Tasks (score per task as shown in the report navigation; target names are truncated as on the page)
- Overview: score 7
- Static: score 3
- Julien_and..._C.rar, windows11-21h2-x64: score 7
- the 31 per-file behavioral tasks, Julien and...hy.dll through Julien and...le.dll (the DLLs and NitroSniper.exe listed in full under Behavioral tasks below), windows11-21h2-x64: score 1 each

Resubmissions
- 28/02/2024, 11:10: 240228-m96traab8y (score 7)
- 28/02/2024, 11:07: 240228-m7zbwsab3z (score 7)
- 28/02/2024, 11:06: 240228-m7grvaaa72 (score 7)

Analysis
- max time kernel: 147s
- max time network: 159s
- platform: windows11-21h2_x64
- resource: win11-20240221-en
- resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 28/02/2024, 11:07
Static task: static1

Behavioral tasks (every task ran on resource win11-20240221-en)
- behavioral1: Julien_and_anarchi_selfsniper_C.rar
- behavioral2: Julien and anarchi selfsniper C#/Discord.Net-Anarchy.dll
- behavioral3: Julien and anarchi selfsniper C#/Discord.Net.Analyzers.dll
- behavioral4: Julien and anarchi selfsniper C#/Discord.Net.Commands.dll
- behavioral5: Julien and anarchi selfsniper C#/Discord.Net.Core.dll
- behavioral6: Julien and anarchi selfsniper C#/Discord.Net.Interactions.dll
- behavioral7: Julien and anarchi selfsniper C#/Discord.Net.Rest.dll
- behavioral8: Julien and anarchi selfsniper C#/Discord.Net.WebSocket.dll
- behavioral9: Julien and anarchi selfsniper C#/Discord.Net.Webhook.dll
- behavioral10: Julien and anarchi selfsniper C#/Humanizer.dll
- behavioral11: Julien and anarchi selfsniper C#/Microsoft.Bcl.AsyncInterfaces.dll
- behavioral12: Julien and anarchi selfsniper C#/Microsoft.Extensions.DependencyInjection.Abstractions.dll
- behavioral13: Julien and anarchi selfsniper C#/Newtonsoft.Json.dll
- behavioral14: Julien and anarchi selfsniper C#/NitroSniper.exe
- behavioral15: Julien and anarchi selfsniper C#/System.Buffers.dll
- behavioral16: Julien and anarchi selfsniper C#/System.Collections.Immutable.dll
- behavioral17: Julien and anarchi selfsniper C#/System.Composition.AttributedModel.dll
- behavioral18: Julien and anarchi selfsniper C#/System.Composition.Convention.dll
- behavioral19: Julien and anarchi selfsniper C#/System.Composition.Hosting.dll
- behavioral20: Julien and anarchi selfsniper C#/System.Composition.Runtime.dll
- behavioral21: Julien and anarchi selfsniper C#/System.Composition.TypedParts.dll
- behavioral22: Julien and anarchi selfsniper C#/System.IO.Pipelines.dll
- behavioral23: Julien and anarchi selfsniper C#/System.Interactive.Async.dll
- behavioral24: Julien and anarchi selfsniper C#/System.Linq.Async.dll
- behavioral25: Julien and anarchi selfsniper C#/System.Memory.dll
- behavioral26: Julien and anarchi selfsniper C#/System.Numerics.Vectors.dll
- behavioral27: Julien and anarchi selfsniper C#/System.Reactive.dll
- behavioral28: Julien and anarchi selfsniper C#/System.Reflection.Metadata.dll
- behavioral29: Julien and anarchi selfsniper C#/System.Runtime.CompilerServices.Unsafe.dll
- behavioral30: Julien and anarchi selfsniper C#/System.Text.Encoding.CodePages.dll
- behavioral31: Julien and anarchi selfsniper C#/System.Threading.Tasks.Extensions.dll
- behavioral32: Julien and anarchi selfsniper C#/System.ValueTuple.dll
General
- Target: Julien_and_anarchi_selfsniper_C.rar
- Size: 2.9MB
- MD5: cc5610e6313e3ae170f1c51397c51ed0
- SHA1: 8f90b6802b1b290e808920895ba74490d524416e
- SHA256: 53cd6d57499142348253949c4c6cee9b696a78fa99a5a68fcd6f78e55776cd63
- SHA512: 75828bb0e08d8dc2d3ac85974127a059277c084bd76d022eb6679a3231a28adff248e133a53bbd7b892a72ab79836ed69e8506281f67162c65ea2db3b1a44609
- SSDEEP: 49152:ipGqHPpVT+bzj++y6wDsAeWUyi0ELfl4pUxaiBMt9TOdKfH7ZnptvHi7NWVxAq/a:6GqHxVabz7PAUtLfl4p6QwdKzZpFk0Cf
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 3696: NitroSniper.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 1 IoC)
  flow 5: camo.githubusercontent.com (GitHub's image proxy; consistent with Edge rendering the GitHub page that NitroSniper.exe opened, see Processes below)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 3 IoCs); all three IoCs are attributed to msedge.exe, not to NitroSniper.exe
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings (cmd.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 3840 msedge.exe (x2); pid 4856 msedge.exe (x2)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 5004: 7zFM.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
  pid 4856 msedge.exe (x2)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  pid 5004 7zFM.exe: Token SeRestorePrivilege; Token 35; Token SeSecurityPrivilege
- Suspicious use of FindShellTrayWindow (27 IoCs)
  pid 5004 7zFM.exe (x2); pid 4856 msedge.exe (x25)
- Suspicious use of SendNotifyMessage (12 IoCs)
  pid 4856 msedge.exe (x12)
- Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, the "rows" column gives the repeat count)
  writer pid   writer process    target pid   procid_target   rows
  4920         cmd.exe           5004         82              2
  5004         7zFM.exe          3696         85              3
  3696         NitroSniper.exe   4856         87              2
  4856         msedge.exe        4052         88              2
  4856         msedge.exe        3484         89              40
  4856         msedge.exe        3840         90              2
  4856         msedge.exe        4540         91              13
Processes
- C:\Windows\system32\cmd.exe (PID 4920)
  cmd /c C:\Users\Admin\AppData\Local\Temp\Julien_and_anarchi_selfsniper_C.rar
  Signatures: Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Program Files\7-Zip\7zFM.exe (PID 5004)
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Julien_and_anarchi_selfsniper_C.rar"
    Signatures: Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\7zOC836ADA7\NitroSniper.exe (PID 3696)
      "C:\Users\Admin\AppData\Local\Temp\7zOC836ADA7\NitroSniper.exe"
      Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4856)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Disc0rdTools/NitroSniper
        Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
        - msedge.exe crashpad handler (PID 4052)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc9dce3cb8,0x7ffc9dce3cc8,0x7ffc9dce3cd8
        - msedge.exe GPU process (PID 3484)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,9331831746685540062,11576783743886043656,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
        - msedge.exe network service (PID 3840)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,9331831746685540062,11576783743886043656,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
          Signatures: Suspicious behavior: EnumeratesProcesses
        - msedge.exe storage service (PID 4540)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,9331831746685540062,11576783743886043656,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
        - msedge.exe renderer, client id 6 (PID 4620)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9331831746685540062,11576783743886043656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
        - msedge.exe renderer, client id 5 (PID 4612)
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,9331831746685540062,11576783743886043656,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
- C:\Windows\System32\CompPkgSrv.exe (PID 3640)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 3652)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
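The WriteProcessMemory IoC table and the process tree above describe one chain: cmd.exe hands the archive to the 7-Zip GUI, 7zFM.exe extracts the opened NitroSniper.exe into a 7zO... temp directory and runs it, and that binary launches Edge on a GitHub URL. The script below is an added example, not part of the tria.ge report or of the NitroSniper project, showing how an analyst can parse those flattened rows into a parent/child tree and run a detection for "binary executed from 7-Zip's extraction directory launches a browser with a URL". The sample rows and command lines are copied from this report with repeated rows shortened and the Edge helper command lines cut down; the regexes, the browser image list and the `find_archive_drop_to_browser` helper are my own assumptions. Treating writer/target pairs as parent/child edges is justified here because every pair matches the Processes section (the parent writes startup data into the new child), but it is not true in general, so the tree builder refuses to continue when a target is written by two different processes.

```python
import re
from collections import Counter

# Constructed sample: the flattened "Suspicious use of WriteProcessMemory" rows
# from this report, one per line, with runs of identical rows shortened.
# Row layout: writer PID, target PID, writer PID again, writer image, procid_target.
WPM_ROWS = """\
PID 4920 wrote to memory of 5004 4920 cmd.exe 82
PID 4920 wrote to memory of 5004 4920 cmd.exe 82
PID 5004 wrote to memory of 3696 5004 7zFM.exe 85
PID 5004 wrote to memory of 3696 5004 7zFM.exe 85
PID 5004 wrote to memory of 3696 5004 7zFM.exe 85
PID 3696 wrote to memory of 4856 3696 NitroSniper.exe 87
PID 3696 wrote to memory of 4856 3696 NitroSniper.exe 87
PID 4856 wrote to memory of 4052 4856 msedge.exe 88
PID 4856 wrote to memory of 3484 4856 msedge.exe 89
PID 4856 wrote to memory of 3840 4856 msedge.exe 90
PID 4856 wrote to memory of 4540 4856 msedge.exe 91
"""

# Constructed: command lines from the Processes section, keyed by PID
# (Edge helper command lines cut down to their --type switch).
COMMAND_LINES = {
    4920: r"cmd /c C:\Users\Admin\AppData\Local\Temp\Julien_and_anarchi_selfsniper_C.rar",
    5004: r'"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Julien_and_anarchi_selfsniper_C.rar"',
    3696: r'"C:\Users\Admin\AppData\Local\Temp\7zOC836ADA7\NitroSniper.exe"',
    4856: r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Disc0rdTools/NitroSniper',
    4052: r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler',
    3484: r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process',
    3840: r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService',
    4540: r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService',
}

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")
URL_RE = re.compile(r"https?://[^\s\"']+")
# Assumption: the 7-Zip GUI extracts an opened archive member to %TEMP%\7zO<hex>\
# before launching it; that is where NitroSniper.exe ran from in this report.
SEVENZIP_TEMP_RE = re.compile(r"\\Temp\\7zO[0-9A-Fa-f]+\\", re.IGNORECASE)
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}  # assumed list


def parse_wpm(text):
    """Return ({(writer, target): row count}, {writer pid: image}) from the flattened rows."""
    counts = Counter()
    images = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a WriteProcessMemory row
        writer, target, _, image, _ = m.groups()
        counts[(int(writer), int(target))] += 1
        images[int(writer)] = image
    return counts, images


def parent_map(counts):
    """Collapse writer->target pairs into a child -> parent map.

    A target written by two different writers is real cross-process injection
    rather than process creation, so that case raises instead of guessing a parent.
    """
    parents = {}
    for writer, target in counts:
        if parents.get(target, writer) != writer:
            raise ValueError(f"PID {target} written by both {parents[target]} and {writer}")
        parents[target] = writer
    return parents


def lineage(pid, parents):
    """Root-first chain of PIDs ending at pid."""
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return chain[::-1]


def image_name(cmdline):
    """Lower-cased image file name from a quoted or unquoted command line."""
    if not cmdline:
        return ""
    exe = cmdline.split('"')[1] if cmdline.startswith('"') else cmdline.split()[0]
    return exe.rsplit("\\", 1)[-1].lower()


def find_archive_drop_to_browser(parents, cmdlines):
    """Flag a binary run from 7-Zip's temp extraction dir that launches a browser with a URL."""
    findings = []
    for child, parent in parents.items():
        parent_cmd = cmdlines.get(parent, "")
        child_cmd = cmdlines.get(child, "")
        if not SEVENZIP_TEMP_RE.search(parent_cmd):
            continue
        if image_name(child_cmd) not in BROWSERS:
            continue
        url = URL_RE.search(child_cmd)
        findings.append({
            "dropped_pid": parent,
            "browser_pid": child,
            "url": url.group(0) if url else None,
            "chain": lineage(child, parents),
        })
    return findings


if __name__ == "__main__":
    counts, images = parse_wpm(WPM_ROWS)
    parents = parent_map(counts)
    for f in find_archive_drop_to_browser(parents, COMMAND_LINES):
        names = [f"{images.get(p) or image_name(COMMAND_LINES[p])}({p})" for p in f["chain"]]
        print(" -> ".join(names), "url=" + str(f["url"]))
```

On this report the script reports a single chain, cmd.exe(4920) -> 7zFM.exe(5004) -> NitroSniper.exe(3696) -> msedge.exe(4856) with the GitHub URL, and none of the Edge helper processes trigger it because their parent is msedge.exe rather than a binary under a 7zO directory. On a host, the same logic applies to Sysmon event ID 1 (ParentImage, Image, CommandLine) with the row parser swapped out.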
Network
MITRE ATT&CK Enterprise v15
Downloads (files written during the run)
- Filesize: 152B
  MD5: 601fbcb77ed9464402ad83ed36803fd1
  SHA1: 9a34f45553356ec48b03c4d2b2aa089b44c6532d
  SHA256: 09d069799186ae736e216ab7e4ecdd980c6b202121b47636f2d0dd0dd4cc9e15
  SHA512: c1cb610c25effb19b1c69ddca07f470e785fd329ad4adda90fbccaec180f1cf0be796e5628a30d0af256f5c3dc81d2331603cf8269f038c33b20dbf788406220
- Filesize: 152B
  MD5: a91469041c09ba8e6c92487f02ca8040
  SHA1: 7207eded6577ec8dc3962cd5c3b093d194317ea1
  SHA256: 0fef2b2f8cd3ef7aca4d2480c0a65ed4c2456f7033267aa41df7124061c7d28f
  SHA512: b620a381ff679ef45ae7ff8899c59b9e5f1c1a4bdcab1af54af2ea410025ed6bdab9272cc342ac3cb18913bc6f7f8156c95e0e0615219d1981a68922ce34230f
- Filesize: 6KB
  MD5: d7ec261da2ac26279c7f8b3429e013a5
  SHA1: 81a735315b6f8171bb8331f60c828468653f43d6
  SHA256: 31c43682d011108de6717c4c1b2749ba3f67f61f671c663fa516129689277067
  SHA512: b1430745f9137974eb894c60934a74244efbfef4ef80434430510d20de0aea124a402560fec5c6d7aabc40619f2ed175a3d86e5a41070c0d1ca047e171596edc
- Filesize: 1.9MB
  MD5: d5e815c37b6ed6465820693673e35da8
  SHA1: 335d5b7c1056b6d6010db628963051f1a244ddbe
  SHA256: 934d2022814c6dfb0145608d9d270597d46feec5ce833d754576d6a73650a632
  SHA512: e9775eae34493d94bc96aa3adc25f95cba4c45d4b263565f23e834409cbd122ab731f052595382d7ab8857c133c8068644bb100ad03cdd3201e6fc5bdc4280a9