Analysis
- max time kernel: 153s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/01/2024, 05:39

Static task: static1
- 1 signatures

Behavioral task: behavioral1
- Sample: 69a01b31f7427a00ca421d1c5402bb39.exe
- Resource: win7-20231215-en
- 4 signatures
- 150 seconds
General
- Target: 69a01b31f7427a00ca421d1c5402bb39.exe
- Size: 14.1MB
- MD5: 69a01b31f7427a00ca421d1c5402bb39
- SHA1: cb91ab7dcda75854540b2ce4d9e256c182628933
- SHA256: 0bbffda2c769cd4b7efa369c9f4415d5b15bb2f7b09e80f580df03df7e1fd0a8
- SHA512: a82eb84f981a12415390c15375879487b48238df2996399c36de179bfb05b2430adf7c832d7897436f70407ddd9dd30fa2e6a171f81f0769dba51db80b8c97fc
- SSDEEP: 49152:WSjbBiX3D1Pdd0LblDCZUUlQXGKzIQl7RDPqzUuRTrW3ERL6YmKR7BUye5x+RnRc:
Malware Config
Extracted
- Family: njrat
- Version: im523
- Botnet: HacKed
- C2: mgoogloe.ddns.net:3055
- Mutex: 608b43860bd3442535512bd18040ddc1
- Attributes:
  - reg_key: 608b43860bd3442535512bd18040ddc1
  - splitter: |'|'|
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
  pid   Process
  3648  netsh.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  description                        pid   Process
  Token: SeDebugPrivilege            3216  69a01b31f7427a00ca421d1c5402bb39.exe
  Token: 33                          3216  69a01b31f7427a00ca421d1c5402bb39.exe
  Token: SeIncBasePriorityPrivilege  3216  69a01b31f7427a00ca421d1c5402bb39.exe
  (the Token: 33 / Token: SeIncBasePriorityPrivilege pair repeats for the same pid and process; 35 entries in total)
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process                               procid_target
  PID 3216 wrote to memory of 3648   3216  69a01b31f7427a00ca421d1c5402bb39.exe  93
  PID 3216 wrote to memory of 3648   3216  69a01b31f7427a00ca421d1c5402bb39.exe  93
  PID 3216 wrote to memory of 3648   3216  69a01b31f7427a00ca421d1c5402bb39.exe  93
Processes
- C:\Users\Admin\AppData\Local\Temp\69a01b31f7427a00ca421d1c5402bb39.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\69a01b31f7427a00ca421d1c5402bb39.exe"
  PID: 3216
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe (child of PID 3216)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\69a01b31f7427a00ca421d1c5402bb39.exe" "69a01b31f7427a00ca421d1c5402bb39.exe" ENABLE
    PID: 3648
    - Modifies Windows Firewall