Analysis
Max time kernel: 154s
Max time network: 91s
Platform: windows7_x64
Resource: win7-20221111-en
Resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
Submitted: 25/11/2022, 23:35
Behavioral task: behavioral1
Sample: a9f841256176e553989ddda571efbd826e7a1290ccd915344e5cd7f3dbff0e06.exe
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: a9f841256176e553989ddda571efbd826e7a1290ccd915344e5cd7f3dbff0e06.exe
Resource: win10v2004-20221111-en
General
Target: a9f841256176e553989ddda571efbd826e7a1290ccd915344e5cd7f3dbff0e06.exe
Size: 29KB
MD5: 539fc0ec68b05fe7516850d6408ba0a3
SHA1: 7851bcf3001ea1f930da624663f7f9f311ee1571
SHA256: a9f841256176e553989ddda571efbd826e7a1290ccd915344e5cd7f3dbff0e06
SHA512: acbbdc29bb4204913736e0147754c621d1ec216a9174000fc4f58ed3238bda9c316412ead0d35f5f797ea2d31d5bfabb8160d5aa0d3474f8d72c3e256c6fe102
SSDEEP: 384:1xUHEBl7p3hUw2s7bD55gEKemqDSqre/IDGBsbh0w4wlAokw9OhgOL1vYRGOZzSe:117bUw2C3kEcqNreHBKh0p29SgRk0
Malware Config
Extracted family: njrat
Version: 0.6.4
Botnet (campaign ID): HacKed
C2: riyad213.sytes.net:1177
Mutex: 5cd8f17f4086744065eb0992a09e05a2
reg_key: 5cd8f17f4086744065eb0992a09e05a2 (njRAT reuses the mutex value as its Run-key value name; see the registry IoCs below)
splitter: |'|'|
Signatures
Executes dropped EXE (1 IoC)
  pid 768  Trojan.exe
Modifies Windows Firewall (1 TTP, 1 IoC)
  pid 1176  netsh.exe
Loads dropped DLL (1 IoC)
  pid 1736  a9f841256176e553989ddda571efbd826e7a1290ccd915344e5cd7f3dbff0e06.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."  (Trojan.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."  (Trojan.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (16 IoCs)
  pid 768  Trojan.exe  (16 occurrences)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  pid 768  Trojan.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1736 wrote to memory of 768  pid 1736  a9f841256176e553989ddda571efbd826e7a1290ccd915344e5cd7f3dbff0e06.exe  procid_target 28  (4 occurrences)
  PID 768 wrote to memory of 1176  pid 768  Trojan.exe  procid_target 29  (4 occurrences)
Processes
C:\Users\Admin\AppData\Local\Temp\a9f841256176e553989ddda571efbd826e7a1290ccd915344e5cd7f3dbff0e06.exe  (PID 1736)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a9f841256176e553989ddda571efbd826e7a1290ccd915344e5cd7f3dbff0e06.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Trojan.exe  (PID 768)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\netsh.exe  (PID 1176)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 29KB
MD5: 539fc0ec68b05fe7516850d6408ba0a3
SHA1: 7851bcf3001ea1f930da624663f7f9f311ee1571
SHA256: a9f841256176e553989ddda571efbd826e7a1290ccd915344e5cd7f3dbff0e06
SHA512: acbbdc29bb4204913736e0147754c621d1ec216a9174000fc4f58ed3238bda9c316412ead0d35f5f797ea2d31d5bfabb8160d5aa0d3474f8d72c3e256c6fe102