Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
27/01/2025, 10:23
Behavioral task
behavioral1
Sample
Server.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Server.exe
Resource
win10v2004-20241007-en
General
-
Target
Server.exe
-
Size
93KB
-
MD5
a9ba2416df448c5f3b36581ecfa4cd31
-
SHA1
105592c84c83cbf4e6f7b6978ecb6d37c99440b7
-
SHA256
b12ace477963fdde7e7b3c3b81dc01d585d87097e68bed90f5dd41077556b4bf
-
SHA512
456ffb46cf5d914108a68292e1f9e73665e7dd3905015c76709ecc954d02b50d9dfdd758c2178791d75aa1010b7c0f2e0cf92659f2471a227497343477e6c9f3
-
SSDEEP
768:+Y3DCdhWXxyFcxovUKUJuROprXtgN8eYhYbmXxrjEtCdnl2pi1Rz4Rk3GsGdpQgM:hCzWhIUKcuOJXPhBjEwzGi1dDiDQgS
Malware Config
Extracted
njrat
0.7d
HacKed
hakim32.ddns.net:2000
127.0.0.1:5513
67364a37f43593883a7b70eb2426799a
-
reg_key
67364a37f43593883a7b70eb2426799a
-
splitter
|'|'|
Signatures
-
Njrat family
-
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 3 IoCs
pid Process 4964 netsh.exe 2412 netsh.exe 4488 netsh.exe -
Drops startup file 4 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Security Update.exe Server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\67364a37f43593883a7b70eb2426799aWindows Update.exe Server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\67364a37f43593883a7b70eb2426799aWindows Update.exe Server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Security Update.exe Server.exe -
Executes dropped EXE 2 IoCs
pid Process 3156 StUpdate.exe 4760 StUpdate.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language StUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language StUpdate.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1120 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe 1000 Server.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1000 Server.exe -
Suspicious use of AdjustPrivilegeToken 37 IoCs
description pid Process Token: SeDebugPrivilege 1000 Server.exe Token: 33 1000 Server.exe Token: SeIncBasePriorityPrivilege 1000 Server.exe Token: 33 1000 Server.exe Token: SeIncBasePriorityPrivilege 1000 Server.exe Token: 33 1000 Server.exe Token: SeIncBasePriorityPrivilege 1000 Server.exe Token: 33 1000 Server.exe Token: SeIncBasePriorityPrivilege 1000 Server.exe Token: 33 1000 Server.exe Token: SeIncBasePriorityPrivilege 1000 Server.exe Token: 33 1000 Server.exe Token: SeIncBasePriorityPrivilege 1000 Server.exe Token: 33 1000 Server.exe Token: SeIncBasePriorityPrivilege 1000 Server.exe Token: 33 1000 Server.exe Token: SeIncBasePriorityPrivilege 1000 Server.exe Token: 33 1000 Server.exe Token: SeIncBasePriorityPrivilege 1000 Server.exe Token: 33 1000 Server.exe Token: SeIncBasePriorityPrivilege 1000 Server.exe Token: 33 1000 Server.exe Token: SeIncBasePriorityPrivilege 1000 Server.exe Token: 33 1000 Server.exe Token: SeIncBasePriorityPrivilege 1000 Server.exe Token: 33 1000 Server.exe Token: SeIncBasePriorityPrivilege 1000 Server.exe Token: 33 1000 Server.exe Token: SeIncBasePriorityPrivilege 1000 Server.exe Token: 33 1000 Server.exe Token: SeIncBasePriorityPrivilege 1000 Server.exe Token: 33 1000 Server.exe Token: SeIncBasePriorityPrivilege 1000 Server.exe Token: 33 1000 Server.exe Token: SeIncBasePriorityPrivilege 1000 Server.exe Token: 33 1000 Server.exe Token: SeIncBasePriorityPrivilege 1000 Server.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1000 wrote to memory of 4964 1000 Server.exe 82 PID 1000 wrote to memory of 4964 1000 Server.exe 82 PID 1000 wrote to memory of 4964 1000 Server.exe 82 PID 1000 wrote to memory of 4488 1000 Server.exe 84 PID 1000 wrote to memory of 4488 1000 Server.exe 84 PID 1000 wrote to memory of 4488 1000 Server.exe 84 PID 1000 wrote to memory of 2412 1000 Server.exe 85 PID 1000 wrote to memory of 2412 1000 Server.exe 85 PID 1000 wrote to memory of 2412 1000 Server.exe 85 PID 1000 wrote to memory of 1120 1000 Server.exe 86 PID 1000 wrote to memory of 1120 1000 Server.exe 86 PID 1000 wrote to memory of 1120 1000 Server.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1000 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4964
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe"2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4488
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2412
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\Admin\AppData\Local\Temp/StUpdate.exe2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1120
-
-
C:\Users\Admin\AppData\Local\Temp\StUpdate.exeC:\Users\Admin\AppData\Local\Temp/StUpdate.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3156
-
C:\Users\Admin\AppData\Local\Temp\StUpdate.exeC:\Users\Admin\AppData\Local\Temp/StUpdate.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4760
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
408B
MD5661cab77d3b907e8057f2e689e995af3
SHA15d1a0ee9c5ee7a7a90d56d00c10dc0e679bee01c
SHA2568f27f95ad7c09f2e05d7960e78ef8cd935c1262e9657883a75d70dcb877592d2
SHA5122523b316bd79fed0e9b3d73f46959f3dfe270cf950f34bd9d49fe4113a2ae46d0cd00224d848bc40c0d8c55449e2dccc4b4278ba4809c0ca9ede1ac75673fc67
-
Filesize
93KB
MD5a9ba2416df448c5f3b36581ecfa4cd31
SHA1105592c84c83cbf4e6f7b6978ecb6d37c99440b7
SHA256b12ace477963fdde7e7b3c3b81dc01d585d87097e68bed90f5dd41077556b4bf
SHA512456ffb46cf5d914108a68292e1f9e73665e7dd3905015c76709ecc954d02b50d9dfdd758c2178791d75aa1010b7c0f2e0cf92659f2471a227497343477e6c9f3
-
Filesize
5B
MD5c60feebd511c87b86dea130692995a0f
SHA1d64447a8b3d8949cab5a1f8d168f7c6fee6b6a0a
SHA256632994320c04707e7ef564b3e983a694170561659552a24dfe14a922dcf0f511
SHA512bf03fbf3329c6f7a21ecd620319ef1a6f676b22a27afd24aab546483c3fe5f6eee7bbcfdc14c5f6626957f2b96519bdd21aaea45d74a80253fa4220c8c12df7c