Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 120s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 01/02/2025, 14:34
Static task: static1
Behavioral task: behavioral1
Sample: 9e6da0d7af683c5f01bf8b869fffecc808833f56dc5cf834690a933a811ed38a.exe
Resource: win7-20240903-en
General
- Target: 9e6da0d7af683c5f01bf8b869fffecc808833f56dc5cf834690a933a811ed38a.exe
- Size: 57KB
- MD5: 20e53a461803d01901cea182e1c4ba7e
- SHA1: 50e0744e4b869ecd84832f4aa02bbf1274833a8c
- SHA256: 9e6da0d7af683c5f01bf8b869fffecc808833f56dc5cf834690a933a811ed38a
- SHA512: e6b55b8817360637406ba3f0c4eb7217b862588a3b548454d732c477887d50fb8156b6f53d0a35d57cb05dcc564fff2e5cfd5ea9290e7cd23f1457fb473fad4e
- SSDEEP: 1536:SXOMZigN9OUjTW404k9iMeaP3Ni7v3g912IPs2J:SXOMZHSUjiAk9RoLw91Ps2J
Malware Config
Extracted: njrat
- Njrat 0.7 Golden By Hassan Amiri
- HacKed
- 127.0.0.1:5552
- Windows Update
- reg_key: Windows Update
- splitter: |Hassan|
Signatures
- Njrat family
- Command and Scripting Interpreter: PowerShell (1 TTPs, 3 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid / process: 2080 powershell.exe; 2900 powershell.exe; 2912 powershell.exe
- Executes dropped EXE (2 IoCs)
  pid / process: 1140 9e6da0d7af683c5f01bf8b869fffecc808833f56dc5cf834690a933a811ed38a.exe; 2140 9e6da0d7af683c5f01bf8b869fffecc808833f56dc5cf834690a933a811ed38a.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / process: 2628 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid / process: 2080 powershell.exe; 2900 powershell.exe; 2912 powershell.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid / process: 1924 9e6da0d7af683c5f01bf8b869fffecc808833f56dc5cf834690a933a811ed38a.exe
- Suspicious use of AdjustPrivilegeToken (32 IoCs)
- Suspicious use of WriteProcessMemory (18 IoCs)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\9e6da0d7af683c5f01bf8b869fffecc808833f56dc5cf834690a933a811ed38a.exe (PID 1924)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9e6da0d7af683c5f01bf8b869fffecc808833f56dc5cf834690a933a811ed38a.exe"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2080)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '9e6da0d7af683c5f01bf8b869fffecc808833f56dc5cf834690a933a811ed38a.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2900)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\9e6da0d7af683c5f01bf8b869fffecc808833f56dc5cf834690a933a811ed38a.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2912)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\9e6da0d7af683c5f01bf8b869fffecc808833f56dc5cf834690a933a811ed38a.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\System32\schtasks.exe (PID 2628)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "9e6da0d7af683c5f01bf8b869fffecc808833f56dc5cf834690a933a811ed38a" /tr "C:\ProgramData\9e6da0d7af683c5f01bf8b869fffecc808833f56dc5cf834690a933a811ed38a.exe"
    - Scheduled Task/Job: Scheduled Task
- [1] C:\Windows\system32\taskeng.exe (PID 2868)
  Command line: taskeng.exe {DA6F9421-8BAC-4CE8-96D6-3FB5519FC33B} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - [2] C:\ProgramData\9e6da0d7af683c5f01bf8b869fffecc808833f56dc5cf834690a933a811ed38a.exe (PID 1140)
    Command line: C:\ProgramData\9e6da0d7af683c5f01bf8b869fffecc808833f56dc5cf834690a933a811ed38a.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\ProgramData\9e6da0d7af683c5f01bf8b869fffecc808833f56dc5cf834690a933a811ed38a.exe (PID 2140)
    Command line: C:\ProgramData\9e6da0d7af683c5f01bf8b869fffecc808833f56dc5cf834690a933a811ed38a.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 6e7a9efdfada5cf92045a2abc3d05d75
  SHA1: 25f540d1dc1f9e0a152fef3125a7af32bacc7659
  SHA256: 7155c5c9de033448b3dd7e9e7629ee7d336d946699f7b51308d92a80a437c549
  SHA512: a65673bf2ff55c05e486602cac44c8d90ac736f1f9b11fe90a1ea1f1e31ced85ac8a7ace1fc1956591aeaee43f0405b880a056f5f53903a2431847329a34dd07