Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 147s
max time network: 140s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 10/07/2024, 11:50
Behavioral tasks
behavioral1: Plague crack/Client.exe on win7-20240705-en (the task shown on this page)
behavioral2: Plague crack/Client.exe on win10v2004-20240709-en
behavioral3: Plague crack/Launcher.bat on win7-20240705-en
behavioral4: Plague crack/Launcher.bat on win10v2004-20240709-en
behavioral5: Plague crack/Loader.exe on win7-20240704-en
behavioral6: Plague crack/Loader.exe on win10v2004-20240709-en
General
Target: Plague crack/Client.exe
Size: 31KB
MD5: 390d34e903b86af3619fd35dd30378c6
SHA1: 0e2fedee3f816ae525643dd61d3841c57f99803a
SHA256: d5a59b3315fce1989e6681262328e355f228a0691cef9b693d8b721c88830d1b
SHA512: 410f7d82cc51fd5ef4aef8d2cecbaebd833d600f2d1c942846302a6cce3f9cdf9823fcfd9b9daa7cf1988eb07c36dc7e3a240eaad1f0d3315270031129a2cedd
SSDEEP: 768:4DMXJwpJbb2zxxO5Y6qn+4isfvKwQmIDUu0tijMj:1kKW4isLQVkNj
Malware Config
Extracted family: njrat
version: 0.7d
sv_chost.exe (unlabeled in the report; note that the binary actually dropped and executed below is named svchost.exe, without the underscore)
C2: 192.168.176.1:6522 (host:port; 192.168.0.0/16 is private RFC 1918 space, so this callback only reaches a controller on the same LAN as the builder's machine and cannot be contacted over the internet)
d170bd0301e70420e220fb7a5c621fdf (unlabeled in the report; identical to the reg_key value below)
reg_key: d170bd0301e70420e220fb7a5c621fdf
splitter: Y262SUCZ4UJJ (the delimiter njRAT places between fields in its C2 messages; a non-default value like this one is useful for network signatures)
Signatures
Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid 2972 netsh.exe
Executes dropped EXE (1 IoC)
  pid 2892 svchost.exe
Loads dropped DLL (1 IoC)
  pid 2108 Client.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  netsh.exe: key opened, key queried, key value enumerated: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh
  Caveat: every netsh.exe invocation reads this key to locate its helper DLLs. The three IoCs are reads only (open, query, enumerate) with no value written, so they record the firewall command below being executed, not a helper DLL being registered for persistence.
Suspicious use of AdjustPrivilegeToken (35 IoCs)
  pid 2892 svchost.exe: SeDebugPrivilege enabled once, then privilege LUID 33 and SeIncBasePriorityPrivilege enabled alternately, 17 times each. SeDebugPrivilege is the notable one; it only succeeds in an administrative token and is what a RAT needs to open other users' processes.
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2108 Client.exe wrote to memory of 2892 (procid_target 30), 4 times
  PID 2892 svchost.exe wrote to memory of 2972 (procid_target 31), 4 times
  Each writer targets only the child it spawned (see the process tree below); the report shows no writes into an unrelated process.
Processes
(1) C:\Users\Admin\AppData\Local\Temp\Plague crack\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Plague crack\Client.exe"
    PID 2108: Loads dropped DLL; Suspicious use of WriteProcessMemory
  (2) C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      PID 2892: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    (3) C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
        PID 2972: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL
Notes on the tree: the dropped payload borrows the name svchost.exe but runs from %TEMP% rather than System32, and the fact that netsh.exe is resolved to SysWOW64 shows the parent is a 32-bit process subject to file system redirection. The command uses the legacy "netsh firewall" context (deprecated since Windows Vista in favour of "netsh advfirewall firewall" but still honoured), and the exception is only actually added when the calling process holds administrative rights.
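The chain above (dropped svchost.exe in %TEMP% spawning netsh.exe to whitelist itself) is easy to hunt for in process-creation telemetry. The following is an added example, not part of the tria.ge report or of any vendor tooling: it parses both the legacy and the advfirewall netsh syntaxes, flags a System32-only binary name running elsewhere, and ties the firewall exception back to its process ancestry. The event list, PIDs and the two benign control events are constructed to mirror the report and are not a real log export; the parent PID 1000 for Client.exe is a placeholder.

```python
"""
Hunting logic for the report's process tree (2108 -> 2892 -> 2972):
a dropped svchost.exe in %TEMP% that spawns netsh.exe to add itself to the
Windows Firewall allow list. Added example; events below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Where the genuine copies of these binaries live (lower-cased prefixes).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# System binaries whose names malware commonly borrows.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
# Path fragments a standard user can write to; a firewall exception for a
# binary here is a strong signal regardless of the binary's name.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\", "\\programdata\\")

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str

@dataclass
class Finding:
    pid: int
    rule: str
    detail: str

# Legacy context, as used in the report (pre-Vista syntax, still accepted):
#   netsh firewall add allowedprogram <path> <name> ENABLE
LEGACY_RE = re.compile(
    r'\bfirewall\s+add\s+allowedprogram\s+(?:"(?P<q>[^"]+)"|(?P<u>\S+))', re.I)
# Current context:
#   netsh advfirewall firewall add rule ... program=<path> ... action=allow
ADV_RE = re.compile(
    r'\badvfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=(?:"(?P<q>[^"]+)"|(?P<u>\S+))', re.I)

def firewall_exception_target(cmdline: str) -> Optional[str]:
    """Return the program path a netsh command whitelists, or None."""
    for rx in (LEGACY_RE, ADV_RE):
        m = rx.search(cmdline)
        if m:
            return m.group("q") or m.group("u")
    return None

def is_masquerading_system_binary(image: str) -> bool:
    """True when a System32-only binary name runs from anywhere else."""
    low = image.lower()
    name = low.rsplit("\\", 1)[-1]
    return name in SYSTEM_NAMES and not low.startswith(SYSTEM_DIRS)

def ancestry(events: List[ProcEvent], pid: int) -> List[str]:
    """Image names from pid upwards, stopping at the first unknown parent."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image.rsplit("\\", 1)[-1])
        pid = by_pid[pid].ppid
    return chain

def analyse(events: List[ProcEvent]) -> List[Finding]:
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if is_masquerading_system_binary(e.image):
            findings.append(Finding(e.pid, "masquerade",
                                    f"{e.image} runs outside System32/SysWOW64"))
        target = firewall_exception_target(e.cmdline)
        if target is None:
            continue
        low = target.lower()
        parent = by_pid.get(e.ppid)
        # Flag when the exception points into user-writable space, or when
        # the whitelisted program is the very process that launched netsh.
        if any(frag in low for frag in USER_WRITABLE) or (
                parent is not None and parent.image.lower() == low):
            findings.append(Finding(e.pid, "firewall_exception",
                                    f"{target} via {' <- '.join(ancestry(events, e.pid))}"))
    return findings

# Constructed events (not a real export) mirroring the report's tree, plus a
# genuine svchost.exe and an admin adding a rule for an installed application.
CONSTRUCTED_EVENTS = [
    ProcEvent(2108, 1000, "C:\\Users\\Admin\\AppData\\Local\\Temp\\Plague crack\\Client.exe",
              '"C:\\Users\\Admin\\AppData\\Local\\Temp\\Plague crack\\Client.exe"'),
    ProcEvent(2892, 2108, "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe",
              '"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe"'),
    ProcEvent(2972, 2892, "C:\\Windows\\SysWOW64\\netsh.exe",
              'netsh firewall add allowedprogram "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe" "svchost.exe" ENABLE'),
    ProcEvent(600, 500, "C:\\Windows\\System32\\svchost.exe",
              "C:\\Windows\\System32\\svchost.exe -k netsvcs"),
    ProcEvent(4000, 3000, "C:\\Windows\\System32\\netsh.exe",
              'netsh advfirewall firewall add rule name="App" dir=in action=allow '
              'program="C:\\Program Files\\App\\app.exe"'),
]

if __name__ == "__main__":
    for f in analyse(CONSTRUCTED_EVENTS):
        print(f"[{f.rule}] pid {f.pid}: {f.detail}")
```

Run against the constructed events, only the Temp-resident svchost.exe and the netsh call that whitelists it are reported; the real svchost.exe and the Program Files rule pass. The user-writable check is what makes the rule robust against a renamed dropper, and the parent-equals-target check catches the self-whitelisting pattern even when the path is somewhere unexpected.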
Network
MITRE ATT&CK Enterprise v15
Downloads
The downloadable artifact is the submitted sample itself: 31KB, with the same MD5, SHA1, SHA256 and SHA512 listed under General above.