Analysis
max time kernel: 151s
max time network: 130s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 13/01/2024, 20:44
Behavioral task
behavioral1
Sample
Server.exe
Resource
win7-20231215-en
General
Target: Server.exe
Size: 37KB
MD5: a1d98613743877e6909e48a7ef961f03
SHA1: d5060ec77aa7b90457fb4e0bcf13ed6d15be9f50
SHA256: 68887219835e5a239f80790898cce4fa77ad3551bb131b71ebe7dc01303be047
SHA512: 4d3039abe72a4617ba6b8c0ad2810e8448e21b8424abd7d798a5dd396e4bc3d18ee4b0a6379cdd122b4c9ecdec7812a266a15fad233ac39bded4c8091f4576f3
SSDEEP: 384:u8GBkiyRnDNGRn5IyUvoIdf1bg/SuswxrAF+rMRTyN/0L+EcoinblneHQM3epzXO:RZ5M5jUvtdOaufxrM+rMRa8NuMjlt
Malware Config
Extracted
Family: njrat
Version: im523
Botnet: noob
C2: 127.0.0.1:5552
Mutex: df4f4145ee2e48990df7a94a2e0f3561
Attributes
reg_key: df4f4145ee2e48990df7a94a2e0f3561
splitter: |'|'|
Note: the configured C2 is the loopback address, so this build cannot beacon out of the sandbox; the same 32-hex reg_key value is reused as the Run value name, the Startup folder file name and the mutex, which makes it the single most useful host artifact for this sample.
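The splitter in the extracted config is the field delimiter njRAT uses inside its C2 messages, and messages on the wire are length-prefixed. The parser below is an added example written for this page, not code from the report or from the malware; it assumes the framing described in public njRAT write-ups (decimal ASCII length, a NUL byte, then the payload with fields joined by the splitter) and all traffic it processes is constructed, not captured from this run.

```python
"""Split an njRAT-style C2 byte stream into messages and fields.

Added example for this report, not Triage or njRAT code. Assumed framing
(per public njRAT analyses): "<decimal length>\x00<payload>", with payload
fields joined by the configured splitter, |'|'| for this sample.
"""
from typing import List, Tuple

SPLITTER = b"|'|'|"  # value taken from the extracted config above


def frame(fields: List[bytes], splitter: bytes = SPLITTER) -> bytes:
    """Build one message; used here only to construct test traffic."""
    payload = splitter.join(fields)
    return str(len(payload)).encode() + b"\x00" + payload


def parse_stream(buf: bytes, splitter: bytes = SPLITTER) -> Tuple[List[List[bytes]], bytes]:
    """Return (complete messages as lists of fields, unconsumed tail).

    Handles the two cases a TCP reassembler must: several messages coalesced
    into one read, and a trailing partial message, which is returned as the
    tail so the caller can prepend it to the next read.
    """
    messages: List[List[bytes]] = []
    pos = 0
    while pos < len(buf):
        nul = buf.find(b"\x00", pos)
        if nul == -1:
            break  # length prefix not complete yet
        prefix = buf[pos:nul]
        if not prefix.isdigit():
            raise ValueError("bad length prefix at offset %d" % pos)
        start = nul + 1
        end = start + int(prefix)
        if end > len(buf):
            break  # payload not complete yet, keep as tail
        messages.append(buf[start:end].split(splitter))
        pos = end
    return messages, buf[pos:]


if __name__ == "__main__":
    # Constructed stream: two full messages plus the head of a third.
    stream = frame([b"ll", b"SGVsbG8=", b"PC-NAME", b"Admin"]) + frame([b"inf"]) + b"5\x00ab"
    msgs, tail = parse_stream(stream)
    print(msgs)            # [[b'll', b'SGVsbG8=', b'PC-NAME', b'Admin'], [b'inf']]
    print(tail)            # b'5\x00ab'
    print(parse_stream(tail + b"cde"))  # ([[b'abcde']], b'')
```

Splitting on the configured splitter rather than on a generic separator is what keeps base64 fields (which cannot contain `|'`) and Windows paths intact; a decoder that guesses the delimiter per sample will mis-split other njRAT builds that use a different splitter string.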
Signatures

Modifies Windows Firewall (1 TTP, 1 IoC)
  PID 2688  netsh.exe

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\df4f4145ee2e48990df7a94a2e0f3561.exe  (FortniteHacks.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\df4f4145ee2e48990df7a94a2e0f3561.exe  (FortniteHacks.exe)

Executes dropped EXE (1 IoC)
  PID 2676  FortniteHacks.exe

Loads dropped DLL (1 IoC)
  PID 2172  Server.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\df4f4145ee2e48990df7a94a2e0f3561 = "C:\Users\Admin\AppData\Local\Temp\FortniteHacks.exe" ..  (FortniteHacks.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\df4f4145ee2e48990df7a94a2e0f3561 = "C:\Users\Admin\AppData\Local\Temp\FortniteHacks.exe" ..  (FortniteHacks.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2676  FortniteHacks.exe  (64 occurrences)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  PID 2676  FortniteHacks.exe
  PID 1092  msconfig.exe

Suspicious use of AdjustPrivilegeToken (36 IoCs)
  Token: SeDebugPrivilege             PID 2676  FortniteHacks.exe
  Token: SeDebugPrivilege             PID 2748  taskmgr.exe
  Token: 33                           PID 2676  FortniteHacks.exe  (17 occurrences)
  Token: SeIncBasePriorityPrivilege   PID 2676  FortniteHacks.exe  (17 occurrences)

Suspicious use of FindShellTrayWindow (31 IoCs)
  PID 2748  taskmgr.exe  (31 occurrences)

Suspicious use of SendNotifyMessage (31 IoCs)
  PID 2748  taskmgr.exe  (31 occurrences)

Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 1092  msconfig.exe  (2 occurrences)

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2172 (Server.exe) wrote to memory of PID 2676, target index 28  (4 occurrences)
  PID 2676 (FortniteHacks.exe) wrote to memory of PID 2688, target index 29  (4 occurrences)
Processes

C:\Users\Admin\AppData\Local\Temp\Server.exe  (PID 2172)
  command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\FortniteHacks.exe  (PID 2676, child of 2172)
    command line: "C:\Users\Admin\AppData\Local\Temp\FortniteHacks.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\netsh.exe  (PID 2688, child of 2676)
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\FortniteHacks.exe" "FortniteHacks.exe" ENABLE
      - Modifies Windows Firewall

C:\Windows\system32\taskmgr.exe  (PID 2748)
  command line: "C:\Windows\system32\taskmgr.exe" /4
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\system32\msconfig.exe  (PID 1092)
  command line: "C:\Windows\system32\msconfig.exe"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx

Reading notes: taskmgr.exe and msconfig.exe are top-level processes, not descendants of Server.exe, so the signatures attributed to them should not be read as sample behaviour. netsh.exe is launched from SysWOW64 and the HKLM Run value lands under Wow6432Node, which is the registry redirection a 32-bit process gets when it writes HKLM\Software on 64-bit Windows; together with the arch:x86 tag this shows the dropped payload runs as a 32-bit process.
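The three persistence signatures above (Run value, Startup folder copy, netsh firewall exception) are individually noisy but together form a tight chain: the same 32-hex name as both Run value and Startup file, and a netsh child of the same process allowing the very executable the Run value points to. The script below is an added example written for this page, not Triage code and not a Triage export format; its events are constructed to mirror the report's signatures (same PIDs, paths and value names), and the field names `type`, `pid`, `ppid`, `image`, `path`, `data` and `cmdline` are this example's own schema.

```python
"""Correlate the njRAT persistence chain from this report across sandbox events.

Added example, not part of the Triage report. EVENTS is constructed to
mirror the report's signatures; the record schema is this example's own.
"""
import re
from collections import defaultdict

HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)
RUN_VALUE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
STARTUP_FILE = re.compile(r"\\Start Menu\\Programs\\Startup\\([^\\]+)\.exe$", re.I)
QUOTED_EXE = re.compile(r'^"([^"]+\.exe)"', re.I)
NETSH_ALLOW = re.compile(r'firewall\s+add\s+allowedprogram\s+"([^"]+)"', re.I)

SID = r"S-1-5-21-1603059206-2004189698-4139800220-1000"
TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\FortniteHacks.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

EVENTS = [  # constructed, modelled on the report's signatures
    {"type": "reg_set", "pid": 2676, "image": "FortniteHacks.exe",
     "path": r"\REGISTRY\USER\%s\Software\Microsoft\Windows\CurrentVersion\Run\df4f4145ee2e48990df7a94a2e0f3561" % SID,
     "data": '"%s" ..' % TEMP_EXE},
    {"type": "reg_set", "pid": 2676, "image": "FortniteHacks.exe",
     "path": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\df4f4145ee2e48990df7a94a2e0f3561",
     "data": '"%s" ..' % TEMP_EXE},
    {"type": "file_create", "pid": 2676, "image": "FortniteHacks.exe",
     "path": STARTUP + r"\df4f4145ee2e48990df7a94a2e0f3561.exe"},
    {"type": "proc_create", "pid": 2688, "ppid": 2676, "image": "netsh.exe",
     "cmdline": 'netsh firewall add allowedprogram "%s" "FortniteHacks.exe" ENABLE' % TEMP_EXE},
    # Constructed benign-looking Run entry: ordinary name, no Startup copy, no firewall change.
    {"type": "reg_set", "pid": 1500, "image": "OneDriveSetup.exe",
     "path": r"\REGISTRY\USER\%s\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive" % SID,
     "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]


def correlate(events):
    """Return one finding per process that shows the complete chain:
    a 32-hex Run value, a Startup file with the same 32-hex name, and a
    netsh child adding the Run value's executable to the firewall."""
    run = defaultdict(dict)       # pid -> {value name: exe path from the value data}
    startup = defaultdict(set)    # pid -> {file stems dropped into Startup}
    allowed = defaultdict(set)    # parent pid -> {exe paths a netsh child allowed}
    image = {}
    for ev in events:
        image.setdefault(ev["pid"], ev["image"])
        if ev["type"] == "reg_set":
            m = RUN_VALUE.search(ev["path"])
            q = QUOTED_EXE.match(ev["data"])
            if m and q and HEX32.match(m.group(1)):
                run[ev["pid"]][m.group(1).lower()] = q.group(1).lower()
        elif ev["type"] == "file_create":
            m = STARTUP_FILE.search(ev["path"])
            if m and HEX32.match(m.group(1)):
                startup[ev["pid"]].add(m.group(1).lower())
        elif ev["type"] == "proc_create" and ev["image"].lower() == "netsh.exe":
            m = NETSH_ALLOW.search(ev["cmdline"])
            if m:
                allowed[ev["ppid"]].add(m.group(1).lower())  # attribute to the parent
    findings = []
    for pid, values in run.items():
        for name, exe in values.items():
            if name in startup[pid] and exe in allowed[pid]:
                findings.append({"pid": pid, "image": image.get(pid), "reg_key": name, "exe": exe})
                break
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f)  # one finding for PID 2676 / FortniteHacks.exe
```

Requiring all three legs keeps the rule quiet on hosts where a legitimate installer writes a Run value or adds a firewall exception on its own; dropping the firewall leg (as the test does) yields no finding, which is the intended trade-off rather than a bug.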
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)