Analysis
max time kernel: 299s
max time network: 300s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/01/2024, 13:33
Behavioral task: behavioral1
Sample: Payload2024.exe
Resource: win10v2004-20231215-en
General
Target: Payload2024.exe
Size: 27KB
MD5: 248679d7c4c333b7b2fef2c0f092327b
SHA1: d5b18fa3fd68935ab01b25db2813250b9d121dbd
SHA256: 239e6fe1ce713f9107e88f9b06877e744bea245a699e837e864a6d2b065e6756
SHA512: 27efe089952678727053fffcfe4212d330f55ec5a3eee0f7122a9deeff3dee92600db2f3238ae1d11da1d6d8e0a9bc1e48c02b9b8a71ee3129eff5d11ac06dc9
SSDEEP: 384:0LUl2J1dJFKnO4YLJ5zeZsL4E7O4/ChZGPjdx4kM0AQk93vmhm7UMKmIEecKdbXi:ipJFPleeHU0A/vMHTi9bD
Malware Config
Extracted family: njrat
Version: v4.0
Botnet: HacKed
C2: soon-lp.at.ply.gg:17209
Mutex: Windows
Attributes:
  reg_key: Windows
  splitter: |-F-|
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                            Process
Key value queried  \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation  Payload.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation  Payload2024.exe
Drops startup file (7 IoCs)
description                   ioc                                                                                  Process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe  Payload.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe  Payload.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe  attrib.exe
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Louked.exe   tmp6CA0.tmp.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Louked.exe   tmp6CA0.tmp.exe
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk  Payload2024.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk  Payload.exe
Executes dropped EXE (2 IoCs)
pid   Process
4416  Payload.exe
2284  tmp6CA0.tmp.exe
Adds Run key to start application (2 TTPs, 5 IoCs)
description      ioc                                                                                                                                                                                          Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"                                         Payload.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"   Payload.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"                                          Payload.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Payload.exe"                                         Payload2024.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"  Payload.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description                        pid   Process
Token: SeDebugPrivilege            4416  Payload.exe
Token: 33                          4416  Payload.exe
Token: SeIncBasePriorityPrivilege  4416  Payload.exe
Token: 33                          4416  Payload.exe
Token: SeIncBasePriorityPrivilege  4416  Payload.exe
Token: 33                          4416  Payload.exe
Token: SeIncBasePriorityPrivilege  4416  Payload.exe
Token: 33                          4416  Payload.exe
Token: SeIncBasePriorityPrivilege  4416  Payload.exe
Token: 33                          4416  Payload.exe
Token: SeIncBasePriorityPrivilege  4416  Payload.exe
Token: 33                          4416  Payload.exe
Token: SeIncBasePriorityPrivilege  4416  Payload.exe
Token: 33                          4416  Payload.exe
Token: SeIncBasePriorityPrivilege  4416  Payload.exe
Token: 33                          4416  Payload.exe
Token: SeIncBasePriorityPrivilege  4416  Payload.exe
Token: 33                          4416  Payload.exe
Token: SeIncBasePriorityPrivilege  4416  Payload.exe
Token: 33                          4416  Payload.exe
Token: SeIncBasePriorityPrivilege  4416  Payload.exe
Token: 33                          4416  Payload.exe
Token: SeIncBasePriorityPrivilege  4416  Payload.exe
Token: 33                          4416  Payload.exe
Token: SeIncBasePriorityPrivilege  4416  Payload.exe
Token: 33                          4416  Payload.exe
Token: SeIncBasePriorityPrivilege  4416  Payload.exe
Token: 33                          4416  Payload.exe
Token: SeIncBasePriorityPrivilege  4416  Payload.exe
