Analysis
- max time kernel: 171s
- max time network: 192s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/11/2022, 17:39
Behavioral task: behavioral1
- Sample: beb8d9619b3b016900226e8c797123b2710c82c9d8f1d20baecb0ffa089eb74c.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: beb8d9619b3b016900226e8c797123b2710c82c9d8f1d20baecb0ffa089eb74c.exe
- Resource: win10v2004-20221111-en
General
- Target: beb8d9619b3b016900226e8c797123b2710c82c9d8f1d20baecb0ffa089eb74c.exe
- Size: 276KB
- MD5: 2c6e1a9de503a7d08d02b6370501531b
- SHA1: 9e33bb585aa23045fb834c4023029c9ab4a28e99
- SHA256: beb8d9619b3b016900226e8c797123b2710c82c9d8f1d20baecb0ffa089eb74c
- SHA512: dad86e43844dbc0831886908d8e5bb30b1380c8733e4386671900409e73219b98988e40a04f0a90105e3e69f1e725794a26fe56436b4f40abd82b3b64f3d6ba3
- SSDEEP: 6144:6OBe0K5uUYVbcuKTlbGbpshywoul5K9x4FNADPETTEeLN:zbguGuwlbPhVlQINqVeLN
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: hunar83
- C2: farman33.no-ip.biz:5552
- Mutex: 934765b6ad06834b303835a4e1d1d5a2
- Attributes:
  - reg_key: 934765b6ad06834b303835a4e1d1d5a2
  - splitter: |'|'|
Signatures
- Executes dropped EXE (2 IoCs)
  pid | Process
  3900 | Server.exe
  4732 | icon disk top.exe
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
  pid | Process
  1640 | netsh.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | beb8d9619b3b016900226e8c797123b2710c82c9d8f1d20baecb0ffa089eb74c.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | Server.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\934765b6ad06834b303835a4e1d1d5a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\icon disk top.exe\" .." | icon disk top.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\934765b6ad06834b303835a4e1d1d5a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\icon disk top.exe\" .." | icon disk top.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies Internet Explorer settings
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\IESettingSync | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998843" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c9748000000000200000000001066000000010000200000009e4ba09fa388e4535ecf47b486408e3df0d50958df487037566c4352b493577c000000000e80000000020000200000000b1d8ccb7aba7a9d25b28366a23ba5b6975a78474f821621a330c277eba518b320000000af89be13b03b069fef01828f85a13784e1d762971aac0b66d4fd9cd9d614a8e040000000dfb6e6b068798c208b2e2628a3f4cc8726d00adee9e7681f033e22e74b277f0dacfb6f7828cc1f48ca7727550fc10740cee829579478e57170af4eea220a4273 | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998843" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376193463" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{21388F0B-6D2F-11ED-919F-F675107A8182} = "0" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0184b113c01d901 | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4128854690" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3091ec073c01d901 | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e6851ef31fd3cf49b332bbb4721c974800000000020000000000106600000001000020000000dbae027b18f6ab9c1da1abc133fa04a4400d4dd7e71771b784e8e4ab8207f3ee000000000e8000000002000020000000ca38c8ede01c078537f21f5a06712880d2506f2d1709a0de14e1f31104623d042000000097015592dc101913fe4b80ec36003be3cd4ff7fcd696a159594d076fd151b8c74000000051f59fc2eb9a622e321e0dabb0ec3567295b18c56dab97f27038ead0d552b37c796e2d4e6b674883a210141c573aeb29a0e63d6739bc049eb01dd6dcf9d2593a | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4128854690" | iexplore.exe
- Modifies registry class (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings | beb8d9619b3b016900226e8c797123b2710c82c9d8f1d20baecb0ffa089eb74c.exe
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4732 | icon disk top.exe
  Token: 33 | 4732 | icon disk top.exe
  Token: SeIncBasePriorityPrivilege | 4732 | icon disk top.exe
  Token: 33 | 4732 | icon disk top.exe
  Token: SeIncBasePriorityPrivilege | 4732 | icon disk top.exe
  Token: 33 | 4732 | icon disk top.exe
