Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    210s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20230621-en
  • resource tags

    arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
  • submitted
    29/06/2023, 21:30

General

  • Target

    drweb.exe

  • Size

    151KB

  • MD5

    db5fa6ff80870f8041e0b31b00c43575

  • SHA1

    aa22dd900a62ce990080bd848567ba8239c397dc

  • SHA256

    59b5e11f75751ce321671ed65883c1d67cf4736bb07f43000215afd3a2def406

  • SHA512

    92bc1cfe2319055e93e8aa3ba647ffcdc4a1baea166871a9b8b09a0400273b719eed169f031a47166f9383d0022459f6d99229eddd7779f02768d70cfa10a0f7

  • SSDEEP

    3072:0Oj3YL2p+yJgNAjVd1nut+uV2mTVDjFwkWl176jZ1hCagdgvPW:L3YLfOVdRQ/vqkg1gEagdgH

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

127.0.0.1:5552

Mutex

08022291fe871213f172041da3b6ef33

Attributes
  • reg_key

    08022291fe871213f172041da3b6ef33

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\drweb.exe
    "C:\Users\Admin\AppData\Local\Temp\drweb.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Users\Admin\AppData\Local\Temp\bootlog.exe
      "C:\Users\Admin\AppData\Local\Temp\bootlog.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\bootlog.exe" "bootlog.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:2036
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:824
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x554
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1524

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\bootlog.exe

      Filesize

      151KB

      MD5

      db5fa6ff80870f8041e0b31b00c43575

      SHA1

      aa22dd900a62ce990080bd848567ba8239c397dc

      SHA256

      59b5e11f75751ce321671ed65883c1d67cf4736bb07f43000215afd3a2def406

      SHA512

      92bc1cfe2319055e93e8aa3ba647ffcdc4a1baea166871a9b8b09a0400273b719eed169f031a47166f9383d0022459f6d99229eddd7779f02768d70cfa10a0f7

    • C:\Users\Admin\AppData\Local\Temp\bootlog.exe

      Filesize

      151KB

      MD5

      db5fa6ff80870f8041e0b31b00c43575

      SHA1

      aa22dd900a62ce990080bd848567ba8239c397dc

      SHA256

      59b5e11f75751ce321671ed65883c1d67cf4736bb07f43000215afd3a2def406

      SHA512

      92bc1cfe2319055e93e8aa3ba647ffcdc4a1baea166871a9b8b09a0400273b719eed169f031a47166f9383d0022459f6d99229eddd7779f02768d70cfa10a0f7

    • \Users\Admin\AppData\Local\Temp\bootlog.exe

      Filesize

      151KB

      MD5

      db5fa6ff80870f8041e0b31b00c43575

      SHA1

      aa22dd900a62ce990080bd848567ba8239c397dc

      SHA256

      59b5e11f75751ce321671ed65883c1d67cf4736bb07f43000215afd3a2def406

      SHA512

      92bc1cfe2319055e93e8aa3ba647ffcdc4a1baea166871a9b8b09a0400273b719eed169f031a47166f9383d0022459f6d99229eddd7779f02768d70cfa10a0f7

    • memory/2028-54-0x0000000000470000-0x00000000004B0000-memory.dmp

      Filesize

      256KB

    • memory/2032-62-0x00000000001B0000-0x00000000001F0000-memory.dmp

      Filesize

      256KB