Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
27/01/2025, 10:23
Behavioral task
behavioral1
Sample
Server.exe
Resource
win7-20240903-en
windows7-x64
14 signatures
150 seconds
Behavioral task
behavioral2
Sample
Server.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
13 signatures
150 seconds
General
-
Target
Server.exe
-
Size
93KB
-
MD5
a9ba2416df448c5f3b36581ecfa4cd31
-
SHA1
105592c84c83cbf4e6f7b6978ecb6d37c99440b7
-
SHA256
b12ace477963fdde7e7b3c3b81dc01d585d87097e68bed90f5dd41077556b4bf
-
SHA512
456ffb46cf5d914108a68292e1f9e73665e7dd3905015c76709ecc954d02b50d9dfdd758c2178791d75aa1010b7c0f2e0cf92659f2471a227497343477e6c9f3
-
SSDEEP
768:+Y3DCdhWXxyFcxovUKUJuROprXtgN8eYhYbmXxrjEtCdnl2pi1Rz4Rk3GsGdpQgM:hCzWhIUKcuOJXPhBjEwzGi1dDiDQgS
Malware Config
Extracted
Family
njrat
Version
0.7d
Botnet
HacKed
C2
hakim32.ddns.net:2000
127.0.0.1:5513
Mutex
67364a37f43593883a7b70eb2426799a
Attributes
-
reg_key
67364a37f43593883a7b70eb2426799a
-
splitter
|'|'|
Signatures
-
Njrat family
-
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 3 IoCs
pid Process 1860 netsh.exe 2408 netsh.exe 2416 netsh.exe -
Drops startup file 4 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Security Update.exe Server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Security Update.exe Server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\67364a37f43593883a7b70eb2426799aWindows Update.exe Server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\67364a37f43593883a7b70eb2426799aWindows Update.exe Server.exe -
Executes dropped EXE 2 IoCs
pid Process 3016 StUpdate.exe 2908 StUpdate.exe -
Loads dropped DLL 6 IoCs
pid Process 3016 StUpdate.exe 3016 StUpdate.exe 3016 StUpdate.exe 2908 StUpdate.exe 2908 StUpdate.exe 2908 StUpdate.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language StUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language StUpdate.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2444 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe 1856 Server.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1856 Server.exe -
Suspicious use of AdjustPrivilegeToken 37 IoCs
description pid Process Token: SeDebugPrivilege 1856 Server.exe Token: 33 1856 Server.exe Token: SeIncBasePriorityPrivilege 1856 Server.exe Token: 33 1856 Server.exe Token: SeIncBasePriorityPrivilege 1856 Server.exe Token: 33 1856 Server.exe Token: SeIncBasePriorityPrivilege 1856 Server.exe Token: 33 1856 Server.exe Token: SeIncBasePriorityPrivilege 1856 Server.exe Token: 33 1856 Server.exe Token: SeIncBasePriorityPrivilege 1856 Server.exe Token: 33 1856 Server.exe Token: SeIncBasePriorityPrivilege 1856 Server.exe Token: 33 1856 Server.exe Token: SeIncBasePriorityPrivilege 1856 Server.exe Token: 33 1856 Server.exe Token: SeIncBasePriorityPrivilege 1856 Server.exe Token: 33 1856 Server.exe Token: SeIncBasePriorityPrivilege 1856 Server.exe Token: 33 1856 Server.exe Token: SeIncBasePriorityPrivilege 1856 Server.exe Token: 33 1856 Server.exe Token: SeIncBasePriorityPrivilege 1856 Server.exe Token: 33 1856 Server.exe Token: SeIncBasePriorityPrivilege 1856 Server.exe Token: 33 1856 Server.exe Token: SeIncBasePriorityPrivilege 1856 Server.exe Token: 33 1856 Server.exe Token: SeIncBasePriorityPrivilege 1856 Server.exe Token: 33 1856 Server.exe Token: SeIncBasePriorityPrivilege 1856 Server.exe Token: 33 1856 Server.exe Token: SeIncBasePriorityPrivilege 1856 Server.exe Token: 33 1856 Server.exe Token: SeIncBasePriorityPrivilege 1856 Server.exe Token: 33 1856 Server.exe Token: SeIncBasePriorityPrivilege 1856 Server.exe -
