Resubmissions
06/02/2025, 06:26: 250206-g67zraxqer (score 10) Analysis

max time kernel: 899s
max time network: 846s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 06/02/2025, 06:26
General
Target: New Client.exe
Size: 165KB
MD5: 9630bbe3d02980622c90a9cd2a987eb7
SHA1: 167876d99b407fe3c13be6e44cf06d8561e60f12
SHA256: 72a330fe81060fe64bc103e1ea36ac25139046fe79df9fdc1fb52da26a7024a1
SHA512: 52dabbd3b25e2fa996398fd7d964a3a3ce340613c86c4c74586d8597ccc7b086151e138e39bcc556a8920d42ae8d4b7da2b97fbcf8c7a09900110813e702e379
SSDEEP: 3072:ZS65y/kmEmnzbd5Kx+UlQ75eJ7bNPIDEtTLUNbgEwh27Qjj:ZSugUaMeQlLcbSh272
Malware Config
Signatures

- Njrat family

- Executes dropped EXE (1 IoC)
  pid | Process
  2628 | Client.exe

- Loads dropped DLL (1 IoC)
  pid | Process
  1668 | New Client.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | New Client.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Client.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  2628 | Client.exe

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2628 | Client.exe
  Token: 33 | 2628 | Client.exe
  Token: SeIncBasePriorityPrivilege | 2628 | Client.exe
  (the remaining 61 rows alternate between Token: 33 and Token: SeIncBasePriorityPrivilege, all for pid 2628, Client.exe)

- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1668 wrote to memory of 2628 | 1668 | New Client.exe | 31
  PID 1668 wrote to memory of 2628 | 1668 | New Client.exe | 31
  PID 1668 wrote to memory of 2628 | 1668 | New Client.exe | 31
  PID 1668 wrote to memory of 2628 | 1668 | New Client.exe | 31
Processes

1. C:\Users\Admin\AppData\Local\Temp\New Client.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\New Client.exe"
   PID: 1668
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Client.exe (child process)
      Command line: "C:\Users\Admin\AppData\Roaming\Client.exe"
      PID: 2628
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken

Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 165KB
MD5: 9630bbe3d02980622c90a9cd2a987eb7
SHA1: 167876d99b407fe3c13be6e44cf06d8561e60f12
SHA256: 72a330fe81060fe64bc103e1ea36ac25139046fe79df9fdc1fb52da26a7024a1
SHA512: 52dabbd3b25e2fa996398fd7d964a3a3ce340613c86c4c74586d8597ccc7b086151e138e39bcc556a8920d42ae8d4b7da2b97fbcf8c7a09900110813e702e379