Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
27/11/2024, 07:14
Static task
static1
Behavioral task
behavioral1
Sample
37f025645ccb6d101c7110e06d8cc2332cd0ed72188be80fadc5efb7963b356b.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
37f025645ccb6d101c7110e06d8cc2332cd0ed72188be80fadc5efb7963b356b.exe
Resource
win10v2004-20241007-en
General
-
Target
37f025645ccb6d101c7110e06d8cc2332cd0ed72188be80fadc5efb7963b356b.exe
-
Size
863KB
-
MD5
cf620f72719d99e50a6a709fd6518f5c
-
SHA1
fc4263088c1a08d73cc4ff2f50b7d4e0637f42b5
-
SHA256
37f025645ccb6d101c7110e06d8cc2332cd0ed72188be80fadc5efb7963b356b
-
SHA512
2114b8976f4338a002be4ccb4ca2bb3c9e72b474af2f781c5a5b47908135680f47a0735e301dd9cb46da4046645d6e2fbef1fd7e03c123be12f9e8a99f677f03
-
SSDEEP
12288:q4lsXvtCcmVVXzzn4PJAahPl/QEdIMiVbHydEIJnJWUgav7o6Fq9MmCSm:q4lavt0LkLL9IMixoEgeajBFq9MmCSm
Malware Config
Extracted
njrat
0.7d
HacKed
10.10.10.10:5552
0dc24807523d3cd24b54cd0996e4c49b
-
reg_key
0dc24807523d3cd24b54cd0996e4c49b
-
splitter
|'|'|
Signatures
-
Njrat family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 37f025645ccb6d101c7110e06d8cc2332cd0ed72188be80fadc5efb7963b356b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 37f025645ccb6d101c7110e06d8cc2332cd0ed72188be80fadc5efb7963b356b.exe -
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2848 netsh.exe -
Executes dropped EXE 2 IoCs
pid Process 2532 7069.exe 2500 server.exe -
Loads dropped DLL 4 IoCs
pid Process 2536 37f025645ccb6d101c7110e06d8cc2332cd0ed72188be80fadc5efb7963b356b.exe 2536 37f025645ccb6d101c7110e06d8cc2332cd0ed72188be80fadc5efb7963b356b.exe 2536 37f025645ccb6d101c7110e06d8cc2332cd0ed72188be80fadc5efb7963b356b.exe 2532 7069.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\0dc24807523d3cd24b54cd0996e4c49b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\0dc24807523d3cd24b54cd0996e4c49b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 37f025645ccb6d101c7110e06d8cc2332cd0ed72188be80fadc5efb7963b356b.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 37f025645ccb6d101c7110e06d8cc2332cd0ed72188be80fadc5efb7963b356b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7069.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
Suspicious use of AdjustPrivilegeToken 27 IoCs
description pid Process Token: SeDebugPrivilege 2500 server.exe Token: 33 2500 server.exe Token: SeIncBasePriorityPrivilege 2500 server.exe Token: 33 2500 server.exe Token: SeIncBasePriorityPrivilege 2500 server.exe Token: 33 2500 server.exe Token: SeIncBasePriorityPrivilege 2500 server.exe Token: 33 2500 server.exe Token: SeIncBasePriorityPrivilege 2500 server.exe Token: 33 2500 server.exe Token: SeIncBasePriorityPrivilege 2500 server.exe Token: 33 2500 server.exe Token: SeIncBasePriorityPrivilege 2500 server.exe Token: 33 2500 server.exe Token: SeIncBasePriorityPrivilege 2500 server.exe Token: 33 2500 server.exe Token: SeIncBasePriorityPrivilege 2500 server.exe Token: 33 2500 server.exe Token: SeIncBasePriorityPrivilege 2500 server.exe Token: 33 2500 server.exe Token: SeIncBasePriorityPrivilege 2500 server.exe Token: 33 2500 server.exe Token: SeIncBasePriorityPrivilege 2500 server.exe Token: 33 2500 server.exe Token: SeIncBasePriorityPrivilege 2500 server.exe Token: 33 2500 server.exe Token: SeIncBasePriorityPrivilege 2500 server.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2536 wrote to memory of 2532 2536 37f025645ccb6d101c7110e06d8cc2332cd0ed72188be80fadc5efb7963b356b.exe 30 PID 2536 wrote to memory of 2532 2536 37f025645ccb6d101c7110e06d8cc2332cd0ed72188be80fadc5efb7963b356b.exe 30 PID 2536 wrote to memory of 2532 2536 37f025645ccb6d101c7110e06d8cc2332cd0ed72188be80fadc5efb7963b356b.exe 30 PID 2536 wrote to memory of 2532 2536 37f025645ccb6d101c7110e06d8cc2332cd0ed72188be80fadc5efb7963b356b.exe 30 PID 2532 wrote to memory of 2500 2532 7069.exe 31 PID 2532 wrote to memory of 2500 2532 7069.exe 31 PID 2532 wrote to memory of 2500 2532 7069.exe 31 PID 2532 wrote to memory of 2500 2532 7069.exe 31 PID 2500 wrote to memory of 2848 2500 server.exe 33 PID 2500 wrote to memory of 2848 2500 server.exe 33 PID 2500 wrote to memory of 2848 2500 server.exe 33 PID 2500 wrote to memory of 2848 2500 server.exe 33 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 37f025645ccb6d101c7110e06d8cc2332cd0ed72188be80fadc5efb7963b356b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 37f025645ccb6d101c7110e06d8cc2332cd0ed72188be80fadc5efb7963b356b.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 37f025645ccb6d101c7110e06d8cc2332cd0ed72188be80fadc5efb7963b356b.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\37f025645ccb6d101c7110e06d8cc2332cd0ed72188be80fadc5efb7963b356b.exe"C:\Users\Admin\AppData\Local\Temp\37f025645ccb6d101c7110e06d8cc2332cd0ed72188be80fadc5efb7963b356b.exe"1⤵
- UAC bypass
- Loads dropped DLL
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2536 -
C:\Users\Admin\AppData\Local\Temp\7069\7069.exe"C:\Users\Admin\AppData\Local\Temp\7069\7069.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2848
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23KB
MD587ecb116057477202650a2a1527a19db
SHA19b73ea528f3020eba4ebdc1a6d03ca62b9ba70e2
SHA25694626eea10b73145b62654f4dcd1c2157137bf3a3abbbb666167f480e516976c
SHA5122775e891a5f7cbab7d7f2847f424514ceebd1b3d6e0ae939db379bddc9eaec4cb207455c126646164951fed43585b93ae31b9a6957721255a7c413254ce11193