Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
31/12/2024, 14:14
Static task
static1
Behavioral task
behavioral1
Sample
d90fa1d7642354da268e0eadb417be46626fbe74e68364aa0a80a1ba08f017d5.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
d90fa1d7642354da268e0eadb417be46626fbe74e68364aa0a80a1ba08f017d5.exe
Resource
win10v2004-20241007-en
General
-
Target
d90fa1d7642354da268e0eadb417be46626fbe74e68364aa0a80a1ba08f017d5.exe
-
Size
3.2MB
-
MD5
ee6463bd6ab5a0299ce45091cc84f703
-
SHA1
4ba4d91c7db4d895f3cfbb684140a0463a472a5d
-
SHA256
d90fa1d7642354da268e0eadb417be46626fbe74e68364aa0a80a1ba08f017d5
-
SHA512
a440ee567a831193ce0e8001d08cdd5b46b6d94a19b64f7ceb7cb0037ccb99d3c5390d79686f9557800ab73789df4a2c75b72349b799de541c94ab27f6b53a5e
-
SSDEEP
98304:ZtiwNlunVqirIBmG9Li2JWrV2yM0SlNevauUaO/tCI4:Zt9unlrIBT9LVJoV2yM0SlNevwCV
Malware Config
Extracted
njrat
0.7d
Owned
hakim32.ddns.net:2000
167.71.56.116:22342
24983f03fb74576bbc5af6aa1085b23d
-
reg_key
24983f03fb74576bbc5af6aa1085b23d
-
splitter
|'|'|
Extracted
quasar
1.4.1
Axotrojan
eu-central-7075.packetriot.net:22342
167.71.56.116:22342
34892381-1dda-4b06-87a2-3e413b932ac8
-
encryption_key
4B13DC71783277444E966E1D66F9171ABFC15E88
-
install_name
Clientformyslut.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Axo startup
-
subdirectory
SubDir
Signatures
-
Njrat family
-
Quasar family
-
Quasar payload 3 IoCs
resource yara_rule behavioral1/files/0x000800000001686c-12.dat family_quasar behavioral1/memory/1312-19-0x0000000000070000-0x0000000000394000-memory.dmp family_quasar behavioral1/memory/2736-37-0x0000000000AA0000-0x0000000000DC4000-memory.dmp family_quasar -
Modifies Windows Firewall 2 TTPs 3 IoCs
pid Process 2668 netsh.exe 1296 netsh.exe 1144 netsh.exe -
Drops startup file 6 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\24983f03fb74576bbc5af6aa1085b23dWindows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\24983f03fb74576bbc5af6aa1085b23dWindows Update.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe server.exe -
Executes dropped EXE 4 IoCs
pid Process 1708 pkriot3.exe 1312 pkriot1.exe 2340 server.exe 2736 Clientformyslut.exe -
Loads dropped DLL 5 IoCs
pid Process 2408 d90fa1d7642354da268e0eadb417be46626fbe74e68364aa0a80a1ba08f017d5.exe 2408 d90fa1d7642354da268e0eadb417be46626fbe74e68364aa0a80a1ba08f017d5.exe 2408 d90fa1d7642354da268e0eadb417be46626fbe74e68364aa0a80a1ba08f017d5.exe 1708 pkriot3.exe 1708 pkriot3.exe -
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Drops file in System32 directory 4 IoCs
description ioc Process File created C:\Windows\system32\SubDir\Clientformyslut.exe pkriot1.exe File opened for modification C:\Windows\system32\SubDir\Clientformyslut.exe pkriot1.exe File created C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pkriot3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d90fa1d7642354da268e0eadb417be46626fbe74e68364aa0a80a1ba08f017d5.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2192 schtasks.exe 2520 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2128 powershell.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe 2340 server.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2340 server.exe -
Suspicious use of AdjustPrivilegeToken 32 IoCs
