Analysis
- max time kernel: 112s
- max time network: 71s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 02/02/2025, 02:58
Static task: static1
Behavioral task: behavioral1
Sample: 0d936f1998c4af40879e795549e5ff68682c7d9b884fb0cc0c135c30348292d3.exe
Resource: win7-20240903-en
General
- Target: 0d936f1998c4af40879e795549e5ff68682c7d9b884fb0cc0c135c30348292d3.exe
- Size: 72KB
- MD5: f52133dd61f5a0001aa4a89809894a17
- SHA1: 9099ce1cbd442ba584cb06a87ef9bec77abbf093
- SHA256: 0d936f1998c4af40879e795549e5ff68682c7d9b884fb0cc0c135c30348292d3
- SHA512: 8dbe8e41e8fd6057cc72ba69263b3f35690eadb88b6c3f94fbaa9789d40920be7e2e2cb3d4ef5a7c18a820e7f272472067869ff34495a30b32c301834349a32c
- SSDEEP: 1536:D2CPAabgGGjSBekWDbSHqtPTOt3tIUBGqqocBQN9f2xPs7aW:iC42xGj7kWIqtPTOtdVBGq+g9qPs+W
Malware Config
Extracted: njrat
- version string: Njrat 0.7 Golden By Hassan Amiri
- campaign/victim tag: HacKed
- C2: 127.0.0.1:5552 (loopback address)
- Windows Update (this field is unlabelled in the extract; presumably the mutex name, which this family commonly sets to the same string as reg_key)
- reg_key: Windows Update
- splitter: |Hassan|
Signatures
- Njrat family
- Command and Scripting Interpreter: PowerShell (1 TTP, 3 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.
  pid 2804 powershell.exe; pid 2744 powershell.exe; pid 2344 powershell.exe
- Executes dropped EXE (2 IoCs)
  pid 2372 0d936f1998c4af40879e795549e5ff68682c7d9b884fb0cc0c135c30348292d3.exe; pid 2592 0d936f1998c4af40879e795549e5ff68682c7d9b884fb0cc0c135c30348292d3.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 4: ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  schtasks.exe is often used by malware for persistence or to perform post-infection execution.
  pid 1088 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid 2804 powershell.exe; pid 2744 powershell.exe; pid 2344 powershell.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token SeDebugPrivilege enabled by: pid 1804 0d936f1998c4af40879e795549e5ff68682c7d9b884fb0cc0c135c30348292d3.exe; pid 2804 powershell.exe; pid 2744 powershell.exe; pid 2344 powershell.exe; pid 2372 0d936f1998c4af40879e795549e5ff68682c7d9b884fb0cc0c135c30348292d3.exe; pid 2592 0d936f1998c4af40879e795549e5ff68682c7d9b884fb0cc0c135c30348292d3.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Every spawn is listed three times in the report; the distinct parent/child pairs are:
  pid   process                                                                 target pid  procid_target
  1804  0d936f1998c4af40879e795549e5ff68682c7d9b884fb0cc0c135c30348292d3.exe   2804        32
  1804  0d936f1998c4af40879e795549e5ff68682c7d9b884fb0cc0c135c30348292d3.exe   2744        34
  1804  0d936f1998c4af40879e795549e5ff68682c7d9b884fb0cc0c135c30348292d3.exe   2344        36
  1804  0d936f1998c4af40879e795549e5ff68682c7d9b884fb0cc0c135c30348292d3.exe   1088        38
  1684  taskeng.exe                                                             2372        41
  1684  taskeng.exe                                                             2592        42
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1. C:\Users\Admin\AppData\Local\Temp\0d936f1998c4af40879e795549e5ff68682c7d9b884fb0cc0c135c30348292d3.exe (PID 1804)
   Command line: "C:\Users\Admin\AppData\Local\Temp\0d936f1998c4af40879e795549e5ff68682c7d9b884fb0cc0c135c30348292d3.exe"
   Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
   1.1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2804)
       Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '0d936f1998c4af40879e795549e5ff68682c7d9b884fb0cc0c135c30348292d3.exe'
       Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
   1.2 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2744)
       Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0d936f1998c4af40879e795549e5ff68682c7d9b884fb0cc0c135c30348292d3.exe'
       Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
   1.3 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2344)
       Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\0d936f1998c4af40879e795549e5ff68682c7d9b884fb0cc0c135c30348292d3.exe'
       Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
   1.4 C:\Windows\System32\schtasks.exe (PID 1088)
       Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "0d936f1998c4af40879e795549e5ff68682c7d9b884fb0cc0c135c30348292d3" /tr "C:\ProgramData\0d936f1998c4af40879e795549e5ff68682c7d9b884fb0cc0c135c30348292d3.exe"
       Signatures: Scheduled Task/Job: Scheduled Task
2. C:\Windows\system32\taskeng.exe (PID 1684)
   Command line: taskeng.exe {4A5842BA-44FD-4563-A923-0DED17955275} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
   Signatures: Suspicious use of WriteProcessMemory
   2.1 C:\ProgramData\0d936f1998c4af40879e795549e5ff68682c7d9b884fb0cc0c135c30348292d3.exe (PID 2372)
       Command line: C:\ProgramData\0d936f1998c4af40879e795549e5ff68682c7d9b884fb0cc0c135c30348292d3.exe
       Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
   2.2 C:\ProgramData\0d936f1998c4af40879e795549e5ff68682c7d9b884fb0cc0c135c30348292d3.exe (PID 2592)
       Command line: C:\ProgramData\0d936f1998c4af40879e795549e5ff68682c7d9b884fb0cc0c135c30348292d3.exe
       Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

The ordering matters for triage: the three Defender exclusions (process name, Temp path, ProgramData path) are registered before the task is created, so the copy that the task relaunches every minute from C:\ProgramData with /rl highest already sits in an excluded location. The two taskeng.exe children are consistent with two one-minute firings inside the 112s run.
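The process tree above shows three behaviours that map directly onto detection logic: Defender exclusions added via PowerShell with -ExecutionPolicy Bypass, a schtasks /create with a one-minute interval whose action lives in C:\ProgramData, and taskeng.exe then launching a binary from that directory. The Python below is an added example, not part of the Triage report or of the sample; the events it runs over are constructed from the report's process tree, and the record layout (pid, ppid, image, cmdline) is an assumption modelled on Sysmon Event ID 1 / Security 4688 fields, not a real log export.

```python
"""Detections for this report's chain: Defender exclusions added from the command line,
a one-minute scheduled task whose action is in C:\\ProgramData, and the scheduler engine
then launching that binary. Added example, not part of the Triage report; EVENTS is built
from the report's process tree and the record layout (pid, ppid, image, cmdline) is an
assumption modelled on Sysmon Event ID 1 / Security 4688, not a real export."""
import re
import shlex

SAMPLE = "0d936f1998c4af40879e795549e5ff68682c7d9b884fb0cc0c135c30348292d3"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
TASKENG = r"C:\Windows\system32\taskeng.exe"
TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE + ".exe"
PROGDATA_EXE = r"C:\ProgramData" + "\\" + SAMPLE + ".exe"

# Constructed from the report's process tree (PIDs, parents and command lines as listed there).
EVENTS = [
    {"pid": 1804, "ppid": 0, "image": TEMP_EXE, "cmdline": f'"{TEMP_EXE}"'},
    {"pid": 2804, "ppid": 1804, "image": PS,
     "cmdline": f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '{SAMPLE}.exe'"},
    {"pid": 2744, "ppid": 1804, "image": PS,
     "cmdline": f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '{TEMP_EXE}'"},
    {"pid": 2344, "ppid": 1804, "image": PS,
     "cmdline": f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '{PROGDATA_EXE}'"},
    {"pid": 1088, "ppid": 1804, "image": SCHTASKS,
     "cmdline": f'"{SCHTASKS}" /create /f /sc minute /mo 1 /rl highest /tn "{SAMPLE}" /tr "{PROGDATA_EXE}"'},
    {"pid": 1684, "ppid": 0, "image": TASKENG, "cmdline": r"taskeng.exe {4A5842BA-44FD-4563-A923-0DED17955275} "
     r"S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]"},
    {"pid": 2372, "ppid": 1684, "image": PROGDATA_EXE, "cmdline": PROGDATA_EXE},
    {"pid": 2592, "ppid": 1684, "image": PROGDATA_EXE, "cmdline": PROGDATA_EXE},
]

# Directories a standard user can write to: a task action or task-spawned image here is a red flag.
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "\\appdata\\", "\\temp\\")
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-Exclusion(?P<kind>Path|Process|Extension)\s+['\"]?(?P<value>[^'\"]+)", re.I)


def detect_defender_exclusion(ev):
    """T1562.001: powershell.exe adding a Defender exclusion; notes whether -ExecutionPolicy Bypass was used."""
    m = EXCLUSION_RE.search(ev["cmdline"]) if ev["image"].lower().endswith("powershell.exe") else None
    if not m:
        return None
    return {"rule": "defender_exclusion", "pid": ev["pid"], "kind": m["kind"].lower(),
            "value": m["value"].strip(), "policy_bypass": "-executionpolicy bypass" in ev["cmdline"].lower()}


def parse_schtasks(cmdline):
    """Map each /switch of a schtasks command line to its value ('' for bare flags such as /create or /f)."""
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]  # non-POSIX keeps backslashes literal
    opts, i = {}, 1  # tokens[0] is the image
    while i < len(tokens):
        if tokens[i].startswith("/"):
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
            opts[tokens[i].lower()] = tokens[i + 1] if has_value else ""
            i += 2 if has_value else 1
        else:
            i += 1
    return opts


def detect_minute_task(ev):
    """T1053.005: /create with a minute-level interval and an action inside a user-writable directory."""
    if not ev["image"].lower().endswith("schtasks.exe"):
        return None
    opts = parse_schtasks(ev["cmdline"])
    action = opts.get("/tr", "")
    try:
        interval = int(opts.get("/mo") or 0)
    except ValueError:
        interval = 0
    if ("/create" in opts and opts.get("/sc", "").lower() == "minute" and interval <= 5
            and any(p in action.lower() for p in USER_WRITABLE)):
        return {"rule": "schtasks_minute_persistence", "pid": ev["pid"], "task": opts.get("/tn", ""),
                "action": action, "interval_minutes": interval, "highest": opts.get("/rl", "").lower() == "highest"}
    return None


def detect_task_launched_from_user_dir(ev, by_pid):
    """Scheduler engine (taskeng.exe on Windows 7, svchost.exe -s Schedule later) starting a binary from a user-writable dir."""
    parent = by_pid.get(ev["ppid"])
    if parent is None:
        return None
    pimg = parent["image"].lower()
    is_scheduler = pimg.endswith("taskeng.exe") or (pimg.endswith("svchost.exe") and "schedule" in parent["cmdline"].lower())
    if is_scheduler and any(p in ev["image"].lower() for p in USER_WRITABLE):
        return {"rule": "scheduled_task_runs_from_user_dir", "pid": ev["pid"], "parent_pid": parent["pid"], "image": ev["image"]}
    return None


def run(events):
    """Apply all three detections to every event; alerts come back in event order."""
    by_pid = {ev["pid"]: ev for ev in events}
    alerts = []
    for ev in events:
        hits = (detect_defender_exclusion(ev), detect_minute_task(ev), detect_task_launched_from_user_dir(ev, by_pid))
        alerts.extend(h for h in hits if h)
    return alerts


def iocs(alerts):
    """Full paths named in the alerts (exclusion targets, task actions, spawned images) for a host sweep."""
    return sorted({a[k] for a in alerts for k in ("value", "action", "image") if ":\\" in a.get(k, "")})


if __name__ == "__main__":
    for alert in run(EVENTS):
        print(alert)
```

On the report's events run() returns six alerts: the three exclusions (PIDs 2804, 2744, 2344, all with -ExecutionPolicy Bypass), the /sc minute /mo 1 /rl highest task (PID 1088), and the two task-engine launches (PIDs 2372 and 2592); iocs() reduces them to the two full paths worth sweeping for on other hosts. The schtasks rule keys on the interval plus a user-writable action path rather than on the task name, because the name here is just the sample's hash and will differ per build.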
Network
MITRE ATT&CK Enterprise v15
Downloads
- (path not shown in this extract; hashes identical to the submitted sample, consistent with the C:\ProgramData copy being byte-for-byte the original)
  Filesize: 72KB
  MD5: f52133dd61f5a0001aa4a89809894a17
  SHA1: 9099ce1cbd442ba584cb06a87ef9bec77abbf093
  SHA256: 0d936f1998c4af40879e795549e5ff68682c7d9b884fb0cc0c135c30348292d3
  SHA512: 8dbe8e41e8fd6057cc72ba69263b3f35690eadb88b6c3f94fbaa9789d40920be7e2e2cb3d4ef5a7c18a820e7f272472067869ff34495a30b32c301834349a32c
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  (AppID commonly attributed to Windows PowerShell; consistent with a Jump List artefact of the powershell.exe launches above rather than a dropped payload)
  Filesize: 7KB
  MD5: 75506e2bdde917d97e901e47af4b2a86
  SHA1: 82b1da09836c232c59eb07b6b9d0bf589cb218f4
  SHA256: ca240602c9c0c147eece103ccb5a4a43b509727ab36bf65a055edfe69c753417
  SHA512: bdf7b974455991ae06fc84dbb23b0578dc4138475de4fc4bf89b14d0028b84726331ae433242567603d4428c6b6d1066caabb5071095d58e6224b9a4c000cb92