General

  • Target

    archive_41.zip

  • Size

    74.8MB

  • Sample

    250322-gz1bbsy1cs

  • MD5

    5d83931d7f45d7d8abd6b68b28c1fa3e

  • SHA1

    30ea1960ff10bfbd7e9729b14e0fd6de8c050dde

  • SHA256

    13998cf5ce3fc1b1fb20635ef2c1e476c880d72eec7afb7e8ec74808928700da

  • SHA512

    a43f7aaabcfb23f802445da8359925d9267b8e73fffde04dd99f43eb22bb9ca44f8a1fe4a42e0966eaf8f86a7c01199558b12450123c72122640dcf5a8fc14c5

  • SSDEEP

    1572864:HjoUNuQ/6CAGsakloEaJeQgQeWuUst2Ky6l1gaUd6gG:HjhgQCCATRloEa8QgQeWuUst2Ky6lGax

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

10.10.1.11:5552

Mutex

7657c14284185fbd3fb108b43c7467ba

Attributes
  • reg_key

    7657c14284185fbd3fb108b43c7467ba

  • splitter

    |'|'|

Extracted

Family

xworm

C2

192.168.100.13:7000

127.0.0.1:7000

Attributes
  • Install_directory

    %AppData%

  • install_file

    RuntimeBroker.exe

Extracted

Family

njrat

Version

<- NjRAT 0.7d Horror Edition ->

Botnet

Victim

C2

46.197.220.52:1604

Mutex

7bcbf5e23295248042b5dac9a154ecb7

Attributes
  • reg_key

    7bcbf5e23295248042b5dac9a154ecb7

  • splitter

    Y262SUCZ4UJJ

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:32266

father-deck.gl.at.ply.gg:32266

Mutex

bxZRB9RoaSqSgoZz

Attributes
  • Install_directory

    %Temp%

  • install_file

    svchost.exe

  • aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

krnl

C2

127.0.0.1:1234

Mutex

62cfd7a2-713f-44be-bf60-f71392c34930

Attributes
  • encryption_key

    34F17DCAB06146593170B498E9E1F2F58CD66C91

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Boy12345#

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Targets

    • Target

      a6b7e1f8d965ec053cbb870a443d5513.exe

    • Size

      23KB

    • MD5

      a6b7e1f8d965ec053cbb870a443d5513

    • SHA1

      d36498e62e780ab792a504d1e410c4ad68e6d323

    • SHA256

      3afbd2930ef13cada1f74438a9d8a178c2a139062afc5baa3748fe649593ab89

    • SHA512

      131102fcd77c278b4099345348ea9703c8a8f4254fb9671e4ca59abaf0588a0c77fd1230cc747f7d958136523dbd7d2ed89c7f8fed94bf9e4d64b9de9a5784af

    • SSDEEP

      384:AoWtkEwn65rgjAsGipk55D16xgXakhbZD0mRvR6JZlbw8hqIusZzZIM:P7O89p2rRpcnuq

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      a6d91e550d33f9f64c5e292e47013b055f721bbc1865d3bfa5d89fe7f840586e.exe

    • Size

      7.9MB

    • MD5

      581f750f1076c31896606b8bd1a3265e

    • SHA1

      23e2a2b8b3ac67c75477621008f6d736cbc3ca7b

    • SHA256

      a6d91e550d33f9f64c5e292e47013b055f721bbc1865d3bfa5d89fe7f840586e

    • SHA512

      b0297edc8c5c0f81c277fa6d39bcf3677c6ea4b16651657704fb11e90da803deb3986527ee2601e9b0c1665cdbf209c9bdf0586451a7a3da3acc134aa1f9a655

    • SSDEEP

      196608:M9sGLbd7rEWWn87E3QeotSqrG8YqcIXcZZBB:MmqbhrEbn87eZsFmq+d

    Score: 7/10
    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      a72cdbd8e2e58d49bac3da8f517b97ee8262cc6d54e21eadfacbf1df504a26ad.exe

    • Size

      211KB

    • MD5

      1f0395936dc0d6537bccdb76d7f69e2f

    • SHA1

      fe932a4a7d78d9c184e31205c3576d288be69272

    • SHA256

      a72cdbd8e2e58d49bac3da8f517b97ee8262cc6d54e21eadfacbf1df504a26ad

    • SHA512

      4e4a87a1a753b80ab5471768f198446e77cf16a89485e0e9da50d907bf1468a2f5a2b7082cf6024f8b9e3381f15ba796019a56f379293ba90b6415591349119a

