Analysis
max time kernel: 146s
max time network: 147s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 20/06/2024, 01:15
Static task: static1
Behavioral task: behavioral1
  Sample: a0d32b7a7755b312af45165c7c2814e0cca2992da18224f0776258b484fd3358.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: a0d32b7a7755b312af45165c7c2814e0cca2992da18224f0776258b484fd3358.exe
  Resource: win10v2004-20240508-en
General
Target: a0d32b7a7755b312af45165c7c2814e0cca2992da18224f0776258b484fd3358.exe
Size: 115KB
MD5: efcd19db208e7ccbbea917ed18cae43a
SHA1: 1ac3f2f6b17dccd029006d007da7401dd4b2a18f
SHA256: a0d32b7a7755b312af45165c7c2814e0cca2992da18224f0776258b484fd3358
SHA512: 19c09886cf52aa39ae6d0c3b3d887471bd3ff53b54203759067ad6d5c5f59ebac6bc74680b7d34ac62ed5bdfdaa1e3f2c3ce790c8f47f53bc1c2b92c563602fc
SSDEEP: 1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMiat6wF:P5eznsjsguGDFqGZ2riE
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: neuf
C2: doddyfire.linkpc.net:10000
Mutex: e1a87040f2026369a233f9ae76301b7b
Attributes:
  reg_key: e1a87040f2026369a233f9ae76301b7b
  splitter: |'|'|
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid   Process
  888   netsh.exe

Executes dropped EXE (2 IoCs)
  pid    Process
  2108   chargeable.exe
  1176   chargeable.exe

Loads dropped DLL (2 IoCs)
  pid    Process
  1644   a0d32b7a7755b312af45165c7c2814e0cca2992da18224f0776258b484fd3358.exe
  1644   a0d32b7a7755b312af45165c7c2814e0cca2992da18224f0776258b484fd3358.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description       ioc                                                                                                                                              Process
  Set value (str)   \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a0d32b7a7755b312af45165c7c2814e0cca2992da18224f0776258b484fd3358.exe"   a0d32b7a7755b312af45165c7c2814e0cca2992da18224f0776258b484fd3358.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"   a0d32b7a7755b312af45165c7c2814e0cca2992da18224f0776258b484fd3358.exe

Suspicious use of SetThreadContext (1 IoC)
  description                            pid    Process          procid_target
  PID 2108 set thread context of 1176    2108   chargeable.exe   31

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description            ioc                                                       Process
  Key opened             \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh    netsh.exe
  Key queried            \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh    netsh.exe
  Key value enumerated   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh    netsh.exe

Suspicious use of AdjustPrivilegeToken (11 IoCs)
  description                          pid    Process
  Token: SeDebugPrivilege              1176   chargeable.exe
  Token: 33                            1176   chargeable.exe
  Token: SeIncBasePriorityPrivilege    1176   chargeable.exe
  Token: 33                            1176   chargeable.exe
  Token: SeIncBasePriorityPrivilege    1176   chargeable.exe
  Token: 33                            1176   chargeable.exe
  Token: SeIncBasePriorityPrivilege    1176   chargeable.exe
  Token: 33                            1176   chargeable.exe
  Token: SeIncBasePriorityPrivilege    1176   chargeable.exe
  Token: 33                            1176   chargeable.exe
  Token: SeIncBasePriorityPrivilege    1176   chargeable.exe

Suspicious use of WriteProcessMemory (17 IoCs)
  description                          pid    Process                                                                  procid_target
  PID 1644 wrote to memory of 2108     1644   a0d32b7a7755b312af45165c7c2814e0cca2992da18224f0776258b484fd3358.exe   28
  PID 1644 wrote to memory of 2108     1644   a0d32b7a7755b312af45165c7c2814e0cca2992da18224f0776258b484fd3358.exe   28
  PID 1644 wrote to memory of 2108     1644   a0d32b7a7755b312af45165c7c2814e0cca2992da18224f0776258b484fd3358.exe   28
  PID 1644 wrote to memory of 2108     1644   a0d32b7a7755b312af45165c7c2814e0cca2992da18224f0776258b484fd3358.exe   28
  PID 2108 wrote to memory of 1176     2108   chargeable.exe                                                           31
  PID 2108 wrote to memory of 1176     2108   chargeable.exe                                                           31
  PID 2108 wrote to memory of 1176     2108   chargeable.exe                                                           31
  PID 2108 wrote to memory of 1176     2108   chargeable.exe                                                           31
  PID 2108 wrote to memory of 1176     2108   chargeable.exe                                                           31
  PID 2108 wrote to memory of 1176     2108   chargeable.exe                                                           31
  PID 2108 wrote to memory of 1176     2108   chargeable.exe                                                           31
  PID 2108 wrote to memory of 1176     2108   chargeable.exe                                                           31
  PID 2108 wrote to memory of 1176     2108   chargeable.exe                                                           31
  PID 1176 wrote to memory of 888      1176   chargeable.exe                                                           32
  PID 1176 wrote to memory of 888      1176   chargeable.exe                                                           32
  PID 1176 wrote to memory of 888      1176   chargeable.exe                                                           32
  PID 1176 wrote to memory of 888      1176   chargeable.exe                                                           32
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\a0d32b7a7755b312af45165c7c2814e0cca2992da18224f0776258b484fd3358.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a0d32b7a7755b312af45165c7c2814e0cca2992da18224f0776258b484fd3358.exe"
    PID: 1644
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    [depth 2] C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        Command line: "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
        PID: 2108
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        [depth 3] C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
            Command line: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
            PID: 1176
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [depth 4] C:\Windows\SysWOW64\netsh.exe
                Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
                PID: 888
                - Modifies Windows Firewall
                - Event Triggered Execution: Netsh Helper DLL
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: a48ee4050559a0b972a9eac8e13cdf77
  SHA1: 5b181a65da02c1c11347d16e789689a80d2ede45
  SHA256: 8005b31a9ee6596a36b0dc3fda4eda56c32491db93e2f864aa8c47f47c71b8c5
  SHA512: 859c29a8c2521645a79049c960d06e870c1127a28b3fc4773808d17ba7e7648eb8fb36771f4efb47dce99b4823eea238c393fd9cd15bfd3e9d5ad5ea37c968ce

  Filesize: 68KB
  MD5: 29f65ba8e88c063813cc50a4ea544e93
  SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
  SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
  SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

  Filesize: 177KB
  MD5: 435a9ac180383f9fa094131b173a2f7b
  SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
  SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
  SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

  Filesize: 115KB
  MD5: 9235b9e3cdec2f70031fd862cf8823e3
  SHA1: 44668fadb3c1f17d3db981d55c1f0cbd803d9cee
  SHA256: b3d8d80835476becabd09d464846bba42c8b070a60d07c19309b27e3a0afb344
  SHA512: 5bceb0955196ea4663b691ef6b5e7e1f69a6a6ec9a0b0a7239cf8ead1e2595707118afe8a8c16afe5e692fbb7078ff634414a47c458b13e0e5cb36adb8a99203