Analysis
- max time kernel: 148s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 07/01/2024, 20:58
Static task
- static1 (1 signature)
Behavioral task
- behavioral1
- Sample: 49bf33f0b08d37da284f8639c1f00055.exe
- Resource: win7-20231215-en
- 7 signatures
- 150 seconds
General
- Target: 49bf33f0b08d37da284f8639c1f00055.exe
- Size: 40KB
- MD5: 49bf33f0b08d37da284f8639c1f00055
- SHA1: 3695046661213ba96b279bea83aabde19ec1a03f
- SHA256: 50c4981ce9e9bf59c4618e173962dba774131dcbd0822ea2a7126ecf4856b194
- SHA512: 53999c4ea4852bdfce596624b5fce5df1ede2435399cefb0845d23e3c84c1ad284e62e31abf0119efdb9d829fe03123d5eb16132eaa729731a98e5d86c1313db
- SSDEEP: 192:/TBBdaStRucohNosFOX0GPGJnelDwyX9rUX:/TjMFhNosYHGJUDwyXRUX
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: jaja
- C2: 127.0.0.1:442 (loopback address: this build can only connect to itself, so no controller traffic should be expected from the run; treat it as a test or mis-built sample rather than a live campaign binary)
- Mutex: 74caf6ac20895d0081b0f902a5e18339
- Attributes
  - reg_key: 74caf6ac20895d0081b0f902a5e18339
  - splitter: |'|'|
Signatures
- Modifies Windows Firewall (1 TTP, 1 IoC)
  pid 3004  netsh.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 2164 (49bf33f0b08d37da284f8639c1f00055.exe) set thread context of 2924 (procid_target 30)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 2164  49bf33f0b08d37da284f8639c1f00055.exe  (x2)
- Suspicious use of AdjustPrivilegeToken (34 IoCs)
  Token: SeDebugPrivilege             pid 2164  49bf33f0b08d37da284f8639c1f00055.exe
  Token: SeDebugPrivilege             pid 2924  aspnet_compiler.exe
  Token: 33                           pid 2924  aspnet_compiler.exe  (x16, alternating with the entry below)
  Token: SeIncBasePriorityPrivilege   pid 2924  aspnet_compiler.exe  (x16)
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 2164  49bf33f0b08d37da284f8639c1f00055.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  PID 2164 (49bf33f0b08d37da284f8639c1f00055.exe) wrote to memory of 2716 (procid_target 29)  (x4)
  PID 2164 (49bf33f0b08d37da284f8639c1f00055.exe) wrote to memory of 2924 (procid_target 30)  (x9)
  PID 2924 (aspnet_compiler.exe) wrote to memory of 3004 (procid_target 33)  (x4)
Processes
- C:\Users\Admin\AppData\Local\Temp\49bf33f0b08d37da284f8639c1f00055.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\49bf33f0b08d37da284f8639c1f00055.exe"
  PID: 2164
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
    PID: 2716
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
    PID: 2924
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe" "aspnet_compiler.exe" ENABLE
      PID: 3004
      - Modifies Windows Firewall
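The process tree and signatures above describe one chain: the sample spawns a signed .NET Framework helper (aspnet_compiler.exe) with no arguments, writes into it and resets its thread context (process hollowing; the first child, 2716, only receives writes and is abandoned), and the hollowed copy then runs netsh to add a firewall exception for the host binary. The following Python is an added example, not tria.ge output and not code from the sample, showing how that chain can be detected from normalised process-creation and cross-process API telemetry. The event classes, the parent PID of the sample (1200), and the hollowing-host names other than aspnet_compiler.exe are assumptions; the sample events are constructed from this report's figures.

```python
import re
import shlex
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical normalised event shapes (Sysmon/ETW style); not tria.ge's own format.
@dataclass(frozen=True)
class ProcessCreate:
    pid: int
    ppid: int
    image: str
    cmdline: str

@dataclass(frozen=True)
class ApiCall:
    source_pid: int
    target_pid: int
    api: str  # "WriteProcessMemory" or "SetThreadContext"

# Signed .NET Framework helpers commodity RATs use as hollowing hosts. aspnet_compiler.exe is
# the one in this report; the others are an assumption added for generality.
HOLLOW_HOSTS = {"aspnet_compiler.exe", "regasm.exe", "regsvcs.exe", "installutil.exe",
                "msbuild.exe", "vbc.exe", "csc.exe", "cvtres.exe"}

# Constructed telemetry modelled on the report's process tree and signature counts.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\49bf33f0b08d37da284f8639c1f00055.exe"
HOST = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
PROCS = [
    ProcessCreate(2164, 1200, SAMPLE, f'"{SAMPLE}"'),  # ppid 1200 is assumed
    ProcessCreate(2716, 2164, HOST, f'"{HOST}"'),
    ProcessCreate(2924, 2164, HOST, f'"{HOST}"'),
    ProcessCreate(3004, 2924, r"C:\Windows\SysWOW64\netsh.exe",
                  f'netsh firewall add allowedprogram "{HOST}" "aspnet_compiler.exe" ENABLE'),
]
CALLS = ([ApiCall(2164, 2716, "WriteProcessMemory")] * 4
         + [ApiCall(2164, 2924, "WriteProcessMemory")] * 9
         + [ApiCall(2164, 2924, "SetThreadContext")]
         + [ApiCall(2924, 3004, "WriteProcessMemory")] * 4)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()

def bare_host_launches(procs: List[ProcessCreate]) -> List[int]:
    """Hollowing hosts started with no arguments at all. A genuine aspnet_compiler.exe run
    carries -v/-p style switches, so an argument-less launch is a signal on its own."""
    return [p.pid for p in procs
            if basename(p.image) in HOLLOW_HOSTS
            and len(shlex.split(p.cmdline, posix=False)) == 1]

def find_hollowed(procs: List[ProcessCreate], calls: List[ApiCall]) -> Dict[int, int]:
    """Map target pid -> injecting pid where the creator both wrote memory into and reset the
    thread context of a hollowing host it spawned. 2716 only receives writes and is skipped."""
    by_pid = {p.pid: p for p in procs}
    apis_by_pair: Dict[Tuple[int, int], set] = {}
    for c in calls:
        apis_by_pair.setdefault((c.source_pid, c.target_pid), set()).add(c.api)
    out: Dict[int, int] = {}
    for (src, tgt), apis in apis_by_pair.items():
        p = by_pid.get(tgt)
        if (p and p.ppid == src and basename(p.image) in HOLLOW_HOSTS
                and {"WriteProcessMemory", "SetThreadContext"} <= apis):
            out[tgt] = src
    return out

# Legacy "netsh firewall add allowedprogram <path>" and "netsh advfirewall ... program=<path>".
FW_RE = re.compile(r'(?:allowedprogram\s+|program\s*=\s*)(?:"([^"]+)"|(\S+))', re.I)

def find_firewall_exceptions(procs: List[ProcessCreate], hollowed: Dict[int, int]) -> List[dict]:
    """Firewall exceptions added via netsh, rated by which process asked for them."""
    findings = []
    for p in procs:
        low = p.cmdline.lower()
        if basename(p.image) != "netsh.exe" or "firewall" not in low or " add " not in low:
            continue
        m = FW_RE.search(p.cmdline)
        program = (m.group(1) or m.group(2)) if m else ""
        if p.ppid in hollowed:
            sev = "high"     # requested from a process we already know is hollowed
        elif basename(program) in HOLLOW_HOSTS:
            sev = "medium"   # a build-time .NET helper never needs a firewall exception
        else:
            sev = "low"
        findings.append({"pid": p.pid, "ppid": p.ppid, "program": program, "severity": sev})
    return findings

if __name__ == "__main__":
    hollowed = find_hollowed(PROCS, CALLS)
    print("argument-less host launches:", bare_host_launches(PROCS))
    print("hollowed (target -> injector):", hollowed)
    for f in find_firewall_exceptions(PROCS, hollowed):
        print(f)
```

The three checks degrade gracefully: with full API telemetry the hollowing is confirmed and the netsh call is rated high; with process-creation logs alone, the argument-less aspnet_compiler.exe launch and a firewall exception for a .NET compiler still surface as medium-confidence findings.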