Analysis
max time kernel: 16s
max time network: 49s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 28/10/2022, 23:01
Static task: static1
Behavioral task: behavioral1
Sample: b38b021a1c25c05b6817a52e0ad8b36a8b64000db99e1b066114b30e28084998.exe
Resource: win7-20220812-en
General
Target: b38b021a1c25c05b6817a52e0ad8b36a8b64000db99e1b066114b30e28084998.exe
Size: 83KB
MD5: 0acd52a5eca19fdfd3c23682a1565500
SHA1: c040443641a2c61b5b67fc3ad235f38cad4d7089
SHA256: b38b021a1c25c05b6817a52e0ad8b36a8b64000db99e1b066114b30e28084998
SHA512: bdef13b46a37007330ecb2c3570eda3f3db3fad138a70f91cbbaf1e1563188e7485106048f79aca92d8396a6a5bf37c75a97592fdd2ebcd7aae363fd057a9ba0
SSDEEP: 1536:OOdnis2oXPfq+ZCcXrz5izuVId/eVtF/1YadXenbooNPqc3soAI3QN0qSS:OOdnis2oX3q+Mcb11Y/e/F/1YSU5NPqV
Malware Config
Extracted
Family: njrat
Version: 0.6.4
Botnet (campaign ID): HacKed
C2: xplackx.no-ip.biz:1177
Mutex: 08f4dc96bbb7af09d1a37fe35c75a42f
Attributes
reg_key: 08f4dc96bbb7af09d1a37fe35c75a42f
splitter: |'|'|
Notes: the C2 is a dynamic-DNS hostname on 1177, njRAT's default port. The same identifier serves as both the mutex and the registry value name (reg_key) used for persistence, and the splitter is the literal field separator in the bot's C2 traffic, so all three are usable as network and host indicators.
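The extracted splitter is only useful if you can pull fields out of captured traffic. The parser below is an added example, not tria.ge's code or the malware's: it assumes njRAT's `<decimal length>\x00<payload>` framing and the extracted splitter `|'|'|`, handles a frame split across TCP segments by returning the unconsumed remainder, and checks for the campaign ID `HacKed` in the identifier field. The sample bytes are constructed to mimic the shape of a registration frame; the field order is illustrative and not asserted to match the real protocol.

```python
"""Frame/field parser for njRAT-style C2 traffic (added example).

Assumptions (not from the sandbox report): each message is
'<decimal length>\\x00<payload>' and fields inside the payload are
separated by the splitter |'|'| extracted from this sample's config.
SAMPLE below is constructed test data, not a capture.
"""

SPLITTER = b"|'|'|"


def frame(*fields: bytes, splitter: bytes = SPLITTER) -> bytes:
    """Build one length-prefixed frame from its fields."""
    payload = splitter.join(fields)
    return str(len(payload)).encode() + b"\x00" + payload


def parse_stream(buf: bytes, splitter: bytes = SPLITTER):
    """Return (frames, remainder).

    Each frame is a list of field byte strings. Trailing data that does not
    yet form a complete frame is returned as remainder, so a caller feeding
    TCP segments one at a time can prepend it to the next segment.
    """
    frames = []
    pos = 0
    while True:
        nul = buf.find(b"\x00", pos)
        if nul == -1:
            break  # no complete length prefix yet
        length_bytes = buf[pos:nul]
        if not length_bytes.isdigit():
            raise ValueError(f"bad length prefix at offset {pos}: {length_bytes!r}")
        start = nul + 1
        end = start + int(length_bytes)
        if end > len(buf):
            break  # partial frame: wait for more data
        frames.append(buf[start:end].split(splitter))
        pos = end
    return frames, buf[pos:]


def looks_like_njrat(frames, campaign: bytes) -> bool:
    """Heuristic: an identifier field of the form '<campaign>_<hwid>'."""
    return any(len(f) >= 2 and f[1].startswith(campaign + b"_") for f in frames)


# Constructed sample: one registration-like frame (field order illustrative),
# one single-field frame, then the first 10 bytes of a 25-byte frame.
SAMPLE = (
    frame(b"ll", b"HacKed_0123456789ABCDEF", b"WIN7-PC", b"Admin", b"22-10-28",
          b"", b"Win 7 Professional SP1 x64", b"No", b"0.6.4")
    + frame(b"P")
    + b"25\x00ll|'|'|Hac"
)


def demo():
    frames, rest = parse_stream(SAMPLE)
    return frames, rest, looks_like_njrat(frames, b"HacKed")


if __name__ == "__main__":
    frames, rest, hit = demo()
    for f in frames:
        print([x.decode(errors="replace") for x in f])
    print("remainder:", rest, "| njRAT campaign match:", hit)
```

Run against a real pcap you would reassemble the TCP stream first and feed `parse_stream` segment by segment, carrying the remainder forward; a `ValueError` on the length prefix is a sign the stream is not njRAT framing (or a different splitter/version) rather than something to suppress.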
Signatures
Modifies Windows Firewall (1 TTP, 1 IoC)
- PID 1548, netsh.exe
Suspicious use of SetThreadContext (1 IoC)
- PID 2020 (b38b021a1c25c05b6817a52e0ad8b36a8b64000db99e1b066114b30e28084998.exe) set thread context of PID 976 (target process index 29)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
- PID 2020 (b38b021a1c25c05b6817a52e0ad8b36a8b64000db99e1b066114b30e28084998.exe) enabled SeDebugPrivilege
- PID 2020 (same process) enabled privilege 33 (SeIncBasePriorityPrivilege)
- PID 2020 (same process) enabled SeIncBasePriorityPrivilege
Suspicious use of WriteProcessMemory (9 IoCs)
- PID 2020 (b38b021a1c25c05b6817a52e0ad8b36a8b64000db99e1b066114b30e28084998.exe) wrote to memory of PID 976 (target process index 29), 9 times
Processes
C:\Users\Admin\AppData\Local\Temp\b38b021a1c25c05b6817a52e0ad8b36a8b64000db99e1b066114b30e28084998.exe (PID 2020)
  command line: "C:\Users\Admin\AppData\Local\Temp\b38b021a1c25c05b6817a52e0ad8b36a8b64000db99e1b066114b30e28084998.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  └ C:\Users\Admin\AppData\Local\Temp\b38b021a1c25c05b6817a52e0ad8b36a8b64000db99e1b066114b30e28084998.exe (PID 976, child of 2020)
    command line: C:\Users\Admin\AppData\Local\Temp\b38b021a1c25c05b6817a52e0ad8b36a8b64000db99e1b066114b30e28084998.exe
C:\Users\Admin\AppData\Local\Temp\explorer.exe (PID 1104)
  command line: "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
  └ C:\Users\Admin\AppData\Local\Temp\explorer.exe (PID 520, child of 1104)
    command line: C:\Users\Admin\AppData\Local\Temp\explorer.exe
C:\Windows\SysWOW64\netsh.exe (PID 1548)
  command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\explorer.exe" "explorer.exe" ENABLE
  - Modifies Windows Firewall
Reading the tree: the sample launches a second copy of itself and, per the signatures above, writes to that child's memory and sets its thread context, the sequence used to replace a suspended process's code before it runs. The explorer.exe here lives in the user's Temp directory, not C:\Windows\, so the name mimics the Windows shell while the file is not it; netsh (via the legacy `netsh firewall` context, still functional on Windows 7) adds a firewall exception for that Temp binary under the display name "explorer.exe" so its traffic is not blocked.
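The process tree and signatures above translate directly into host detections. The following is an added example, not tria.ge's detection logic: it runs three rules over a handful of constructed EDR/Sysmon-style events that mirror this report (a `netsh firewall add allowedprogram` exception for a binary in a user-writable directory; a system-binary name such as explorer.exe running from outside C:\Windows\; and a parent that spawns a copy of its own image, then both writes its memory and sets its thread context). Parent PIDs of the top-level processes and the event field names are assumptions; the benign C:\Windows\explorer.exe event is included as a control.

```python
"""Host detections for the behaviours in this njRAT report (added example).

Events are constructed to mirror the report's process tree and signatures;
ppid values for top-level processes and the event shape are assumptions,
not fields from the sandbox output.
"""
import re
from dataclasses import dataclass

# Paths a standard user can write to; good places to find dropped payloads.
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\(?:appdata\\(?:local|roaming)\\|downloads\\)", re.I)
# Legacy 'netsh firewall' context; the program path may be quoted or bare.
NETSH_ALLOW = re.compile(
    r'netsh\s+firewall\s+add\s+allowedprogram\s+(?:"([^"]+)"|(\S+))', re.I)
# Names that should only ever run from %SystemRoot%.
SYSTEM_NAMES = {"explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class ApiEvent:
    pid: int         # calling process
    target_pid: int  # process acted upon
    api: str         # e.g. WriteProcessMemory, SetThreadContext


def detect(procs, apis):
    """Return a list of (rule, pid, detail) findings."""
    findings = []
    by_pid = {p.pid: p for p in procs}

    for p in procs:
        # Rule 1: firewall exception for a binary in a user-writable directory.
        m = NETSH_ALLOW.search(p.cmdline)
        if m:
            path = m.group(1) or m.group(2)
            if USER_WRITABLE.match(path):
                findings.append(("firewall_exception_user_dir", p.pid, path))
        # Rule 2: system binary name executing outside C:\Windows\.
        name = p.image.rsplit("\\", 1)[-1].lower()
        if name in SYSTEM_NAMES and not p.image.lower().startswith("c:\\windows\\"):
            findings.append(("masquerading_system_name", p.pid, p.image))

    # Rule 3: parent spawns its own image, then writes its memory and sets
    # its thread context (the hollowing/RunPE pattern seen in this report).
    calls = {}
    for a in apis:
        calls.setdefault((a.pid, a.target_pid), set()).add(a.api)
    for (src, dst), seen in calls.items():
        s, d = by_pid.get(src), by_pid.get(dst)
        if (s and d and d.ppid == src and s.image.lower() == d.image.lower()
                and {"WriteProcessMemory", "SetThreadContext"} <= seen):
            findings.append(("self_hollowing", src, dst))
    return findings


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EXE = TEMP + r"\b38b021a1c25c05b6817a52e0ad8b36a8b64000db99e1b066114b30e28084998.exe"
FAKE_EXPLORER = TEMP + r"\explorer.exe"

# Constructed events mirroring the report; ppid 1000 for roots is assumed.
SAMPLE_PROCS = [
    ProcEvent(2020, 1000, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcEvent(976, 2020, SAMPLE_EXE, SAMPLE_EXE),
    ProcEvent(1104, 1000, FAKE_EXPLORER, f'"{FAKE_EXPLORER}"'),
    ProcEvent(520, 1104, FAKE_EXPLORER, FAKE_EXPLORER),
    ProcEvent(1548, 1000, r"C:\Windows\SysWOW64\netsh.exe",
              f'netsh firewall add allowedprogram "{FAKE_EXPLORER}" "explorer.exe" ENABLE'),
    ProcEvent(1234, 1000, r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE"),  # benign control
]
SAMPLE_APIS = [ApiEvent(2020, 976, "WriteProcessMemory")] * 9 + [ApiEvent(2020, 976, "SetThreadContext")]


def report_findings():
    return detect(SAMPLE_PROCS, SAMPLE_APIS)


if __name__ == "__main__":
    for rule, pid, detail in report_findings():
        print(f"{rule:28} pid={pid:<5} {detail}")
```

Rule 3 deliberately requires both API calls against the same child and an identical image path; either call alone (debuggers, some installers) is far noisier. Rule 2 will also fire on legitimate software that ships a file named like a Windows binary, so pair it with the firewall or injection rule before alerting at high severity.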
Network
MITRE ATT&CK Enterprise v6
Downloads
(the same file is listed six times in the report; one entry shown)
Filesize: 83KB
MD5: 0acd52a5eca19fdfd3c23682a1565500
SHA1: c040443641a2c61b5b67fc3ad235f38cad4d7089
SHA256: b38b021a1c25c05b6817a52e0ad8b36a8b64000db99e1b066114b30e28084998
SHA512: bdef13b46a37007330ecb2c3570eda3f3db3fad138a70f91cbbaf1e1563188e7485106048f79aca92d8396a6a5bf37c75a97592fdd2ebcd7aae363fd057a9ba0