Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
27s -
max time network
26s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
20/01/2024, 18:17
Behavioral task
behavioral1
Sample
celestial crack.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
celestial crack.exe
Resource
win10v2004-20231215-en
General
-
Target
celestial crack.exe
-
Size
134KB
-
MD5
3569db129cff7f9fa82809163432c4ca
-
SHA1
731902dc450523664d92dba7822f9e14d7e25293
-
SHA256
b879ee29bdb0b353e8d2e1697296af70e256fcec9e560a973b8d6360be60460c
-
SHA512
f880d5c5ffd6a8fb90fad9f0100220bce4f285ff3963c73511bf9d87effecdc96562309390aa7c1a0fb912f620c2484e25b2e0e736e1d666a13cd8f184b1dea3
-
SSDEEP
3072:xV28wLn+yJV5UKKA8foBVaM8SKfbzxcwg7es6/Vsb8VKTu:G8wqtKGgBdUhcX7elbKTu
Malware Config
Extracted
njrat
im523
HacKed
5.tcp.eu.ngrok.io:17912
d1cc93bd33e3564c2d5d5688d8b6c4a2
-
reg_key
d1cc93bd33e3564c2d5d5688d8b6c4a2
-
splitter
|'|'|
Signatures
-
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 2704 netsh.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d1cc93bd33e3564c2d5d5688d8b6c4a2.exe 77$.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d1cc93bd33e3564c2d5d5688d8b6c4a2.exe 77$.exe -
Executes dropped EXE 1 IoCs
pid Process 2144 77$.exe -
Loads dropped DLL 1 IoCs
pid Process 2032 celestial crack.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\d1cc93bd33e3564c2d5d5688d8b6c4a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\77$.exe\" .." 77$.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\d1cc93bd33e3564c2d5d5688d8b6c4a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\77$.exe\" .." 77$.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops autorun.inf file 1 TTPs 5 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification F:\autorun.inf 77$.exe File created C:\autorun.inf 77$.exe File opened for modification C:\autorun.inf 77$.exe File created D:\autorun.inf 77$.exe File created F:\autorun.inf 77$.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe 2144 77$.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 2144 77$.exe Token: 33 2144 77$.exe Token: SeIncBasePriorityPrivilege 2144 77$.exe Token: 33 2144 77$.exe Token: SeIncBasePriorityPrivilege 2144 77$.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2032 wrote to memory of 2144 2032 celestial crack.exe 28 PID 2032 wrote to memory of 2144 2032 celestial crack.exe 28 PID 2032 wrote to memory of 2144 2032 celestial crack.exe 28 PID 2032 wrote to memory of 2144 2032 celestial crack.exe 28 PID 2144 wrote to memory of 2704 2144 77$.exe 29 PID 2144 wrote to memory of 2704 2144 77$.exe 29 PID 2144 wrote to memory of 2704 2144 77$.exe 29 PID 2144 wrote to memory of 2704 2144 77$.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\celestial crack.exe"C:\Users\Admin\AppData\Local\Temp\celestial crack.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Users\Admin\AppData\Local\Temp\77$.exe"C:\Users\Admin\AppData\Local\Temp\77$.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\77$.exe" "77$.exe" ENABLE3⤵
- Modifies Windows Firewall
PID:2704
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
134KB
MD53569db129cff7f9fa82809163432c4ca
SHA1731902dc450523664d92dba7822f9e14d7e25293
SHA256b879ee29bdb0b353e8d2e1697296af70e256fcec9e560a973b8d6360be60460c
SHA512f880d5c5ffd6a8fb90fad9f0100220bce4f285ff3963c73511bf9d87effecdc96562309390aa7c1a0fb912f620c2484e25b2e0e736e1d666a13cd8f184b1dea3