Analysis
- max time kernel: 149s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 19/01/2024, 05:42
Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample: MOhui.exe, resource: win7-20231215-en)
- Behavioral task: behavioral2 (sample: MOhui.exe, resource: win10v2004-20231215-en)
General
- Target: MOhui.exe
- Size: 208KB
- MD5: 5791a91914003e2092f958a30f477fee
- SHA1: 91610dd4e2ba51be830f1cc576c51f0c5b8e76ce
- SHA256: ec5aafc513b950544018cfc4b2bebdf7f7edbb09783f76027f28fcf56c4b6433
- SHA512: dccce72364adbad71685b0170ec253af45e8e13dcceb93a53316373cc7b37a77754f5909b785fd38883d91f4988230ae4ce35a3381bc43dcd6b372086bc6e797
- SSDEEP: 3072:eg2XPv0WW+nz9NgNg8gt72gnTDyuJAweOqiHCKgcmKq/Ybrgl+xbGlSDxajDM1iT:egOMWhPyg8gFXTJFxu4kYoUL18l4
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Campaign ID: HacKed
- C2: 127.0.0.1:5552
- 162f71f7ffbaf34cff578886b8650868 (field unlabelled on the page; on the assumption that it is the njRAT mutex, which njRAT reuses as its Run key value name)
- reg_key: 162f71f7ffbaf34cff578886b8650868
- splitter: |'|'|
Signatures
Modifies Windows Firewall (1 TTP, 1 IoC)
- PID 2704, Process: netsh.exe

Executes dropped EXE (1 IoC)
- PID 2816, Process: uhyhher.exe

Loads dropped DLL (2 IoCs)
- PID 2136, Process: MOhui.exe
- PID 1092, Process: Process not Found

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\162f71f7ffbaf34cff578886b8650868 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\uhyhher.exe\" .." (Process: uhyhher.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\162f71f7ffbaf34cff578886b8650868 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\uhyhher.exe\" .." (Process: uhyhher.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (31 IoCs)
- Token: SeDebugPrivilege, PID 2816, Process: uhyhher.exe
- The remaining 30 entries alternate Token: 33 and Token: SeIncBasePriorityPrivilege (15 of each), all PID 2816, Process: uhyhher.exe

Suspicious use of WriteProcessMemory (6 IoCs)
- PID 2136 wrote to memory of 2816 (pid 2136, Process: MOhui.exe, procid_target 28), recorded 3 times
- PID 2816 wrote to memory of 2704 (pid 2816, Process: uhyhher.exe, procid_target 29), recorded 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\MOhui.exe (command line: "C:\Users\Admin\AppData\Local\Temp\MOhui.exe"), PID:2136
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Local\Temp\uhyhher.exe (command line: "C:\Users\Admin\AppData\Local\Temp\uhyhher.exe"), PID:2816
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - child: C:\Windows\system32\netsh.exe (command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\uhyhher.exe" "uhyhher.exe" ENABLE), PID:2704
      - Modifies Windows Firewall
Network
No network events are recorded on this page; the extracted C2 address 127.0.0.1:5552 is the loopback interface, so no outbound beaconing is expected from this configuration.

MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)