Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    152s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/10/2022, 09:27

General

  • Target

    8f438a9b94cb219d14a9d9d6172d81b9600b876acb4a4e364ae7ed84522af372.exe

  • Size

    38KB

  • MD5

    80669037be14749384c364424db64fd0

  • SHA1

    df7d67cff05d6b905660c70907187f87cad411d5

  • SHA256

    8f438a9b94cb219d14a9d9d6172d81b9600b876acb4a4e364ae7ed84522af372

  • SHA512

    681cefdac862bd33ba016ae317c92841758c85a13d6a987191e69ab24a700ca501222f87e36a4b277fd736df88b068675f1a98b1c51a28ff5261144149bc8394

  • SSDEEP

    768:uFDKZIRxEAo/Lifrz/YaqeUNNqifW5ROj10Au4pc24yjhxl:uxqmfv/Y/tqifW/Oj10Wc2RVr

Malware Config

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8f438a9b94cb219d14a9d9d6172d81b9600b876acb4a4e364ae7ed84522af372.exe
    "C:\Users\Admin\AppData\Local\Temp\8f438a9b94cb219d14a9d9d6172d81b9600b876acb4a4e364ae7ed84522af372.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4368
    • C:\Users\Admin\AppData\Local\Temp\crss.exe
      "C:\Users\Admin\AppData\Local\Temp\crss.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2376
      • C:\Windows\SYSTEM32\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\crss.exe" "crss.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:4720

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\crss.exe

    Filesize

    38KB

    MD5

    80669037be14749384c364424db64fd0

    SHA1

    df7d67cff05d6b905660c70907187f87cad411d5

    SHA256

    8f438a9b94cb219d14a9d9d6172d81b9600b876acb4a4e364ae7ed84522af372

    SHA512

    681cefdac862bd33ba016ae317c92841758c85a13d6a987191e69ab24a700ca501222f87e36a4b277fd736df88b068675f1a98b1c51a28ff5261144149bc8394

  • C:\Users\Admin\AppData\Local\Temp\crss.exe

    Filesize

    38KB

    MD5

    80669037be14749384c364424db64fd0

    SHA1

    df7d67cff05d6b905660c70907187f87cad411d5

    SHA256

    8f438a9b94cb219d14a9d9d6172d81b9600b876acb4a4e364ae7ed84522af372

    SHA512

    681cefdac862bd33ba016ae317c92841758c85a13d6a987191e69ab24a700ca501222f87e36a4b277fd736df88b068675f1a98b1c51a28ff5261144149bc8394

  • memory/2376-136-0x00007FFC46360000-0x00007FFC46D96000-memory.dmp

    Filesize

    10.2MB

  • memory/4368-132-0x00007FFC46360000-0x00007FFC46D96000-memory.dmp

    Filesize

    10.2MB