Analysis
max time kernel: 210s
max time network: 30s
platform: windows7_x64
resource: win7-20230621-en
resource tags: arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
submitted: 29/06/2023, 21:30
General
Target: drweb.exe
Size: 151KB
MD5: db5fa6ff80870f8041e0b31b00c43575
SHA1: aa22dd900a62ce990080bd848567ba8239c397dc
SHA256: 59b5e11f75751ce321671ed65883c1d67cf4736bb07f43000215afd3a2def406
SHA512: 92bc1cfe2319055e93e8aa3ba647ffcdc4a1baea166871a9b8b09a0400273b719eed169f031a47166f9383d0022459f6d99229eddd7779f02768d70cfa10a0f7
SSDEEP: 3072:0Oj3YL2p+yJgNAjVd1nut+uV2mTVDjFwkWl176jZ1hCagdgvPW:L3YLfOVdRQ/vqkg1gEagdgH
Malware Config
Extracted
Family: njrat
Version: im523
Botnet: HacKed
C2: 127.0.0.1:5552
Mutex: 08022291fe871213f172041da3b6ef33
reg_key: 08022291fe871213f172041da3b6ef33
splitter: |'|'|
Signatures

Modifies Windows Firewall (1 TTPs, 1 IoCs)
    pid   Process
    2036  netsh.exe

Executes dropped EXE (1 IoCs)
    pid   Process
    2032  bootlog.exe

Loads dropped DLL (1 IoCs)
    pid   Process
    2028  drweb.exe

Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
    pid   Process
    2032  bootlog.exe   (64 identical entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
    pid   Process
    2032  bootlog.exe

Suspicious use of AdjustPrivilegeToken (35 IoCs)
    description                        pid   Process       count
    Token: SeDebugPrivilege            2032  bootlog.exe   1
    Token: 33                          1524  AUDIODG.EXE   2
    Token: SeIncBasePriorityPrivilege  1524  AUDIODG.EXE   2
    Token: 33                          2032  bootlog.exe   15
    Token: SeIncBasePriorityPrivilege  2032  bootlog.exe   15

Suspicious use of WriteProcessMemory (8 IoCs)
    description                       pid   Process       procid_target  count
    PID 2028 wrote to memory of 2032  2028  drweb.exe     27             4
    PID 2032 wrote to memory of 2036  2032  bootlog.exe   28             4
Processes

- C:\Users\Admin\AppData\Local\Temp\drweb.exe (PID 2028)
  command line: "C:\Users\Admin\AppData\Local\Temp\drweb.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\bootlog.exe (PID 2032)
    command line: "C:\Users\Admin\AppData\Local\Temp\bootlog.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 2036)
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\bootlog.exe" "bootlog.exe" ENABLE
      - Modifies Windows Firewall

- C:\Windows\explorer.exe (PID 824)
  command line: "C:\Windows\explorer.exe"

- C:\Windows\system32\AUDIODG.EXE (PID 1524)
  command line: C:\Windows\system32\AUDIODG.EXE 0x554
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 151KB
MD5: db5fa6ff80870f8041e0b31b00c43575
SHA1: aa22dd900a62ce990080bd848567ba8239c397dc
SHA256: 59b5e11f75751ce321671ed65883c1d67cf4736bb07f43000215afd3a2def406
SHA512: 92bc1cfe2319055e93e8aa3ba647ffcdc4a1baea166871a9b8b09a0400273b719eed169f031a47166f9383d0022459f6d99229eddd7779f02768d70cfa10a0f7