Analysis
Max time kernel: 59s
Max time network: 62s
Platform: windows10-2004_x64
Resource: win10v2004-20231222-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 17/01/2024, 13:28
Behavioral task: behavioral1
Sample: Payload2024.exe
Resource: win10v2004-20231222-en
General
Target: Payload2024.exe
Size: 27KB
MD5: 248679d7c4c333b7b2fef2c0f092327b
SHA1: d5b18fa3fd68935ab01b25db2813250b9d121dbd
SHA256: 239e6fe1ce713f9107e88f9b06877e744bea245a699e837e864a6d2b065e6756
SHA512: 27efe089952678727053fffcfe4212d330f55ec5a3eee0f7122a9deeff3dee92600db2f3238ae1d11da1d6d8e0a9bc1e48c02b9b8a71ee3129eff5d11ac06dc9
SSDEEP: 384:0LUl2J1dJFKnO4YLJ5zeZsL4E7O4/ChZGPjdx4kM0AQk93vmhm7UMKmIEecKdbXi:ipJFPleeHU0A/vMHTi9bD
Malware Config
Extracted
Family: njrat
Version: v4.0
Botnet: HacKed
C2: soon-lp.at.ply.gg:17209
Mutex: Windows
Attributes:
  reg_key: Windows
  splitter: |-F-|
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Description        | IoC                                                                                                   | Process
  Key value queried  | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | Payload2024.exe

Drops startup file (5 IoCs)
  Description                  | IoC                                                                                             | Process
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk        | Payload2024.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk        | Payload.exe
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe        | Payload.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe        | Payload.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe        | attrib.exe

Executes dropped EXE (1 IoC)
  PID  | Process
  2956 | Payload.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
  Description     | IoC                                                                                                                                                                                                      | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"  | Payload.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"                                 | Payload.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Payload.exe"                                 | Payload2024.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Payload.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"                                | Payload.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (11 IoCs)
  Description                       | PID  | Process
  Token: SeDebugPrivilege           | 2956 | Payload.exe
  Token: 33                         | 2956 | Payload.exe
  Token: SeIncBasePriorityPrivilege | 2956 | Payload.exe
  Token: 33                         | 2956 | Payload.exe
  Token: SeIncBasePriorityPrivilege | 2956 | Payload.exe
  Token: 33                         | 2956 | Payload.exe
  Token: SeIncBasePriorityPrivilege | 2956 | Payload.exe
  Token: 33                         | 2956 | Payload.exe
  Token: SeIncBasePriorityPrivilege | 2956 | Payload.exe
  Token: 33                         | 2956 | Payload.exe
  Token: SeIncBasePriorityPrivilege | 2956 | Payload.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  Description                       | PID  | Process         | procid_target
  PID 1408 wrote to memory of 2956  | 1408 | Payload2024.exe | 98
  PID 1408 wrote to memory of 2956  | 1408 | Payload2024.exe | 98
  PID 1408 wrote to memory of 2956  | 1408 | Payload2024.exe | 98
  PID 1408 wrote to memory of 2568  | 1408 | Payload2024.exe | 99
  PID 1408 wrote to memory of 2568  | 1408 | Payload2024.exe | 99
  PID 1408 wrote to memory of 2568  | 1408 | Payload2024.exe | 99
  PID 2956 wrote to memory of 4380  | 2956 | Payload.exe     | 102
  PID 2956 wrote to memory of 4380  | 2956 | Payload.exe     | 102
  PID 2956 wrote to memory of 4380  | 2956 | Payload.exe     | 102
  PID 2956 wrote to memory of 4488  | 2956 | Payload.exe     | 103
  PID 2956 wrote to memory of 4488  | 2956 | Payload.exe     | 103
  PID 2956 wrote to memory of 4488  | 2956 | Payload.exe     | 103

Views/modifies file attributes (1 TTP, 3 IoCs)
  PID  | Process
  2568 | attrib.exe
  4380 | attrib.exe
  4488 | attrib.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\Payload2024.exe (PID 1408)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Payload2024.exe"
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Roaming\Payload.exe (PID 2956)
        Command line: "C:\Users\Admin\AppData\Roaming\Payload.exe"
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\attrib.exe (PID 4380)
            Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
            - Drops startup file
            - Views/modifies file attributes

        [3] C:\Windows\SysWOW64\attrib.exe (PID 4488)
            Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
            - Views/modifies file attributes

    [2] C:\Windows\SysWOW64\attrib.exe (PID 2568)
        Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Payload.exe"
        - Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 1cf416d26fcaa9ac44cde97b4071c2c1
SHA1: 2f49d770b79359232d9b8ad9609bcab9bc8489a1
SHA256: 298bf368286c7dfa7b8cd2774d93811fea422c38b37b79c4049fb38fbfa49da0
SHA512: d4a92f2051d7bb5ec5dfd5cce038202cab2a75fad83238c914ce0e1d4db66b36bd2b8302451035e6e9cbf8160965e180f91af0ffea9772c28e0a4aa9a4171bcf

Filesize: 1KB
MD5: b565b6f7a706fa0e6f1a618d53af840a
SHA1: a2dcefc8f9bf6ffc89c3e9dba9ba582a4dc0c47f
SHA256: e2be89378f1677a386e8641949f4af149db4947d04ff320e256a5c0b39d683cb
SHA512: 11755649cf70808de39fd6f3a20559feebad8e7344bbd5c10de0d285ded97d8570c9e01b2834eb80c6e3179abc6bec2d9bbd4dc4e24dd94fb981fd6c9caf28fe

Filesize: 27KB
MD5: 248679d7c4c333b7b2fef2c0f092327b
SHA1: d5b18fa3fd68935ab01b25db2813250b9d121dbd
SHA256: 239e6fe1ce713f9107e88f9b06877e744bea245a699e837e864a6d2b065e6756
SHA512: 27efe089952678727053fffcfe4212d330f55ec5a3eee0f7122a9deeff3dee92600db2f3238ae1d11da1d6d8e0a9bc1e48c02b9b8a71ee3129eff5d11ac06dc9