Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 149s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 25/01/2024, 05:45
Behavioral task: behavioral1
- Sample: d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe
- Resource: win10v2004-20231222-en
General
- Target: d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe
- Size: 31KB
- MD5: a5ad2d1796744144d739569bb466b307
- SHA1: 42de0164c8cbd9b6c64100de720d2e0c49ebcb77
- SHA256: d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9
- SHA512: 45fa09478a871a75f4650a56529632bfddf93990819c6d5212753325305a7946c631076897b13e62297136ae26db064fef701dea23453ea504b4c2517d5e74b9
- SSDEEP: 384:c8LBBi/W/7mgEp87wYK2GePqZhbM2AQk93vmhm7UMKmIEecKdbXTzm9bVhcaO6fd:5W/sqoHT2A/vMHTi9bD/Qz1n
Malware Config
Extracted
- Family: njrat
- Version: v2.0
- Botnet: HacKed
- C2: 172.20.6.206:1992
- Mutex: Windows
- reg_key: Windows
- splitter: |-F-|
Signatures
- Drops startup file (4 IoCs)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk (process: d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk (process: Payload.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe (process: Payload.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe (process: Payload.exe)
- Executes dropped EXE (1 IoC)
  - PID 2540, process Payload.exe
- Loads dropped DLL (1 IoC)
  - PID 1680, process d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe
- Adds Run key to start application (2 TTPs, 5 IoCs)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe" (process: d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (process: Payload.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (process: Payload.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (process: Payload.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" (process: Payload.exe)
- Enumerates physical storage devices (1 TTP)
  - Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (33 IoCs, all from PID 2540, process Payload.exe)
  - Token: SeDebugPrivilege (1 occurrence)
  - Token: 33 (16 occurrences, alternating with the next entry)
  - Token: SeIncBasePriorityPrivilege (16 occurrences)
- Suspicious use of WriteProcessMemory (8 IoCs)
  - PID 1680 (d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe) wrote to memory of PID 2540, procid_target 28 (4 occurrences)
  - PID 1680 (d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe) wrote to memory of PID 2636, procid_target 29 (4 occurrences)
- Views/modifies file attributes (1 TTP, 1 IoC)
  - PID 2636, process attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe" (level 1, PID 1680)
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Payload.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Payload.exe" (level 2, PID 2540)
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\attrib.exe
    Command line: attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe" (level 2, PID 2636)
    - Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  - MD5: 406cb5d8884554b910ec2985051e04b9
  - SHA1: 6c2caa778ff91890041c687a8f0d7bfb3496c72d
  - SHA256: 6f65ea8e387ca72e00d035cd0c38570a196414187ff069577491764e1f601bd1
  - SHA512: 2f8418c76878a6e1dec7fe2ce4e7f47734cd01e9a8c812995263e5f57a67adc4761923a2c00a9cffecec73b2080e8f03c6fcd07d6d18b5c0154cd2542f02a182
- Filesize: 1018B
  - MD5: 7cbc2d82c4f90ff978979a21634aa85e
  - SHA1: cc595afa4a2f17360b23218aa002e3e31e29b408
  - SHA256: 21f7e2b15bbe313f5bb49f27e5a11296c63cf26c625e2da423b1e18df0bbb5a0
  - SHA512: 3c11f0c560084e7e85183a0d28463308ce9df197616c36b1a6d912657364e9f83730c82b94673c8bab4130c26c417ff668b3a19abccfb360855d2d374ed8ddff
- Filesize: 31KB
  - MD5: a5ad2d1796744144d739569bb466b307
  - SHA1: 42de0164c8cbd9b6c64100de720d2e0c49ebcb77
  - SHA256: d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9
  - SHA512: 45fa09478a871a75f4650a56529632bfddf93990819c6d5212753325305a7946c631076897b13e62297136ae26db064fef701dea23453ea504b4c2517d5e74b9