Analysis
- max time kernel: 117s
- max time network: 90s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 20/01/2025, 12:18
Static task: static1
Behavioral task: behavioral1
- Sample: 5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
- Resource: win10v2004-20241007-en
General
- Target: 5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
- Size: 56KB
- MD5: 62554290b10d37c8426531078482e7ff
- SHA1: 0fa75fd1a5f182de0d6ff56839c657184eeaeaff
- SHA256: 5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2
- SHA512: c51249f214984cd5da9af417906a13334dc28d264a08d02963975380fbb3f4b9b9f83fe992767ac0cd9574999a2f36542ed25ee38e193fa7b83cc6283d7ae1d3
- SSDEEP: 1536:XvvqylRHMH/Jtakr8KCxEhDYcEb08+D9V2vPscWu:fvVa+krSxuDIvi9+Psbu
Malware Config
Signatures
- Njrat family
- Command and Scripting Interpreter: PowerShell (1 TTP, 3 IoCs)
  Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid   Process
  2908  powershell.exe
  1376  powershell.exe
  1744  powershell.exe
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid   Process
  896   netsh.exe
- Executes dropped EXE (2 IoCs)
  pid   Process
  2656  5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
  2640  5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
- Loads dropped DLL (3 IoCs)
  pid   Process
  1972  taskeng.exe (logged three times)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  4     ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description     ioc                                         Process
  Key enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key opened      \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key queried     \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  1708  schtasks.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  2908  powershell.exe
  1376  powershell.exe
  1744  powershell.exe
- Suspicious use of AdjustPrivilegeToken (30 IoCs)
  Entries in the order logged; privilege 33 is recorded by LUID rather than by name.
  Token                             pid   Process
  SeDebugPrivilege                  2936  5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
  SeDebugPrivilege                  2908  powershell.exe
  SeDebugPrivilege                  1376  powershell.exe
  SeDebugPrivilege                  1744  powershell.exe
  33 / SeIncBasePriorityPrivilege   2936  5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe  (3 alternating pairs)
  SeDebugPrivilege                  2656  5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
  33 / SeIncBasePriorityPrivilege   2936  5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe  (8 alternating pairs)
  SeDebugPrivilege                  2640  5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
  33 / SeIncBasePriorityPrivilege   2936  5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe  (1 pair)
- Suspicious use of WriteProcessMemory (21 IoCs)
  Each parent-to-child write was logged three times.
  PID   Process                                                                   wrote to PID  procid_target  entries
  2936  5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe  2908          31             3
  2936  5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe  1376          33             3
  2936  5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe  1744          35             3
  2936  5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe  1708          37             3
  2936  5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe  896           39             3
  1972  taskeng.exe                                                               2656          42             3
  1972  taskeng.exe                                                               2640          43             3
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe (PID 2936)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2908)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1376)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1744)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\schtasks.exe (PID 1708)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2" /tr "C:\ProgramData\5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe"
    - Scheduled Task/Job: Scheduled Task
  - C:\Windows\system32\netsh.exe (PID 896)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe" "5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe" ENABLE
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
- C:\Windows\system32\taskeng.exe (PID 1972)
  Command line: taskeng.exe {AC922870-B78F-4345-A597-B299E787AC46} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\ProgramData\5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe (PID 2656)
    Command line: C:\ProgramData\5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\ProgramData\5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe (PID 2640)
    Command line: C:\ProgramData\5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
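The process tree above shows the whole chain hanging off one parent (PID 2936): three PowerShell Add-MpPreference exclusions for the sample's Temp and ProgramData paths and its process name, a schtasks task that relaunches the ProgramData copy every minute at the highest run level, and a netsh rule that allows the binary through the firewall. What follows is an added detection example, not code from Triage or from the report: it runs three narrow detectors over process-creation events and then groups hits by parent PID, so that the combination is surfaced as one chain rather than three separate alerts. The events are constructed from the command lines in the tree; the (pid, ppid, image, command_line) record shape is an assumption loosely modelled on Sysmon Event ID 1, and the parent PID 1000 and the benign NightlyBackup task are invented as a control.

```python
"""Correlate Defender-exclusion, firewall and scheduled-task activity under one parent."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Names and paths copied from the process tree above.
SAMPLE = "5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2.exe"
POWERSHELL = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SCHTASKS = "C:\\Windows\\System32\\schtasks.exe"
NETSH = "C:\\Windows\\system32\\netsh.exe"
SAMPLE_TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE
SAMPLE_PD = "C:\\ProgramData\\" + SAMPLE


@dataclass(frozen=True)
class ProcEvent:
    """Process-creation record; the shape is assumed (loosely Sysmon Event ID 1)."""
    pid: int
    ppid: int
    image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    pid: int
    ppid: int
    technique: str  # ATT&CK sub-technique ID
    detail: str


@dataclass
class Report:
    findings: List[Finding]
    chains: Dict[int, List[str]]  # parent PID -> distinct techniques seen among its children


# Constructed sample: the report's process tree as events. PPID 1000 and the benign
# NightlyBackup task (pid 4242) are assumptions added as a control, not report data.
EVENTS: List[ProcEvent] = [
    ProcEvent(2936, 1000, SAMPLE_TEMP, f'"{SAMPLE_TEMP}"'),
    ProcEvent(2908, 2936, POWERSHELL, f'"{POWERSHELL}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess \'{SAMPLE}\''),
    ProcEvent(1376, 2936, POWERSHELL, f'"{POWERSHELL}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath \'{SAMPLE_TEMP}\''),
    ProcEvent(1744, 2936, POWERSHELL, f'"{POWERSHELL}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath \'{SAMPLE_PD}\''),
    ProcEvent(1708, 2936, SCHTASKS, f'"{SCHTASKS}" /create /f /sc minute /mo 1 /rl highest /tn "{SAMPLE[:-4]}" /tr "{SAMPLE_PD}"'),
    ProcEvent(896, 2936, NETSH, f'netsh firewall add allowedprogram "{SAMPLE_TEMP}" "{SAMPLE}" ENABLE'),
    ProcEvent(4242, 1000, SCHTASKS, 'schtasks /create /sc daily /tn "NightlyBackup" /tr "C:\\Program Files\\Backup\\backup.exe"'),
]

USER_WRITABLE = re.compile(r"\\(ProgramData|AppData|Temp)\\", re.I)  # persistence from here is the suspicious case
EXCLUSION_RE = re.compile(r"""Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+(?:'([^']*)'|"([^"]*)"|(\S+))""", re.I)
FIREWALL_RE = re.compile(r"\bfirewall\s+add\s+allowedprogram\b|\badvfirewall\s+firewall\s+add\s+rule\b", re.I)


def _image_is(ev: ProcEvent, name: str) -> bool:
    return ev.image.lower().rsplit("\\", 1)[-1] == name


def _schtasks_arg(cmd: str, flag: str) -> Optional[str]:
    """Value following /flag, honouring a double-quoted value."""
    m = re.search(rf'/{flag}\s+(?:"([^"]*)"|(\S+))', cmd, re.I)
    return None if m is None else (m.group(1) if m.group(1) is not None else m.group(2))


def detect_defender_exclusion(ev: ProcEvent) -> Optional[Finding]:
    m = EXCLUSION_RE.search(ev.command_line) if _image_is(ev, "powershell.exe") else None
    if m is None:
        return None
    target = next(g for g in m.group(2, 3, 4) if g is not None)
    return Finding(ev.pid, ev.ppid, "T1562.001", f"Defender exclusion ({m.group(1).lower()}) for {target}")


def detect_firewall_allow(ev: ProcEvent) -> Optional[Finding]:
    if not _image_is(ev, "netsh.exe") or not FIREWALL_RE.search(ev.command_line):
        return None
    return Finding(ev.pid, ev.ppid, "T1562.004", "netsh firewall allow rule added")


def detect_scheduled_task(ev: ProcEvent) -> Optional[Finding]:
    if not _image_is(ev, "schtasks.exe") or not re.search(r"/create\b", ev.command_line, re.I):
        return None
    target = _schtasks_arg(ev.command_line, "tr") or ""
    schedule = (_schtasks_arg(ev.command_line, "sc") or "").lower()
    runlevel = (_schtasks_arg(ev.command_line, "rl") or "limited").lower()
    # Flag a task that runs from a user-writable path, or a minute-interval task at highest run level.
    if not (USER_WRITABLE.search(target) or (schedule == "minute" and runlevel == "highest")):
        return None
    return Finding(ev.pid, ev.ppid, "T1053.005", f"task /sc {schedule} /rl {runlevel} runs {target}")


DETECTORS = (detect_defender_exclusion, detect_firewall_allow, detect_scheduled_task)


def analyze(events: List[ProcEvent]) -> Report:
    """Run every detector, then group hits by parent to surface multi-technique chains."""
    findings = [hit for ev in events for det in DETECTORS if (hit := det(ev)) is not None]
    by_parent: Dict[int, Set[str]] = {}
    for f in findings:
        by_parent.setdefault(f.ppid, set()).add(f.technique)
    return Report(findings, {ppid: sorted(t) for ppid, t in by_parent.items() if len(t) >= 2})


if __name__ == "__main__":
    for f in analyze(EVENTS).findings:
        print(f"pid {f.pid} (parent {f.ppid}) {f.technique}: {f.detail}")
```

Run against these events, the three exclusions, the task and the firewall rule are each reported individually, and PID 2936 is the only parent that accumulates more than one technique; the daily backup task pointing at Program Files is left alone because it neither runs from a user-writable directory nor combines a minute interval with /rl highest. The schtasks detector deliberately keys on the task's own properties rather than on the image name, since the same relaunch-every-minute pattern would be just as suspicious created through the Task Scheduler COM API that the report also flags.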
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 0afc0bb6e9f2695508854fb8771a9417
  SHA1: 4f6574816bbed91ef44eab61040d5126e82226cb
  SHA256: 197efa79f2a452be13fb5f44138e884f0d7fbd1e24c767619951f966cd6c522d
  SHA512: 27d41f5d20c2b2a845aff0ab7712e69684f075534047d558eb574d01a61ba1052ba8cf16130a99247dc0cf41ae8ca066235188cce5211519607525ecf3e00007
- (file path not shown in the report; hashes identical to the submitted sample)
  Filesize: 56KB
  MD5: 62554290b10d37c8426531078482e7ff
  SHA1: 0fa75fd1a5f182de0d6ff56839c657184eeaeaff
  SHA256: 5177aff79da3444872282639285c0128da3450933101716809ed9bbe3bf9bbb2
  SHA512: c51249f214984cd5da9af417906a13334dc28d264a08d02963975380fbb3f4b9b9f83fe992767ac0cd9574999a2f36542ed25ee38e193fa7b83cc6283d7ae1d3