Analysis

- Max time kernel: 150s
- Max time network: 146s
- Platform: windows10-2004_x64
- Resource: win10v2004-20231222-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 20/01/2024, 19:27
Behavioral tasks

| Task | Sample | Resource |
|---|---|---|
| behavioral1 | ef432c721d03728f4828aaecd2db265474fc13306b0d0f042df5025f2b4d9e2e.exe | win7-20231129-en |
| behavioral2 | ef432c721d03728f4828aaecd2db265474fc13306b0d0f042df5025f2b4d9e2e.exe | win10v2004-20231222-en |
General

- Target: ef432c721d03728f4828aaecd2db265474fc13306b0d0f042df5025f2b4d9e2e.exe
- Size: 43KB
- MD5: 1722c8695ca31163d93c6cf56f0c8530
- SHA1: aa81bc701216ec1441565275c0bfab69376757a6
- SHA256: ef432c721d03728f4828aaecd2db265474fc13306b0d0f042df5025f2b4d9e2e
- SHA512: 50830a24bb50df4db8f78522f9b4f65f689fc75d6503c1b4c8a4bb7a662e340adf3f80211523d90a4b838c1fc00d1dc01b1711ab954670b2f0ff609e9d926a1d
- SSDEEP: 384:ZZyNPzxdW/IUyNZCB5EFiLgVOcEvbl56lpzYIij+ZsNO3PlpJKkkjh/TzF7pWnt8:7oLxIghNZk5EFiLCO7bypuXQ/oQy3+L
Malware Config

Extracted configuration:

- Family: njrat
- Version: Njrat 0.7 Golden By Hassan Amiri
- Botnet: HacKed
- C2: 178.187.164.4:7777
- Mutex: Windows Update
- reg_key: Windows Update
- splitter: |Hassan|
Signatures

Checks computer location settings (2 TTPs, 1 IoC)

Looks up the country code configured in the registry, likely a geofence.

| Description | IoC | Process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | ef432c721d03728f4828aaecd2db265474fc13306b0d0f042df5025f2b4d9e2e.exe |

Drops startup file (2 IoCs)

| Description | IoC | Process |
|---|---|---|
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | Dllhost.exe |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | Dllhost.exe |

Executes dropped EXE (1 IoC)

| PID | Process |
|---|---|
| 4396 | Dllhost.exe |

Adds Run key to start application (2 TTPs, 2 IoCs)

| Description | IoC | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Windows\\Dllhost.exe\" .." | Dllhost.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Windows\\Dllhost.exe\" .." | Dllhost.exe |

Drops file in Windows directory (2 IoCs)

| Description | IoC | Process |
|---|---|---|
| File created | C:\Windows\Dllhost.exe | ef432c721d03728f4828aaecd2db265474fc13306b0d0f042df5025f2b4d9e2e.exe |
| File opened for modification | C:\Windows\Dllhost.exe | Dllhost.exe |

Enumerates physical storage devices (1 TTP)

Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)

| PID | Process |
|---|---|
| 3124 | ef432c721d03728f4828aaecd2db265474fc13306b0d0f042df5025f2b4d9e2e.exe |
| 4396 | Dllhost.exe |

Suspicious use of AdjustPrivilegeToken (35 IoCs)

All 35 entries come from PID 4396 (Dllhost.exe). The first is Token: SeDebugPrivilege; the remaining 34 alternate between Token: 33 and Token: SeIncBasePriorityPrivilege (17 pairs).

| Description | PID | Process |
|---|---|---|
| Token: SeDebugPrivilege | 4396 | Dllhost.exe |
| Token: 33 (repeated 17 times, alternating with the row below) | 4396 | Dllhost.exe |
| Token: SeIncBasePriorityPrivilege (repeated 17 times) | 4396 | Dllhost.exe |

Suspicious use of WriteProcessMemory (3 IoCs)

| Description | PID | Process | procid_target |
|---|---|---|---|
| PID 3124 wrote to memory of 4396 | 3124 | ef432c721d03728f4828aaecd2db265474fc13306b0d0f042df5025f2b4d9e2e.exe | 96 |
| PID 3124 wrote to memory of 4396 | 3124 | ef432c721d03728f4828aaecd2db265474fc13306b0d0f042df5025f2b4d9e2e.exe | 96 |
| PID 3124 wrote to memory of 4396 | 3124 | ef432c721d03728f4828aaecd2db265474fc13306b0d0f042df5025f2b4d9e2e.exe | 96 |
Processes

- C:\Users\Admin\AppData\Local\Temp\ef432c721d03728f4828aaecd2db265474fc13306b0d0f042df5025f2b4d9e2e.exe (PID 3124)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ef432c721d03728f4828aaecd2db265474fc13306b0d0f042df5025f2b4d9e2e.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\Dllhost.exe (PID 4396)
    Command line: "C:\Windows\Dllhost.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Downloads

- Filesize: 43KB
- MD5: 1722c8695ca31163d93c6cf56f0c8530
- SHA1: aa81bc701216ec1441565275c0bfab69376757a6
- SHA256: ef432c721d03728f4828aaecd2db265474fc13306b0d0f042df5025f2b4d9e2e
- SHA512: 50830a24bb50df4db8f78522f9b4f65f689fc75d6503c1b4c8a4bb7a662e340adf3f80211523d90a4b838c1fc00d1dc01b1711ab954670b2f0ff609e9d926a1d