Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/05/2024, 13:45
Behavioral task
- behavioral1
- Sample: Server.exe
- Resource: win7-20240508-en
General
- Target: Server.exe
- Size: 43KB
- MD5: d263ae994c7828269ff7d3a5ec76a11b
- SHA1: 4c9dcda66fd3004be1b8e1eec4f397ddea9962d5
- SHA256: 1e429092e09d2f72fbe28209ea1bd98d65fff4e9a7bb6e5cd7986196b30a1f98
- SHA512: 93051cab42a41be27724206c321bff81a5389e6d4bb7038f2d7fd1bce6dd14ac9c3c1bedf48b0e30c88e0e8efaff557a26e848ef24e408799ab7738be3ebdc53
- SSDEEP: 384:lZy46NUst+3gUy6jjHK6qEsjtJEzQIij+ZsNO3PlpJKkkjh/TzF7pWna/greT0pe:vAwQh6/H1ujGuXQ/oj3+L
Malware Config
Extracted
- Family: njrat
- Version: Njrat 0.7 Golden By Hassan Amiri
- Botnet: HacKed
- C2: 19.ip.gl.ply.gg:54921
- Mutex: Windows Update
- reg_key: Windows Update
- splitter: |Hassan|
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (Server.exe)
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe (windlogon.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe (windlogon.exe)
- Executes dropped EXE (3 IoCs)
  PID 4808 windlogon.exe; PID 4108 Server.exe; PID 2624 Server.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- YARA rule matches (resource / yara_rule)
  behavioral2/memory/1212-32-0x0000000000400000-0x0000000000472000-memory.dmp: upx
  behavioral2/memory/1212-34-0x0000000000400000-0x0000000000472000-memory.dmp: upx
  behavioral2/memory/1212-35-0x0000000000400000-0x0000000000472000-memory.dmp: upx
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\windlogon.exe\" .." (windlogon.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\windlogon.exe\" .." (windlogon.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  PID 4808 (windlogon.exe) set thread context of PID 1212 (procid_target 114)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 4732 schtasks.exe
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  PID 388 Server.exe; PID 4808 windlogon.exe
- Suspicious use of AdjustPrivilegeToken (32 IoCs)
  Token: SeDebugPrivilege, PID 4808 windlogon.exe
  Token: 33 followed by Token: SeIncBasePriorityPrivilege, PID 4808 windlogon.exe (pair repeated 12 times)
  Token: SeDebugPrivilege, PID 1212 vbc.exe
  Token: 33 followed by Token: SeIncBasePriorityPrivilege, PID 4808 windlogon.exe (pair repeated 3 times)
- Suspicious use of WriteProcessMemory (13 IoCs)
  PID 388 (Server.exe) wrote to memory of PID 4808, procid_target 92 (3 times)
  PID 4808 (windlogon.exe) wrote to memory of PID 4732, procid_target 99 (3 times)
  PID 4808 (windlogon.exe) wrote to memory of PID 1212, procid_target 114 (7 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  PID: 388
  Signatures: Checks computer location settings; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\windlogon.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\windlogon.exe"
    PID: 4808
    Signatures: Drops startup file; Executes dropped EXE; Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
      PID: 4732
      Signatures: Creates scheduled task(s)
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\4381014"
      PID: 1212
      Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  Command line: C:\Users\Admin\AppData\Local\Temp/Server.exe
  PID: 4108
  Signatures: Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  Command line: C:\Users\Admin\AppData\Local\Temp/Server.exe
  PID: 2624
  Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 507B
  MD5: 25d1b50e7c0d451f3d850eb54d27ca05
  SHA1: a238807715c70a335f54e80d4855644b21a9e870
  SHA256: 650faa13e983c9046c9030f63a5fa1c33900432ec7cb3762e015da2e7c5b34a5
  SHA512: 4223a26b2fabefdf1c01443ccc7bd887464d27f02694379895a040c66db472d541218d501f1c01e1bd31012d079a31baf24e20882c32cf652a09a74e3bf385f5
- Filesize: 96B
  MD5: 4f0f313d090a031e7bfffba76d78ecab
  SHA1: 0d577bc0155b493820fb9fd842e3dde629b90459
  SHA256: a7546c5d43a26481aae0052942b9a7cdcfa3a5a8452c535fcbe0c62cd1df005e
  SHA512: 51824c60159f4ed3023af2a00dacb7889dad1efeae30cdd515bf16b456c610e0b83d4d326edc75b2eb925d510b36180e147b5bb54ccd2f102fe449676d223693
- Filesize: 86KB
  MD5: ba98b16195f42ec57a11625d07069b32
  SHA1: 5ceb0074aea25863a9a1ba07cb622b244852b700
  SHA256: b33b872c1b4eb86346df012c19d0383832f8b2601e4ea221f6a439df423fc277
  SHA512: aab588176794399d021357736a31012bfa5f0e52ffdd437b02d590261a76032caaa29ac32fbb3919b835b54a230cc2e9d1951fa22d4b320ca6d38279b1399aef
- Filesize: 43KB
  MD5: d263ae994c7828269ff7d3a5ec76a11b
  SHA1: 4c9dcda66fd3004be1b8e1eec4f397ddea9962d5
  SHA256: 1e429092e09d2f72fbe28209ea1bd98d65fff4e9a7bb6e5cd7986196b30a1f98
  SHA512: 93051cab42a41be27724206c321bff81a5389e6d4bb7038f2d7fd1bce6dd14ac9c3c1bedf48b0e30c88e0e8efaff557a26e848ef24e408799ab7738be3ebdc53