    • SSDEEP

      3072:9O9PzMMAdkVkgNe+bGtq4QXSfOW3ty83hLKKKKKU8AAFTbp8ELQHsoOJNuYnZIWV:9OUIkiHbwqS9yLfJXnIZR

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      a731427f52bd2af065c7544d7f9ea804.exe

    • Size

      8.4MB

    • MD5

      a731427f52bd2af065c7544d7f9ea804

    • SHA1

      7cd9c953fda6cb5c596e2d411e1892bd46c28b20

    • SHA256

      03fa272e3f65c52dbfc39fde14d51c9af1dadda3e520474e30858163543c21a7

    • SHA512

      aa8557636f7b1ceda7a2fa47f9fe921d6bfb02b3127254c249955090b9734a4d8b61c9a3a6f7940dc0604b8863a911a9b05855bbc4d1052250fb4c2ae08dd6e7

    • SSDEEP

      196608:YX25M7WcFX25M7WcAxwSNZAk/vUkLAHjT0de:YOM7WoOM7WN5NZAGt0Hj

    Score: 6/10
    • Legitimate hosting services abused for malware hosting/C2

    • Target

      a73951d8730beba8a769c882801bd767.exe

    • Size

      1.6MB

    • MD5

      a73951d8730beba8a769c882801bd767

    • SHA1

      d7a91fcad4c3477b2bb17168404b015249dc9925

    • SHA256

      fd491ef92bb1de6bc677badbca3c26699d3cd713e5803c82757768965be9ded3

    • SHA512

      12f5bb32eba7a028f0ef7dc29d6d75efb5460ce34209c677539daa83cadf1c689961a8a076a7d8acc90479fba8fc526ee1e83f0e19af5d784525425a5e15c6e6

    • SSDEEP

      24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Target

      a74be4d5e7b154091b38338a6ac94973.exe

    • Size

      811KB

    • MD5

      a74be4d5e7b154091b38338a6ac94973

    • SHA1

      869b7342f2354a84a88e333f51bc5ee86dc5c66e

    • SHA256

      9c089fbaa60a508b50525205890e389f797919b231e90b8a3d02120e9776be08

    • SHA512

      906a1078d28d52bd3cd5c0b77164a7da6bad7a34f316ff980dee887f4b4561760d128c85f226099c86029f628543044e3dfd442066e2ad5c0828eeb548f66b9d

    • SSDEEP

      6144:/tT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rcnKg:p6u7+487IFjvelQypyfy7cnKg

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      a77ff4e4dd651e4c89e2297a2a321987.exe

    • Size

      885KB

    • MD5

      a77ff4e4dd651e4c89e2297a2a321987

    • SHA1

      a9547ffaf19a4e24b18bfd064daa8c0286dcfde9

    • SHA256

      6edd1467581b5e8050205a8da77435b71115ab9b69e76fd46c1dc8abd63664dc

    • SHA512

      2df2d8ef093dc2a53ca2b23544fae535dea9884e296fca639d5168606369742c62d73a834b96696711800023adc0b2204f05e235641ce9edaabbf9985f6732e7

    • SSDEEP

      12288:ElNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:ElNCv6XJ5BClaXfD9vUha+u

    Score: 10/10
    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Target

      a799e456ff773d61953389e7fb322b88.exe

    • Size

      20.2MB

    • MD5

      a799e456ff773d61953389e7fb322b88

    • SHA1

      ee4bb5e3ebfdb9a3a158b6e043ad8ad45405579e

    • SHA256

      3f24ecfe09f50ca00f29c8617bc76f9b01785a2d86eaf16b34d46c60648ed32c

    • SHA512

      5645160a60b98fa38fc2a278fe31290967368ec38df0b0b5ac6ca0fa1073518e7478888b4bbf13082a94d436567c53df04ba02b0265019ff61f7056f82b5f84a

    • SSDEEP

      393216:SGg4aFGg4afGg4ahGg4aEGg4aJGg4akGg4a9Gg4aDGg4aKGg4aPGg4aLGg4aYGgf:AtfpyhSVzoPr2kyp

    • Xred

      Xred is a backdoor written in Delphi.

