Analysis
max time kernel: 119s
max time network: 134s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 08/02/2025, 01:14
Static task: static1
Behavioral task: behavioral1
  Sample: 8f5af7de9311f740012603025b2065573ad23816ce5e728465a0d0f9553c4839.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 8f5af7de9311f740012603025b2065573ad23816ce5e728465a0d0f9553c4839.exe
  Resource: win10v2004-20250207-en
General
Target: 8f5af7de9311f740012603025b2065573ad23816ce5e728465a0d0f9553c4839.exe
Size: 121KB
MD5: 48437ce3c8bab1b00a75bc774e6ca405
SHA1: e774b8a1fe4be437d43ef7739030172e09ff3aef
SHA256: 8f5af7de9311f740012603025b2065573ad23816ce5e728465a0d0f9553c4839
SHA512: 457be992cce0674710d38b4e3103057e88988cfaed90d5e36d82ac42a03258cc618048545f6fe96bd8e594766485138c7d04220c32b7375e48ae86cf85ea35fd
SSDEEP: 1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLVg8:P5eznsjsguGDFqGZ2rDL/
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet (campaign id): neuf
C2: doddyfire.linkpc.net:10000
Mutex: e1a87040f2026369a233f9ae76301b7b
reg_key: e1a87040f2026369a233f9ae76301b7b
splitter: |'|'|
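The splitter above is the token that separates fields inside each njRAT C2 message, so it is the one config value that turns into a network detection directly. The following Python is an added example, not part of the tria.ge report or of the malware: it frames and decodes njRAT-style traffic using this splitter. The length-prefix framing (decimal byte count, a NUL byte, then the splitter-separated payload) is taken from public analyses of njRAT 0.7d; the field layout assumed for the "ll" registration message is marked as an assumption in the code; and the sample stream is constructed, using only the campaign id from the extracted config plus made-up host details.

```python
"""Frame and field decoding for njRAT-style C2 traffic using the extracted splitter.

Added example, not part of the sandbox report. The framing (decimal payload
length, a NUL byte, then splitter-separated fields) follows public analyses of
njRAT 0.7d; the traffic below is constructed, not captured from this sample.
"""
import base64
from typing import Iterator, List, Optional

SPLITTER = "|'|'|"      # splitter value from the extracted config
NUL = b"\x00"


def build_frame(fields: List[str], splitter: str = SPLITTER) -> bytes:
    """Encode fields as one frame; used here only to construct test traffic."""
    payload = splitter.join(fields).encode("latin-1")
    return str(len(payload)).encode("ascii") + NUL + payload


def iter_frames(stream: bytes) -> Iterator[bytes]:
    """Yield the payload of each complete frame in a reassembled TCP stream.

    Stops at the first malformed prefix (not njRAT, or desynchronised) or at a
    partial frame (caller should read more data and retry).
    """
    buf = stream
    while buf:
        prefix, sep, rest = buf.partition(NUL)
        if not sep or not prefix.isdigit() or len(prefix) > 8:   # no/garbage length prefix
            return
        length = int(prefix)
        if len(rest) < length:                                    # incomplete frame
            return
        yield rest[:length]
        buf = rest[length:]


def _b64_text(field: str) -> Optional[str]:
    """Decode a base64 field to text, or None if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(field, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_message(payload: bytes, splitter: str = SPLITTER) -> Optional[dict]:
    """Split one frame on the splitter; the first field is the command.

    'll' is the registration message. Assumption from public writeups (not from
    this report): its next field is the base64 victim id, <campaign>_<volume serial>.
    """
    text = payload.decode("latin-1")
    if splitter not in text:
        return None
    fields = text.split(splitter)
    msg = {"command": fields[0], "fields": fields[1:]}
    if fields[0] == "ll" and len(fields) > 1:
        msg["victim_id"] = _b64_text(fields[1])
    return msg


def analyze_stream(stream: bytes) -> List[dict]:
    """All splitter-delimited messages found in a stream, in order."""
    return [m for m in (parse_message(p) for p in iter_frames(stream)) if m]


# Constructed client->server registration: campaign id from the config, made-up host details.
VICTIM_ID = "neuf_ABCDEF12"
REGISTRATION = ["ll", base64.b64encode(VICTIM_ID.encode()).decode(), "WIN7-LAB", "Admin",
                "25-02-08", "", "Win 7 Professional SP1", "No", "0.7d", "..",
                base64.b64encode(b"Untitled - Notepad").decode(), ""]
SAMPLE_STREAM = build_frame(REGISTRATION) + b"GET / HTTP/1.1\r\n"   # trailing non-njRAT bytes

if __name__ == "__main__":
    for m in analyze_stream(SAMPLE_STREAM):
        print(m["command"], m.get("victim_id"), m["fields"][1:3])
```

When hunting in captured traffic, run `analyze_stream` over the reassembled client-to-server side of each flow to the C2 host and port above; a decoded victim id whose campaign part matches the extracted botnet value ties a flow to this build, and the decoder refuses rather than guesses when the prefix or base64 is malformed.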
Signatures
Njrat family

Modifies Windows Firewall (2 TTPs, 1 IoC)
  PID 2804  netsh.exe

Executes dropped EXE (2 IoCs)
  PID 2208  chargeable.exe
  PID 2864  chargeable.exe

Loads dropped DLL (2 IoCs)
  PID 2056  8f5af7de9311f740012603025b2065573ad23816ce5e728465a0d0f9553c4839.exe (two loads)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) by 8f5af7de9311f740012603025b2065573ad23816ce5e728465a0d0f9553c4839.exe:
    \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
  Set value (str) by 8f5af7de9311f740012603025b2065573ad23816ce5e728465a0d0f9553c4839.exe:
    \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\Users\Admin\AppData\Local\Temp\8f5af7de9311f740012603025b2065573ad23816ce5e728465a0d0f9553c4839.exe"
  Both entries are per-user (HKCU) and point into the user profile, so this persistence needs no elevation; the second value name borrows the name of the legitimate SysMain (Superfetch) service.

Suspicious use of SetThreadContext (1 IoC)
  PID 2208 chargeable.exe set thread context of PID 2864 (procid_target 30)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Key queried           \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh  netsh.exe
  Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh  netsh.exe
  Key opened            \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh  netsh.exe
  Caveat: netsh reads this key on every start to find its helper DLLs, and only reads are recorded here (no value written). This is a side effect of the firewall command in the process tree below, not evidence that the sample registered a helper DLL of its own.

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  netsh.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8f5af7de9311f740012603025b2065573ad23816ce5e728465a0d0f9553c4839.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  chargeable.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  chargeable.exe

Suspicious use of AdjustPrivilegeToken (21 IoCs)
  PID 2864 chargeable.exe adjusted the following token privileges:
    SeDebugPrivilege (1)
    privilege LUID 33, i.e. SeIncreaseWorkingSetPrivilege (10)
    SeIncBasePriorityPrivilege (10)
  The 33 / SeIncBasePriorityPrivilege pair alternates ten times after the single SeDebugPrivilege adjustment.

Suspicious use of WriteProcessMemory (17 IoCs)
  PID 2056 (8f5af7de9311f740012603025b2065573ad23816ce5e728465a0d0f9553c4839.exe) wrote to memory of PID 2208 (chargeable.exe, procid_target 29)  4 times
  PID 2208 (chargeable.exe) wrote to memory of PID 2864 (chargeable.exe, procid_target 30)  9 times
  PID 2864 (chargeable.exe) wrote to memory of PID 2804 (netsh.exe, procid_target 31)  4 times
  Read together with the SetThreadContext IoC (2208 -> 2864), the nine writes into 2864 are consistent with a second copy of chargeable.exe being started suspended, rewritten in memory and then resumed (process hollowing). A parent also writes into a freshly created child as part of CreateProcess itself, so the 2864 -> 2804 writes into netsh.exe are not suspicious on their own.
Processes
1. C:\Users\Admin\AppData\Local\Temp\8f5af7de9311f740012603025b2065573ad23816ce5e728465a0d0f9553c4839.exe  (PID 2056)
   Command line: "C:\Users\Admin\AppData\Local\Temp\8f5af7de9311f740012603025b2065573ad23816ce5e728465a0d0f9553c4839.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe  (PID 2208, child of 2056)
      Command line: "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe  (PID 2864, child of 2208)
         Command line: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\netsh.exe  (PID 2804, child of 2864)
            Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
            - Modifies Windows Firewall
            - Event Triggered Execution: Netsh Helper DLL
            - System Location Discovery: System Language Discovery

The netsh command uses the legacy `netsh firewall` context (still functional on Windows 7) to add a program exception for the implant's own copy, so inbound connections to chargeable.exe are allowed through the host firewall.
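Detection logic over the behaviours in this tree, as an added example (not tria.ge output): three hunt rules run over constructed Sysmon-like events that mirror the report's PIDs, image paths, command lines and Run-key values, with a benign Run key added as a control. The event shape and field names are this example's own, chosen to match what Sysmon Event ID 1 (process creation, with ParentImage and CommandLine) and Event ID 13 (registry value set) provide.

```python
"""Hunt rules derived from this report's process tree and registry IoCs.

Added example, not tria.ge output. The event records below are constructed in
a Sysmon-like shape and mirror the PIDs and paths from the report; the OneDrive
Run key is a benign control that must not fire.
"""
import ntpath
import re

# Paths a standard user can write to: the dropper and its copy both live here.
USER_WRITABLE = re.compile(r"C:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# Legacy 'netsh firewall' (used on Win7 in this report) and the current 'advfirewall' syntax.
NETSH_ALLOW = re.compile(
    r"\bnetsh(?:\.exe)?\s+(?:firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)\b",
    re.IGNORECASE,
)

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\8f5af7de9311f740012603025b2065573ad23816ce5e728465a0d0f9553c4839.exe"
COPY = r"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
HKU_RUN = r"HKU\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run"

EVENTS = [  # constructed from the report; field names are this example's own
    {"type": "process", "pid": 2208, "ppid": 2056, "image": COPY, "parent_image": DROPPER,
     "cmdline": f'"{COPY}"'},
    {"type": "process", "pid": 2864, "ppid": 2208, "image": COPY, "parent_image": COPY,
     "cmdline": COPY},
    {"type": "process", "pid": 2804, "ppid": 2864, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "parent_image": COPY,
     "cmdline": f'netsh firewall add allowedprogram "{COPY}" "chargeable.exe" ENABLE'},
    {"type": "registry", "pid": 2056, "key": HKU_RUN + r"\confuse", "value": COPY},
    {"type": "registry", "pid": 2056, "key": HKU_RUN + r"\SysMain", "value": DROPPER},
    {"type": "registry", "pid": 1234, "key": HKU_RUN + r"\OneDrive",          # benign control
     "value": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]


def run_key_user_path(ev):
    """Run key whose target lives under the user's profile: persistence without admin rights."""
    return (ev["type"] == "registry" and RUN_KEY.search(ev["key"])
            and USER_WRITABLE.search(ev["value"]))


def netsh_allow_user_path(ev):
    """netsh adding a firewall exception for a binary under AppData."""
    return (ev["type"] == "process" and NETSH_ALLOW.search(ev["cmdline"])
            and USER_WRITABLE.search(ev["cmdline"]))


def self_spawn_user_path(ev):
    """A user-profile binary launching a second copy of itself: the staging step before
    the SetThreadContext / WriteProcessMemory hollowing seen in the report."""
    return (ev["type"] == "process" and USER_WRITABLE.search(ev["image"])
            and ntpath.basename(ev["image"]).lower() == ntpath.basename(ev["parent_image"]).lower())


RULES = {f.__name__: f for f in (run_key_user_path, netsh_allow_user_path, self_spawn_user_path)}


def detect(events):
    """Return one alert per (rule, event) match."""
    alerts = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                alerts.append({"rule": name, "pid": ev["pid"],
                               "detail": ev.get("cmdline") or f'{ev["key"]} = {ev["value"]}'})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f'[{a["rule"]}] pid {a["pid"]}: {a["detail"]}')
```

The self-spawn rule is the noisy one: installers, browsers and updaters routinely launch same-image children, which is why it is restricted here to images under the user profile and is best corroborated with SetThreadContext or cross-process write telemetry before it is treated as hollowing. The Run-key and netsh rules are low-volume in most environments and match the two actions that survive a reboot and a firewall check respectively.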
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Create or Modify System Process: Windows Service (1)
  Event Triggered Execution: Netsh Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Create or Modify System Process: Windows Service (1)
  Event Triggered Execution: Netsh Helper DLL (1)
Defense Evasion
  Impair Defenses: Disable or Modify System Firewall (1)
  Modify Registry (1)
Downloads
- Filesize: 1KB
  MD5: fa84e4bcc92aa5db735ab50711040cde
  SHA1: 084f1cb4c47fdd3be1c833f58359ec8e16f61eb4
  SHA256: 6d7205e794fde4219a62d9692ecddf612663a5cf20399e79be87b851fca4ca33
  SHA512: 261a327ed1dffd4166e215d17bfd867df5b77017ba72c879fb2675cfb8eef48b374f6de41da0e51ba7adb9c0165bb2c831840603e873f6429963afd0cb93007f
- Filesize: 1KB
  MD5: 1ea27366e034eb9447a33ce639c01489
  SHA1: d12ed3e7e60c65ce90f0a58b9b9e47292caed923
  SHA256: 788d210ef206a4d11b6b506bf52124ee03fca4e8a9389fad43772202a7e29452
  SHA512: e06f7443f0f7ca5db4411aa0718102c08068e95ec305b6b53c0b42a941a877de39f95c7e7514e69316b41a7ac19eaa6ccddc581fe475bdb842ec920691726e49
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE
  Filesize: 264B
  MD5: 0676b91d14c30c339d327857144c24d2
  SHA1: 83efe361f62d2b5e6f52a151ed47fe8de1401d3d
  SHA256: 8144d40d3967caeb1d5efb199dd43f35df0c743fa7449441f0830ed3d3ef1040
  SHA512: bf1a189b1eb1e0ee63b6124f12eb99ec1901318dde64d6b949eac872cccf71b91f11a2ea2153ce8b7e30fe691667bf6c0f166632f3fd6eda28a5b6ac2ee504e6
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 409d0fb5ee995083069831413ba89c01
  SHA1: b374adb0681455fbfa09deb684ad377746042b42
  SHA256: 941082570a204f6030bca1292f04b27330793c854a0fe836dcd8eb8fe4011389
  SHA512: 836822630a23475fde49f4687fe457462e7938aed8e9a0d3b4b1a6833cec7ec4dfeaa5ee6e8a0fca0e3263763b5f980f95efc1cf374af27d668236fcc8ed97ce
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: e61a9f3256719d6f6761c401ab7de530
  SHA1: 3cc3b62401b92dda90992904c96b2ad71c066c30
  SHA256: 5fda9fe9ee1490902aa16d5deef3a30b0c021f6712b7915c4eb77558e6a2b306
  SHA512: 4041ece765c2ed6b49f323c6de55c893c4b8af9af2f716e52a89fba2c62df56abe39c545e4123930fc3acb7079326b842f064100635a1375b277183284b31ce1
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: fd178ac381ca4aee5c09bceba385360d
  SHA1: 0c85d4d22c81ccee8763fa008557dc1b6bbb763e
  SHA256: e7f8875e74f5859903f2d825f7f391d1e310605339446340aa1f984d8c6e495f
  SHA512: d5543d43485f2164667ca668c6489c72994ed5d30221f25bce86f0098c8b83caceb925f4011d5f2151d05eb3214e32eedfdce545377a6fd8845e5ef21766375b
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956
  Filesize: 252B
  MD5: 96411fdb7c9f56fef6681c5819fbbbc5
  SHA1: d9df1218d24fb1161697e0c00b058f22c87e3d88
  SHA256: f8ab013a9f6ec44cea1b59a48c6b236228f9d05cb4e4016f7c02c7052b213478
  SHA512: bacaeeab5300dbed46b78ecb63aa658f71525c67572707556d86848c07ee3ce105ea2c9e3fd36f72ea5da0cedebfef30823fd7f1e1a702f33de356426dceae69
- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
- Filesize: 121KB
  MD5: 18915bdb93e2629c62b958399ce449f4
  SHA1: 24aa0844d88a70a7fd28fe020f29ac572863ae13
  SHA256: cf7e94866f0d5591557f685948fce8437729aba6136651a8b9e62235c63ac816
  SHA512: ee16cc470cb6a1c746b936fc948e4563d291c6c2e1bf51b07621b7a8233f908c26974cf364bd8a6093919b96f8b7b5f83aa8d69f9d28f090eb2fcbbaf586c569

The CryptnetUrlCache\MetaData files are written by the Windows CryptoAPI when it attempts to retrieve certificate data (CRL, AIA or OCSP) over the network; the 94308059... entry is listed three times because it was rewritten during the run. They are Windows artifacts rather than implant payloads, and only show that CryptoAPI attempted network retrieval during the analysis. The unnamed 70KB, 181KB and 121KB files carry no path in the report; note that the 121KB file has different hashes from the 121KB submitted sample.