Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230221-en locale:en-us os:windows10-2004-x64 system
submitted: 12/06/2023, 03:11
Static task: static1
Behavioral task: behavioral1
Sample: c4cfbb0106571122d1cc4364513e7803.exe
Resource: win7-20230220-en
General
Target: c4cfbb0106571122d1cc4364513e7803.exe
Size: 596KB
MD5: c4cfbb0106571122d1cc4364513e7803
SHA1: 1a3a7b1357ed56b0183d03ee4b859659cc68f986
SHA256: a54a3ca8ce01f7e9855d4d47d35bc82520ebd8d16a77df24e398b220d86d445d
SHA512: 36a13d91a28d051fbf7c611d3c6ef7014ee8bcddc2ce5bca72f094f70bd0dbfb99a50025455203f0fabb60c61afc89aabf2e41f70aac5349372a146500eaefaa
SSDEEP: 12288:ugZXEAO/BUdG3gVdt7KT4OIC4J84wHM5Qiu62PJr+ymhm:ugZXoZUTVdt7KTxoSs5QhCymhm
Malware Config
Extracted
njrat
Njrat 0.7 Golden By Hassan Amiri
HacKed
2.tcp.eu.ngrok.io:19328
Windows Update
reg_key: Windows Update
splitter: |Hassan|
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | c4cfbb0106571122d1cc4364513e7803.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | mrx.exe

Executes dropped EXE (2 IoCs)
pid | Process
3540 | mrx.exe
4268 | mrx.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
3540 | mrx.exe
4268 | mrx.exe

Suspicious use of AdjustPrivilegeToken (33 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4268 | mrx.exe
Token: 33 | 4268 | mrx.exe
Token: SeIncBasePriorityPrivilege | 4268 | mrx.exe
Token: 33 | 4268 | mrx.exe
Token: SeIncBasePriorityPrivilege | 4268 | mrx.exe
Token: 33 | 4268 | mrx.exe
Token: SeIncBasePriorityPrivilege | 4268 | mrx.exe
Token: 33 | 4268 | mrx.exe
Token: SeIncBasePriorityPrivilege | 4268 | mrx.exe
Token: 33 | 4268 | mrx.exe
Token: SeIncBasePriorityPrivilege | 4268 | mrx.exe
Token: 33 | 4268 | mrx.exe
Token: SeIncBasePriorityPrivilege | 4268 | mrx.exe
Token: 33 | 4268 | mrx.exe
Token: SeIncBasePriorityPrivilege | 4268 | mrx.exe
Token: 33 | 4268 | mrx.exe
Token: SeIncBasePriorityPrivilege | 4268 | mrx.exe
Token: 33 | 4268 | mrx.exe
Token: SeIncBasePriorityPrivilege | 4268 | mrx.exe
Token: 33 | 4268 | mrx.exe
Token: SeIncBasePriorityPrivilege | 4268 | mrx.exe
Token: 33 | 4268 | mrx.exe
Token: SeIncBasePriorityPrivilege | 4268 | mrx.exe
Token: 33 | 4268 | mrx.exe
Token: SeIncBasePriorityPrivilege | 4268 | mrx.exe
Token: 33 | 4268 | mrx.exe
Token: SeIncBasePriorityPrivilege | 4268 | mrx.exe
Token: 33 | 4268 | mrx.exe
Token: SeIncBasePriorityPrivilege | 4268 | mrx.exe
Token: 33 | 4268 | mrx.exe
Token: SeIncBasePriorityPrivilege | 4268 | mrx.exe
Token: 33 | 4268 | mrx.exe
Token: SeIncBasePriorityPrivilege | 4268 | mrx.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 2076 wrote to memory of 3540 | 2076 | c4cfbb0106571122d1cc4364513e7803.exe | 82
PID 2076 wrote to memory of 3540 | 2076 | c4cfbb0106571122d1cc4364513e7803.exe | 82
PID 2076 wrote to memory of 3540 | 2076 | c4cfbb0106571122d1cc4364513e7803.exe | 82
PID 3540 wrote to memory of 4268 | 3540 | mrx.exe | 88
PID 3540 wrote to memory of 4268 | 3540 | mrx.exe | 88
PID 3540 wrote to memory of 4268 | 3540 | mrx.exe | 88
Processes

