Analysis
- max time kernel: 115s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 10/09/2024, 22:22
Static task: static1
Behavioral task: behavioral1
- Sample: d0e8c16e6646f3eaaf78d273139f2df0N.exe
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: d0e8c16e6646f3eaaf78d273139f2df0N.exe
- Resource: win10v2004-20240802-en
General
- Target: d0e8c16e6646f3eaaf78d273139f2df0N.exe
- Size: 116KB
- MD5: d0e8c16e6646f3eaaf78d273139f2df0
- SHA1: 6e6758b239b8cab23e04d208c0d3702cfb7c8b9b
- SHA256: 40c7945ff7ba7aad8001b48f637996eb473dab74d825e87f7c4494a162af2254
- SHA512: a620c5c3df8351dba88308d3334ea43808566dcdfc45327655ef68cbccb61de5198727db56a41badd97d06b5c6b38c82b3ff85f4e88f301634f81009b84709b0
- SSDEEP: 1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDIR:P5eznsjsguGDFqGZ2rDIR
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- neuf
- C2: doddyfire.linkpc.net:10000
- e1a87040f2026369a233f9ae76301b7b
- reg_key: e1a87040f2026369a233f9ae76301b7b
- splitter: |'|'|
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid 2544: netsh.exe
- Executes dropped EXE (2 IoCs)
  pid 324: chargeable.exe
  pid 2868: chargeable.exe
- Loads dropped DLL (2 IoCs)
  pid 2188: d0e8c16e6646f3eaaf78d273139f2df0N.exe
  pid 2188: d0e8c16e6646f3eaaf78d273139f2df0N.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" (process: d0e8c16e6646f3eaaf78d273139f2df0N.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d0e8c16e6646f3eaaf78d273139f2df0N.exe" (process: d0e8c16e6646f3eaaf78d273139f2df0N.exe)
- Suspicious use of SetThreadContext (1 IoC)
  PID 324 set thread context of 2868 (process: chargeable.exe, procid_target: 31)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Key opened: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh (process: netsh.exe)
  Key queried: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh (process: netsh.exe)
  Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh (process: netsh.exe)
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: netsh.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: d0e8c16e6646f3eaaf78d273139f2df0N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: chargeable.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: chargeable.exe)
- Suspicious use of AdjustPrivilegeToken (25 IoCs)
  pid 2868 (chargeable.exe): Token: SeDebugPrivilege
  pid 2868 (chargeable.exe): Token: 33 followed by Token: SeIncBasePriorityPrivilege, the pair repeated 12 times (24 IoCs)
- Suspicious use of WriteProcessMemory (17 IoCs)
  PID 2188 wrote to memory of 324 (process: d0e8c16e6646f3eaaf78d273139f2df0N.exe, procid_target: 30), 4 times
  PID 324 wrote to memory of 2868 (process: chargeable.exe, procid_target: 31), 9 times
  PID 2868 wrote to memory of 2544 (process: chargeable.exe, procid_target: 32), 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\d0e8c16e6646f3eaaf78d273139f2df0N.exe (PID 2188, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d0e8c16e6646f3eaaf78d273139f2df0N.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (PID 324, level 2)
    Command line: "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (PID 2868, level 3)
      Command line: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\netsh.exe (PID 2544, level 4)
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (1)
Downloads
- Filesize: 1KB
  MD5: 732cfeb76b91c4d13978a00b8c666ed7
  SHA1: 0c57f76436701f4d51397d1d4e86337dd9ab1964
  SHA256: 9fab9fc0a1da813e6ddb93904c1fcfa6546cfbe70747ff8468ddd14d2552dbd2
  SHA512: 2b8618e823355a4fa646d51a753f67d34bd7b14367d46fa187f2294af7c2794c6cdee664ea570862757a5f1c99dfcb67a7d4ddf8389d07dd8d696fe55aa538bd
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: e6a1577846952c5ed5ccbc115c36024f
  SHA1: f79fbc5a2e0cbf742da0268e04e3fb69d46903b7
  SHA256: 31f7ab29d25278075804e0fac9029a90d008317a4ace90dafca83ecd60b23ab5
  SHA512: 53413dd48a7cd086f6fa11b38b68b5e84cc1f2586f4e66a41814c04a2fb6296a9d1a6344aa2f62f55b986a53dea4a54c2a0e9f1e7c89d0c19a64eef67b3a35f6
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: c8feb5f8d0a3a1743ab3e92a83f5fd8a
  SHA1: b3370d95c33077ed8d7e46236c71385d2a7e40c9
  SHA256: 9b1754e153775be3eb096814d42b8f8ebaba8ae14c85af7782738f08d500f870
  SHA512: 598978e3f9d286ba61dca12414bcfd3626707c3538cd5f905a993b8bdd2d10f73c8404754fb3e31f5939cc9bb6f4d5c9b255a479c61607a8b61f0bfba172f54b
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 39c9ba379f65dc104c9c620105fa09bb
  SHA1: 8fb9a1ca8705f064713a8d55cf3443d9d2fd554d
  SHA256: b5fae5c882c3a97631bc5d52b9744dcfcbb89ff56f0c0a3f9cf4343bde0b8b52
  SHA512: e037a7a5459a9a652fe8bb355628b05b15aabea9c58355b8923b294effd4fa2365d283f109f1df32d70377d6cba1abd09e9773f9590ff2cf1a1425a0596d2ad8
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956
  Filesize: 252B
  MD5: b02b2c1864c44772bda3b8c8c8de4e55
  SHA1: 40eb349da609dc9accd4e2aa5a53787c720b50de
  SHA256: 73ccdf14e5d6a9e2988f692f333f2e7a10be574ac2f526b9cf3de097a362aa87
  SHA512: c8fade8f78c07125395304282d890de3806cb0b595dcad6fdf94b88ab42e09c7fc35004a69305f580fbd101e7fffe31789759b007050f5e48fb151a700295a4c
- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
- Filesize: 116KB
  MD5: 056c286d15cba6daf31ea3df3d2f9d8d
  SHA1: dccfec60fea93851bec8a43b9cf436a0cc97d852
  SHA256: 46f0b0886e3a648e32355270f7816054fb90acad4c38be31b2facf2a8d5c0a44
  SHA512: 20ec8f081bfbd84b670695be102d37ff5416dc8cb58a444aabb744e89e14223e709408e0deb9f6de4d2e70f8b7b17f651e4bc8d13bb393075683827651671174