Suspicious use of WriteProcessMemory 30 IoCs
description pid Process procid_target PID 1856 wrote to memory of 1860 1856 Server.exe 30 PID 1856 wrote to memory of 1860 1856 Server.exe 30 PID 1856 wrote to memory of 1860 1856 Server.exe 30 PID 1856 wrote to memory of 1860 1856 Server.exe 30 PID 1856 wrote to memory of 2408 1856 Server.exe 32 PID 1856 wrote to memory of 2408 1856 Server.exe 32 PID 1856 wrote to memory of 2408 1856 Server.exe 32 PID 1856 wrote to memory of 2408 1856 Server.exe 32 PID 1856 wrote to memory of 2416 1856 Server.exe 33 PID 1856 wrote to memory of 2416 1856 Server.exe 33 PID 1856 wrote to memory of 2416 1856 Server.exe 33 PID 1856 wrote to memory of 2416 1856 Server.exe 33 PID 1856 wrote to memory of 2444 1856 Server.exe 35 PID 1856 wrote to memory of 2444 1856 Server.exe 35 PID 1856 wrote to memory of 2444 1856 Server.exe 35 PID 1856 wrote to memory of 2444 1856 Server.exe 35 PID 3004 wrote to memory of 3016 3004 taskeng.exe 40 PID 3004 wrote to memory of 3016 3004 taskeng.exe 40 PID 3004 wrote to memory of 3016 3004 taskeng.exe 40 PID 3004 wrote to memory of 3016 3004 taskeng.exe 40 PID 3004 wrote to memory of 3016 3004 taskeng.exe 40 PID 3004 wrote to memory of 3016 3004 taskeng.exe 40 PID 3004 wrote to memory of 3016 3004 taskeng.exe 40 PID 3004 wrote to memory of 2908 3004 taskeng.exe 41 PID 3004 wrote to memory of 2908 3004 taskeng.exe 41 PID 3004 wrote to memory of 2908 3004 taskeng.exe 41 PID 3004 wrote to memory of 2908 3004 taskeng.exe 41 PID 3004 wrote to memory of 2908 3004 taskeng.exe 41 PID 3004 wrote to memory of 2908 3004 taskeng.exe 41 PID 3004 wrote to memory of 2908 3004 taskeng.exe 41
Processes
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1860
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe"2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2408
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2416
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\Admin\AppData\Local\Temp/StUpdate.exe2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2444
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {9C73A20F-DCC9-44C4-92D6-87D090D3A4F2} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Users\Admin\AppData\Local\Temp\StUpdate.exeC:\Users\Admin\AppData\Local\Temp/StUpdate.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3016
-
-
C:\Users\Admin\AppData\Local\Temp\StUpdate.exeC:\Users\Admin\AppData\Local\Temp/StUpdate.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2908
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
93KB
MD5a9ba2416df448c5f3b36581ecfa4cd31
SHA1105592c84c83cbf4e6f7b6978ecb6d37c99440b7
SHA256b12ace477963fdde7e7b3c3b81dc01d585d87097e68bed90f5dd41077556b4bf
SHA512456ffb46cf5d914108a68292e1f9e73665e7dd3905015c76709ecc954d02b50d9dfdd758c2178791d75aa1010b7c0f2e0cf92659f2471a227497343477e6c9f3
-
Filesize
5B
MD5c60feebd511c87b86dea130692995a0f
SHA1d64447a8b3d8949cab5a1f8d168f7c6fee6b6a0a
SHA256632994320c04707e7ef564b3e983a694170561659552a24dfe14a922dcf0f511
SHA512bf03fbf3329c6f7a21ecd620319ef1a6f676b22a27afd24aab546483c3fe5f6eee7bbcfdc14c5f6626957f2b96519bdd21aaea45d74a80253fa4220c8c12df7c