Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
18/01/2024, 14:53
Behavioral task
behavioral1
Sample
start.exe
Resource
win7-20231215-en
General
-
Target
start.exe
-
Size
93KB
-
MD5
937286297fbc003e6a69fdc0f02ce8b0
-
SHA1
2ebd595bbb357264649f17f8b066941f05befefb
-
SHA256
35b46563f4d1ef02e7e2a315df8bbf0f8c2e49803856af0cf1418ea19fba58cf
-
SHA512
9c26792ef5102c7215afae12264e2eca6c2a0f9ed67d9b84918b720f4ca81b5fa2cdb59a28f4089e25abb93243a3d90e98d45dda9862286e2e074708eaf405f4
-
SSDEEP
1536:t8NBNvGfr2p4dTc/hDjEwzGi1dDmD4gS:t8Yfr2p4dI/Gi1dwh
Malware Config
Extracted
njrat
0.7d
HacKed
hakim32.ddns.net:2000
dead-reviewer.gl.at.ply.gg:60161
60742add55fe12a61a5fe6a3cf32e5c0
-
reg_key
60742add55fe12a61a5fe6a3cf32e5c0
-
splitter
|'|'|
Signatures
-
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 3052 netsh.exe -
Drops startup file 6 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\60742add55fe12a61a5fe6a3cf32e5c0Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\60742add55fe12a61a5fe6a3cf32e5c0Windows Update.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe server.exe -
Executes dropped EXE 1 IoCs
pid Process 2448 server.exe -
Loads dropped DLL 2 IoCs
pid Process 1944 start.exe 1944 start.exe -
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File created C:\autorun.inf server.exe File opened for modification C:\autorun.inf server.exe File created F:\autorun.inf server.exe File opened for modification F:\autorun.inf server.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe File created C:\Windows\SysWOW64\Explower.exe server.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Explower.exe server.exe File created C:\Program Files (x86)\Explower.exe server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe 2448 server.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2448 server.exe -
Suspicious use of AdjustPrivilegeToken 37 IoCs
description pid Process Token: SeDebugPrivilege 2448 server.exe Token: 33 2448 server.exe Token: SeIncBasePriorityPrivilege 2448 server.exe Token: 33 2448 server.exe Token: SeIncBasePriorityPrivilege 2448 server.exe Token: 33 2448 server.exe Token: SeIncBasePriorityPrivilege 2448 server.exe Token: 33 2448 server.exe Token: SeIncBasePriorityPrivilege 2448 server.exe Token: 33 2448 server.exe Token: SeIncBasePriorityPrivilege 2448 server.exe Token: 33 2448 server.exe Token: SeIncBasePriorityPrivilege 2448 server.exe Token: 33 2448 server.exe Token: SeIncBasePriorityPrivilege 2448 server.exe Token: 33 2448 server.exe Token: SeIncBasePriorityPrivilege 2448 server.exe Token: 33 2448 server.exe Token: SeIncBasePriorityPrivilege 2448 server.exe Token: 33 2448 server.exe Token: SeIncBasePriorityPrivilege 2448 server.exe Token: 33 2448 server.exe Token: SeIncBasePriorityPrivilege 2448 server.exe Token: 33 2448 server.exe Token: SeIncBasePriorityPrivilege 2448 server.exe Token: 33 2448 server.exe Token: SeIncBasePriorityPrivilege 2448 server.exe Token: 33 2448 server.exe Token: SeIncBasePriorityPrivilege 2448 server.exe Token: 33 2448 server.exe Token: SeIncBasePriorityPrivilege 2448 server.exe Token: 33 2448 server.exe Token: SeIncBasePriorityPrivilege 2448 server.exe Token: 33 2448 server.exe Token: SeIncBasePriorityPrivilege 2448 server.exe Token: 33 2448 server.exe Token: SeIncBasePriorityPrivilege 2448 server.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1944 wrote to memory of 2448 1944 start.exe 28 PID 1944 wrote to memory of 2448 1944 start.exe 28 PID 1944 wrote to memory of 2448 1944 start.exe 28 PID 1944 wrote to memory of 2448 1944 start.exe 28 PID 2448 wrote to memory of 3052 2448 server.exe 30 PID 2448 wrote to memory of 3052 2448 server.exe 30 PID 2448 wrote to memory of 3052 2448 server.exe 30 PID 2448 wrote to memory of 3052 2448 server.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\start.exe"C:\Users\Admin\AppData\Local\Temp\start.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
PID:3052
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5B
MD5410c3c7c3e0376e2f9b228980b58d042
SHA13aec3fa12cd88edca90fdc72a0d25cd071dc2052
SHA2565c272042cede2596555e6b6f2c36857b015ccab9f34affbc63d6b000ccd08391
SHA5122a1e382b045d59580271cb05b521d0c6e99772be7cd5ce38d3e5e1997a4cb9d3fe5d424a24c67383a5a2d0002d4a2194f71e1604fa9ff0199944f8cee9b26a57
-
Filesize
93KB
MD5937286297fbc003e6a69fdc0f02ce8b0
SHA12ebd595bbb357264649f17f8b066941f05befefb
SHA25635b46563f4d1ef02e7e2a315df8bbf0f8c2e49803856af0cf1418ea19fba58cf
SHA5129c26792ef5102c7215afae12264e2eca6c2a0f9ed67d9b84918b720f4ca81b5fa2cdb59a28f4089e25abb93243a3d90e98d45dda9862286e2e074708eaf405f4