Analysis
max time kernel: 10s
max time network: 11s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/12/2024, 13:20
Behavioral task: behavioral1
Sample: SharkHack.exe
Resource: win7-20241010-en
General
Target: SharkHack.exe
Size: 3.9MB
MD5: 1132637cde57bdbd23fd05694713fb94
SHA1: 1625fe2acadbc9c8a400c69e1ca7e8afd97b56eb
SHA256: 5cdc56dfe73c53516cb619f44147b0f8535ab68575a8071008ad59599d5c1cb6
SHA512: 65bd5fdb631b33964038b972d71a4d17fa8290b3a2052fd88097e66e7a3af6fa0a7f8e1cde0ebe5867c6b5e8e923f1f6143f6f9d2dc4a0770fb785238d1f130f
SSDEEP: 49152:SFnCO88whwjbAlR/6QhDEvebZVLRbjgQjzK5ppnrLn6XBSOvdsW:9hTbDzhfgQSp9LSBnvdsW
Malware Config
Signatures
Njrat family

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation
  process: SharkHack.exe

Executes dropped EXE (2 IoCs)
  pid 2028  SharkHack1.exe
  pid 3624  virus.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process: virus.exe
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process: TASKKILL.exe
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process: TASKKILL.exe
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process: SharkHack.exe
Kills process with taskkill (2 IoCs)
  pid 1356  TASKKILL.exe
  pid 2944  TASKKILL.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 3624  virus.exe  (64 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  pid 3624  virus.exe
  Token: SeDebugPrivilege  pid 1356  TASKKILL.exe
  Token: SeDebugPrivilege  pid 2944  TASKKILL.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  PID 4120 wrote to memory of 2028  process: SharkHack.exe  procid_target: 83  (2 entries)
  PID 4120 wrote to memory of 3624  process: SharkHack.exe  procid_target: 84  (3 entries)
  PID 3624 wrote to memory of 2944  process: virus.exe      procid_target: 85  (3 entries)
  PID 3624 wrote to memory of 1356  process: virus.exe      procid_target: 86  (3 entries)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\SharkHack.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\SharkHack.exe"
    PID: 4120
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\SharkHack1.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\SharkHack1.exe"
        PID: 2028
        - Executes dropped EXE
    [2] C:\Users\Admin\AppData\Local\Temp\virus.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\virus.exe"
        PID: 3624
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\TASKKILL.exe
            command line: TASKKILL /F /IM wscript.exe
            PID: 2944
            - System Location Discovery: System Language Discovery
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\SysWOW64\TASKKILL.exe
            command line: TASKKILL /F /IM cmd.exe
            PID: 1356
            - System Location Discovery: System Language Discovery
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Download 1
  Filesize: 3.8MB
  MD5: 7751bb858985d66226a941ace018c503
  SHA1: 362db42327e8d1816ad81d5a091cefca22369905
  SHA256: e657bb5a0896c58b62b928e59f68273182ee37105fb1068687dde462193e7fe4
  SHA512: 0bb79e1bf67853ef5138ede1d90080181432b77ba02577d186013524ad5b1fc269e0a796bc367706a309bb4217881312c94afaac6c7ce6b4013af18d438e0d87
Download 2
  Filesize: 65KB
  MD5: fc84d53be6875a39382eea9adb353c67
  SHA1: a96e17f51749b8fd32d913bf925e733149628c43
  SHA256: 7a65e04266f22e0d68e02c6b557d22ba08c3b89d64eb5296a91e2c45e72e4203
  SHA512: 2b63bf65d9aa0922a163c4aaf0d8751d366020661695a255d78b8988e55308f0f0eac75c1781f878ae57c10b1bb1eb42b18559a8c85a464effcfab14c65ac8b1