    • Xred family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Suspicious Office macro

      Office document equipped with macros.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      a7c49036ebf4784cc999d947c3350d466e1d4776671e2ce6bfa37c00013baf95.exe

    • Size

      100KB

    • MD5

      9ff64858d665ca85bf879c88878023aa

    • SHA1

      1c0d61012d43884c579cf669a957ebdfd98bf7d9

    • SHA256

      a7c49036ebf4784cc999d947c3350d466e1d4776671e2ce6bfa37c00013baf95

    • SHA512

      4be1764a6a7b39199bc5ec126f610e3a6dbe3ebb1be57c0caada4a3b3be2691458e483c40b73ccbf8490c0a6653dac39a86f7c2443cd959ace9a516a92b664d1

    • SSDEEP

      3072:o9G8ME2eweVzbV62dEVNm48uu8673pr3ov:i2mzb42dEVNm48uu8673pr

    Score: 3/10
    • Target

      a7d8553ba6cb9193a197904239af5d2e7bc4c7015dce62660400968e54d94ba8.exe

    • Size

      316KB

    • MD5

      227620b7437f3a94ad2f664071c8b4ee

    • SHA1

      80794b08cb2a980a465e16239ac5660e8537a79c

    • SHA256

      a7d8553ba6cb9193a197904239af5d2e7bc4c7015dce62660400968e54d94ba8

    • SHA512

      ae30cd2d92979789bbbd9c8de8f630c56bb3357d3d29ba228acd7dfc8eb929fa9887487997868a2e9dba9bb51e511664fd1175860ac35a60c6c24043e60c59b7

    • SSDEEP

      6144:jzg3sWCykLEWZnp1PeghsvHqTNPfPEBnyhMUwcYmk4SiD6Y:jqp2IWTJhrTNn3xRC

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Target

      a7e953c8807b21e5a5db9757e01e27e8018901c36cd81ef12cbda5712ad1c528.exe

    • Size

      513KB

    • MD5

      bee8b480b0eaca7a667e7167fb8a90d9

    • SHA1

      9f313636052c520f376c1dd78db8965206828a49

    • SHA256

      a7e953c8807b21e5a5db9757e01e27e8018901c36cd81ef12cbda5712ad1c528

    • SHA512

      4307592c42fc62376d5ca68dc877160ce78ab6521ac14ef8a17f0acaae3b2751ffee7100b555f8027142ad1e5992b80d9c5a012ffebd8c02804090c9244e3f76

    • SSDEEP

      12288:47eq029boZJl4K5qFy8Q3txiiCsi6usc6JPE7G/7Btt:4eqAjIF8WsShAPEQ7

    Score: 10/10
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Target

      a7ead69cebb4805f528bc566a9b4eea3.exe

    • Size

      2.3MB

    • MD5

      a7ead69cebb4805f528bc566a9b4eea3

    • SHA1

      8a2c748c16e5ce838877410c83b1cedb7e62e17f

    • SHA256

      7736c501dd6d579e29c5b75abdb0b3d5041704a7ddeae146805ebc470efd406f

    • SHA512

      49ab87faf90bcfc04605225147e3445b22be2f1f27de8c201152c1cd5185768499d26acf9192b718fec46d04192b9e57e085a6e527e62f3887135228b4520762

    • SSDEEP

      49152:Ehyj2PC/eL39+BnEeIumypL6aau2F7katWqaRER0vNgt:sQep6Epq6/rewkQ

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Target

      a7ec6d64b26a76d441ffbded59fdbfa4d8e54782f5d03cc03e436d444de883db.exe

    • Size

      381KB

    • MD5

      24b29f0a383fafd25288ef3d020eafd6

    • SHA1

      32af6aab8f84ae121e978df37bff8c3380be2336

    • SHA256

      a7ec6d64b26a76d441ffbded59fdbfa4d8e54782f5d03cc03e436d444de883db

    • SHA512

      f5aa7c54a07e77f43020e0d0055e332ac4b62153870da351e14dc59caa924ec43648145044f4a75f4203f44acb585f921690b14f643f21e1266b78b212476f11

    • SSDEEP

      6144:4I4pbvEMUJe6VlWT8b9f9Vm/b1PnjKb6P4jfqA:4IRHJPVle8C5PPo

    Score: 1/10
    • Target

      a7fd5ae1f0d16e9069ca216d2f21ccf8.exe

    • Size

      5.9MB

    • MD5

      a7fd5ae1f0d16e9069ca216d2f21ccf8

    • SHA1

      9c7a2f7d780bb05baa0b592ca1547ba25bbcf4ea

    • SHA256

      0deb67b0ba108bc58c86e696234379a5bdfb1f3de00269944c28113001695e47

    • SHA512

      a317655fd45bd7d86393d02cf3471ba145fa696b73f6a4d1463ed81030a44ea68308f34b8beca3382f678c797e95b8f9be70902d91870e5f98139debb21ac353