  Token: SeIncBasePriorityPrivilege | 4732 | icon disk top.exe
  Token: 33 | 4732 | icon disk top.exe
  Token: SeIncBasePriorityPrivilege | 4732 | icon disk top.exe
  Token: 33 | 4732 | icon disk top.exe
  Token: SeIncBasePriorityPrivilege | 4732 | icon disk top.exe
  Token: 33 | 4732 | icon disk top.exe
  Token: SeIncBasePriorityPrivilege | 4732 | icon disk top.exe
  Token: 33 | 4732 | icon disk top.exe
  Token: SeIncBasePriorityPrivilege | 4732 | icon disk top.exe
  Token: 33 | 4732 | icon disk top.exe
  Token: SeIncBasePriorityPrivilege | 4732 | icon disk top.exe
  Token: 33 | 4732 | icon disk top.exe
  Token: SeIncBasePriorityPrivilege | 4732 | icon disk top.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid | Process
  400 | iexplore.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  pid | Process
  400 | iexplore.exe
  400 | iexplore.exe
  1496 | IEXPLORE.EXE
  1496 | IEXPLORE.EXE
  1496 | IEXPLORE.EXE
  1496 | IEXPLORE.EXE
- Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | Process | procid_target
  PID 260 wrote to memory of 3900 | 260 | beb8d9619b3b016900226e8c797123b2710c82c9d8f1d20baecb0ffa089eb74c.exe | 84
  PID 260 wrote to memory of 3900 | 260 | beb8d9619b3b016900226e8c797123b2710c82c9d8f1d20baecb0ffa089eb74c.exe | 84
  PID 260 wrote to memory of 3900 | 260 | beb8d9619b3b016900226e8c797123b2710c82c9d8f1d20baecb0ffa089eb74c.exe | 84
  PID 260 wrote to memory of 400 | 260 | beb8d9619b3b016900226e8c797123b2710c82c9d8f1d20baecb0ffa089eb74c.exe | 85
  PID 260 wrote to memory of 400 | 260 | beb8d9619b3b016900226e8c797123b2710c82c9d8f1d20baecb0ffa089eb74c.exe | 85
  PID 400 wrote to memory of 1496 | 400 | iexplore.exe | 86
  PID 400 wrote to memory of 1496 | 400 | iexplore.exe | 86
  PID 400 wrote to memory of 1496 | 400 | iexplore.exe | 86
  PID 3900 wrote to memory of 4732 | 3900 | Server.exe | 88
  PID 3900 wrote to memory of 4732 | 3900 | Server.exe | 88
  PID 3900 wrote to memory of 4732 | 3900 | Server.exe | 88
  PID 4732 wrote to memory of 1640 | 4732 | icon disk top.exe | 90
  PID 4732 wrote to memory of 1640 | 4732 | icon disk top.exe | 90
  PID 4732 wrote to memory of 1640 | 4732 | icon disk top.exe | 90
Processes
1. C:\Users\Admin\AppData\Local\Temp\beb8d9619b3b016900226e8c797123b2710c82c9d8f1d20baecb0ffa089eb74c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\beb8d9619b3b016900226e8c797123b2710c82c9d8f1d20baecb0ffa089eb74c.exe"
   PID: 260
   - Checks computer location settings
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Server.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      PID: 3900
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\icon disk top.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\icon disk top.exe"
         PID: 4732
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\netsh.exe
            Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\icon disk top.exe" "icon disk top.exe" ENABLE
            PID: 1640
            - Modifies Windows Firewall
   2. C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Barcelona%2525252Bv%2525252.gif
      PID: 400
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
         Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:400 CREDAT:17410 /prefetch:2
         PID: 1496
         - Modifies Internet Explorer settings
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 109KB
  MD5: fa80ec857b5a262bf80a869c8ee6412c
  SHA1: 082d3bda5dca464a5c1c80b66ea5087c6ceb92a1
  SHA256: 6eacf4d1230ee097103b2deb54e94ff8a66f3693ddedf514e6b674f9e1944075
  SHA512: 5658c0720f6982f4cd28510a787a4bd5e484de5822b0b84066e67ee1bcc6cd2521f9650aa119dc090f3b5fda142384fa65d4f4fedeea9fa75d34b1ca75268e88
- Filesize: 23KB
  MD5: ff427e7e5834822a0448d35950c6f1e7
  SHA1: bf4fcd87c6a37fd058d6b48115a508325d9cef6a
  SHA256: 7210ff1920b071c8595803241d874db80bb72f0e6524c6a97dff6e372f96d646
  SHA512: 1c8edd1618cea4839e0284a4ef01561e1b2e013048ddf24f7a8dce6feac9943fdaba4c4fd2244d8f615be58e10fad0412cfc75409c43a02382c15686769d4f3f