Analysis
- max time kernel: 92s
- max time network: 101s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 30/12/2023, 17:23
Static task: static1
Behavioral task: behavioral1
- Sample: 01ab435feaef006adef71503c8c45186.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 01ab435feaef006adef71503c8c45186.exe
- Resource: win10v2004-20231215-en
General
- Target: 01ab435feaef006adef71503c8c45186.exe
- Size: 48KB
- MD5: 01ab435feaef006adef71503c8c45186
- SHA1: b8323754af1f8c640046b058760aac1f9f72d937
- SHA256: b506504cfe3cc382536afd2fe8418e665a823ac5f084ffca6c2c7730c565cfd6
- SHA512: 3abd6ff3798710dced1b60ae152adfa8fbf2616f1c681caea823df80dbf95f03ac9b06b5d0bcaa688a614c14a7814beb06f960eff1b9e5fa0b2e3bf5f33b87a8
- SSDEEP: 768:xJNEhmygKOyEv+6wH9H7MfygXaDMFQXD7e:xJamgOh6NNDsQXD7
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  process: njsij.exe
- Executes dropped EXE (1 IoC)
  pid: 2552, process: njsij.exe
- Loads dropped DLL (2 IoCs)
  pid: 2704, process: 01ab435feaef006adef71503c8c45186.exe (2 entries)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\njsij = "C:\\Users\\Admin\\njsij.exe"
  process: njsij.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid: 2552, process: njsij.exe (64 identical entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid: 2704, process: 01ab435feaef006adef71503c8c45186.exe
  pid: 2552, process: njsij.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  PID 2704 (01ab435feaef006adef71503c8c45186.exe) wrote to memory of PID 2552, procid_target 30 (4 entries)
  PID 2552 (njsij.exe) wrote to memory of PID 2704, procid_target 16 (60 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\01ab435feaef006adef71503c8c45186.exe (PID 2704)
  command line: "C:\Users\Admin\AppData\Local\Temp\01ab435feaef006adef71503c8c45186.exe"
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\njsij.exe (PID 2552)
    command line: "C:\Users\Admin\njsij.exe"
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 48KB
- MD5: 4257f00035a37a956517c5cf182008d0
- SHA1: 9344f9bdb56414811d5d543210a68b3cd5d04992
- SHA256: 7f05632f468325d210456cad180d73a645cb86059533eb2a166964c62f8acfa2
- SHA512: 3d0cde76d93005f8a49bd75f22b5b9b5dd283e7ef354452b211615f4764ba32e0ed019ef5d287ae35d5dd059fb3dc52a9f1ab354476090895c22b31435c19f41