Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 1800s
- max time network: 1802s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 29/07/2024, 11:25
Behavioral task: behavioral1
- Sample: New Client.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: New Client.exe
- Resource: win10-20240404-en
General
- Target: New Client.exe
- Size: 65KB
- MD5: 286eec8031073675f717eedd89f0aec2
- SHA1: 60949f13b977bee5535cf4f730b498c7046294d1
- SHA256: 742a164e003c21a29bfccdfa1145a8c842acef13534452052599cac7689b1327
- SHA512: 1f8f7ef10395958012b8410715a7c3f415920f882c790bfe3c778a9b7009be0622015ad30fa3190a321d4c963da6e8cf7f3373c27cf26b40d03fe3a4b843de66
- SSDEEP: 1536:W9awkWoN36tlQviFw1YARlBnvbKfLteF3nLrB9z3nCaF9beS9vM:W9awkWoN36tlQviFCrnBn+fWl9zSaF9y
Malware Config
Extracted
- njrat
- Platinum
- долбаеб
- 127.0.0.1:37615
- Client.exe
- reg_key: Client.exe
- splitter: |Ghost|
Signatures
- Drops startup file (3 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | Client.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | Client.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url | Client.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  32 | Client.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\Client.exe\" .." | Client.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\Client.exe\" .." | Client.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | New Client.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Client.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  32 | Client.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 32 | Client.exe
  Token: 33 | 32 | Client.exe
  Token: SeIncBasePriorityPrivilege | 32 | Client.exe
  (the last two rows alternate for the remaining IoCs, all for PID 32 Client.exe)
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 1124 wrote to memory of 32 | 1124 | New Client.exe | 75
  PID 1124 wrote to memory of 32 | 1124 | New Client.exe | 75
  PID 1124 wrote to memory of 32 | 1124 | New Client.exe | 75
Processes
- C:\Users\Admin\AppData\Local\Temp\New Client.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\New Client.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1124
  - C:\Users\Admin\Client.exe (child of PID 1124)
    Command line: "C:\Users\Admin\Client.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID: 32
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 65KB
  MD5: 286eec8031073675f717eedd89f0aec2
  SHA1: 60949f13b977bee5535cf4f730b498c7046294d1
  SHA256: 742a164e003c21a29bfccdfa1145a8c842acef13534452052599cac7689b1327
  SHA512: 1f8f7ef10395958012b8410715a7c3f415920f882c790bfe3c778a9b7009be0622015ad30fa3190a321d4c963da6e8cf7f3373c27cf26b40d03fe3a4b843de66