Analysis
- max time kernel: 151s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/01/2024, 04:38
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 69817c6819e95aaf0298bec8e390c45e.exe
  - Resource: win7-20231129-en
- Behavioral task: behavioral2
  - Sample: 69817c6819e95aaf0298bec8e390c45e.exe
  - Resource: win10v2004-20231215-en
General
- Target: 69817c6819e95aaf0298bec8e390c45e.exe
- Size: 184KB
- MD5: 69817c6819e95aaf0298bec8e390c45e
- SHA1: b159473871a1a2ea82af6938fbd5bb96e4e59929
- SHA256: 504120144c29d628d287057fb3ef914ba89b3672c7638af5a104771843a4913f
- SHA512: c449e5ebe9748649cfc3cf54ab68af670d88a7ca49062a7832c80959dfee995805c26b64e54b2b5e0002a81c1b5b390e42cafc3b3a59a17ed9acfedcd31b6bc1
- SSDEEP: 768:xQPeqA6136p6Zr/GH9lOQup0RPxGOHI5QgDgW+GTX3QOF711zNxJl4R:xQGqhKurglfup0jdgDgJ4HQOD1pxJa
Malware Config
Extracted
- Family: njrat
- Version: v2.0
- Botnet: HacKed
- C2: error404.linkpc.net:1177
- Mutex: Windows
- Attributes:
  - reg_key: Windows
  - splitter: |-F-|
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | 69817c6819e95aaf0298bec8e390c45e.exe
- Drops startup file (5 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | Server.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | Server.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | Server.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe | attrib.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | 69817c6819e95aaf0298bec8e390c45e.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  3772 | Server.exe
- Adds Run key to start application (2 TTPs, 5 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\ProgramData\\Server.exe" | 69817c6819e95aaf0298bec8e390c45e.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Server.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Server.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Server.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" | Server.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (27 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3772 | Server.exe
  Token: 33 | 3772 | Server.exe (13 times, alternating with the row below)
  Token: SeIncBasePriorityPrivilege | 3772 | Server.exe (13 times)
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 4800 wrote to memory of 3772 | 4800 | 69817c6819e95aaf0298bec8e390c45e.exe | 97 (3 times)
  PID 4800 wrote to memory of 1420 | 4800 | 69817c6819e95aaf0298bec8e390c45e.exe | 98 (3 times)
  PID 3772 wrote to memory of 2364 | 3772 | Server.exe | 101 (3 times)
  PID 3772 wrote to memory of 1340 | 3772 | Server.exe | 102 (3 times)
- Views/modifies file attributes (1 TTP, 3 IoCs)
  pid | Process
  1420 | attrib.exe
  2364 | attrib.exe
  1340 | attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\69817c6819e95aaf0298bec8e390c45e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\69817c6819e95aaf0298bec8e390c45e.exe"
  PID: 4800
  Signatures: Checks computer location settings; Drops startup file; Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\ProgramData\Server.exe
    Command line: "C:\ProgramData\Server.exe"
    PID: 3772
    Signatures: Drops startup file; Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
      PID: 2364
      Signatures: Drops startup file; Views/modifies file attributes
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
      PID: 1340
      Signatures: Views/modifies file attributes
  - C:\Windows\SysWOW64\attrib.exe
    Command line: attrib +h +r +s "C:\ProgramData\Server.exe"
    PID: 1420
    Signatures: Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 184KB
  MD5: 69817c6819e95aaf0298bec8e390c45e
  SHA1: b159473871a1a2ea82af6938fbd5bb96e4e59929
  SHA256: 504120144c29d628d287057fb3ef914ba89b3672c7638af5a104771843a4913f
  SHA512: c449e5ebe9748649cfc3cf54ab68af670d88a7ca49062a7832c80959dfee995805c26b64e54b2b5e0002a81c1b5b390e42cafc3b3a59a17ed9acfedcd31b6bc1
- Filesize: 1KB
  MD5: 371e9f5c5222743275e228f1b3d27fb1
  SHA1: 31b0a7ada0ee8c593d1f7d4b8fa3f830566a5fd6
  SHA256: 5684b6a81a92bef5cd5eb049a0e905dc99e7db95d907443f182614b9b48602f1
  SHA512: 14f203f243e9c69a3b3e1beaf8599d5cd0f18627e446a3beac78cb611bb4259ffb4c47ece4da3d3ff4ee1dd01aa379b081a3548844070d3b7312f56d22ffc78f
- Filesize: 1KB
  MD5: a0e21c3cda955b529c05da3ebc737559
  SHA1: 7cede9bd6a34b2ddb326c3733057cf76b11e3d45
  SHA256: b34c6f792079e84046ce8c2049f6f233e6c235f025770a028dfc8d57bc54af8c
  SHA512: e37365ed423d523ca996460ab7adab0a19923906413d22cccde2f1ce144ea25deef5e1a2a6d3cc8580952ebd58438f36f5eb2cb82348e1e3d126fa248d5fc18a