Analysis
  Max time kernel: 149s
  Max time network: 155s
  Platform: windows10-2004_x64
  Resource: win10v2004-20250207-en
  Resource tags: arch:x64, arch:x86, image:win10v2004-20250207-en, locale:en-us, os:windows10-2004-x64, system
  Submitted: 08/02/2025, 20:15
Behavioral tasks
  behavioral1: Everythingnew.exe on win7-20241010-en
  behavioral2: Everythingnew.exe on win10v2004-20250207-en
The signatures, process tree and IoCs below are from the Windows 10 run (platform windows10-2004_x64, resource win10v2004-20250207-en).
General
  Target: Everythingnew.exe
  Size: 43KB
  MD5: e6c670a90c4eb92933de49b9b28d19bc
  SHA1: e561d4517df4a7bdf2fafdf4f5dafabedc3c74e0
  SHA256: f09c8a7cfd0dbbafc4191ecf15e57329fd1959b6b4da2bcac0ab59f08b8db009
  SHA512: 552ad265eb09afa523f3ec3fa22300b47630064db6788c97e16051352d55c45cb6a7ca21f01e31246aad391f571adab7e89e567264a9c0a9cf87c8208a60f398
  SSDEEP: 384:oZy3Oxrt+3qpyeEDLAL3EkPVIVUusVzQIij+ZsNO3PlpJKkkjh/TzF7pWnM7greT:eTwage0LGfNXuXQ/ot7+L
Malware Config
Extracted
  Family: njrat
  Version: Njrat 0.7 Golden By Hassan Amiri
  Botnet: stealer
  C2: environmental-seeds.gl.at.ply.gg:35534
  Mutex: Windows Update (unlabelled in the extraction; it is the same string as reg_key, which is how njRAT derives its mutex name)
  Attributes:
    reg_key: Windows Update
    splitter: |Hassan|
Two practitioner notes on this config. The C2 host is under gl.at.ply.gg, a playit.gg tunnel endpoint, so the resolved IP belongs to the tunnel provider and the hostname:port pair is the indicator worth blocking. The splitter |Hassan| replaces njRAT's default |'|'| field delimiter, so any network signature written for stock njRAT traffic needs this string instead.
Signatures
- Njrat family
- Downloads MZ/PE file (1 IoC)
    flow 47, pid 3108, process: Process not Found
- Checks computer location settings (2 TTPs, 1 IoC)
    Looks up the country code configured in the registry, likely a geofence.
    Key value queried: \REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000\Control Panel\International\Geo\Nation by Everythingnew.exe
- Drops startup file (2 IoCs)
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe by winsystem.exe
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe by winsystem.exe
- Executes dropped EXE (1 IoC)
    pid 2248 winsystem.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
    Set value (str): \REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\winsystem.exe\" .." by winsystem.exe
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\winsystem.exe\" .." by winsystem.exe
    Both values are the sample's own copy in %APPDATA% followed by the literal argument " ..", the persistence form njRAT 0.7 writes; the value name "Windows Update" is a lure, not a Microsoft component.
- Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
    Attempts to gather the system language of the victim host in order to infer its geographical location.
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by Everythingnew.exe
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by winsystem.exe
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by MicrosoftEdgeUpdate.exe
- System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
    Adversaries may check for Internet connectivity on compromised systems.
    pid 4016 MicrosoftEdgeUpdate.exe
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
    pid 1612 Everythingnew.exe
    pid 2248 winsystem.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
    All by pid 2248 winsystem.exe: SeDebugPrivilege once, then 17 repetitions of the pair privilege LUID 33 (SeIncreaseWorkingSetPrivilege) and SeIncBasePriorityPrivilege.
- Suspicious use of WriteProcessMemory (3 IoCs)
    PID 1612 Everythingnew.exe wrote to memory of PID 2248 (procid_target 87), three times.
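The persistence artifacts above (Run values named "Windows Update" pointing into %APPDATA% with a trailing " ..", and a startup-folder drop named after a vendor updater) are easy to turn into hunting rules. The following is an added example, not tria.ge code or part of the report: it evaluates Sysmon-style events (Event ID 13 registry value set, Event ID 11 file create) against those patterns. The event records, the watch-list of lure names, the benign negative case and the function names `evaluate` and `split_command` are all constructed here; only the paths and value names come from the report.

```python
# Added example (not tria.ge code): rule-style hunting over Sysmon-like events for the
# persistence pattern in this report. Event records, the lure-name watch-list and the
# negative case are constructed; paths and value names are taken from the report.
import re
from dataclasses import dataclass, field

REG_VALUE_SET = 13   # Sysmon Event ID 13: registry value set
FILE_CREATE = 11     # Sysmon Event ID 11: file created

RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.I)
STARTUP_DIR_RE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\(?P<name>[^\\]+)$", re.I)
# Directories a standard user can write to; legitimate autostarts rarely live there.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Users\\Public|ProgramData|Temp)\\", re.I)
# Assumed watch-list: autostart names that impersonate vendor updaters.
LURE_NAMES = {"windows update", "java update", "microsoft update", "adobe update"}
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")


@dataclass
class Event:
    event_id: int
    image: str         # process that performed the write
    target: str        # registry value path (event 13) or file path (event 11)
    details: str = ""  # registry data for event 13


@dataclass
class Finding:
    event: Event
    reasons: list = field(default_factory=list)


def split_command(details: str):
    """Split a Run value into (executable, arguments); handles quoted paths."""
    m = (re.match(r'^\s*"([^"]*)"\s*(.*)$', details)
         or re.match(r"^\s*(\S+)\s*(.*)$", details))
    if not m:
        return details, ""
    return m.group(1), m.group(2).strip()


def evaluate(events):
    """Return one Finding per suspicious event, with every matched reason listed."""
    findings = []
    for ev in events:
        reasons = []
        if ev.event_id == REG_VALUE_SET and (m := RUN_KEY_RE.search(ev.target)):
            exe, args = split_command(ev.details)
            if USER_WRITABLE_RE.search(exe):
                reasons.append("Run value points into a user-writable directory")
            if args == "..":
                reasons.append("trailing ' ..' argument, as written by njRAT 0.7")
            if (m.group("name").lower() in LURE_NAMES
                    and not exe.lower().startswith(TRUSTED_PREFIXES)):
                reasons.append(f"value named '{m.group('name')}' but target is "
                               "outside Windows/Program Files")
        elif ev.event_id == FILE_CREATE and (m := STARTUP_DIR_RE.search(ev.target)):
            reasons.append("file created in a Startup folder")
            if USER_WRITABLE_RE.search(ev.image):
                reasons.append("written by a process running from a user-writable directory")
            if m.group("name").lower().rsplit(".", 1)[0] in LURE_NAMES:
                reasons.append(f"startup file named '{m.group('name')}' impersonates an updater")
        if reasons:
            findings.append(Finding(ev, reasons))
    return findings


# Constructed events mirroring this report's IoCs, plus one benign negative case.
WINSYSTEM = r"C:\Users\Admin\AppData\Roaming\winsystem.exe"
SAMPLE_EVENTS = [
    Event(REG_VALUE_SET, WINSYSTEM,
          r"\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000\SOFTWARE"
          r"\Microsoft\Windows\CurrentVersion\Run\Windows Update",
          f'"{WINSYSTEM}" ..'),
    Event(REG_VALUE_SET, WINSYSTEM,
          r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update",
          f'"{WINSYSTEM}" ..'),
    Event(FILE_CREATE, WINSYSTEM,
          r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe"),
    # Negative case (constructed): a vendor agent registering itself from Program Files.
    Event(REG_VALUE_SET, r"C:\Program Files\Vendor\setup.exe",
          r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
          r'"C:\Program Files\Vendor\agent.exe" /minimized'),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"[event {f.event.event_id}] {f.event.target}")
        for r in f.reasons:
            print("   -", r)
```

Run against the constructed events, the three writes made by winsystem.exe each produce a finding with three reasons and the vendor-agent event produces none. The " .." check is narrow but cheap and specific to this family; the user-writable-directory and lure-name checks are the ones that generalize to other RATs using the same Run-key and Startup-folder tradecraft.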
Processes
- C:\Users\Admin\AppData\Local\Temp\Everythingnew.exe (PID 1612, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Everythingnew.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\winsystem.exe (PID 2248, depth 2, child of PID 1612)
    Command line: "C:\Users\Admin\AppData\Roaming\winsystem.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (PID 4016, depth 1, no parent link to the sample)
  Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5ODUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODQ0NDQzNjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTIzODQwNDM4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  This process is the Edge updater's own scheduled event ping (the URL-safe base64 argument decodes to an Omaha-style <app ...><event eventtype="31" .../></app></request> report). It is sandbox background activity with no parent link to the sample, so the two discovery signatures attached to it should not be attributed to Everythingnew.exe.
Network
MITRE ATT&CK Enterprise v15
  Privilege Escalation
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
Downloads
- Filesize: 43KB
  MD5: e6c670a90c4eb92933de49b9b28d19bc
  SHA1: e561d4517df4a7bdf2fafdf4f5dafabedc3c74e0
  SHA256: f09c8a7cfd0dbbafc4191ecf15e57329fd1959b6b4da2bcac0ab59f08b8db009
  SHA512: 552ad265eb09afa523f3ec3fa22300b47630064db6788c97e16051352d55c45cb6a7ca21f01e31246aad391f571adab7e89e567264a9c0a9cf87c8208a60f398
  These hashes are identical to the submitted sample, consistent with njRAT's habit of copying its own executable to %APPDATA% (here as winsystem.exe) rather than fetching a second stage; one hash set therefore covers both the initial file and the persisted copy.