    • SSDEEP

      98304:xyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4r:xyeU11Rvqmu8TWKnF6N/1wO

    • DcRat

      DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0.exe

    • Size

      1.9MB

    • MD5

      e3e41d9c5ff14ac3d6b241919529b0bf

    • SHA1

      2dbfc71860ca38a1400e38c14cfce3692d18c70a

    • SHA256

      a884e586e04d1b213ef1db19e0226a0503109862aa3072c6ace8660c6a3f46e0

    • SHA512

      64d8683c41f4fa3247da647d856cd18f8a6332d99344612d86e2321bccfc50ea339d12f40f0bd2ceb19850d4beeda2182fbf03ea40a0cbaa4388e486d6fb4f30

    • SSDEEP

      24576:Uz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:UOMX0/08SVYTcxMXPxthD

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

    • Target

      a8b0399c704553c85dfd0ab584536333.exe

    • Size

      1.9MB

    • MD5

      a8b0399c704553c85dfd0ab584536333

    • SHA1

      62aea1857adbb4160c94beb5c8a599c0b6064a07

    • SHA256

      2614012e702c04f31efd94532e4d8331b5a8d2ec0a2f7b98cdaf4c02942c469e

    • SHA512

      65cf46ce9d75e7395d77c2025a9ab8552cfebc3b979c0c1596f9b3114b0699a11882c6dc1d312b0d3a2e14cf887525990b2612372a990748f6b31914f03f7904

    • SSDEEP

      24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15

Tasks

static1
Tags: hacked, rat, victim, krnl, njrat, xworm, dcrat, quasar
Score: 10/10

behavioral1
Tags: njrat, hacked, defense_evasion, discovery, persistence, privilege_escalation, trojan
Score: 10/10

behavioral2
Tags: njrat, defense_evasion, discovery, persistence, privilege_escalation, trojan
Score: 10/10

behavioral3
Score: 7/10

behavioral4
Score: 7/10

behavioral5
Tags: xworm, persistence, rat, trojan
Score: 10/10

behavioral6
Tags: xworm, persistence, rat, trojan
Score: 10/10

behavioral7
Tags: discovery
Score: 6/10

behavioral8
Tags: discovery
Score: 6/10

behavioral9
Tags: dcrat, execution, infostealer, rat
Score: 10/10

behavioral10
Tags: dcrat, execution, infostealer, rat
Score: 10/10

behavioral11
Tags: collection, credential_access, discovery, persistence, spyware, stealer
Score: 10/10

behavioral12
Tags: collection, credential_access, discovery, persistence, spyware, stealer
Score: 10/10

behavioral13
Tags: dcrat, infostealer, rat
Score: 10/10

behavioral14
Tags: dcrat, infostealer, rat
Score: 10/10

behavioral15
Tags: xred, backdoor, collection, discovery, execution, macro, persistence, spyware, stealer
Score: 10/10

behavioral16
Tags: xred, backdoor, collection, discovery, execution, macro, persistence, spyware, stealer
Score: 10/10

behavioral17
Tags: discovery
Score: 3/10

behavioral18
Tags: discovery
Score: 3/10

behavioral19
Tags: discovery, execution, spyware, stealer
Score: 7/10

behavioral20
Tags: discovery, execution, spyware, stealer
Score: 7/10

behavioral21
Tags: xworm, rat, trojan
Score: 10/10

behavioral22
Tags: xworm, rat, trojan
Score: 10/10

behavioral23
Tags: defense_evasion, discovery
Score: 9/10

behavioral24
Tags: defense_evasion, discovery
Score: 9/10

behavioral25
Score: 1/10

behavioral26
Score: 1/10

behavioral27
Tags: dcrat, defense_evasion, execution, infostealer, rat, trojan
Score: 10/10

behavioral28
Tags: dcrat, defense_evasion, execution, infostealer, rat, trojan
Score: 10/10

behavioral29
Tags: defense_evasion, execution, trojan
Score: 10/10

behavioral30
Tags: defense_evasion, execution, trojan
Score: 10/10

behavioral31
Tags: defense_evasion, execution, trojan
Score: 10/10

behavioral32
Tags: defense_evasion, execution, trojan
Score: 10/10