Analysis
Max time kernel: 152s
Max time network: 166s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 01/10/2022, 21:59
Behavioral task: behavioral1
Sample: fa1a3a022778c23dac119cce05cdae97d244ec96cb1d8840d6cec28a4c3fd090.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: fa1a3a022778c23dac119cce05cdae97d244ec96cb1d8840d6cec28a4c3fd090.exe
Resource: win10v2004-20220812-en
General
Target: fa1a3a022778c23dac119cce05cdae97d244ec96cb1d8840d6cec28a4c3fd090.exe
Size: 23KB
MD5: 6bd895df9267c15d2a2c6d834b3b7560
SHA1: 812b885c9088203d6a314d336561e201b894c178
SHA256: fa1a3a022778c23dac119cce05cdae97d244ec96cb1d8840d6cec28a4c3fd090
SHA512: b93aaa721683c085caf51416b593ad9e23de7fbf29951d4a72b13eba84249db9dcad8b639e6d7b486078f7b68dcde44fd7531d4341f81345fc1ce08cd6779c5f
SSDEEP: 384:e+n2650N3qZbATcjRGC5Eo9D46BgnqUhay1ZmRvR6JZlbw8hqIusZzZXTZX:Rm+71d5XRpcnuQx
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: soukaina
C2: darkangel.no-ip.biz:5552
Mutex: cf51b302c8e06855dfbe2f4a8cb4411b
reg_key: cf51b302c8e06855dfbe2f4a8cb4411b
splitter: |'|'|
Signatures
Executes dropped EXE (1 IoC)
  pid 1460  Process msnn.exe
Modifies Windows Firewall (1 TTP, 1 IoC)
  pid 4304  Process netsh.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  Process: fa1a3a022778c23dac119cce05cdae97d244ec96cb1d8840d6cec28a4c3fd090.exe
Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cf51b302c8e06855dfbe2f4a8cb4411b.exe  Process: msnn.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cf51b302c8e06855dfbe2f4a8cb4411b.exe  Process: msnn.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cf51b302c8e06855dfbe2f4a8cb4411b = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnn.exe\" .."  Process: msnn.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cf51b302c8e06855dfbe2f4a8cb4411b = "\"C:\\Users\\Admin\\AppData\\Roaming\\msnn.exe\" .."  Process: msnn.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (25 IoCs)
  Token: SeDebugPrivilege  pid 1460  Process msnn.exe
  Token: 33  pid 1460  Process msnn.exe
  Token: SeIncBasePriorityPrivilege  pid 1460  Process msnn.exe
  Token: 33  pid 1460  Process msnn.exe
  Token: SeIncBasePriorityPrivilege  pid 1460  Process msnn.exe
  Token: 33  pid 1460  Process msnn.exe
  Token: SeIncBasePriorityPrivilege  pid 1460  Process msnn.exe
  Token: 33  pid 1460  Process msnn.exe
  Token: SeIncBasePriorityPrivilege  pid 1460  Process msnn.exe
  Token: 33  pid 1460  Process msnn.exe
  Token: SeIncBasePriorityPrivilege  pid 1460  Process msnn.exe
  Token: 33  pid 1460  Process msnn.exe
  Token: SeIncBasePriorityPrivilege  pid 1460  Process msnn.exe
  Token: 33  pid 1460  Process msnn.exe
  Token: SeIncBasePriorityPrivilege  pid 1460  Process msnn.exe
  Token: 33  pid 1460  Process msnn.exe
  Token: SeIncBasePriorityPrivilege  pid 1460  Process msnn.exe
  Token: 33  pid 1460  Process msnn.exe
  Token: SeIncBasePriorityPrivilege  pid 1460  Process msnn.exe
  Token: 33  pid 1460  Process msnn.exe
  Token: SeIncBasePriorityPrivilege  pid 1460  Process msnn.exe
  Token: 33  pid 1460  Process msnn.exe
  Token: SeIncBasePriorityPrivilege  pid 1460  Process msnn.exe
  Token: 33  pid 1460  Process msnn.exe
  Token: SeIncBasePriorityPrivilege  pid 1460  Process msnn.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1932 wrote to memory of 1460  Process: fa1a3a022778c23dac119cce05cdae97d244ec96cb1d8840d6cec28a4c3fd090.exe  procid_target: 85
  PID 1932 wrote to memory of 1460  Process: fa1a3a022778c23dac119cce05cdae97d244ec96cb1d8840d6cec28a4c3fd090.exe  procid_target: 85
  PID 1932 wrote to memory of 1460  Process: fa1a3a022778c23dac119cce05cdae97d244ec96cb1d8840d6cec28a4c3fd090.exe  procid_target: 85
  PID 1460 wrote to memory of 4304  Process: msnn.exe  procid_target: 86
  PID 1460 wrote to memory of 4304  Process: msnn.exe  procid_target: 86
  PID 1460 wrote to memory of 4304  Process: msnn.exe  procid_target: 86
Processes
1. C:\Users\Admin\AppData\Local\Temp\fa1a3a022778c23dac119cce05cdae97d244ec96cb1d8840d6cec28a4c3fd090.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fa1a3a022778c23dac119cce05cdae97d244ec96cb1d8840d6cec28a4c3fd090.exe"
   PID: 1932
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\msnn.exe (child of PID 1932)
      Command line: "C:\Users\Admin\AppData\Roaming\msnn.exe"
      PID: 1460
      - Executes dropped EXE
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (child of PID 1460)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\msnn.exe" "msnn.exe" ENABLE
         PID: 4304
         - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 23KB
MD5: 6bd895df9267c15d2a2c6d834b3b7560
SHA1: 812b885c9088203d6a314d336561e201b894c178
SHA256: fa1a3a022778c23dac119cce05cdae97d244ec96cb1d8840d6cec28a4c3fd090
SHA512: b93aaa721683c085caf51416b593ad9e23de7fbf29951d4a72b13eba84249db9dcad8b639e6d7b486078f7b68dcde44fd7531d4341f81345fc1ce08cd6779c5f