Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/02/2025, 19:00
Static task: static1
Behavioral task: behavioral1
Sample: -.exe
Resource: win7-20240903-en
General
Target: -.exe
Size: 293KB
MD5: f06c6102d8eed12fa80b65b770e588e2
SHA1: 718557418828ee4b3ef339e1c60c336c7596b9f5
SHA256: f63b594918769824db79881c51639de7de00dedd298f5852fe3f7ff301f2e7c8
SHA512: 747cadee10bf202b39d84031cdc173af0ab07830249777e81d7a8d24c3e456d79160be40e99817b9c92ac033a57a97259d0a78cbc23f4760d6a6f03d0368dc66
SSDEEP: 6144:ANtJxpaifYUc9UbvpUXjCzyz+wgzOuxOFe5HPSwusGcuI:EpaQ0UzpLyqwOOuOe5Hfudc
Malware Config
Signatures
- Njrat family
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation (Process: -.exe)
- Executes dropped EXE (1 IoC)
  PID 2120, Process .exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: shutdown.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: .exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: cmd.exe)
- Modifies data under HKEY_USERS (15 IoCs), all by Process LogonUI.exe
  Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "226"
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2120, Process .exe (the same entry repeated 64 times)
- Suspicious behavior: LoadsDriver (64 IoCs; every entry reports "Process not Found")
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeDebugPrivilege, PID 1472, Process -.exe
  Token: SeDebugPrivilege, PID 2120, Process .exe
  Token: 33, PID 2120, Process .exe
  Token: SeIncBasePriorityPrivilege, PID 2120, Process .exe
  Token: 33, PID 2120, Process .exe
  Token: SeIncBasePriorityPrivilege, PID 2120, Process .exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1996, Process LogonUI.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 1472 (-.exe) wrote to memory of PID 2120, procid_target 82 (listed 3 times)
  PID 2120 (.exe) wrote to memory of PID 4028, procid_target 87 (listed 3 times)
  PID 4028 (cmd.exe) wrote to memory of PID 3512, procid_target 89 (listed 3 times)
Processes
C:\Users\Admin\AppData\Local\Temp\-.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\-.exe"
  PID: 1472
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\.exe"
    PID: 2120
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c start shutdown /l /f
      PID: 4028
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\shutdown.exe
        Command line: shutdown /l /f
        PID: 3512
        - System Location Discovery: System Language Discovery

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa39fd055 /state1:0x41c64e6d
  PID: 1996
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 55KB
MD5: 479e476b8afa5633dd44cb2c0380f18d
SHA1: b985cd125613f47b4e0ae07fec6ef29d2622d113
SHA256: 47abbe32c53b67302656d86e2510968255ea5fec4118e309f9d2dea2168507e7
SHA512: 459a12db199d5ec4e506770ca9ff3a8eadde95f43d9680386f862f8b65cbf4fcb0cda249e542430de413a6b1fe3e862ad10af967c1fdbfcb9a4b405d92546aac