Analysis
max time kernel: 191s
max time network: 48s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 11/10/2022, 18:56
Static task: static1
Behavioral task: behavioral1
  Sample: 625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe
  Resource: win10v2004-20220812-en
General
Target: 625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe
Size: 541KB
MD5: 61a8e83691cb299b433e8d64d67b9a40
SHA1: 0141851caeba0713360c2749a45fff89589c3a96
SHA256: 625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265
SHA512: b9a449049a3f5c325eec18ff22b4a67825af6e2c593be225225169ee09d6c3985e5e2eca79a145cf8d841d093c943f107b7823f69c653e377124d7ffa819cb5d
SSDEEP: 768:/Z1C/HjNmImp8k9RV4+RiHdxOnW5MedsruJDWaS77BKbwexZw32SLg0innjhyVT5:ax/mT9j2WW5MeGD7BKb7+it2N
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: Fucked By Danger
C2: 127.0.0.1:1991
Mutex: d81f5bf87f47c65c5403827c84b087b7
reg_key: d81f5bf87f47c65c5403827c84b087b7
splitter: |'|'|
Signatures
- Executes dropped EXE (2 IoCs)
  pid 1952  465.exe
  pid 1224  VS.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
  pid 1168  netsh.exe
- Loads dropped DLL (1 IoC)
  pid 996  625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 1640 (625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe) set thread context of PID 996 (procid_target 28)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid 1640  625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe
  pid 1640  625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe
  pid 1640  625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Token: SeDebugPrivilege            pid 1640  625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe
  Token: SeDebugPrivilege            pid 1224  VS.exe
  Token: 33                          pid 1224  VS.exe
  Token: SeIncBasePriorityPrivilege  pid 1224  VS.exe
  Token: 33                          pid 1224  VS.exe
  Token: SeIncBasePriorityPrivilege  pid 1224  VS.exe
  Token: 33                          pid 1224  VS.exe
  Token: SeIncBasePriorityPrivilege  pid 1224  VS.exe
  Token: 33                          pid 1224  VS.exe
  Token: SeIncBasePriorityPrivilege  pid 1224  VS.exe
  Token: 33                          pid 1224  VS.exe
  Token: SeIncBasePriorityPrivilege  pid 1224  VS.exe
  Token: 33                          pid 1224  VS.exe
  Token: SeIncBasePriorityPrivilege  pid 1224  VS.exe
  Token: 33                          pid 1224  VS.exe
  Token: SeIncBasePriorityPrivilege  pid 1224  VS.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  PID 1640 wrote to memory of 996   625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe  (procid_target 28)
  PID 1640 wrote to memory of 996   625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe  (procid_target 28)
  PID 1640 wrote to memory of 996   625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe  (procid_target 28)
  PID 1640 wrote to memory of 996   625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe  (procid_target 28)
  PID 1640 wrote to memory of 996   625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe  (procid_target 28)
  PID 1640 wrote to memory of 996   625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe  (procid_target 28)
  PID 996  wrote to memory of 1952  625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe  (procid_target 30)
  PID 996  wrote to memory of 1952  625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe  (procid_target 30)
  PID 996  wrote to memory of 1952  625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe  (procid_target 30)
  PID 996  wrote to memory of 1952  625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe  (procid_target 30)
  PID 1952 wrote to memory of 1224  465.exe  (procid_target 32)
  PID 1952 wrote to memory of 1224  465.exe  (procid_target 32)
  PID 1952 wrote to memory of 1224  465.exe  (procid_target 32)
  PID 1224 wrote to memory of 1168  VS.exe   (procid_target 33)
  PID 1224 wrote to memory of 1168  VS.exe   (procid_target 33)
  PID 1224 wrote to memory of 1168  VS.exe   (procid_target 33)
Processes
C:\Users\Admin\AppData\Local\Temp\625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe"
  PID: 1640
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\625b1d03e46f7f850dc9be6aaa27a8d07770049102ecace06cb5326412022265.exe
    PID: 996
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\465.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\465.exe
      PID: 1952
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\VS.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\VS.exe"
        PID: 1224
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\netsh.exe
          Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\VS.exe" "VS.exe" ENABLE
          PID: 1168
          - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 20KB
  MD5: e5410b378e88e3ca80ae401662b1e505
  SHA1: 7c6fb2ea50c58b2a1e7df1103a47d944feb4eefc
  SHA256: 016b7152f5a31abacd69fc9d0d0ba785e7c81918375811d0458b8365b080047d
  SHA512: 4e0ac1154b272627785898c23362dd244f3fd3283b8b0f3cc5a3f8bfbe889bd2ed9ff87c5bf0c078ea315eeba65eab12a1c689bc3e17fa7ef345dd5ede7672a4