Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
16/01/2025, 16:24
Static task
static1
Behavioral task
behavioral1
Sample
6bff62f418c98855248ac7e0c87bbd892a7ad17aa03676804196daf31dd04f6d.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
6bff62f418c98855248ac7e0c87bbd892a7ad17aa03676804196daf31dd04f6d.exe
Resource
win10v2004-20241007-en
General
-
Target
6bff62f418c98855248ac7e0c87bbd892a7ad17aa03676804196daf31dd04f6d.exe
-
Size
30KB
-
MD5
19de48e4e81f875006c35199f29f0f11
-
SHA1
9c49296219e43eb7ee1cbe278b3eb57939b15b59
-
SHA256
6bff62f418c98855248ac7e0c87bbd892a7ad17aa03676804196daf31dd04f6d
-
SHA512
57555951d496e1e8fbd9e6ae0f7b76630a2d61d665ce19da1a89c330d4cc3fea7bbd9f91f88e38eb93e62a6b11f221844873f6d0af751f940fff9aecad487a7b
-
SSDEEP
768:ZWN1SPXImFO2n8dPiXVBTX6Cjs2x3i7jMCP8/qg/vE1M:ZW7jmFZ8dPkfTK5286/qg/v2M
Malware Config
Extracted
njrat
0.7d
HacKed
meroelbob213.ddns.net:1177
200f5d46ed258f031642c1880205412e
-
reg_key
200f5d46ed258f031642c1880205412e
-
splitter
|'|'|
Signatures
-
Njrat family
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2800 netsh.exe -
Executes dropped EXE 1 IoCs
pid Process 2404 server.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\200f5d46ed258f031642c1880205412e = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .." server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\200f5d46ed258f031642c1880205412e = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .." server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
Suspicious use of AdjustPrivilegeToken 27 IoCs
description pid Process Token: SeDebugPrivilege 2404 server.exe Token: 33 2404 server.exe Token: SeIncBasePriorityPrivilege 2404 server.exe Token: 33 2404 server.exe Token: SeIncBasePriorityPrivilege 2404 server.exe Token: 33 2404 server.exe Token: SeIncBasePriorityPrivilege 2404 server.exe Token: 33 2404 server.exe Token: SeIncBasePriorityPrivilege 2404 server.exe Token: 33 2404 server.exe Token: SeIncBasePriorityPrivilege 2404 server.exe Token: 33 2404 server.exe Token: SeIncBasePriorityPrivilege 2404 server.exe Token: 33 2404 server.exe Token: SeIncBasePriorityPrivilege 2404 server.exe Token: 33 2404 server.exe Token: SeIncBasePriorityPrivilege 2404 server.exe Token: 33 2404 server.exe Token: SeIncBasePriorityPrivilege 2404 server.exe Token: 33 2404 server.exe Token: SeIncBasePriorityPrivilege 2404 server.exe Token: 33 2404 server.exe Token: SeIncBasePriorityPrivilege 2404 server.exe Token: 33 2404 server.exe Token: SeIncBasePriorityPrivilege 2404 server.exe Token: 33 2404 server.exe Token: SeIncBasePriorityPrivilege 2404 server.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2244 wrote to memory of 2404 2244 6bff62f418c98855248ac7e0c87bbd892a7ad17aa03676804196daf31dd04f6d.exe 31 PID 2244 wrote to memory of 2404 2244 6bff62f418c98855248ac7e0c87bbd892a7ad17aa03676804196daf31dd04f6d.exe 31 PID 2244 wrote to memory of 2404 2244 6bff62f418c98855248ac7e0c87bbd892a7ad17aa03676804196daf31dd04f6d.exe 31 PID 2404 wrote to memory of 2800 2404 server.exe 32 PID 2404 wrote to memory of 2800 2404 server.exe 32 PID 2404 wrote to memory of 2800 2404 server.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\6bff62f418c98855248ac7e0c87bbd892a7ad17aa03676804196daf31dd04f6d.exe"C:\Users\Admin\AppData\Local\Temp\6bff62f418c98855248ac7e0c87bbd892a7ad17aa03676804196daf31dd04f6d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Users\Admin\AppData\Roaming\server.exe"C:\Users\Admin\AppData\Roaming\server.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\system32\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2800
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
30KB
MD519de48e4e81f875006c35199f29f0f11
SHA19c49296219e43eb7ee1cbe278b3eb57939b15b59
SHA2566bff62f418c98855248ac7e0c87bbd892a7ad17aa03676804196daf31dd04f6d
SHA51257555951d496e1e8fbd9e6ae0f7b76630a2d61d665ce19da1a89c330d4cc3fea7bbd9f91f88e38eb93e62a6b11f221844873f6d0af751f940fff9aecad487a7b