Analysis
  max time kernel:  34s
  max time network: 112s
  platform:         windows7_x64
  resource:         win7v200430
  submitted:        10/07/2020, 05:15
Static task:     static1
Behavioral task: behavioral1
  Sample:   nxxt.exe
  Resource: win7v200430
  0 signatures, 0 seconds
General
  Target: nxxt.exe
  Size:   338KB
  MD5:    5a68d27a6d644b88a59ae764acaad552
  SHA1:   24f135bf0c8e0db609a39fc2a5b68e644ed1ce7c
  SHA256: 1a4ea9c422e80abe0f0abd7cbc73e3070b0345d2e9ab5ff57840230240f10f47
  SHA512: 191b216e498e1ea68d4f61b506ea08e9f4852461bb9324febbd527a16dc4eb610f43a1457e8f2482874f6b634aaadad46c20baf2944871c40f894226e3f59783
Malware Config
Signatures
NTFS ADS (1 IoC)
  description  ioc                                                              process
  File created C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier cmd.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description             pid  process
  Token: SeDebugPrivilege 272  nxxt.exe

Suspicious use of WriteProcessMemory (20 IoCs; one row per call, grouped by target)
  description                      pid  process   procid_target  rows
  PID 272 wrote to memory of 1116  272  nxxt.exe  24             12
  PID 272 wrote to memory of 1512  272  nxxt.exe  25             4
  PID 272 wrote to memory of 1776  272  nxxt.exe  27             4

Executes dropped EXE (1 IoC)
  pid   process
  1116  sdhost.exe

Drops startup file (1 IoC)
  description  ioc                                                                                  process
  File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk nxxt.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid  process
  272  nxxt.exe
  272  nxxt.exe

Loads dropped DLL (3 IoCs)
  pid  process
  272  nxxt.exe
  272  nxxt.exe
  272  nxxt.exe

Suspicious use of SetThreadContext (1 IoC)
  description                          pid  process   procid_target
  PID 272 set thread context of 1116   272  nxxt.exe  24

NetWire RAT payload (2 IoCs)
  resource                                                                    yara_rule
  behavioral1/memory/1116-1-0x0000000000400000-0x0000000000433000-memory.dmp  netwire
  behavioral1/memory/1116-4-0x0000000000400000-0x0000000000433000-memory.dmp  netwire
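The WriteProcessMemory, SetThreadContext and "Executes dropped EXE" rows above only become a verdict once they are joined on source and target PID: nxxt.exe (272) both writes into the dropped sdhost.exe (1116) and replaces its thread context, which is the classic hollowing pattern, while the writes into the two cmd.exe children are the handful of rows that accompany an ordinary CreateProcess. The script below is an added example, not tria.ge code. Its EVENTS list is constructed here to mirror the report's rows, and the cut-off of four writes per child for "ordinary process creation" is an assumption, not a documented sandbox constant. It also splits the memory-dump resource name so the hit region is visible: 0x400000 is the default image base of a 32-bit PE, consistent with the payload being mapped over the child's image.

```python
"""Correlate sandbox signature rows into a process-injection verdict.

Added example for this report; it is not tria.ge code. The EVENTS list is
constructed here to mirror the report's rows: PID 272 (nxxt.exe) writes to
1116 (the dropped sdhost.exe), 1512 and 1776 (cmd.exe), and sets the thread
context of 1116 only.
"""
import re
from collections import Counter
from dataclasses import dataclass

# (event, source_pid, source_name, target_pid, target_name) -- constructed
EVENTS = (
    [("WriteProcessMemory", 272, "nxxt.exe", 1116, "sdhost.exe")] * 12
    + [("WriteProcessMemory", 272, "nxxt.exe", 1512, "cmd.exe")] * 4
    + [("WriteProcessMemory", 272, "nxxt.exe", 1776, "cmd.exe")] * 4
    + [("SetThreadContext", 272, "nxxt.exe", 1116, "sdhost.exe"),
       ("ExecutesDroppedEXE", 1116, "sdhost.exe", 1116, "sdhost.exe")]
)

# Assumption: a CreateProcess in this kind of sandbox shows up as a few
# WriteProcessMemory rows (the parent populating the child). Anything
# above this, or any SetThreadContext, is treated as injection.
CREATE_PROCESS_WRITES = 4


@dataclass(frozen=True)
class Chain:
    src_pid: int
    src: str
    dst_pid: int
    dst: str
    writes: int
    set_context: bool
    dst_is_dropped: bool

    @property
    def verdict(self) -> str:
        if self.set_context and self.dst_is_dropped:
            return "hollowing-style injection into dropped child"
        if self.set_context or self.writes > CREATE_PROCESS_WRITES:
            return "injection (write volume or thread-context change)"
        return "consistent with ordinary process creation"


def injection_chains(events):
    """Group rows by (source, target) and attach the corroborating signals."""
    writes, ctx, dropped, names = Counter(), set(), set(), {}
    for ev, spid, sname, tpid, tname in events:
        names[spid], names[tpid] = sname, tname
        if ev == "WriteProcessMemory":
            writes[(spid, tpid)] += 1
        elif ev == "SetThreadContext":
            ctx.add((spid, tpid))
        elif ev == "ExecutesDroppedEXE":
            dropped.add(tpid)
    return [
        Chain(s, names[s], d, names[d], n, (s, d) in ctx, d in dropped)
        for (s, d), n in sorted(writes.items())
    ]


DUMP_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<n>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name: str) -> dict:
    """Split a tria.ge memory-dump resource name into pid and region."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump resource: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"task": m["task"], "pid": int(m["pid"]), "start": start,
            "end": end, "size": end - start}


if __name__ == "__main__":
    for c in injection_chains(EVENTS):
        print(f"{c.src}({c.src_pid}) -> {c.dst}({c.dst_pid}): "
              f"{c.writes} writes, SetThreadContext={c.set_context}: {c.verdict}")
    d = parse_dump_name(
        "behavioral1/memory/1116-1-0x0000000000400000-0x0000000000433000-memory.dmp")
    print(f"dump: pid {d['pid']} region 0x{d['start']:x}-0x{d['end']:x} "
          f"({d['size']} bytes)")
```

Run stand-alone it prints one line per source/target pair and the 0x400000 to 0x433000 region of PID 1116 that the netwire rule matched; the same functions can be fed rows exported from any report that uses these signature names.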
Processes

C:\Users\Admin\AppData\Local\Temp\nxxt.exe  (PID 272)
  command line: "C:\Users\Admin\AppData\Local\Temp\nxxt.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Loads dropped DLL
  - Suspicious use of SetThreadContext

  C:\Users\Admin\AppData\Local\Temp\sdhost.exe  (PID 1116, child of 272)
    command line: "C:\Users\Admin\AppData\Local\Temp\sdhost.exe"
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe  (PID 1512, child of 272)
    command line: "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/nxxt.exe" "%temp%\FolderN\name.exe" /Y

  C:\Windows\SysWOW64\cmd.exe  (PID 1776, child of 272)
    command line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
    - NTFS ADS

The image path of both cmd.exe children is SysWOW64 although the command line names System32: the 32-bit parent's System32 reference is redirected by WOW64 on this x64 guest. The copy made by PID 1512 (%temp%\FolderN\name.exe) is the file that the Startup-folder name.exe.lnk from the "Drops startup file" signature is named after, and PID 1776 then writes a Zone.Identifier stream onto that copy.