description pid Process Token: SeDebugPrivilege 2128 powershell.exe Token: SeDebugPrivilege 1312 pkriot1.exe Token: SeDebugPrivilege 2736 Clientformyslut.exe Token: SeDebugPrivilege 2340 server.exe Token: 33 2340 server.exe Token: SeIncBasePriorityPrivilege 2340 server.exe Token: 33 2340 server.exe Token: SeIncBasePriorityPrivilege 2340 server.exe Token: 33 2340 server.exe Token: SeIncBasePriorityPrivilege 2340 server.exe Token: 33 2340 server.exe Token: SeIncBasePriorityPrivilege 2340 server.exe Token: 33 2340 server.exe Token: SeIncBasePriorityPrivilege 2340 server.exe Token: 33 2340 server.exe Token: SeIncBasePriorityPrivilege 2340 server.exe Token: 33 2340 server.exe Token: SeIncBasePriorityPrivilege 2340 server.exe Token: 33 2340 server.exe Token: SeIncBasePriorityPrivilege 2340 server.exe Token: 33 2340 server.exe Token: SeIncBasePriorityPrivilege 2340 server.exe Token: 33 2340 server.exe Token: SeIncBasePriorityPrivilege 2340 server.exe Token: 33 2340 server.exe Token: SeIncBasePriorityPrivilege 2340 server.exe Token: 33 2340 server.exe Token: SeIncBasePriorityPrivilege 2340 server.exe Token: 33 2340 server.exe Token: SeIncBasePriorityPrivilege 2340 server.exe Token: 33 2340 server.exe Token: SeIncBasePriorityPrivilege 2340 server.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2736 Clientformyslut.exe -
Suspicious use of WriteProcessMemory 37 IoCs
description pid Process procid_target PID 2408 wrote to memory of 2128 2408 d90fa1d7642354da268e0eadb417be46626fbe74e68364aa0a80a1ba08f017d5.exe 28 PID 2408 wrote to memory of 2128 2408 d90fa1d7642354da268e0eadb417be46626fbe74e68364aa0a80a1ba08f017d5.exe 28 PID 2408 wrote to memory of 2128 2408 d90fa1d7642354da268e0eadb417be46626fbe74e68364aa0a80a1ba08f017d5.exe 28 PID 2408 wrote to memory of 2128 2408 d90fa1d7642354da268e0eadb417be46626fbe74e68364aa0a80a1ba08f017d5.exe 28 PID 2408 wrote to memory of 1708 2408 d90fa1d7642354da268e0eadb417be46626fbe74e68364aa0a80a1ba08f017d5.exe 30 PID 2408 wrote to memory of 1708 2408 d90fa1d7642354da268e0eadb417be46626fbe74e68364aa0a80a1ba08f017d5.exe 30 PID 2408 wrote to memory of 1708 2408 d90fa1d7642354da268e0eadb417be46626fbe74e68364aa0a80a1ba08f017d5.exe 30 PID 2408 wrote to memory of 1708 2408 d90fa1d7642354da268e0eadb417be46626fbe74e68364aa0a80a1ba08f017d5.exe 30 PID 2408 wrote to memory of 1312 2408 d90fa1d7642354da268e0eadb417be46626fbe74e68364aa0a80a1ba08f017d5.exe 31 PID 2408 wrote to memory of 1312 2408 d90fa1d7642354da268e0eadb417be46626fbe74e68364aa0a80a1ba08f017d5.exe 31 PID 2408 wrote to memory of 1312 2408 d90fa1d7642354da268e0eadb417be46626fbe74e68364aa0a80a1ba08f017d5.exe 31 PID 2408 wrote to memory of 1312 2408 d90fa1d7642354da268e0eadb417be46626fbe74e68364aa0a80a1ba08f017d5.exe 31 PID 1312 wrote to memory of 2192 1312 pkriot1.exe 32 PID 1312 wrote to memory of 2192 1312 pkriot1.exe 32 PID 1312 wrote to memory of 2192 1312 pkriot1.exe 32 PID 1708 wrote to memory of 2340 1708 pkriot3.exe 34 PID 1708 wrote to memory of 2340 1708 pkriot3.exe 34 PID 1708 wrote to memory of 2340 1708 pkriot3.exe 34 PID 1708 wrote to memory of 2340 1708 pkriot3.exe 34 PID 1312 wrote to memory of 2736 1312 pkriot1.exe 35 PID 1312 wrote to memory of 2736 1312 pkriot1.exe 35 PID 1312 wrote to memory of 2736 1312 pkriot1.exe 