 4
PID 1252 wrote to memory of 2284 | 1252 | cmd.exe | 37 | 4
PID 2284 wrote to memory of 2716 | 2284 | zdfhrgzd.sfx.exe | 38 | 4
PID 2716 wrote to memory of 840 | 2716 | zdfhrgzd.exe | 39 | 9
PID 2716 wrote to memory of 1656 | 2716 | zdfhrgzd.exe | 40 | 9
PID 1656 wrote to memory of 1644 | 1656 | zdfhrgzd.exe | 41 | 4
PID 840 wrote to memory of 2188 | 840 | zdfhrgzd.exe | 42 | 4
PID 1656 wrote to memory of 108 | 1656 | zdfhrgzd.exe | 44 | 9
PID 840 wrote to memory of 328 | 840 | zdfhrgzd.exe | 43 | 1
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree depth in brackets; children indented under their parent)

[1] C:\Users\Admin\AppData\Local\Temp\T.T_Copy.12.18.2024.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\T.T_Copy.12.18.2024.exe"
    PID: 2336
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\oxfhxtr.cmd" "
      PID: 2056
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\dfbzdfb.sfx.exe
        Command line: dfbzdfb.sfx.exe -dC:\Users\Admin\AppData\Local\Temp -pepouidalfszfugyRhvqxsdfHbgnmeUtyadfhmxvfofnglfyjfodyehal
        PID: 2764
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\dfbzdfb.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\dfbzdfb.exe"
          PID: 2452
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c ""C:\Users\Admin\AppData\Roaming\zdsthsxu.bat" "
            PID: 1252
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Roaming\zdfhrgzd.sfx.exe
              Command line: zdfhrgzd.sfx.exe -dC:\Users\Admin\AppData\Roaming -pesgujhbotoqxqegtpsadelifsujhmwxgthutjkdewsqwngjMiczafugybsbBbsdhdqbqeku
              PID: 2284
              - Executes dropped EXE
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
            [7] C:\Users\Admin\AppData\Roaming\zdfhrgzd.exe
                Command line: "C:\Users\Admin\AppData\Roaming\zdfhrgzd.exe"
                PID: 2716
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - System Location Discovery: System Language Discovery
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
              [8] C:\Users\Admin\AppData\Roaming\zdfhrgzd.exe
                  Command line: C:\Users\Admin\AppData\Roaming\zdfhrgzd.exe
                  PID: 840
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  - System Location Discovery: System Language Discovery
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\explorer.exe
                    Command line: "C:\Windows\explorer.exe"
                    PID: 2188
                [9] C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client01 127.0.0.1 1338 OSHPAW
                    PID: 328
                    - System Location Discovery: System Language Discovery
              [8] C:\Users\Admin\AppData\Roaming\zdfhrgzd.exe
                  Command line: C:\Users\Admin\AppData\Roaming\zdfhrgzd.exe
                  PID: 1656
                  - Modifies WinLogon for persistence
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  - System Location Discovery: System Language Discovery
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\explorer.exe
                    Command line: "C:\Windows\explorer.exe"
                    PID: 1644
                    - Boot or Logon Autostart Execution: Active Setup
                    - Modifies Internet Explorer settings
                    - Modifies registry class
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of FindShellTrayWindow
                    - Suspicious use of SendNotifyMessage
                  [10] C:\Windows\system32\ctfmon.exe
                       Command line: ctfmon.exe
                       PID: 2224
                [9] C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client01 127.0.0.1 1338 OSHPAW
                    PID: 108
                    - System Location Discovery: System Language Discovery
        [5] C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
            Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\mts103wift.pdf"
            PID: 2320
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Winlogon Helper DLL (1)
Downloads