Analysis
max time kernel: 151s
max time network: 150s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 15/06/2023, 17:04
Behavioral task: behavioral1
Sample: 1phc1YJN.exe
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: 1phc1YJN.exe
Resource: win10v2004-20230220-en
General
Target: 1phc1YJN.exe
Size: 37KB
MD5: fb0bdd758f8a9f405e6af2358da06ae1
SHA1: 6c283ab5e49e6fe3a93a996f850a5639fc49e3f5
SHA256: 9da4778fce03b654f62009b3d88958213f139b2f35fe1bed438100fae35bdfbf
SHA512: 71d3bd1c621a93bc54f1104285da5bf8e59bc26c3055cf708f61070c1a80ee705c33efd4a05acf3d3a90a9d9fca0357c66894dcb5045ab38b27834ff56c06253
SSDEEP: 384:NOpYoixJbl7OHg1WykrDPf7O8GsnRlrAF+rMRTyN/0L+EcoinblneHQM3epzXNsG:gpeR1NkrDPSlsRlrM+rMRa8NuPsCt
Malware Config
Extracted
Family: njrat
im523
TrupAshot
documents-elegant.at.ply.gg:54835
4a87b5397a2736773782f50e108b2da4
reg_key: 4a87b5397a2736773782f50e108b2da4
splitter: |'|'|
Signatures

Modifies Windows Firewall (1 TTPs, 1 IoCs)
  pid 268  netsh.exe

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4a87b5397a2736773782f50e108b2da4.exe  (conhost.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4a87b5397a2736773782f50e108b2da4.exe  (conhost.exe)

Executes dropped EXE (1 IoCs)
  pid 1440  conhost.exe

Loads dropped DLL (1 IoCs)
  pid 1988  1phc1YJN.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\4a87b5397a2736773782f50e108b2da4 = "\"C:\\Users\\Admin\\AppData\\Roaming\\conhost.exe\" .."  (conhost.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\4a87b5397a2736773782f50e108b2da4 = "\"C:\\Users\\Admin\\AppData\\Roaming\\conhost.exe\" .."  (conhost.exe)

Drops autorun.inf file (1 TTPs, 3 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
  File created: C:\autorun.inf  (conhost.exe)
  File opened for modification: C:\autorun.inf  (conhost.exe)
  File created: D:\autorun.inf  (conhost.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1440  conhost.exe  (all 64 entries identical)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid 1440  conhost.exe

Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Token: SeDebugPrivilege  pid 1440  conhost.exe
  Token: 33  pid 1440  conhost.exe, followed by Token: SeIncBasePriorityPrivilege  pid 1440  conhost.exe  (this pair repeated 11 times)

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1988 wrote to memory of 1440  pid 1988  1phc1YJN.exe  procid_target 28  (4 identical entries)
  PID 1440 wrote to memory of 268  pid 1440  conhost.exe  procid_target 29  (4 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\1phc1YJN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1phc1YJN.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1988

  C:\Users\Admin\AppData\Roaming\conhost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\conhost.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops autorun.inf file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1440

    C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\conhost.exe" "conhost.exe" ENABLE
      - Modifies Windows Firewall
      PID:268
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4a87b5397a2736773782f50e108b2da4.exe
Filesize: 37KB
MD5: fb0bdd758f8a9f405e6af2358da06ae1
SHA1: 6c283ab5e49e6fe3a93a996f850a5639fc49e3f5
SHA256: 9da4778fce03b654f62009b3d88958213f139b2f35fe1bed438100fae35bdfbf
SHA512: 71d3bd1c621a93bc54f1104285da5bf8e59bc26c3055cf708f61070c1a80ee705c33efd4a05acf3d3a90a9d9fca0357c66894dcb5045ab38b27834ff56c06253