C:\Users\Admin\AppData\Local\Temp\c4cfbb0106571122d1cc4364513e7803.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\c4cfbb0106571122d1cc4364513e7803.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID: 2076

    C:\Users\Admin\AppData\Local\Temp\RarSFX0\mrx.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\mrx.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID: 3540

        C:\Users\Admin\AppData\Local\Temp\mrx.exe (depth 3)
        Command line: "C:\Users\Admin\AppData\Local\Temp\mrx.exe"
        - Executes dropped EXE
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        PID: 4268
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 507B
MD5: 25d1b50e7c0d451f3d850eb54d27ca05
SHA1: a238807715c70a335f54e80d4855644b21a9e870
SHA256: 650faa13e983c9046c9030f63a5fa1c33900432ec7cb3762e015da2e7c5b34a5
SHA512: 4223a26b2fabefdf1c01443ccc7bd887464d27f02694379895a040c66db472d541218d501f1c01e1bd31012d079a31baf24e20882c32cf652a09a74e3bf385f5

Filesize: 43KB
MD5: 7bc43f36b07c8b1de174daf7f4ead29b
SHA1: 700a9e8e4a8a0cd8f7b3b1c58ebf5e47dfa7ec31
SHA256: c28550985ad9088407d8149d7d37155c97f10a461581c8a570bb082436596aff
SHA512: 54169b096eb83782316ea605c391ee70c00099292fdecffff72656989f9eb0ed2d5448f4eb0374d3426c5c7e1d964d2634cd46beedd70aebf7417c28bcdefe8a

Filesize: 43KB
MD5: 7bc43f36b07c8b1de174daf7f4ead29b
SHA1: 700a9e8e4a8a0cd8f7b3b1c58ebf5e47dfa7ec31
SHA256: c28550985ad9088407d8149d7d37155c97f10a461581c8a570bb082436596aff
SHA512: 54169b096eb83782316ea605c391ee70c00099292fdecffff72656989f9eb0ed2d5448f4eb0374d3426c5c7e1d964d2634cd46beedd70aebf7417c28bcdefe8a

Filesize: 43KB
MD5: 7bc43f36b07c8b1de174daf7f4ead29b
SHA1: 700a9e8e4a8a0cd8f7b3b1c58ebf5e47dfa7ec31
SHA256: c28550985ad9088407d8149d7d37155c97f10a461581c8a570bb082436596aff
SHA512: 54169b096eb83782316ea605c391ee70c00099292fdecffff72656989f9eb0ed2d5448f4eb0374d3426c5c7e1d964d2634cd46beedd70aebf7417c28bcdefe8a

Filesize: 43KB
MD5: 7bc43f36b07c8b1de174daf7f4ead29b
SHA1: 700a9e8e4a8a0cd8f7b3b1c58ebf5e47dfa7ec31
SHA256: c28550985ad9088407d8149d7d37155c97f10a461581c8a570bb082436596aff
SHA512: 54169b096eb83782316ea605c391ee70c00099292fdecffff72656989f9eb0ed2d5448f4eb0374d3426c5c7e1d964d2634cd46beedd70aebf7417c28bcdefe8a

Filesize: 43KB
MD5: 7bc43f36b07c8b1de174daf7f4ead29b
SHA1: 700a9e8e4a8a0cd8f7b3b1c58ebf5e47dfa7ec31
SHA256: c28550985ad9088407d8149d7d37155c97f10a461581c8a570bb082436596aff
SHA512: 54169b096eb83782316ea605c391ee70c00099292fdecffff72656989f9eb0ed2d5448f4eb0374d3426c5c7e1d964d2634cd46beedd70aebf7417c28bcdefe8a