Token: 33                          4416  Payload.exe
Token: SeIncBasePriorityPrivilege  4416  Payload.exe
Token: 33                          4416  Payload.exe
Token: SeIncBasePriorityPrivilege  4416  Payload.exe
Token: 33                          4416  Payload.exe
Token: SeIncBasePriorityPrivilege  4416  Payload.exe
Token: 33                          4416  Payload.exe
Token: SeIncBasePriorityPrivilege  4416  Payload.exe
Token: 33                          4416  Payload.exe
Token: SeIncBasePriorityPrivilege  4416  Payload.exe
Token: 33                          4416  Payload.exe
Token: SeIncBasePriorityPrivilege  4416  Payload.exe
Token: 33                          4416  Payload.exe
Token: SeIncBasePriorityPrivilege  4416  Payload.exe
Token: 33                          4416  Payload.exe
Token: SeIncBasePriorityPrivilege  4416  Payload.exe
Token: 33                          4416  Payload.exe
Token: SeIncBasePriorityPrivilege  4416  Payload.exe
Token: 33                          4416  Payload.exe
Token: SeIncBasePriorityPrivilege  4416  Payload.exe
Token: 33                          4416  Payload.exe
Token: SeIncBasePriorityPrivilege  4416  Payload.exe
Token: 33                          4416  Payload.exe
Token: SeIncBasePriorityPrivilege  4416  Payload.exe
Token: 33                          4416  Payload.exe
Token: SeIncBasePriorityPrivilege  4416  Payload.exe
Token: 33                          4416  Payload.exe
Token: SeIncBasePriorityPrivilege  4416  Payload.exe
Token: 33                          4416  Payload.exe
Token: SeIncBasePriorityPrivilege  4416  Payload.exe
Token: 33                          4416  Payload.exe
Token: SeIncBasePriorityPrivilege  4416  Payload.exe
Token: 33                          4416  Payload.exe
Token: SeIncBasePriorityPrivilege  4416  Payload.exe
Token: 33                          4416  Payload.exe
Suspicious use of WriteProcessMemory (15 IoCs)
description                       pid   Process          procid_target
PID 1224 wrote to memory of 4416  1224  Payload2024.exe  94
PID 1224 wrote to memory of 4416  1224  Payload2024.exe  94
PID 1224 wrote to memory of 4416  1224  Payload2024.exe  94
PID 1224 wrote to memory of 920   1224  Payload2024.exe  93
PID 1224 wrote to memory of 920   1224  Payload2024.exe  93
PID 1224 wrote to memory of 920   1224  Payload2024.exe  93
PID 4416 wrote to memory of 2404  4416  Payload.exe      99
PID 4416 wrote to memory of 2404  4416  Payload.exe      99
PID 4416 wrote to memory of 2404  4416  Payload.exe      99
PID 4416 wrote to memory of 2836  4416  Payload.exe      98
PID 4416 wrote to memory of 2836  4416  Payload.exe      98
PID 4416 wrote to memory of 2836  4416  Payload.exe      98
PID 4416 wrote to memory of 2284  4416  Payload.exe      103
PID 4416 wrote to memory of 2284  4416  Payload.exe      103
PID 4416 wrote to memory of 2284  4416  Payload.exe      103
Views/modifies file attributes (1 TTPs, 3 IoCs)
pid   Process
920   attrib.exe
2836  attrib.exe
2404  attrib.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\Payload2024.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Payload2024.exe"
   PID: 1224
   - Checks computer location settings
   - Drops startup file
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Payload.exe"
      PID: 920
      - Views/modifies file attributes

   2. C:\Users\Admin\AppData\Roaming\Payload.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Payload.exe"
      PID: 4416
      - Checks computer location settings
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\attrib.exe
         Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
         PID: 2836
         - Views/modifies file attributes

      3. C:\Windows\SysWOW64\attrib.exe
         Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
         PID: 2404
         - Drops startup file
         - Views/modifies file attributes

      3. C:\Users\Admin\AppData\Local\Temp\tmp6CA0.tmp.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\tmp6CA0.tmp.exe"
         PID: 2284
         - Drops startup file
         - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads