Analysis
max time kernel: 151s
max time network: 50s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system
submitted: 23/11/2022, 19:44
Behavioral task: behavioral1
Sample: 4f11fe373c27b39ff2eba9f951eec263f10a6d16fce7eefa5d979180859d0c3a.exe
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: 4f11fe373c27b39ff2eba9f951eec263f10a6d16fce7eefa5d979180859d0c3a.exe
Resource: win10v2004-20220812-en
General
Target: 4f11fe373c27b39ff2eba9f951eec263f10a6d16fce7eefa5d979180859d0c3a.exe
Size: 23KB
MD5: bc3b47fecbf0e80808958e62fbc59a13
SHA1: 9b23b03fc5190fd5b1af5b8f9d5d55f4450f7b13
SHA256: 4f11fe373c27b39ff2eba9f951eec263f10a6d16fce7eefa5d979180859d0c3a
SHA512: d046409001437f142f592634078ee7dc7414eef3dba539d11434fea0be3c50881809244426ac6f965d88f2f850f257dfb109e42ec0095947eb6559bc79c1e60c
SSDEEP: 384:7QeCo2zmZbQHkJeCdUwBvQ61gjuQBnB9mRvR6JZlbw8hqIusZzZhV:85yBVd7Rpcnus
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: HacKed
C2: xtracker81.no-ip.org:1990
Mutex: 8b74ececc3fc6b7e3b7d1ea01fe47d6c
reg_key: 8b74ececc3fc6b7e3b7d1ea01fe47d6c
splitter: |'|'|
Signatures

Executes dropped EXE (1 IoC)
pid | Process
2028 | server.exe

Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8b74ececc3fc6b7e3b7d1ea01fe47d6c.exe | server.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8b74ececc3fc6b7e3b7d1ea01fe47d6c.exe | server.exe

Loads dropped DLL (1 IoC)
pid | Process
1292 | 4f11fe373c27b39ff2eba9f951eec263f10a6d16fce7eefa5d979180859d0c3a.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\8b74ececc3fc6b7e3b7d1ea01fe47d6c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\"" | server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\8b74ececc3fc6b7e3b7d1ea01fe47d6c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\"" | server.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (19 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2028 | server.exe
Token: 33 | 2028 | server.exe
Token: SeIncBasePriorityPrivilege | 2028 | server.exe
(the pair Token: 33 / Token: SeIncBasePriorityPrivilege for pid 2028 server.exe is recorded 9 times in total)

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 1292 wrote to memory of 2028 | 1292 | 4f11fe373c27b39ff2eba9f951eec263f10a6d16fce7eefa5d979180859d0c3a.exe | 27
PID 1292 wrote to memory of 2028 | 1292 | 4f11fe373c27b39ff2eba9f951eec263f10a6d16fce7eefa5d979180859d0c3a.exe | 27
PID 1292 wrote to memory of 2028 | 1292 | 4f11fe373c27b39ff2eba9f951eec263f10a6d16fce7eefa5d979180859d0c3a.exe | 27
PID 1292 wrote to memory of 2028 | 1292 | 4f11fe373c27b39ff2eba9f951eec263f10a6d16fce7eefa5d979180859d0c3a.exe | 27
PID 2028 wrote to memory of 1928 | 2028 | server.exe | 28
PID 2028 wrote to memory of 1928 | 2028 | server.exe | 28
PID 2028 wrote to memory of 1928 | 2028 | server.exe | 28
PID 2028 wrote to memory of 1928 | 2028 | server.exe | 28
Processes

C:\Users\Admin\AppData\Local\Temp\4f11fe373c27b39ff2eba9f951eec263f10a6d16fce7eefa5d979180859d0c3a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\4f11fe373c27b39ff2eba9f951eec263f10a6d16fce7eefa5d979180859d0c3a.exe"
  PID: 1292
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\server.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    PID: 2028
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      PID: 1928
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 23KB
MD5: bc3b47fecbf0e80808958e62fbc59a13
SHA1: 9b23b03fc5190fd5b1af5b8f9d5d55f4450f7b13
SHA256: 4f11fe373c27b39ff2eba9f951eec263f10a6d16fce7eefa5d979180859d0c3a
SHA512: d046409001437f142f592634078ee7dc7414eef3dba539d11434fea0be3c50881809244426ac6f965d88f2f850f257dfb109e42ec0095947eb6559bc79c1e60c