Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
122s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
06/02/2025, 19:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
-.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
General
-
Target
-.exe
-
Size
293KB
-
MD5
f06c6102d8eed12fa80b65b770e588e2
-
SHA1
718557418828ee4b3ef339e1c60c336c7596b9f5
-
SHA256
f63b594918769824db79881c51639de7de00dedd298f5852fe3f7ff301f2e7c8
-
SHA512
747cadee10bf202b39d84031cdc173af0ab07830249777e81d7a8d24c3e456d79160be40e99817b9c92ac033a57a97259d0a78cbc23f4760d6a6f03d0368dc66
-
SSDEEP
6144:ANtJxpaifYUc9UbvpUXjCzyz+wgzOuxOFe5HPSwusGcuI:EpaQ0UzpLyqwOOuOe5Hfudc
Score
10/10
Malware Config
Extracted
Family
njrat
Version
<- NjRAT 0.7d Horror Edition ->
Botnet
F9t family
C2
package-foods.gl.at.ply.gg:41749
Mutex
e3a50f6652cdfc171e08492715312126
Attributes
-
reg_key
e3a50f6652cdfc171e08492715312126
-
splitter
Y262SUCZ4UJJ
Signatures
-
Njrat family
-
Executes dropped EXE 1 IoCs
pid Process 2816 .exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language .exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language shutdown.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language csrss.exe -
Enumerates system info in registry 2 TTPs 32 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter csrss.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0 csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 csrss.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier csrss.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController csrss.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information csrss.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier csrss.exe -
Modifies data under HKEY_USERS 9 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1" winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1" winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033" winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96" winlogon.exe Set value (data) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000 winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles" winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor" winlogon.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize" winlogon.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe 2816 .exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeDebugPrivilege 2728 -.exe Token: SeDebugPrivilege 2816 .exe Token: 33 2816 .exe Token: SeIncBasePriorityPrivilege 2816 .exe Token: 33 2816 .exe Token: SeIncBasePriorityPrivilege 2816 .exe Token: SeShutdownPrivilege 2864 LogonUI.exe Token: SeShutdownPrivilege 2864 LogonUI.exe -
Suspicious use of WriteProcessMemory 25 IoCs
description pid Process procid_target PID 2728 wrote to memory of 2816 2728 -.exe 31 PID 2728 wrote to memory of 2816 2728 -.exe 31 PID 2728 wrote to memory of 2816 2728 -.exe 31 PID 2728 wrote to memory of 2816 2728 -.exe 31 PID 2816 wrote to memory of 2284 2816 .exe 33 PID 2816 wrote to memory of 2284 2816 .exe 33 PID 2816 wrote to memory of 2284 2816 .exe 33 PID 2816 wrote to memory of 2284 2816 .exe 33 PID 2284 wrote to memory of 2612 2284 cmd.exe 35 PID 2284 wrote to memory of 2612 2284 cmd.exe 35 PID 2284 wrote to memory of 2612 2284 cmd.exe 35 PID 2284 wrote to memory of 2612 2284 cmd.exe 35 PID 2908 wrote to memory of 2864 2908 csrss.exe 41 PID 2908 wrote to memory of 2864 2908 csrss.exe 41 PID 2768 wrote to memory of 2864 2768 winlogon.exe 41 PID 2768 wrote to memory of 2864 2768 winlogon.exe 41 PID 2768 wrote to memory of 2864 2768 winlogon.exe 41 PID 2908 wrote to memory of 2864 2908 csrss.exe 41 PID 2908 wrote to memory of 2864 2908 csrss.exe 41 PID 2908 wrote to memory of 2864 2908 csrss.exe 41 PID 2908 wrote to memory of 2864 2908 csrss.exe 41 PID 2908 wrote to memory of 2864 2908 csrss.exe 41 PID 2908 wrote to memory of 2864 2908 csrss.exe 41 PID 2908 wrote to memory of 2864 2908 csrss.exe 41 PID 2908 wrote to memory of 2864 2908 csrss.exe 41
Processes
-
C:\Users\Admin\AppData\Local\Temp\-.exe"C:\Users\Admin\AppData\Local\Temp\-.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Users\Admin\AppData\Local\Temp\.exe"C:\Users\Admin\AppData\Local\Temp\.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\cmd.execmd /c start shutdown /l /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\shutdown.exeshutdown /l /f4⤵
- System Location Discovery: System Language Discovery
PID:2612
-
-
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵PID:320
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2908
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x02⤵
- Suspicious use of AdjustPrivilegeToken
PID:2864
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
55KB
MD5479e476b8afa5633dd44cb2c0380f18d
SHA1b985cd125613f47b4e0ae07fec6ef29d2622d113
SHA25647abbe32c53b67302656d86e2510968255ea5fec4118e309f9d2dea2168507e7
SHA512459a12db199d5ec4e506770ca9ff3a8eadde95f43d9680386f862f8b65cbf4fcb0cda249e542430de413a6b1fe3e862ad10af967c1fdbfcb9a4b405d92546aac