Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 149s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 18/01/2024, 07:57
Behavioral task: behavioral1
- Sample: 64e03ce9d4db10ad22af9fdecf8e750b.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 64e03ce9d4db10ad22af9fdecf8e750b.exe
- Resource: win10v2004-20231215-en
General
- Target: 64e03ce9d4db10ad22af9fdecf8e750b.exe
- Size: 230KB
- MD5: 64e03ce9d4db10ad22af9fdecf8e750b
- SHA1: b9fe3564b39f85feac38877320562d345fa31300
- SHA256: e9cafe0e597dea98a327b31ceb7bcf8a6a90c90d729b6709c0b8819efb53ceec
- SHA512: 815d7f97eb088e3dee422b1fdf7ad9fae6796ad1d7648c46942610d48074042d7d6ea2073ca6d65df86d91b6b8e16c5d03d90a042272c5ea74783f3e62c69ec1
- SSDEEP: 1536:e/gDBnYi9bV1BZV0CbD/csMunng0P5JkcrOGEoUjMJC:e4ZYi9bV1BZV0C3csjnbJkoVBUg8
Malware Config
Extracted
- Family: njrat
- Version: v2.0
- Botnet: HacKed
- C2: 79.224.89.201:5552
- Mutex: Windows
- Attributes:
  - reg_key: Windows
  - splitter: |-F-|
Signatures
- Drops startup file (4 IoCs)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe (Process: Payload.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe (Process: Payload.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk (Process: 64e03ce9d4db10ad22af9fdecf8e750b.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk (Process: Payload.exe)
- Executes dropped EXE (1 IoC)
  - PID 2440: Payload.exe
- Loads dropped DLL (1 IoC)
  - PID 2332: 64e03ce9d4db10ad22af9fdecf8e750b.exe
- Adds Run key to start application (2 TTPs, 5 IoCs)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (Process: Payload.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (Process: Payload.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe" (Process: 64e03ce9d4db10ad22af9fdecf8e750b.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (Process: Payload.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (Process: Payload.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  - Token: SeDebugPrivilege (PID 2440, Payload.exe)
  - Token: 33 (PID 2440, Payload.exe), 16 occurrences, alternating with:
  - Token: SeIncBasePriorityPrivilege (PID 2440, Payload.exe), 16 occurrences
- Suspicious use of WriteProcessMemory (8 IoCs)
  - PID 2332 wrote to memory of 2440 (Process: 64e03ce9d4db10ad22af9fdecf8e750b.exe, procid_target 28), 4 occurrences
  - PID 2332 wrote to memory of 2620 (Process: 64e03ce9d4db10ad22af9fdecf8e750b.exe, procid_target 29), 4 occurrences
- Views/modifies file attributes (1 TTP, 1 IoC)
  - PID 2620: attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\64e03ce9d4db10ad22af9fdecf8e750b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\64e03ce9d4db10ad22af9fdecf8e750b.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 2332
  - C:\Users\Admin\AppData\Local\Temp\Payload.exe (child of PID 2332)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID: 2440
  - C:\Windows\SysWOW64\attrib.exe (child of PID 2332)
    Command line: attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
    - Views/modifies file attributes
    PID: 2620
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 406cb5d8884554b910ec2985051e04b9
  SHA1: 6c2caa778ff91890041c687a8f0d7bfb3496c72d
  SHA256: 6f65ea8e387ca72e00d035cd0c38570a196414187ff069577491764e1f601bd1
  SHA512: 2f8418c76878a6e1dec7fe2ce4e7f47734cd01e9a8c812995263e5f57a67adc4761923a2c00a9cffecec73b2080e8f03c6fcd07d6d18b5c0154cd2542f02a182
- Filesize: 1018B
  MD5: 7cbc2d82c4f90ff978979a21634aa85e
  SHA1: cc595afa4a2f17360b23218aa002e3e31e29b408
  SHA256: 21f7e2b15bbe313f5bb49f27e5a11296c63cf26c625e2da423b1e18df0bbb5a0
  SHA512: 3c11f0c560084e7e85183a0d28463308ce9df197616c36b1a6d912657364e9f83730c82b94673c8bab4130c26c417ff668b3a19abccfb360855d2d374ed8ddff
- Filesize: 230KB
  MD5: 64e03ce9d4db10ad22af9fdecf8e750b
  SHA1: b9fe3564b39f85feac38877320562d345fa31300
  SHA256: e9cafe0e597dea98a327b31ceb7bcf8a6a90c90d729b6709c0b8819efb53ceec
  SHA512: 815d7f97eb088e3dee422b1fdf7ad9fae6796ad1d7648c46942610d48074042d7d6ea2073ca6d65df86d91b6b8e16c5d03d90a042272c5ea74783f3e62c69ec1