Analysis
max time kernel: 150s
max time network: 154s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 11/10/2022, 15:27
Static task
static1
Behavioral task
behavioral1
Sample
3e52e49f1c0ea5cdeb5314f894f481c553b3841eec4c0a2ba8b5aa183affd3fc.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
3e52e49f1c0ea5cdeb5314f894f481c553b3841eec4c0a2ba8b5aa183affd3fc.exe
Resource
win10v2004-20220812-en
General
Target: 3e52e49f1c0ea5cdeb5314f894f481c553b3841eec4c0a2ba8b5aa183affd3fc.exe
Size: 270KB
MD5: 6e9b21506f657614800e3893b2954e80
SHA1: 5b41d28b20a29996be71d1776637591c09200c2a
SHA256: 3e52e49f1c0ea5cdeb5314f894f481c553b3841eec4c0a2ba8b5aa183affd3fc
SHA512: bffa7110047b6596b6635b92dd6869c0d9e17d39f65281f85507b6ee3fdd9a060b37ef14e1a077719614c3ca042237901cfcb83b6c9a08f2dcca42a7781e37d9
SSDEEP: 6144:jDKW1Lgbdl0TBBvjc/J0Lv5Usy19CX/7y2cznP:3h1Lk70TnvjcB0bHy2yRT
Malware Config
Extracted
njrat
0.6.4
HacKed
superstart.myq-see.com:1177
8bb662d6a258d1485dea4aedcf4aeffe
reg_key: 8bb662d6a258d1485dea4aedcf4aeffe
splitter: |'|'|
Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  856   475.exe
  1864  AppData.exe

Modifies Windows Firewall (1 TTPs, 1 IoCs)
  pid   Process
  996   netsh.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  1724  3e52e49f1c0ea5cdeb5314f894f481c553b3841eec4c0a2ba8b5aa183affd3fc.exe
  856   475.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                                                  Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\8bb662d6a258d1485dea4aedcf4aeffe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppData.exe\" .."   AppData.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\8bb662d6a258d1485dea4aedcf4aeffe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppData.exe\" .."            AppData.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid   Process
  1864  AppData.exe (10 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1724  3e52e49f1c0ea5cdeb5314f894f481c553b3841eec4c0a2ba8b5aa183affd3fc.exe
  Token: SeDebugPrivilege  1864  AppData.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                      pid   Process                                                                   procid_target
  PID 1724 wrote to memory of 856  1724  3e52e49f1c0ea5cdeb5314f894f481c553b3841eec4c0a2ba8b5aa183affd3fc.exe  27  (4 events)
  PID 856 wrote to memory of 1864  856   475.exe                                                                   28  (4 events)
  PID 1864 wrote to memory of 996  1864  AppData.exe                                                               29  (4 events)
Processes

C:\Users\Admin\AppData\Local\Temp\3e52e49f1c0ea5cdeb5314f894f481c553b3841eec4c0a2ba8b5aa183affd3fc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3e52e49f1c0ea5cdeb5314f894f481c553b3841eec4c0a2ba8b5aa183affd3fc.exe"
  PID: 1724
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\475.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\475.exe
    PID: 856
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\AppData.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\AppData.exe"
      PID: 1864
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\AppData.exe" "AppData.exe" ENABLE
        PID: 996
        - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 29KB
MD5: 04d514fd111108a2779ce9cf1c309a6c
SHA1: 67caefd124d7abd73f4f8bc0c227c1b17f28c06d
SHA256: 7aacc883ad4aa7c0c6edf46d64380adf2ec9bfa7f8b6dfe2c0ac2b973bd6873b
SHA512: 38b22748e9e19780503584e3e7a6566c30acd259988bc6f5abfb181f81ff6666934c4b0ae54e3a835542e7a0b1becbcb9e632d8c964662a95729238ddf6d8a2f