Analysis
- max time kernel: 150s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/09/2024, 02:27
Tasks
- static1: static task
- behavioral1: Sample: B3RAP Leecher v0.5/B3RAP Leecher.exe; Resource: win7-20240903-en
- behavioral2: Sample: B3RAP Leecher v0.5/B3RAP Leecher.exe; Resource: win10v2004-20240802-en
- behavioral3: Sample: B3RAP Leecher v0.5/Leaf.xNet.dll; Resource: win7-20240903-en
- behavioral4: Sample: B3RAP Leecher v0.5/Leaf.xNet.dll; Resource: win10v2004-20240802-en
- behavioral5: Sample: NETFLIX Checker Account By X-KILLER/._cache_NETFLIX Checker Account By X-KILLER.exe; Resource: win7-20240708-en
- behavioral6: Sample: NETFLIX Checker Account By X-KILLER/._cache_NETFLIX Checker Account By X-KILLER.exe; Resource: win10v2004-20240802-en
- behavioral7: Sample: NETFLIX Checker Account By X-KILLER/NETFLIX Checker Account By X-KILLER.exe; Resource: win7-20240903-en
- behavioral8: Sample: NETFLIX Checker Account By X-KILLER/NETFLIX Checker Account By X-KILLER.exe; Resource: win10v2004-20240802-en
- behavioral9: Sample: NETFLIX Checker Account By X-KILLER/SkinSoft.VisualStyler.dll; Resource: win7-20240903-en
- behavioral10: Sample: NETFLIX Checker Account By X-KILLER/SkinSoft.VisualStyler.dll; Resource: win10v2004-20240802-en
- behavioral11: Sample: NETFLIX Checker Account By X-KILLER/xNet.dll; Resource: win7-20240903-en
- behavioral12: Sample: NETFLIX Checker Account By X-KILLER/xNet.dll; Resource: win10v2004-20240802-en
- behavioral13: Sample: Proxy Checker v0.2/._cache_Proxy Checker v0.2 By X-SLAYER.exe; Resource: win7-20240704-en
- behavioral14: Sample: Proxy Checker v0.2/._cache_Proxy Checker v0.2 By X-SLAYER.exe; Resource: win10v2004-20240802-en
- behavioral15: Sample: Proxy Checker v0.2/Proxy Checker v0.2 By X-SLAYER.exe; Resource: win7-20240903-en
- behavioral16: Sample: Proxy Checker v0.2/Proxy Checker v0.2 By X-SLAYER.exe; Resource: win10v2004-20240802-en
- behavioral17: Sample: Proxy Checker v0.2/Proxy Checker v0.2 Crack.exe; Resource: win7-20240708-en
- behavioral18: Sample: Proxy Checker v0.2/Proxy Checker v0.2 Crack.exe; Resource: win10v2004-20240802-en
- behavioral19: Sample: Proxy Checker v0.2/SkinSoft.VisualStyler.dll; Resource: win7-20240903-en
- behavioral20: Sample: Proxy Checker v0.2/SkinSoft.VisualStyler.dll; Resource: win10v2004-20240802-en
- behavioral21: Sample: Proxy Checker v0.2/xNet.dll; Resource: win7-20240903-en
- behavioral22: Sample: Proxy Checker v0.2/xNet.dll; Resource: win10v2004-20240802-en
General
- Target: Proxy Checker v0.2/Proxy Checker v0.2 Crack.exe
- Size: 1.1MB
- MD5: c23fa9a76be0e91ae95ab347e68a8a17
- SHA1: 3e8fee7b1729113fa86d53e7eb7135b32d50da96
- SHA256: b0356479bb707ba0be06277723150e0401960783d21ab1a97fe76d6723546022
- SHA512: 6634aac9cb6abbe348fe5befeb1218ed0937713570190a2a1ea05da1b959a17f722eeff5d27d3464ba3f3cf19986d1364cb73b71de76997d99df82ebdb3512eb
- SSDEEP: 12288:lMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9eZLtL0ERDyKj:lnsJ39LyjbJkQFMhmC+6GD9ItwERDF
Malware Config
Extracted family: njrat
- version: 0.7 MultiHost
- campaign: HacKed
- C2: fgtgd33333.ddns.net:1177
- 8746d62c81bb0c573a0a1086f9955c7b
- reg_key: 8746d62c81bb0c573a0a1086f9955c7b
- splitter: |'|'|
Signatures

