Analysis
max time kernel: 149s
max time network: 153s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 18/01/2024, 06:09
Behavioral task: behavioral1
Sample: 7c4da1ee111a7d7a9e5330c320ab947e1750b261f10752544d554745b266f319.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: 7c4da1ee111a7d7a9e5330c320ab947e1750b261f10752544d554745b266f319.exe
Resource: win10v2004-20231222-en
General
Target: 7c4da1ee111a7d7a9e5330c320ab947e1750b261f10752544d554745b266f319.exe
Size: 93KB
MD5: 36b911da6d9248ad4b683901b0460612
SHA1: 02b48d75fea67a4cbcea96857f82d220aff9782a
SHA256: 7c4da1ee111a7d7a9e5330c320ab947e1750b261f10752544d554745b266f319
SHA512: 7c284d23072ee1064ba88964c6ba974b7f307df8d4a7d569b89d1ae271c0c2b054afe468abceb53f987482e85fd7ee73d8443ad8343c3b71ccdd2025ad9c9f92
SSDEEP: 1536:vCwC+xhUa9urgOBPRNvM4jEwzGi1dDLDogS:vCmUa9urgObdGi1dbR
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: HacKed
C2: hakim32.ddns.net:2000
C2: fallenvrsdo7ne.ddns.net:1177
Mutex: a22a0a6dceeda228b546e36a480dbdfb
Attributes
reg_key: a22a0a6dceeda228b546e36a480dbdfb
splitter: |'|'|
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
  pid / Process
  2736 netsh.exe
- Drops startup file (4 IoCs)
  description / ioc / Process
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a22a0a6dceeda228b546e36a480dbdfbWindows Update.exe / server.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a22a0a6dceeda228b546e36a480dbdfbWindows Update.exe / server.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe / server.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe / server.exe
- Executes dropped EXE (1 IoCs)
  pid / Process
  2776 server.exe
- Loads dropped DLL (2 IoCs)
  pid / Process
  2880 7c4da1ee111a7d7a9e5330c320ab947e1750b261f10752544d554745b266f319.exe
  2880 7c4da1ee111a7d7a9e5330c320ab947e1750b261f10752544d554745b266f319.exe
- Drops file in System32 directory (2 IoCs)
  description / ioc / Process
  File created: C:\Windows\SysWOW64\Explower.exe / server.exe
  File opened for modification: C:\Windows\SysWOW64\Explower.exe / server.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid / Process
  2776 server.exe
- Suspicious use of AdjustPrivilegeToken (37 IoCs)
  description / pid / Process
  Token: SeDebugPrivilege / 2776 / server.exe
  Token: 33 / 2776 / server.exe (18 occurrences, alternating with the entry below)
  Token: SeIncBasePriorityPrivilege / 2776 / server.exe (18 occurrences)
- Suspicious use of WriteProcessMemory (8 IoCs)
  description / pid / Process / procid_target
  PID 2880 wrote to memory of 2776 / 2880 / 7c4da1ee111a7d7a9e5330c320ab947e1750b261f10752544d554745b266f319.exe / 28 (4 occurrences)
  PID 2776 wrote to memory of 2736 / 2776 / server.exe / 29 (4 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\7c4da1ee111a7d7a9e5330c320ab947e1750b261f10752544d554745b266f319.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7c4da1ee111a7d7a9e5330c320ab947e1750b261f10752544d554745b266f319.exe"
   PID: 2880
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\server.exe (child of PID 2880)
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      PID: 2776
      - Drops startup file
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (child of PID 2776)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
         PID: 2736
         - Modifies Windows Firewall
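The process tree above is a compact detection story: an executable in %TEMP% launches a second executable in %TEMP%, which drops copies into the user's Startup folder and SysWOW64, spawns netsh to punch a firewall exception for itself, and resolves the configured DDNS C2 hosts. The script below is an added example, not part of the tria.ge report or of the sample, showing how that chain can be hunted over Sysmon-style telemetry. The event dictionaries and their field names (type, pid, image, parent_image, cmdline, target, query) are constructed here to mirror the report's process tree, IoC tables and extracted config; real Sysmon or EDR records use different field names, so map them before running this against live data.

```python
"""Hunt for the behaviour chain in this report over constructed Sysmon-style events.

Added example, not part of the tria.ge report. The events below are constructed
to mirror the report's process tree, dropped files and C2 hosts; field names are
assumptions and must be mapped to your telemetry schema.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List

# Indicators lifted from the report's extracted njRAT config and IoC tables.
C2_HOSTS = {"hakim32.ddns.net", "fallenvrsdo7ne.ddns.net"}
MUTEX = "a22a0a6dceeda228b546e36a480dbdfb"

# Locations a standard user can write to, where every dropper in this chain lives.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\(local\\temp|roaming)\\", re.I)
STARTUP_DIR = re.compile(r"\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\", re.I)
SYSTEM_DIR = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.I)
# Legacy 'netsh firewall' syntax used by this sample, plus the newer advfirewall form.
NETSH_ALLOW = re.compile(r"netsh\s+(firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def check_event(ev: Dict[str, object]) -> List[Finding]:
    """Apply the per-event rules; returns zero or more findings for one event."""
    found: List[Finding] = []
    kind = ev["type"]
    image = str(ev.get("image", ""))
    if kind == "process_create":
        cmd = str(ev.get("cmdline", ""))
        parent = str(ev.get("parent_image", ""))
        # netsh adding a firewall exception on behalf of a parent in %TEMP% / Roaming.
        if NETSH_ALLOW.search(cmd) and USER_WRITABLE.search(parent):
            found.append(Finding("firewall_exception_from_user_dir", int(ev["pid"]), cmd))
        # An executable in a user dir launching another executable in a user dir (2880 -> 2776).
        if USER_WRITABLE.search(image) and USER_WRITABLE.search(parent):
            found.append(Finding("user_dir_exe_spawns_user_dir_exe", int(ev["pid"]), image))
    elif kind == "file_create":
        target = str(ev.get("target", ""))
        if USER_WRITABLE.search(image):
            if STARTUP_DIR.search(target):
                found.append(Finding("startup_drop_from_user_dir", int(ev["pid"]), target))
            if SYSTEM_DIR.search(target):
                found.append(Finding("system_dir_drop_from_user_dir", int(ev["pid"]), target))
        # The sample reuses its mutex / reg_key value as a filename prefix.
        if MUTEX.lower() in target.lower():
            found.append(Finding("mutex_named_artifact", int(ev["pid"]), target))
    elif kind == "dns_query":
        query = str(ev.get("query", "")).lower().rstrip(".")
        if query in C2_HOSTS:
            found.append(Finding("known_c2_dns", int(ev["pid"]), query))
    return found


def hunt(events: List[Dict[str, object]]) -> List[Finding]:
    """Run every rule over every event, preserving event order."""
    return [f for ev in events for f in check_event(ev)]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule name."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7c4da1ee111a7d7a9e5330c320ab947e1750b261f10752544d554745b266f319.exe"
SERVER = r"C:\Users\Admin\AppData\Local\Temp\server.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed events mirroring the report's process tree; the last one is benign admin use of netsh.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"type": "process_create", "pid": 2880, "image": SAMPLE, "parent_image": r"C:\Windows\explorer.exe", "cmdline": f'"{SAMPLE}"'},
    {"type": "process_create", "pid": 2776, "image": SERVER, "parent_image": SAMPLE, "cmdline": f'"{SERVER}"'},
    {"type": "file_create", "pid": 2776, "image": SERVER, "target": STARTUP + "\\" + MUTEX + "Windows Update.exe"},
    {"type": "file_create", "pid": 2776, "image": SERVER, "target": r"C:\Windows\SysWOW64\Explower.exe"},
    {"type": "process_create", "pid": 2736, "image": r"C:\Windows\SysWOW64\netsh.exe", "parent_image": SERVER,
     "cmdline": f'netsh firewall add allowedprogram "{SERVER}" "server.exe" ENABLE'},
    {"type": "dns_query", "pid": 2776, "query": "hakim32.ddns.net"},
    {"type": "process_create", "pid": 4000, "image": r"C:\Windows\System32\netsh.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "netsh interface show interface"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.rule:34} pid={f.pid} {f.detail}")
```

The rules are deliberately behavioural rather than hash-based: the mutex and C2 hosts are specific to this build, but "executable in %TEMP% spawns netsh to allow itself through the firewall" and "process in a user-writable directory writes to the Startup folder or SysWOW64" will fire on the next njRAT build with a different hash. The benign netsh event is there to show that the firewall rule keys on the add-exception verbs and the parent's location, not on netsh itself.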
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  Filesize: 5B
  MD5: 410c3c7c3e0376e2f9b228980b58d042
  SHA1: 3aec3fa12cd88edca90fdc72a0d25cd071dc2052
  SHA256: 5c272042cede2596555e6b6f2c36857b015ccab9f34affbc63d6b000ccd08391
  SHA512: 2a1e382b045d59580271cb05b521d0c6e99772be7cd5ce38d3e5e1997a4cb9d3fe5d424a24c67383a5a2d0002d4a2194f71e1604fa9ff0199944f8cee9b26a57
- File 2 (hashes match the submitted sample)
  Filesize: 93KB
  MD5: 36b911da6d9248ad4b683901b0460612
  SHA1: 02b48d75fea67a4cbcea96857f82d220aff9782a
  SHA256: 7c4da1ee111a7d7a9e5330c320ab947e1750b261f10752544d554745b266f319
  SHA512: 7c284d23072ee1064ba88964c6ba974b7f307df8d4a7d569b89d1ae271c0c2b054afe468abceb53f987482e85fd7ee73d8443ad8343c3b71ccdd2025ad9c9f92