Analysis
max time kernel: 1800s
max time network: 1802s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 29/07/2024, 11:25
Behavioral task behavioral1
Sample: New Client.exe
Resource: win7-20240704-en
Behavioral task behavioral2
Sample: New Client.exe
Resource: win10-20240404-en
The analysis data on this page is from behavioral1 (the win7-20240704-en run named under platform/resource above).
General
Target: New Client.exe
Size: 65KB
MD5: 286eec8031073675f717eedd89f0aec2
SHA1: 60949f13b977bee5535cf4f730b498c7046294d1
SHA256: 742a164e003c21a29bfccdfa1145a8c842acef13534452052599cac7689b1327
SHA512: 1f8f7ef10395958012b8410715a7c3f415920f882c790bfe3c778a9b7009be0622015ad30fa3190a321d4c963da6e8cf7f3373c27cf26b40d03fe3a4b843de66
SSDEEP: 1536:W9awkWoN36tlQviFw1YARlBnvbKfLteF3nLrB9z3nCaF9beS9vM:W9awkWoN36tlQviFCrnBn+fWl9zSaF9y
Malware Config
Extracted
Family: njrat
Version: Platinum
Campaign ID (botnet): долбаеб (a Russian insult; the config string is kept verbatim)
C2: 127.0.0.1:37615
Install name: Client.exe
reg_key: Client.exe
splitter: |Ghost|
Note: the C2 is the loopback address, so the client connects back to the machine it runs on and no traffic leaves the sandbox; an empty Network section is consistent with that. The splitter |Ghost| differs from the stock njRAT delimiter |'|'|, so network signatures keyed on the default delimiter would not match traffic from this build.
Signatures
-
Drops startup file 3 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | Client.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | Client.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url | Client.exe
-
Executes dropped EXE 1 IoCs
pid | Process
1436 | Client.exe
-
Loads dropped DLL 1 IoCs
pid | Process
2292 | New Client.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\Client.exe\" .." | Client.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\Client.exe\" .." | Client.exe
The same value is written to both the per-user Run key and the 32-bit (Wow6432Node) machine Run key. The value name matches the extracted reg_key, and the data starts the copy as "C:\Users\Admin\Client.exe" with a bare .. argument.
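The Startup-folder and Run-key signatures above can be turned into a host-side check. The following is an added example for this page, not tria.ge code and not code from the sample: it scans registry Run values and a Startup-folder listing for the exact pattern reported, a quoted EXE path followed by a bare " .." argument, and a Startup folder holding both <name>.exe and <name>.url. The input line format ("<key path> = <data>"), the helper names and the Finding type are assumptions made for the example; the sample records are constructed from the report's IoCs plus one benign Run entry.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Added example for this page (not tria.ge or njRAT code). The input format and the
# helper names are assumptions; the sample records at the bottom are constructed.

# A Run key (not RunOnce) under any hive; captures the value name.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<value>[^\\]+)$", re.IGNORECASE)
# Value data as in the report once unescaped:  "C:\Users\Admin\Client.exe" ..
NJRAT_DATA_RE = re.compile(r'^"(?P<path>[^"]+\.exe)"\s+\.\.$', re.IGNORECASE)
# <name>.exe or <name>.url inside a Startup folder.
STARTUP_RE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\(?P<name>[^\\]+)\.(?P<ext>exe|url)$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def hive_scope(key_path: str) -> str:
    """Map a kernel-style \\REGISTRY\\... path to the usual hive shorthand."""
    upper = key_path.upper()
    if upper.startswith("\\REGISTRY\\USER\\"):
        return "HKCU"
    if upper.startswith("\\REGISTRY\\MACHINE\\"):
        # Wow6432Node is the 32-bit view of HKLM, which is what a 32-bit process writes to.
        return "HKLM (Wow6432Node)" if "\\WOW6432NODE\\" in upper else "HKLM"
    return "unknown hive"


def check_run_value(line: str, expected_reg_key: str = "Client.exe"):
    """Return a Finding if one '<key path> = <data>' line is an njRAT-style Run value."""
    key_path, sep, data = line.partition(" = ")
    if not sep:
        return None
    key = RUN_KEY_RE.search(key_path)
    if not key:
        return None
    data_match = NJRAT_DATA_RE.match(data.strip())
    if not data_match:
        return None
    same_name = key["value"].lower() == expected_reg_key.lower()
    note = "value name matches config reg_key" if same_name else "value name differs from config reg_key"
    return Finding("run_key",
                   f"{hive_scope(key_path)} Run\\{key['value']} -> {data_match['path']} "
                   f"started with a bare ' ..' argument ({note})")


def check_startup_folder(paths):
    """Return base names that have both <name>.exe and <name>.url in a Startup folder."""
    exts_by_name = defaultdict(set)
    for p in paths:
        m = STARTUP_RE.search(p)
        if m:
            exts_by_name[m["name"].lower()].add(m["ext"].lower())
    return sorted(name for name, exts in exts_by_name.items() if exts >= {"exe", "url"})


def hunt(reg_lines, file_paths, expected_reg_key="Client.exe"):
    """Run both checks and return the list of Findings."""
    findings = [f for f in (check_run_value(l, expected_reg_key) for l in reg_lines) if f]
    findings += [Finding("startup_pair", f"Startup folder holds {n}.exe and {n}.url")
                 for n in check_startup_folder(file_paths)]
    return findings


# Constructed sample input: the report's two Run values and Startup files, plus benign entries.
SAMPLE_REG = [
    r'\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "C:\Users\Admin\Client.exe" ..',
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe = "C:\Users\Admin\Client.exe" ..',
    r'\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
]
SAMPLE_FILES = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_REG, SAMPLE_FILES):
        print(finding.kind, "|", finding.detail)
```

On a real host the registry lines would come from a Run-key export of every loaded user hive plus HKLM and its Wow6432Node view, and the file list from each user's Startup folder; the OneDrive entry is there to show that a quoted path with ordinary arguments is not flagged.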
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | New Client.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Client.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
1436 | Client.exe
Repeated GetForegroundWindow calls from the persisted copy are consistent with a keylogger polling for the active window.
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1436 | Client.exe
Token: 33 | 1436 | Client.exe
Token: SeIncBasePriorityPrivilege | 1436 | Client.exe
The last two rows alternate for the rest of the 64 entries, all from PID 1436 (Client.exe); SeDebugPrivilege is enabled once. The unnamed entry 33 is most likely the raw privilege LUID that the sandbox did not resolve to a name; in winnt.h, 33 is SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege).
-
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 2292 wrote to memory of 1436 | 2292 | New Client.exe | 30
The same row is reported four times. The only write target is the child Client.exe (PID 1436) that New Client.exe itself spawned; no other process is written to.
Processes
-
C:\Users\Admin\AppData\Local\Temp\New Client.exe (PID 2292)
command line: "C:\Users\Admin\AppData\Local\Temp\New Client.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
    C:\Users\Admin\Client.exe (PID 1436, child of PID 2292)
    command line: "C:\Users\Admin\Client.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 65KB
MD5: 286eec8031073675f717eedd89f0aec2
SHA1: 60949f13b977bee5535cf4f730b498c7046294d1
SHA256: 742a164e003c21a29bfccdfa1145a8c842acef13534452052599cac7689b1327
SHA512: 1f8f7ef10395958012b8410715a7c3f415920f882c790bfe3c778a9b7009be0622015ad30fa3190a321d4c963da6e8cf7f3373c27cf26b40d03fe3a4b843de66
These hashes are identical to the submitted sample's (General section above), consistent with the dropped C:\Users\Admin\Client.exe being an unmodified copy of New Client.exe; one hash-based IoC covers both files.