Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
16/07/2024, 00:43
240716-a232nsxckr 1016/07/2024, 00:41
240716-a16q6szdmc 1016/07/2024, 00:38
240716-azamcazcpc 1015/07/2024, 20:46
240715-zkpv6a1dlh 10Analysis
-
max time kernel
1799s -
max time network
1796s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
16/07/2024, 00:43
Behavioral task
behavioral1
Sample
0928f36599b47ba66582d1f5a5cb6fb0N.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
0928f36599b47ba66582d1f5a5cb6fb0N.exe
Resource
win10v2004-20240709-en
General
-
Target
0928f36599b47ba66582d1f5a5cb6fb0N.exe
-
Size
23KB
-
MD5
0928f36599b47ba66582d1f5a5cb6fb0
-
SHA1
bef519e4db670bbea44d8cba6cbf104050ae551d
-
SHA256
7833bf16b7c7c64dff43ca86f7ef1119284cedbc43fc7c31184d531b17e6bbf0
-
SHA512
edf35a5457744d7792c8d4ea5d99e8e3beecef2a516a18f0296891d6f4baf3bf543cf00ba63a11aac5ad18af2567aa8781e840e339d80097d8e7a2e837b8ca3e
-
SSDEEP
384:/oWtkEwn65rgjAsGipk55D16xgXakhbZD0mRvR6JZlbw8hqIusZzZI2:Y7O89p2rRpcnuY
Malware Config
Extracted
njrat
0.7d
HacKed
10.10.1.11:5552
7657c14284185fbd3fb108b43c7467ba
-
reg_key
7657c14284185fbd3fb108b43c7467ba
-
splitter
|'|'|
Signatures
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2608 netsh.exe -
Executes dropped EXE 1 IoCs
pid Process 2740 server.exe -
Loads dropped DLL 1 IoCs
pid Process 2696 0928f36599b47ba66582d1f5a5cb6fb0N.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\7657c14284185fbd3fb108b43c7467ba = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\7657c14284185fbd3fb108b43c7467ba = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2740 server.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2740 server.exe Token: 33 2740 server.exe Token: SeIncBasePriorityPrivilege 2740 server.exe Token: 33 2740 server.exe Token: SeIncBasePriorityPrivilege 2740 server.exe Token: 33 2740 server.exe Token: SeIncBasePriorityPrivilege 2740 server.exe Token: 33 2740 server.exe Token: SeIncBasePriorityPrivilege 2740 server.exe Token: 33 2740 server.exe Token: SeIncBasePriorityPrivilege 2740 server.exe Token: 33 2740 server.exe Token: SeIncBasePriorityPrivilege 2740 server.exe Token: 33 2740 server.exe Token: SeIncBasePriorityPrivilege 2740 server.exe Token: 33 2740 server.exe Token: SeIncBasePriorityPrivilege 2740 server.exe Token: 33 2740 server.exe Token: SeIncBasePriorityPrivilege 2740 server.exe Token: 33 2740 server.exe Token: SeIncBasePriorityPrivilege 2740 server.exe Token: 33 2740 server.exe Token: SeIncBasePriorityPrivilege 2740 server.exe Token: 33 2740 server.exe Token: SeIncBasePriorityPrivilege 2740 server.exe Token: 33 2740 server.exe Token: SeIncBasePriorityPrivilege 2740 server.exe Token: 33 2740 server.exe Token: SeIncBasePriorityPrivilege 2740 server.exe Token: 33 2740 server.exe Token: SeIncBasePriorityPrivilege 2740 server.exe Token: 33 2740 server.exe Token: SeIncBasePriorityPrivilege 2740 server.exe Token: 33 2740 server.exe Token: SeIncBasePriorityPrivilege 2740 server.exe Token: 33 2740 server.exe Token: SeIncBasePriorityPrivilege 2740 server.exe Token: 33 2740 server.exe Token: SeIncBasePriorityPrivilege 2740 server.exe Token: 33 2740 server.exe Token: SeIncBasePriorityPrivilege 2740 server.exe Token: 33 2740 server.exe Token: SeIncBasePriorityPrivilege 2740 server.exe Token: 33 2740 server.exe Token: SeIncBasePriorityPrivilege 2740 server.exe Token: 33 2740 server.exe Token: SeIncBasePriorityPrivilege 2740 server.exe Token: 33 2740 server.exe Token: SeIncBasePriorityPrivilege 2740 server.exe Token: 33 2740 server.exe Token: SeIncBasePriorityPrivilege 2740 server.exe Token: 33 2740 server.exe Token: SeIncBasePriorityPrivilege 2740 server.exe Token: 33 2740 server.exe Token: SeIncBasePriorityPrivilege 2740 server.exe Token: 33 2740 server.exe Token: SeIncBasePriorityPrivilege 2740 server.exe Token: 33 2740 server.exe Token: SeIncBasePriorityPrivilege 2740 server.exe Token: 33 2740 server.exe Token: SeIncBasePriorityPrivilege 2740 server.exe Token: 33 2740 server.exe Token: SeIncBasePriorityPrivilege 2740 server.exe Token: 33 2740 server.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2696 wrote to memory of 2740 2696 0928f36599b47ba66582d1f5a5cb6fb0N.exe 30 PID 2696 wrote to memory of 2740 2696 0928f36599b47ba66582d1f5a5cb6fb0N.exe 30 PID 2696 wrote to memory of 2740 2696 0928f36599b47ba66582d1f5a5cb6fb0N.exe 30 PID 2696 wrote to memory of 2740 2696 0928f36599b47ba66582d1f5a5cb6fb0N.exe 30 PID 2740 wrote to memory of 2608 2740 server.exe 31 PID 2740 wrote to memory of 2608 2740 server.exe 31 PID 2740 wrote to memory of 2608 2740 server.exe 31 PID 2740 wrote to memory of 2608 2740 server.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\0928f36599b47ba66582d1f5a5cb6fb0N.exe"C:\Users\Admin\AppData\Local\Temp\0928f36599b47ba66582d1f5a5cb6fb0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2608
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23KB
MD50928f36599b47ba66582d1f5a5cb6fb0
SHA1bef519e4db670bbea44d8cba6cbf104050ae551d
SHA2567833bf16b7c7c64dff43ca86f7ef1119284cedbc43fc7c31184d531b17e6bbf0
SHA512edf35a5457744d7792c8d4ea5d99e8e3beecef2a516a18f0296891d6f4baf3bf543cf00ba63a11aac5ad18af2567aa8781e840e339d80097d8e7a2e837b8ca3e