Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
27s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
08/02/2025, 04:03
Behavioral task
behavioral1
Sample
cfb9c71fc5a1fc750db82440c45ca5e1f7ef557d5ad0f1cb50dd14a2c2621b19N.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
cfb9c71fc5a1fc750db82440c45ca5e1f7ef557d5ad0f1cb50dd14a2c2621b19N.exe
Resource
win10v2004-20250207-en
General
-
Target
cfb9c71fc5a1fc750db82440c45ca5e1f7ef557d5ad0f1cb50dd14a2c2621b19N.exe
-
Size
23KB
-
MD5
4ab6caa1143a0bf110bfde47d5285ac0
-
SHA1
afb9ceb67fcaee2beb9cd08d45018cabb7ece4bf
-
SHA256
cfb9c71fc5a1fc750db82440c45ca5e1f7ef557d5ad0f1cb50dd14a2c2621b19
-
SHA512
6e0bab4035120373702eb6faa77a8c4b11a3c654a3c6890a61aa6d4285cc0bb7933d2bb38772bbf4f3c590c017205d6e005a846f77cc9fab9b53dda4aeb3c4e9
-
SSDEEP
384:07luBPiZCMfdfSJrQbsLRGSIxYVL46pg/i8BD9BmRvR6JZlbw8hqIusZzZu4:0EOmhtIiRpcnug
Malware Config
Extracted
njrat
0.7d
Prime
updatservice3457.ddns.net:5552
604be2a3a005846db577612359e0d347
-
reg_key
604be2a3a005846db577612359e0d347
-
splitter
|'|'|
Signatures
-
Njrat family
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2672 netsh.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\604be2a3a005846db577612359e0d347.exe temp22.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\604be2a3a005846db577612359e0d347.exe temp22.exe -
Executes dropped EXE 1 IoCs
pid Process 2628 temp22.exe -
Loads dropped DLL 1 IoCs
pid Process 2768 cfb9c71fc5a1fc750db82440c45ca5e1f7ef557d5ad0f1cb50dd14a2c2621b19N.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\604be2a3a005846db577612359e0d347 = "\"C:\\Users\\Admin\\AppData\\Roaming\\temp22.exe\" .." temp22.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\604be2a3a005846db577612359e0d347 = "\"C:\\Users\\Admin\\AppData\\Roaming\\temp22.exe\" .." temp22.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cfb9c71fc5a1fc750db82440c45ca5e1f7ef557d5ad0f1cb50dd14a2c2621b19N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language temp22.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
Suspicious use of AdjustPrivilegeToken 27 IoCs
description pid Process Token: SeDebugPrivilege 2628 temp22.exe Token: 33 2628 temp22.exe Token: SeIncBasePriorityPrivilege 2628 temp22.exe Token: 33 2628 temp22.exe Token: SeIncBasePriorityPrivilege 2628 temp22.exe Token: 33 2628 temp22.exe Token: SeIncBasePriorityPrivilege 2628 temp22.exe Token: 33 2628 temp22.exe Token: SeIncBasePriorityPrivilege 2628 temp22.exe Token: 33 2628 temp22.exe Token: SeIncBasePriorityPrivilege 2628 temp22.exe Token: 33 2628 temp22.exe Token: SeIncBasePriorityPrivilege 2628 temp22.exe Token: 33 2628 temp22.exe Token: SeIncBasePriorityPrivilege 2628 temp22.exe Token: 33 2628 temp22.exe Token: SeIncBasePriorityPrivilege 2628 temp22.exe Token: 33 2628 temp22.exe Token: SeIncBasePriorityPrivilege 2628 temp22.exe Token: 33 2628 temp22.exe Token: SeIncBasePriorityPrivilege 2628 temp22.exe Token: 33 2628 temp22.exe Token: SeIncBasePriorityPrivilege 2628 temp22.exe Token: 33 2628 temp22.exe Token: SeIncBasePriorityPrivilege 2628 temp22.exe Token: 33 2628 temp22.exe Token: SeIncBasePriorityPrivilege 2628 temp22.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2768 wrote to memory of 2628 2768 cfb9c71fc5a1fc750db82440c45ca5e1f7ef557d5ad0f1cb50dd14a2c2621b19N.exe 30 PID 2768 wrote to memory of 2628 2768 cfb9c71fc5a1fc750db82440c45ca5e1f7ef557d5ad0f1cb50dd14a2c2621b19N.exe 30 PID 2768 wrote to memory of 2628 2768 cfb9c71fc5a1fc750db82440c45ca5e1f7ef557d5ad0f1cb50dd14a2c2621b19N.exe 30 PID 2768 wrote to memory of 2628 2768 cfb9c71fc5a1fc750db82440c45ca5e1f7ef557d5ad0f1cb50dd14a2c2621b19N.exe 30 PID 2628 wrote to memory of 2672 2628 temp22.exe 31 PID 2628 wrote to memory of 2672 2628 temp22.exe 31 PID 2628 wrote to memory of 2672 2628 temp22.exe 31 PID 2628 wrote to memory of 2672 2628 temp22.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\cfb9c71fc5a1fc750db82440c45ca5e1f7ef557d5ad0f1cb50dd14a2c2621b19N.exe"C:\Users\Admin\AppData\Local\Temp\cfb9c71fc5a1fc750db82440c45ca5e1f7ef557d5ad0f1cb50dd14a2c2621b19N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Users\Admin\AppData\Roaming\temp22.exe"C:\Users\Admin\AppData\Roaming\temp22.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\temp22.exe" "temp22.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2672
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23KB
MD54ab6caa1143a0bf110bfde47d5285ac0
SHA1afb9ceb67fcaee2beb9cd08d45018cabb7ece4bf
SHA256cfb9c71fc5a1fc750db82440c45ca5e1f7ef557d5ad0f1cb50dd14a2c2621b19
SHA5126e0bab4035120373702eb6faa77a8c4b11a3c654a3c6890a61aa6d4285cc0bb7933d2bb38772bbf4f3c590c017205d6e005a846f77cc9fab9b53dda4aeb3c4e9