Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/01/2024, 10:10
Static task: static1
Behavioral task: behavioral1
Sample: 6d094c28983399f4e67187df97acb68e.exe
Resource: win7-20231215-en
General
Target: 6d094c28983399f4e67187df97acb68e.exe
Size: 624KB
MD5: 6d094c28983399f4e67187df97acb68e
SHA1: 7fd102da844cc18501ba536222e4192aaa4f2f64
SHA256: 66d97c4d0bbce8d037eac53dab2c813863517a1e85fe8c06277a5bef1b6d6a7d
SHA512: e5d64676b0d85acdc3d2412b7f2dfd791c17ac13b9246602c46d7d655f85aaf243703c34c4a3233b39ee5c3f30a0340856ff716c51a4cf183ba0ae549b73d4bc
SSDEEP: 3072:tSq4n6wVOvf2cxuIMMcxuIMLb8YZCuFqa/wnHCKK8GgiY:tSqoVm2cTcY8WYRcznY
Malware Config

Extracted (URLs)
https://archive.org/download/runpe2_20210708/runpe2.iso
https://archive.org/download/runpe1_20210708/runpe1.iso

Extracted (njrat)
Family: njrat
Version: v2.0
Botnet: HacKed
C2: yytht4t444.ddns.net:2222
Mutex: Windows
Attributes:
reg_key: Windows
splitter: |-F-|
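The njrat entry above gives the campaign's C2 and its field splitter. As an added example (not code from the sample, from Triage, or from njRAT itself), here is a parser for the length-prefixed frames that public analyses document njRAT exchanging: an ASCII decimal payload length, a NUL byte, then the payload with fields joined by the splitter. That framing is assumed from those analyses; the beacon in SAMPLE_FIELDS is constructed for illustration rather than captured from this sample, and nothing here connects to the C2.

```python
"""Parse and build njRAT-style length-prefixed frames.

Added example, not code from the sample or from Triage.  Assumes the commonly
documented njRAT wire format: ASCII decimal payload length, a NUL byte, then
the payload, whose fields are joined by the campaign's splitter string (here
"|-F-|", taken from the extracted config on this page).  The field values in
SAMPLE_FIELDS are constructed for illustration.
"""
from __future__ import annotations

SPLITTER = "|-F-|"                    # from the extracted njrat config
C2 = ("yytht4t444.ddns.net", 2222)   # from the extracted config; never contacted here

# Constructed "ll" (info beacon) message in the shape njRAT clients are documented
# to send: command, victim id, hostname, user, date, "", OS, camera flag, version.
SAMPLE_FIELDS = ["ll", "HacKed_ABCDEF0123456789", "DESKTOP-1", "Admin",
                 "21-01-24", "", "Win 10 Pro", "No", "0.7d"]


def build_frame(fields: list[str], splitter: str = SPLITTER) -> bytes:
    """Encode fields as b'<len>\\x00<payload>', payload = fields joined by splitter."""
    payload = splitter.join(fields).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_frame(buf: bytes, splitter: str = SPLITTER):
    """Parse one frame from the start of buf.

    Returns (fields, bytes_consumed), or (None, 0) when the buffer does not yet
    hold a complete frame or the length prefix is malformed.
    """
    sep = buf.find(b"\x00")
    if sep <= 0 or sep > 10:          # no prefix, or an implausibly long one
        return None, 0
    head = buf[:sep]
    if not head.isdigit():            # prefix must be plain ASCII digits
        return None, 0
    length = int(head)
    start, end = sep + 1, sep + 1 + length
    if len(buf) < end:                # truncated frame: caller should read more
        return None, 0
    payload = buf[start:end].decode("utf-8", errors="replace")
    return payload.split(splitter), end


def parse_stream(buf: bytes, splitter: str = SPLITTER):
    """Parse consecutive frames from a TCP stream buffer.

    Returns (list_of_field_lists, leftover_bytes); stops at the first frame
    that is incomplete or malformed so the leftover can be fed back later.
    """
    frames, offset = [], 0
    while offset < len(buf):
        fields, consumed = parse_frame(buf[offset:], splitter)
        if fields is None:
            break
        frames.append(fields)
        offset += consumed
    return frames, buf[offset:]


if __name__ == "__main__":
    frame = build_frame(SAMPLE_FIELDS)
    # Two whole frames followed by a partial one, as a stream might deliver them.
    frames, rest = parse_stream(frame + frame + frame[:7])
    for f in frames:
        print(f"command={f[0]!r} fields={f[1:]}")
    print(f"{len(rest)} leftover byte(s) waiting for the rest of the frame")
```

Splitting on the configured splitter rather than a hard-coded one matters because njRAT builds change it per campaign; the `|-F-|` value from this config is what a network signature or a decoder for this campaign's traffic should key on, together with the `<digits>\x00` prefix.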
Signatures

Blocklisted process makes network request (2 IoCs)
flow | pid | Process
21 | 1952 | powershell.exe
23 | 1952 | powershell.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation | 6d094c28983399f4e67187df97acb68e.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation | WScript.exe

Executes dropped EXE (1 IoC)
pid | Process
5096 | cc.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 1952 set thread context of 4040 | 1952 | powershell.exe | 103

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe
Note: all three reads come from dw20.exe, the .NET Framework error-reporting shim that the runtime launches when a managed process (here cc.exe, PID 5096) hits an unhandled exception. Collecting CPU and BIOS details is part of its normal crash-report assembly, so these hits, and the BIOS reads below, are not evidence of sandbox evasion by the sample itself.

Enumerates system info in registry (2 TTPs, 2 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe

Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings | 6d094c28983399f4e67187df97acb68e.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1952 | powershell.exe (all 64 entries)

Suspicious use of AdjustPrivilegeToken (32 IoCs)
description | pid | Process | count
Token: SeBackupPrivilege | 5060 | dw20.exe | 2
Token: SeDebugPrivilege | 1952 | powershell.exe | 1
Token: SeDebugPrivilege | 4040 | MSBuild.exe | 1
Token: 33 | 4040 | MSBuild.exe | 14
Token: SeIncBasePriorityPrivilege | 4040 | MSBuild.exe | 14

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
5096 | cc.exe (2 entries)

Suspicious use of WriteProcessMemory (16 IoCs)
description | pid | Process | procid_target | count
PID 4224 wrote to memory of 5096 | 4224 | 6d094c28983399f4e67187df97acb68e.exe | 88 | 2
PID 5096 wrote to memory of 5060 | 5096 | cc.exe | 91 | 2
PID 4224 wrote to memory of 3872 | 4224 | 6d094c28983399f4e67187df97acb68e.exe | 97 | 2
PID 3872 wrote to memory of 1952 | 3872 | WScript.exe | 101 | 2
PID 1952 wrote to memory of 4040 | 1952 | powershell.exe | 103 | 8
Processes
([N] is the depth in the process tree; indentation follows parent/child.)

[1] C:\Users\Admin\AppData\Local\Temp\6d094c28983399f4e67187df97acb68e.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\6d094c28983399f4e67187df97acb68e.exe"
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 4224

    [2] C:\Users\Admin\Pictures\cc.exe
        cmdline: "C:\Users\Admin\Pictures\cc.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 5096

        [3] C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
            cmdline: dw20.exe -x -s 1172
            - Checks processor information in registry
            - Enumerates system info in registry
            - Suspicious use of AdjustPrivilegeToken
            PID: 5060

    [2] C:\Windows\System32\WScript.exe
        cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Pictures\Defender32.vbs"
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory
        PID: 3872

        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -command C:\Users\Public\Datax.ps1;
            - Blocklisted process makes network request
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 1952

            [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
                cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
                - Suspicious use of AdjustPrivilegeToken
                PID: 4040
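The tree above is the loader chain: the dropper starts cc.exe and a VBScript from the user's Pictures folder; the script launches PowerShell with -ExecutionPolicy Bypass and a hidden window to run C:\Users\Public\Datax.ps1; PowerShell then starts MSBuild.exe with no build arguments and sets its thread context, the classic RunPE/process-hollowing sequence (the extracted archive.org URLs are even named runpe1 and runpe2). The following added example, which is not part of the Triage report, rebuilds that tree from event records and flags the three behaviours a detection engineer would key on. The records are transcribed from the tree and signature tables on this page, but the dict schema ("type", "pid", "ppid", "image", "cmdline", "target_pid", "key") and the list of hollowing targets are assumptions for this example, not Triage's export format.

```python
"""Rebuild the process tree on this page and flag the loader chain.

Added example, not part of the Triage report.  EVENTS is transcribed from the
process tree and signature tables above; the dict schema ("type", "pid",
"ppid", "image", "cmdline", "target_pid", "key") is an assumption made for
this example, not Triage's export format.
"""
import re

EXE = r"C:\Users\Admin\AppData\Local\Temp\6d094c28983399f4e67187df97acb68e.exe"
GEO_KEY = (r"\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000"
           r"\Control Panel\International\Geo\Nation")

EVENTS = [  # constructed from the report; ppid 0 marks the root of the captured tree
    {"type": "process", "pid": 4224, "ppid": 0, "image": EXE, "cmdline": f'"{EXE}"'},
    {"type": "process", "pid": 5096, "ppid": 4224, "image": r"C:\Users\Admin\Pictures\cc.exe",
     "cmdline": r'"C:\Users\Admin\Pictures\cc.exe"'},
    {"type": "process", "pid": 5060, "ppid": 5096,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe",
     "cmdline": "dw20.exe -x -s 1172"},
    {"type": "process", "pid": 3872, "ppid": 4224, "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Pictures\Defender32.vbs"'},
    {"type": "process", "pid": 1952, "ppid": 3872,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'-ExecutionPolicy Bypass -windowstyle hidden -noexit -command C:\Users\Public\Datax.ps1;'},
    {"type": "process", "pid": 4040, "ppid": 1952,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"'},
    {"type": "set_thread_context", "pid": 1952, "target_pid": 4040},
    {"type": "reg_query", "pid": 4224, "key": GEO_KEY},
    {"type": "reg_query", "pid": 3872, "key": GEO_KEY},
    {"type": "reg_query", "pid": 5060,   # dw20.exe crash-report collection, not the sample
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Assumed list of .NET utilities commonly used as hollowing hosts; extend to taste.
HOLLOW_TARGETS = {"msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe",
                  "aspnet_compiler.exe"}
BYPASS_RE = re.compile(r"-e(?:p|xecutionpolicy)?\s+bypass", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def processes(events):
    """Index process-creation records by pid."""
    return {e["pid"]: e for e in events if e["type"] == "process"}


def ancestry(events, pid):
    """Image basenames from the tree root down to pid (cycle-safe)."""
    procs, chain, seen = processes(events), [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return list(reversed(chain))


def find_script_to_powershell(events):
    """PowerShell spawned by a script host with policy bypass and a hidden window."""
    procs, hits = processes(events), []
    for p in procs.values():
        if basename(p["image"]) not in {"powershell.exe", "pwsh.exe"}:
            continue
        parent = procs.get(p["ppid"])
        if (parent and basename(parent["image"]) in SCRIPT_HOSTS
                and BYPASS_RE.search(p["cmdline"]) and HIDDEN_RE.search(p["cmdline"])):
            hits.append(p["pid"])
    return hits


def find_cross_process_thread_context(events):
    """SetThreadContext on a child the caller created, where the child is a .NET host."""
    procs, hits = processes(events), []
    for e in events:
        if e["type"] != "set_thread_context":
            continue
        src, dst = procs.get(e["pid"]), procs.get(e["target_pid"])
        if (src and dst and dst["ppid"] == src["pid"]
                and basename(src["image"]) != basename(dst["image"])
                and basename(dst["image"]) in HOLLOW_TARGETS):
            hits.append((e["pid"], e["target_pid"]))
    return hits


def find_geofence(events):
    """Processes that read the Geo\\Nation country code (possible geofencing)."""
    return sorted({e["pid"] for e in events if e["type"] == "reg_query"
                   and e["key"].lower().endswith(r"\control panel\international\geo\nation")})


def analyze(events):
    """Return (rule, pid) findings; the dw20.exe processor read deliberately has no rule."""
    findings = [("script_host_to_powershell_bypass", pid) for pid in find_script_to_powershell(events)]
    findings += [("set_thread_context_into_dotnet_host", src)
                 for src, _ in find_cross_process_thread_context(events)]
    findings += [("geofence_lookup", pid) for pid in find_geofence(events)]
    return findings


if __name__ == "__main__":
    for rule, pid in analyze(EVENTS):
        print(f"{rule:40} pid={pid} chain={' > '.join(ancestry(EVENTS, pid))}")
```

The hollowing rule requires the target to be the caller's own child with a different image, which is what separates this pattern from a debugger or profiler legitimately calling SetThreadContext on a process it attached to; the processor-information reads are left without a rule on purpose, since on this page they belong to the crash reporter rather than the sample.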
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 15KB
MD5: 3e440309fcf0deb8219c7f97bfbb2141
SHA1: ac8188052c50230b10451140a4e4ae53a07aa60b
SHA256: f34dc24cdbd5dba5de9ed0cfc5c7e3ce5a504c12e6631ec2aec7cd749007b11f
SHA512: 03729f0bb30920e4d6045dce97fab5e984eca0572009bd412166376cc676a6b1336b12daf3649d53edbc9012349b54923e3cef4faed7c5d794c1aeb8228c3945

Filesize: 563KB
MD5: b3e4312db76b35663728f2ce7fae143a
SHA1: b3884a89f4ecd469ebaad3a03ff7e89145cc427b
SHA256: 68fe607aa500c33f3b69d274bcf770622594df431cd25780090f3ef5a7f75539
SHA512: 7f0a7a57385990390c949724b166c1683833150bb892881a4d7b171a970e0649a9d7206b9b2d0a88b607d16105cdd9c1dec1a761872bc17c16e559f9c27b9a95

Filesize: 613B
MD5: 36d123f188849666f11e983230b62722
SHA1: 76d8c01a5de6d397aea011e011df032a1a3bab6c
SHA256: 512514eae37973872640a41cce70e6b825a6d7e4da50ee25d35d37e352f67514
SHA512: 0977f7eb3eeed46d778e3467ea9115bae82caf9f2664f3f76e762a099bb1daa098520af590b6c030f36ae2516707be6f84eae1788d76492e800ae3e2df27f632