Analysis
max time kernel: 149s
max time network: 118s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 19/01/2024, 14:17
Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: 67d5346f47c6927f7b22b4560831fd6d.exe
  Resource: win7-20231129-en
  4 signatures, 150 seconds
General
Target: 67d5346f47c6927f7b22b4560831fd6d.exe
Size: 136KB
MD5: 67d5346f47c6927f7b22b4560831fd6d
SHA1: 3dd01251cd5ee426e0d1eff682ebd4720c685180
SHA256: 6d79c019dde6ccdaf4268fa7a66920ed20e34136dc50ea1a438cd032c7005f13
SHA512: 0e6bdf51e3cdf22e2aaebcdcd38939bf040f3a3c3eb1791b0b7908cfdca56c60150ca096170bf502bdcab2f31df1095a1a2dafaa91b44da34446d1fbc296017a
SSDEEP: 3072:th6lMeXeoMWZtBDKeH4sgETh6lMeXeoMWZtBDKeH4ss:thmHORWZvKW4CThmHORWZvKW4
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: HacKed
C2: 127.0.0.1:5552
Mutex: 165d6ed988ac1dbec1627a1ca9899d84
Attributes
  reg_key: 165d6ed988ac1dbec1627a1ca9899d84
  splitter: |'|'|
Signatures

Modifies Windows Firewall (1 TTPs, 1 IoCs)
pid  | Process
2744 | netsh.exe

Suspicious use of AdjustPrivilegeToken (37 IoCs)
description                       | pid  | Process
Token: SeDebugPrivilege           | 2216 | 67d5346f47c6927f7b22b4560831fd6d.exe
Token: 33                         | 2216 | 67d5346f47c6927f7b22b4560831fd6d.exe
Token: SeIncBasePriorityPrivilege | 2216 | 67d5346f47c6927f7b22b4560831fd6d.exe
(the last two rows alternate and are repeated 18 times each in the report, giving the 37 entries)

Suspicious use of WriteProcessMemory (3 IoCs)
description                      | pid  | Process                              | procid_target
PID 2216 wrote to memory of 2744 | 2216 | 67d5346f47c6927f7b22b4560831fd6d.exe | 28
PID 2216 wrote to memory of 2744 | 2216 | 67d5346f47c6927f7b22b4560831fd6d.exe | 28
PID 2216 wrote to memory of 2744 | 2216 | 67d5346f47c6927f7b22b4560831fd6d.exe | 28
Processes

1. C:\Users\Admin\AppData\Local\Temp\67d5346f47c6927f7b22b4560831fd6d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\67d5346f47c6927f7b22b4560831fd6d.exe"
   PID: 2216
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\67d5346f47c6927f7b22b4560831fd6d.exe" "67d5346f47c6927f7b22b4560831fd6d.exe" ENABLE
      PID: 2744
      - Modifies Windows Firewall