Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 150s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 17/01/2024, 18:10
Behavioral task: behavioral1
- Sample: start.exe
- Resource: win7-20231129-en
General
- Target: start.exe
- Size: 93KB
- MD5: 937286297fbc003e6a69fdc0f02ce8b0
- SHA1: 2ebd595bbb357264649f17f8b066941f05befefb
- SHA256: 35b46563f4d1ef02e7e2a315df8bbf0f8c2e49803856af0cf1418ea19fba58cf
- SHA512: 9c26792ef5102c7215afae12264e2eca6c2a0f9ed67d9b84918b720f4ca81b5fa2cdb59a28f4089e25abb93243a3d90e98d45dda9862286e2e074708eaf405f4
- SSDEEP: 1536:t8NBNvGfr2p4dTc/hDjEwzGi1dDmD4gS:t8Yfr2p4dI/Gi1dwh
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: hakim32.ddns.net:2000, dead-reviewer.gl.at.ply.gg:60161
- Mutex: 60742add55fe12a61a5fe6a3cf32e5c0
- Attributes:
  - reg_key: 60742add55fe12a61a5fe6a3cf32e5c0
  - splitter: |'|'|

The same 32-hex value serves as mutex, registry value name and filename prefix (see the Startup drop "60742add55fe12a61a5fe6a3cf32e5c0Windows Update.exe" below), so it is a reliable host-based indicator for this build. The second C2 host is a playit.gg tunnel endpoint, so its IP is the tunnel provider's, not the operator's.
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
  pid 2612 netsh.exe
- Drops startup file (6 IoCs)
  File created / File opened for modification by server.exe:
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\60742add55fe12a61a5fe6a3cf32e5c0Windows Update.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
- Executes dropped EXE (1 IoCs)
  pid 2560 server.exe
- Loads dropped DLL (2 IoCs)
  pid 2996 start.exe (2 entries)
- Drops autorun.inf file (1 TTPs, 4 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes. Note that Windows 7 does not honor autorun.inf on non-optical removable media, so this only propagates to hosts with older or reconfigured AutoRun settings; the file is still a useful on-disk indicator.
  File created / File opened for modification by server.exe: C:\autorun.inf, F:\autorun.inf
- Drops file in System32 directory (2 IoCs)
  File created / File opened for modification by server.exe: C:\Windows\SysWOW64\Explower.exe
- Drops file in Program Files directory (2 IoCs)
  File created / File opened for modification by server.exe: C:\Program Files (x86)\Explower.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2560 server.exe (64 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid 2560 server.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  pid 2560 server.exe: Token: SeDebugPrivilege (1 entry), then Token: 33 and Token: SeIncBasePriorityPrivilege alternating (17 pairs)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2996 (start.exe) wrote to memory of 2560, procid_target 28 (4 entries)
  PID 2560 (server.exe) wrote to memory of 2612, procid_target 29 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\start.exe (PID 2996)
  "C:\Users\Admin\AppData\Local\Temp\start.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\server.exe (PID 2560)
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - Drops startup file
    - Executes dropped EXE
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 2612)
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      - Modifies Windows Firewall
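The three behaviours that matter most for detection here are the netsh call that whitelists a binary running from the user's Temp directory, the copies written into the per-user Startup folder, and the autorun.inf dropped at drive roots. The following is an added example of detection logic for those three patterns; it is not part of the tria.ge report or of the sample. The event records are constructed from the process tree and file IoCs above, the field names (type, pid, ppid, image, cmdline, path) are an assumed generic schema to be mapped onto your own EDR or Sysmon telemetry, and the benign advfirewall control event is invented to show the rule does not fire on an ordinary installer.

```python
"""Detections for the persistence/evasion behaviours recorded in this report,
run over constructed events (not real telemetry, not tria.ge's schema)."""
import re
from dataclasses import dataclass

# Paths a standard user can write to; njRAT runs and persists from here.
USER_WRITABLE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\(?:Local\\Temp|Roaming)\\", re.IGNORECASE)
STARTUP_DIR = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
AUTORUN_ROOT = re.compile(r"^[A-Za-z]:\\autorun\.inf$", re.IGNORECASE)

# Constructed sample events modelled on the process tree and file IoCs above.
EVENTS = [
    {"type": "process", "pid": 2996, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\start.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\start.exe"'},
    {"type": "process", "pid": 2560, "ppid": 2996,
     "image": r"C:\Users\Admin\AppData\Local\Temp\server.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\server.exe"'},
    {"type": "file", "pid": 2560,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe"},
    {"type": "file", "pid": 2560, "path": r"C:\autorun.inf"},
    {"type": "file", "pid": 2560, "path": r"F:\autorun.inf"},
    {"type": "process", "pid": 2612, "ppid": 2560,
     "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE'},
    # Benign control (invented): an installer opens a rule for a Program Files
    # binary using the modern advfirewall syntax. Must not alert.
    {"type": "process", "pid": 4100, "ppid": 4000,
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="App" dir=in action=allow program="C:\Program Files\App\app.exe"'},
]


def tokenize(cmdline):
    """Windows-style split: whitespace separates, double quotes group."""
    return [t.replace('"', "") for t in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmdline)]


def firewall_allow_target(cmdline):
    """Program path a netsh command exempts from the firewall, or None.
    Handles the legacy 'netsh firewall add allowedprogram <path> ...' form
    used by this sample and the 'netsh advfirewall ... program=<path>' form."""
    toks = tokenize(cmdline)
    if not toks or toks[0].rsplit("\\", 1)[-1].lower() not in ("netsh", "netsh.exe"):
        return None
    low = [t.lower() for t in toks]
    if low[1:4] == ["firewall", "add", "allowedprogram"] and len(toks) > 4:
        return toks[4]
    if "advfirewall" in low and "add" in low:
        for t in toks:
            if t.lower().startswith("program="):
                return t.split("=", 1)[1]
    return None


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def analyse(events):
    """Return one Alert per matching event, in event order."""
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    alerts = []
    for e in events:
        if e["type"] == "process":
            target = firewall_allow_target(e.get("cmdline", ""))
            parent = images.get(e.get("ppid"), "")
            # Whitelisting a binary in Temp/Roaming, or doing so from a parent
            # that itself runs from there, is the pattern in this report.
            if target and (USER_WRITABLE.match(target) or USER_WRITABLE.match(parent)):
                alerts.append(Alert("firewall_allow_user_writable", e["pid"], target))
        else:
            writer = images.get(e["pid"], "")
            if STARTUP_DIR.search(e["path"]) and USER_WRITABLE.match(writer):
                alerts.append(Alert("startup_drop_from_user_writable", e["pid"], e["path"]))
            if AUTORUN_ROOT.match(e["path"]):
                alerts.append(Alert("autorun_inf_at_drive_root", e["pid"], e["path"]))
    return alerts


if __name__ == "__main__":
    for a in analyse(EVENTS):
        print(f"{a.rule:32} pid={a.pid} {a.detail}")
```

Run against the constructed events this yields four alerts (one Startup drop, two autorun.inf drops, one firewall exemption) and none for the control event. The firewall rule keys on the whitelisted path and on the parent's image rather than on the `netsh firewall` string alone, since the legacy context is still used by legitimate scripts on Windows 7; tune USER_WRITABLE to the directories your estate actually treats as untrusted.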
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 41KB
  MD5: 894fb42e2eb6e43158ff6e5d7458e010
  SHA1: f2738a56c022985c2e64cde59cb2124d3b71e58b
  SHA256: b348604355c49691b1e6c418c85ac46bb503069bdc995bbd0b9bc36986c85f5b
  SHA512: cc63bb26652d876e47ea5dcbfa37fdd6e1c90d791b7ed93863058b2fd93879b8292f132a17fe0ff7eb8464868d7c05f73a548a0b22151eeb660554709fb7346c
- Filesize: 93KB (same hashes as the submitted start.exe)
  MD5: 937286297fbc003e6a69fdc0f02ce8b0
  SHA1: 2ebd595bbb357264649f17f8b066941f05befefb
  SHA256: 35b46563f4d1ef02e7e2a315df8bbf0f8c2e49803856af0cf1418ea19fba58cf
  SHA512: 9c26792ef5102c7215afae12264e2eca6c2a0f9ed67d9b84918b720f4ca81b5fa2cdb59a28f4089e25abb93243a3d90e98d45dda9862286e2e074708eaf405f4
- Filesize: 90KB
  MD5: 7ebb9bb5335f2acdec954fa52a5337fa
  SHA1: a61ffdb339dd076ceb51fa8aba498d4b6c63974a
  SHA256: 8bac326bef9044a44f45de5cfcb94584e2a3e66d229019cc64e7b087b9deb51d
  SHA512: ae5958ff3970063248a97e732c1963a949d0effc3006a0b8520d568035d64bcf7964c7d60a6afefeea41895a86d5ab503f0e45b9f90253fbaa906ebb19690c35
- Filesize: 5B
  MD5: 69cf10399d0d1350c3698099796624cb
  SHA1: d0b58b76ff065f51172971853a7da414286d9ea7
  SHA256: a7bff94c7cdef50b67a3bab142ebcec4d360491e339581c41f433fec6d002f48
  SHA512: 5e1c9745b2b529c026e51fbff7fd4e1e0bd208c705b7da830459758d28c01b32b9bc93caa7ad60228d3e785784023d8a739fda0dab62d3c76770ea84c257f1f7