Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 20/01/2024, 04:38
Static task: static1
Behavioral task: behavioral1
- Sample: 69817c6819e95aaf0298bec8e390c45e.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 69817c6819e95aaf0298bec8e390c45e.exe
- Resource: win10v2004-20231215-en
General
- Target: 69817c6819e95aaf0298bec8e390c45e.exe
- Size: 184KB
- MD5: 69817c6819e95aaf0298bec8e390c45e
- SHA1: b159473871a1a2ea82af6938fbd5bb96e4e59929
- SHA256: 504120144c29d628d287057fb3ef914ba89b3672c7638af5a104771843a4913f
- SHA512: c449e5ebe9748649cfc3cf54ab68af670d88a7ca49062a7832c80959dfee995805c26b64e54b2b5e0002a81c1b5b390e42cafc3b3a59a17ed9acfedcd31b6bc1
- SSDEEP: 768:xQPeqA6136p6Zr/GH9lOQup0RPxGOHI5QgDgW+GTX3QOF711zNxJl4R:xQGqhKurglfup0jdgDgJ4HQOD1pxJa
Malware Config
Extracted
- Family: njrat
- Version: v2.0
- Botnet: HacKed
- C2: error404.linkpc.net:1177
- Mutex: Windows
- reg_key: Windows
- splitter: |-F-|
Signatures

Drops startup file (5 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk (process: 69817c6819e95aaf0298bec8e390c45e.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk (process: Server.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe (process: Server.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe (process: Server.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe (process: attrib.exe)

Executes dropped EXE (1 IoC)
- PID 2916: Server.exe

Loads dropped DLL (1 IoC)
- PID 2512: 69817c6819e95aaf0298bec8e390c45e.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (process: Server.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (process: Server.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (process: Server.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\ProgramData\\Server.exe" (process: 69817c6819e95aaf0298bec8e390c45e.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (process: Server.exe)

Enumerates physical storage devices (1 TTP)
- Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (33 IoCs)
- Token: SeDebugPrivilege (PID 2916, Server.exe)
- Token: 33 followed by Token: SeIncBasePriorityPrivilege, the pair repeated 16 times (PID 2916, Server.exe)

Suspicious use of WriteProcessMemory (16 IoCs)
- PID 2512 (69817c6819e95aaf0298bec8e390c45e.exe) wrote to memory of PID 2916, procid_target 28 (4 occurrences)
- PID 2512 (69817c6819e95aaf0298bec8e390c45e.exe) wrote to memory of PID 2128, procid_target 29 (4 occurrences)
- PID 2916 (Server.exe) wrote to memory of PID 2616, procid_target 31 (4 occurrences)
- PID 2916 (Server.exe) wrote to memory of PID 2760, procid_target 34 (4 occurrences)

Views/modifies file attributes (1 TTP, 3 IoCs)
- PID 2128: attrib.exe
- PID 2616: attrib.exe
- PID 2760: attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\69817c6819e95aaf0298bec8e390c45e.exe (PID 2512)
  Command line: "C:\Users\Admin\AppData\Local\Temp\69817c6819e95aaf0298bec8e390c45e.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\Server.exe (PID 2916)
    Command line: "C:\ProgramData\Server.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe (PID 2616)
      Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
      - Drops startup file
      - Views/modifies file attributes
    - C:\Windows\SysWOW64\attrib.exe (PID 2760)
      Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\attrib.exe (PID 2128)
    Command line: attrib +h +r +s "C:\ProgramData\Server.exe"
    - Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: a72d3f825b5516cf7dfe99611ff3fcac
  SHA1: e0d6bbef34026b64c4a067673dea6828ab3ba069
  SHA256: 0320bf2481016958396ed3b08c7f0dfc979802e2ff0910a465528b853c5c8aa5
  SHA512: e9279d36550a2d6866ef01545698b8b121b9beb1ad5a2070760430987359b44ae097f8aa328b9ff486c7c58e5c37dd5601e38daa462fb9ca5d0a9aabcf820e9a
- Filesize: 1022B
  MD5: 90a12727a154fc49455c961d5dc018f2
  SHA1: d89f852c112055ee01733db832dc96a5fb9d8c15
  SHA256: 79589616b2fb1ea3334af190a2a6faa8b86a62e640d2e7970769da76b20eb0c7
  SHA512: 0b5934f5d9313e11972a650c681d0e076dbd7a81fb4e5b32078ca52a71994878100cd528f8de80e11172546998591b09b1cd03e0609b2c7f91b5d3bd3840ab5f
- Filesize: 184KB
  MD5: 69817c6819e95aaf0298bec8e390c45e
  SHA1: b159473871a1a2ea82af6938fbd5bb96e4e59929
  SHA256: 504120144c29d628d287057fb3ef914ba89b3672c7638af5a104771843a4913f
  SHA512: c449e5ebe9748649cfc3cf54ab68af670d88a7ca49062a7832c80959dfee995805c26b64e54b2b5e0002a81c1b5b390e42cafc3b3a59a17ed9acfedcd31b6bc1