Analysis

- max time kernel: 1564s
- max time network: 1567s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 17/01/2024, 12:34
Behavioral task: behavioral1
- Sample: SERVER.exe
- Resource: win7-20231215-en

Behavioral task: behavioral2
- Sample: SERVER.exe
- Resource: android-x86-arm-20231215-en
General

- Target: SERVER.exe
- Size: 43KB
- MD5: f8a35dfdebb9b6ee5f1ea10a4a492bfb
- SHA1: eefc78908390cb6ef9604dd5649a167f254f8da7
- SHA256: 08d4585a7c6f6f1734b0d69ac75373b3d5c346489645cfe6257ebe4a408f522b
- SHA512: b1bc6cbeae3a89227c4c8733fa6601720986babff129883b32a298b87fa9fb63f84f3a4d0cd45056e10f656357b4057cec4f5a29f0e6202d749d47a44dc1c329
- SSDEEP: 384:0Zy6vHn1iDcsyEqtBfkEGCOEhGyOEtzcIij+ZsNO3PlpJKkkjh/TzF7pWnVY/gra:C9HnU4pEqtNkE5SyZuXQ/o0Y3+L
Malware Config

Extracted: njrat
- Njrat 0.7 Golden By Hassan Amiri
- HacKed
- 5.251.209.159:5552
- Windows Update
- reg_key: Windows Update
- splitter: |Hassan|
Signatures

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Modifies registry class (35 IoCs)
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid   Process
  2480  SERVER.exe
  2732  AcroRd32.exe

- Suspicious use of SetWindowsHookEx (9 IoCs)
  pid   Process
  2736  rundll32.exe
  2736  rundll32.exe
  2736  rundll32.exe
  2732  AcroRd32.exe
  2732  AcroRd32.exe
  2732  AcroRd32.exe
  2732  AcroRd32.exe
  2732  AcroRd32.exe
  2732  AcroRd32.exe

- Suspicious use of WriteProcessMemory (11 IoCs)
  description                        pid   Process       procid_target
  PID 2480 wrote to memory of 2736   2480  SERVER.exe    28
  PID 2480 wrote to memory of 2736   2480  SERVER.exe    28
  PID 2480 wrote to memory of 2736   2480  SERVER.exe    28
  PID 2480 wrote to memory of 2736   2480  SERVER.exe    28
  PID 2480 wrote to memory of 2736   2480  SERVER.exe    28
  PID 2480 wrote to memory of 2736   2480  SERVER.exe    28
  PID 2480 wrote to memory of 2736   2480  SERVER.exe    28
  PID 2736 wrote to memory of 2732   2736  rundll32.exe  29
  PID 2736 wrote to memory of 2732   2736  rundll32.exe  29
  PID 2736 wrote to memory of 2732   2736  rundll32.exe  29
  PID 2736 wrote to memory of 2732   2736  rundll32.exe  29
Processes

- C:\Users\Admin\AppData\Local\Temp\SERVER.exe (depth 1, PID 2480)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SERVER.exe"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\rundll32.exe (depth 2, PID 2736)
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Svhost
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (depth 3, PID 2732)
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Svhost"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Downloads