35 PID 2736 wrote to memory of 2520 2736 Clientformyslut.exe 36 PID 2736 wrote to memory of 2520 2736 Clientformyslut.exe 36 PID 2736 wrote to memory of 2520 2736 Clientformyslut.exe 36 PID 2340 wrote to memory of 2668 2340 server.exe 38 PID 2340 wrote to memory of 2668 2340 server.exe 38 PID 2340 wrote to memory of 2668 2340 server.exe 38 PID 2340 wrote to memory of 2668 2340 server.exe 38 PID 2340 wrote to memory of 1296 2340 server.exe 40 PID 2340 wrote to memory of 1296 2340 server.exe 40 PID 2340 wrote to memory of 1296 2340 server.exe 40 PID 2340 wrote to memory of 1296 2340 server.exe 40 PID 2340 wrote to memory of 1144 2340 server.exe 42 PID 2340 wrote to memory of 1144 2340 server.exe 42 PID 2340 wrote to memory of 1144 2340 server.exe 42 PID 2340 wrote to memory of 1144 2340 server.exe 42 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d90fa1d7642354da268e0eadb417be46626fbe74e68364aa0a80a1ba08f017d5.exe"C:\Users\Admin\AppData\Local\Temp\d90fa1d7642354da268e0eadb417be46626fbe74e68364aa0a80a1ba08f017d5.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AdgBlACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAegBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AcABiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAcQB1ACMAPgA="2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2128
-
-
C:\Users\Admin\AppData\Local\Temp\pkriot3.exe"C:\Users\Admin\AppData\Local\Temp\pkriot3.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2668
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1296
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1144
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\pkriot1.exe"C:\Users\Admin\AppData\Local\Temp\pkriot1.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Axo startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Clientformyslut.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
PID:2192
-
-
C:\Windows\system32\SubDir\Clientformyslut.exe"C:\Windows\system32\SubDir\Clientformyslut.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Axo startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Clientformyslut.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
PID:2520
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Obfuscated Files or Information
1Command Obfuscation
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
93KB
MD555e2016fcb659bdf0f46a24ef2876609
SHA15afb69f26ddf1884372643a2b00d16a481fc7c26
SHA2563825fe6fd9e8754b3d4a374b8c73884647c6898d5e1220a0fe89b1a3dc8e35c4
SHA5124de0fb035b904bd2557d48aacfea53346748e0dbda86b710ee86796c374c37fd35e50f4d8b05cd1c058f95665894629f8848f4bce45378c00ced771baaea3e46
-
Filesize
5B
MD5850ad04adc35f6ec7809f0f70de8300c
SHA106387beffabdf4ea012664a1d2693862a5e5a181
SHA25659f6eeca3c022531b409b0dc1ea7c1d244ecc7af5b67a5600470b59cdbc04abe
SHA512fca8d80dcdc3a14a04e5ae665dfae9c7b915d4b52b6a24b271d4ad67d9c72c2485815dcb097721d952458857eda8c0edac23f997486a3a1936693b1a5bb35532
-
Filesize
3.1MB
MD59a3043abedc95a0a1c5d4fdb50e62d34
SHA12f432259c81f112905e24016191a1186e4fbdc88
SHA25618df830ce713c45edf04f76b23da7e5f1c57bcacd26b075ed94904da6bf94f74
SHA512fb7f692b1b035d732a175b40760baacc6f7ccfa88ca26da0f74eda2fb542a9e10c47c1309b60caf7169cb7a9035e8e2083ed5e5c2bc4292c9ef5e1c85ecf7c1c