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation (process: Proxy Checker v0.2 Crack.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation (process: Synaptics.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation (process: ._cache_Proxy Checker v0.2 Crack.exe)

Drops startup file (1 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CCleaner.lnk (process: svchost.exe)

Executes dropped EXE (6 IoCs)
- PID 3076: ._cache_Proxy Checker v0.2 Crack.exe
- PID 1204: Synaptics.exe
- PID 1260: ._cache_Synaptics.exe
- PID 2908: svchost.exe
- PID 2772: svchost.exe
- PID 1512: svchost.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8746d62c81bb0c573a0a1086f9955c7b = "\"C:\\Users\\Public\\svchost.exe\" .." (process: svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" (process: Proxy Checker v0.2 Crack.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8746d62c81bb0c573a0a1086f9955c7b = "\"C:\\Users\\Public\\svchost.exe\" .." (process: svchost.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: Proxy Checker v0.2 Crack.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: Synaptics.exe)
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (process: EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: EXCEL.EXE)

Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (process: EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (process: EXCEL.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (process: EXCEL.EXE)

Modifies registry class (2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: Proxy Checker v0.2 Crack.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: Synaptics.exe)

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 4444: schtasks.exe

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
- PID 3540: EXCEL.EXE

Suspicious use of AdjustPrivilegeToken (25 IoCs)
All 25 entries are for PID 2908, svchost.exe:
- Token: SeDebugPrivilege (1 entry)
- Token: 33 and Token: SeIncBasePriorityPrivilege, alternating (12 entries each)

Suspicious use of SetWindowsHookEx (5 IoCs)
- PID 3540: EXCEL.EXE (5 entries)

Suspicious use of WriteProcessMemory (11 IoCs)
- PID 4344 wrote to memory of 3076: Proxy Checker v0.2 Crack.exe, procid_target 82 (2 entries)
- PID 4344 wrote to memory of 1204: Proxy Checker v0.2 Crack.exe, procid_target 83 (3 entries)
- PID 1204 wrote to memory of 1260: Synaptics.exe, procid_target 84 (2 entries)
- PID 3076 wrote to memory of 2908: ._cache_Proxy Checker v0.2 Crack.exe, procid_target 96 (2 entries)
- PID 2908 wrote to memory of 4444: svchost.exe, procid_target 99 (2 entries)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; indentation shows parent and child)
- C:\Users\Admin\AppData\Local\Temp\Proxy Checker v0.2\Proxy Checker v0.2 Crack.exe (PID 4344)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Proxy Checker v0.2\Proxy Checker v0.2 Crack.exe"
  Signatures: Checks computer location settings; Adds Run key to start application; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Proxy Checker v0.2\._cache_Proxy Checker v0.2 Crack.exe (PID 3076)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Proxy Checker v0.2\._cache_Proxy Checker v0.2 Crack.exe"
    Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Users\Public\svchost.exe (PID 2908)
      Command line: "C:\Users\Public\svchost.exe"
      Signatures: Drops startup file; Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SYSTEM32\schtasks.exe (PID 4444)
        Command line: schtasks /create /sc minute /mo 1 /tn Skype /tr "C:\Users\Public\svchost.exe
        Signatures: Scheduled Task/Job: Scheduled Task
  - C:\ProgramData\Synaptics\Synaptics.exe (PID 1204)
    Command line: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Proxy Checker v0.2\._cache_Synaptics.exe (PID 1260)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Proxy Checker v0.2\._cache_Synaptics.exe" InjUpdate
      Signatures: Executes dropped EXE
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 3540)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
  Signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx
- C:\Users\Public\svchost.exe (PID 2772)
  Command line: C:\Users\Public\svchost.exe
  Signatures: Executes dropped EXE
- C:\Users\Public\svchost.exe (PID 1512)
  Command line: C:\Users\Public\svchost.exe
  Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1): Scheduled Task (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1): Scheduled Task (1)
Downloads