Analysis
- max time kernel: 145s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20230621-en
- resource tags: arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
- submitted: 30/06/2023, 10:56
Behavioral task behavioral1
- Sample: dobro.exe
- Resource: win7-20230621-en
Behavioral task behavioral2
- Sample: dobro.exe
- Resource: win10v2004-20230621-en
General
- Target: dobro.exe
- Size: 151KB
- MD5: a443234e456bbc4a78605ab336e7d7f6
- SHA1: 3ce499b7866a684755ae6b38980438719bff784b
- SHA256: 723d4e16788b240cd61087fe9b70d3f6e60117d0b7af0e242457a77541e277ce
- SHA512: 4fdfb874d9db98058709ce72bb7ca8b9dad2307f168ee2aae225ecc26fec33f5c41ceaa67d61ad6617181ccb85a237283e75cb6f43a74051155ec8c0d7fdbcd1
- SSDEEP: 3072:klgjq8s+yJueAjVd1nut+uV2mTVDjFwkWl176jZ1hCagdgvPW:WgjqARVdRQ/vqkg1gEagdgH
Malware Config
Extracted (njrat)
- im523
- HacKed_CrosSs
- 5.101.21.20:1555
- 4742a84879c01b0661392ad95615a345
- reg_key: 4742a84879c01b0661392ad95615a345
- splitter: |'|'|
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
  pid 568, netsh.exe
- Executes dropped EXE (1 IoCs)
  pid 1704, spoolsv.exe
- Loads dropped DLL (1 IoCs)
  pid 1956, dobro.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Kills process with taskkill (1 IoCs)
  pid 672, taskkill.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid 1704, spoolsv.exe
- Suspicious use of AdjustPrivilegeToken (22 IoCs)
  description                         pid   Process
  Token: SeDebugPrivilege             672   taskkill.exe
  Token: SeDebugPrivilege             1704  spoolsv.exe
  Token: 33                           1704  spoolsv.exe   (10 occurrences)
  Token: SeIncBasePriorityPrivilege   1704  spoolsv.exe   (10 occurrences)
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process       procid_target
  PID 1956 wrote to memory of 1704   1956  dobro.exe     27   (4 occurrences)
  PID 1704 wrote to memory of 568    1704  spoolsv.exe   28   (4 occurrences)
  PID 1704 wrote to memory of 672    1704  spoolsv.exe   29   (4 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\dobro.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dobro.exe"
  PID: 1956
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\spoolsv.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\spoolsv.exe"
    PID: 1704
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\spoolsv.exe" "spoolsv.exe" ENABLE
      PID: 568
      - Modifies Windows Firewall
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /IM explorer.exe
      PID: 672
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
Three downloadable artifacts are listed; all three carry the same size and hashes as the submitted sample:
- Filesize: 151KB
- MD5: a443234e456bbc4a78605ab336e7d7f6
- SHA1: 3ce499b7866a684755ae6b38980438719bff784b
- SHA256: 723d4e16788b240cd61087fe9b70d3f6e60117d0b7af0e242457a77541e277ce
- SHA512: 4fdfb874d9db98058709ce72bb7ca8b9dad2307f168ee2aae225ecc26fec33f5c41ceaa67d61ad6617181ccb85a237283e75cb6f43a74051155ec8c0d7fdbcd1