Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 149s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 03/12/2024, 19:05
Behavioral task behavioral1
- Sample: Payload.exe
- Resource: win7-20240903-en
- 7 signatures, 150 seconds
Behavioral task behavioral2
- Sample: Payload.exe
- Resource: win10v2004-20241007-en
- 22 signatures, 150 seconds
General
- Target: Payload.exe
- Size: 55KB
- MD5: 843cc097164266c5c152f19a41fc5be9
- SHA1: 21cda33595dff7a078f2a9c57ddeebc798cb18a3
- SHA256: 3a769894ceb07a4c0e334562acc0d1c3e1523afee2b74bb8f0e794099889b379
- SHA512: 0130baf712d324b65fd60ca83a6e9931ff13c1a520cc40e77ac7222da3939cd258e314a06f8294a85c6f9c693ed79231649752bf1abf8d1e5db14e39632ed915
- SSDEEP: 1536:BWoADn8fLNG/SbrKDD3wsNMDbXExI3pm4Nm:zADncsqbeDD3wsNMDbXExI3pm
Malware Config
Signatures
- Njrat family
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: Payload.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid 2560, Process taskmgr.exe (same entry repeated 14 times)
- Suspicious use of AdjustPrivilegeToken (38 IoCs)
  Token: SeDebugPrivilege | pid 2460 | Process Payload.exe (1 time)
  Token: 33, then Token: SeIncBasePriorityPrivilege | pid 2460 | Process Payload.exe (pair repeated 8 times)
  Token: SeDebugPrivilege | pid 2560 | Process taskmgr.exe (1 time)
  Token: 33, then Token: SeIncBasePriorityPrivilege | pid 2460 | Process Payload.exe (pair repeated 10 times)
  Totals: Token 33 x18 and SeIncBasePriorityPrivilege x18 for Payload.exe (2460); SeDebugPrivilege x1 for Payload.exe (2460); SeDebugPrivilege x1 for taskmgr.exe (2560)
- Suspicious use of FindShellTrayWindow (41 IoCs)
  pid 2560, Process taskmgr.exe (same entry repeated 41 times)
- Suspicious use of SendNotifyMessage (40 IoCs)
  pid 2560, Process taskmgr.exe (same entry repeated 40 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\Payload.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2560