Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
188s -
max time network
183s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
06/11/2022, 12:56
General
-
Target
3e90f4aa1725740f32d8c6a7c7ed77db.exe
-
Size
37KB
-
MD5
3e90f4aa1725740f32d8c6a7c7ed77db
-
SHA1
a42f5985580e647dbd491d2b7e1f54bdd967883f
-
SHA256
1ade6c3079bf4457f862540f2f378e1758111482c207da32d3fecae5f1f9e275
-
SHA512
64b1f0322bb07e854ff5d50527462519bc2bde05b582b62e809c5e0d80f3e3a1dba9808902ca4abaf7299614de5fd06028026594dc20e0d28d554f26b6d715ec
-
SSDEEP
384:WcmBkiy1nDNGRn5IyUv8IR/hh0/aKVEcrAF+rMRTyN/0L+EcoinblneHQM3epzXi:Jd5M5jUvxRoCKWcrM+rMRa8Nuzd+t
Malware Config
Extracted
njrat
im523
HacKed
37.144.68.25:8080
1bca132747fbbbf8717bb4a20e6daa6d
-
reg_key
1bca132747fbbbf8717bb4a20e6daa6d
-
splitter
|'|'|
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Executes dropped EXE 1 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3e90f4aa1725740f32d8c6a7c7ed77db.exe"C:\Users\Admin\AppData\Local\Temp\3e90f4aa1725740f32d8c6a7c7ed77db.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\dllhost.exe"C:\Users\Admin\AppData\Roaming\dllhost.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\dllhost.exe" "dllhost.exe" ENABLE3⤵
- Modifies Windows Firewall
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
37KB
MD53e90f4aa1725740f32d8c6a7c7ed77db
SHA1a42f5985580e647dbd491d2b7e1f54bdd967883f
SHA2561ade6c3079bf4457f862540f2f378e1758111482c207da32d3fecae5f1f9e275
SHA51264b1f0322bb07e854ff5d50527462519bc2bde05b582b62e809c5e0d80f3e3a1dba9808902ca4abaf7299614de5fd06028026594dc20e0d28d554f26b6d715ec
-
Filesize
37KB
MD53e90f4aa1725740f32d8c6a7c7ed77db
SHA1a42f5985580e647dbd491d2b7e1f54bdd967883f
SHA2561ade6c3079bf4457f862540f2f378e1758111482c207da32d3fecae5f1f9e275
SHA51264b1f0322bb07e854ff5d50527462519bc2bde05b582b62e809c5e0d80f3e3a1dba9808902ca4abaf7299614de5fd06028026594dc20e0d28d554f26b6d715ec
-
Filesize
37KB
MD53e90f4aa1725740f32d8c6a7c7ed77db
SHA1a42f5985580e647dbd491d2b7e1f54bdd967883f
SHA2561ade6c3079bf4457f862540f2f378e1758111482c207da32d3fecae5f1f9e275
SHA51264b1f0322bb07e854ff5d50527462519bc2bde05b582b62e809c5e0d80f3e3a1dba9808902ca4abaf7299614de5fd06028026594dc20e0d28d554f26b6d715ec
-
Filesize
8KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB