Analysis
- max time kernel: 139s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/01/2024, 20:39
Behavioral task
behavioral1
- Sample: 6896d048d27bea80e2cdbbbbe4defb2a.exe
- Resource: win7-20231129-en
General
- Target: 6896d048d27bea80e2cdbbbbe4defb2a.exe
- Size: 212KB
- MD5: 6896d048d27bea80e2cdbbbbe4defb2a
- SHA1: 0c24a7442ea00f66c69bfd9a0117c4e146b81f12
- SHA256: 15f9b67ecfda417a32f745831479c6e6707c9383a76fee7688f1250927a9e698
- SHA512: d2fce1a65d8feca888a4f5a519855979c9c26b237552651b19e3de3d841d773bb5dc0a29ad96a3ba9cbf7b3fd97ad5a5796de28834f2da0ec6d3995ca3a2923f
- SSDEEP: 3072:MJacj8v7wQ+ZGx7w8wjjP8I1IU8RjrzzvUWAOZjfKdLtY7:MJPgv7wJZ87wBjYI1IUwrIOZya7
Malware Config
Extracted
njrat
0.6.4
Hacked
abdo95.ddns.net:1177
ed6e2bf930f6d35b3ac57c049d10ac2c
- reg_key: ed6e2bf930f6d35b3ac57c049d10ac2c
- splitter: |'|'|
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | test.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  4520 | test.exe
  3100 | Explorer.exe
- resource | yara_rule
  behavioral2/memory/3944-0-0x0000000000400000-0x0000000000498000-memory.dmp | upx
  behavioral2/memory/3944-5-0x0000000000400000-0x0000000000498000-memory.dmp | upx
  behavioral2/memory/3944-24-0x0000000000400000-0x0000000000498000-memory.dmp | upx
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 3944 wrote to memory of 892 | 3944 | 6896d048d27bea80e2cdbbbbe4defb2a.exe | 89
  PID 3944 wrote to memory of 892 | 3944 | 6896d048d27bea80e2cdbbbbe4defb2a.exe | 89
  PID 3944 wrote to memory of 892 | 3944 | 6896d048d27bea80e2cdbbbbe4defb2a.exe | 89
  PID 892 wrote to memory of 4520 | 892 | cmd.exe | 90
  PID 892 wrote to memory of 4520 | 892 | cmd.exe | 90
  PID 892 wrote to memory of 4520 | 892 | cmd.exe | 90
  PID 4520 wrote to memory of 3100 | 4520 | test.exe | 92
  PID 4520 wrote to memory of 3100 | 4520 | test.exe | 92
  PID 4520 wrote to memory of 3100 | 4520 | test.exe | 92
Processes
1. C:\Users\Admin\AppData\Local\Temp\6896d048d27bea80e2cdbbbbe4defb2a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6896d048d27bea80e2cdbbbbe4defb2a.exe"
   - Suspicious use of WriteProcessMemory
   PID: 3944
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c test.exe
      - Suspicious use of WriteProcessMemory
      PID: 892
      3. C:\Users\Admin\AppData\Local\Temp\test.exe
         Command line: test.exe
         - Checks computer location settings
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         PID: 4520
         4. C:\Users\Admin\AppData\Local\Temp\Explorer.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\Explorer.exe"
            - Executes dropped EXE
            PID: 3100
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 29KB
- MD5: fc42513e45503d510fb011bbb309e51e
- SHA1: e9741466f6e68dadb9e874f12d5b62fe14693741
- SHA256: 766240fd9026a04e4a7f20240f699133eef24a969e242afdd471ad0a179cefe3
- SHA512: 0f2a88f96a8a47abe062ccca986d2b3d98310374629c9067b19dbfeb73f23ba411b3ca5ae3877684770fb2d25947305b42c38a913a329e6220de6cd5d539a8ca