Analysis
- max time kernel: 149s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 08/02/2025, 20:07
Behavioral task: behavioral1
- Sample: Everythingnew.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: Everythingnew.exe
- Resource: win10v2004-20250207-en
General
- Target: Everythingnew.exe
- Size: 43KB
- MD5: e6c670a90c4eb92933de49b9b28d19bc
- SHA1: e561d4517df4a7bdf2fafdf4f5dafabedc3c74e0
- SHA256: f09c8a7cfd0dbbafc4191ecf15e57329fd1959b6b4da2bcac0ab59f08b8db009
- SHA512: 552ad265eb09afa523f3ec3fa22300b47630064db6788c97e16051352d55c45cb6a7ca21f01e31246aad391f571adab7e89e567264a9c0a9cf87c8208a60f398
- SSDEEP: 384:oZy3Oxrt+3qpyeEDLAL3EkPVIVUusVzQIij+ZsNO3PlpJKkkjh/TzF7pWnM7greT:eTwage0LGfNXuXQ/ot7+L
Malware Config
Extracted: njrat
- Version: Njrat 0.7 Golden By Hassan Amiri
- Botnet: stealer
- C2: environmental-seeds.gl.at.ply.gg:35534
- mutex: Windows Update
- reg_key: Windows Update
- splitter: |Hassan|
Signatures
- Njrat family
- Drops startup file (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | winsystem.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | winsystem.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  2760 | winsystem.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  3040 | Everythingnew.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\winsystem.exe\" .." | winsystem.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\winsystem.exe\" .." | winsystem.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Everythingnew.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winsystem.exe
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | Process
  3040 | Everythingnew.exe
  2760 | winsystem.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2760 | winsystem.exe
  Token: 33 | 2760 | winsystem.exe (17 occurrences, alternating with the next row)
  Token: SeIncBasePriorityPrivilege | 2760 | winsystem.exe (17 occurrences)
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 3040 wrote to memory of 2760 | 3040 | Everythingnew.exe | 30 (4 identical occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\Everythingnew.exe "C:\Users\Admin\AppData\Local\Temp\Everythingnew.exe" (PID 3040)
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\winsystem.exe "C:\Users\Admin\AppData\Roaming\winsystem.exe" (PID 2760)
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15