Analysis
max time kernel: 116s
max time network: 116s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 01/02/2025, 10:22
Static task: static1
Behavioral task: behavioral1
  Sample: 5086e1530caa10af3e26539b10a107047f70901625962000f66373417ad3637fN.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 5086e1530caa10af3e26539b10a107047f70901625962000f66373417ad3637fN.exe
  Resource: win10v2004-20250129-en
General
Target: 5086e1530caa10af3e26539b10a107047f70901625962000f66373417ad3637fN.exe
Size: 237KB
MD5: 284078d25010e8a2f1bf524cf8bdae00
SHA1: 57d3c47af3b14bb08bcca7231257ee231e9114b1
SHA256: 5086e1530caa10af3e26539b10a107047f70901625962000f66373417ad3637f
SHA512: 3534ba34461b6d6d43b4d04cb4084fc0bc8ab4d621fe157d9ae60e0a1efbc97b7303acce88c26aaefb48a6e631055dadd0a8a328708dc04dee405d724354cf9f
SSDEEP: 3072:F/ItRZp06PJHbIxs+VGSYzlg+lAMSpBV4W/E+z1IQwqznHpYQ5czMWDBoWkb7RKO:zs+V7s6+l+yWD+QwqzHqQk27PJE
Malware Config
Extracted
  family: njrat
  version: 0.6.4
  botnet: HacKed
  C2: payment-rivers.gl.at.ply.gg:15267
  mutex: 392725c4d836f07a62148783f8b913f2
  attributes:
    reg_key: 392725c4d836f07a62148783f8b913f2
    splitter: |'|'|
Signatures
Njrat family

Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid 2796  netsh.exe

Executes dropped EXE (1 IoC)
  pid 2444  Microsoft Host.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe

Suspicious behavior: EnumeratesProcesses (34 IoCs)
  pid 2444  Microsoft Host.exe  (34 identical events)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  pid 2444  Microsoft Host.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2612 (5086e1530caa10af3e26539b10a107047f70901625962000f66373417ad3637fN.exe) wrote to memory of 2444, target procid 31  (3 events)
  PID 2444 (Microsoft Host.exe) wrote to memory of 2796, target procid 32  (3 events)
Processes
C:\Users\Admin\AppData\Local\Temp\5086e1530caa10af3e26539b10a107047f70901625962000f66373417ad3637fN.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5086e1530caa10af3e26539b10a107047f70901625962000f66373417ad3637fN.exe"
  PID: 2612
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Microsoft Host.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Microsoft Host.exe"
    PID: 2444
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\netsh.exe
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Microsoft Host.exe" "Microsoft Host.exe" ENABLE
      PID: 2796
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 237KB
MD5: 284078d25010e8a2f1bf524cf8bdae00
SHA1: 57d3c47af3b14bb08bcca7231257ee231e9114b1
SHA256: 5086e1530caa10af3e26539b10a107047f70901625962000f66373417ad3637f
SHA512: 3534ba34461b6d6d43b4d04cb4084fc0bc8ab4d621fe157d9ae60e0a1efbc97b7303acce88c26aaefb48a6e631055dadd0a8a328708dc04dee405d724354cf9f