Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

8fa0588a7d...5e.exe

windows7-x64

10

8fa0588a7d...5e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    08/10/2023, 07:31 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8fa0588a7d0bdc6ed5cd187ab077cdfed96f0cb1341b37e5000a5a40bbc7345e.exe

  • Size

    344KB

  • MD5

    8d25c14a5b1f9cdf8f87b86481dbc471

  • SHA1

    af7d5f5f0f4b891b4e95dd444993138b581a69d4

  • SHA256

    8fa0588a7d0bdc6ed5cd187ab077cdfed96f0cb1341b37e5000a5a40bbc7345e

  • SHA512

    6fb3dbde57e30fa8d04f3a4081312bee32fe576b73dea496c7782a02dc82e3173d49a9dd13489d7acb879744ff3c96acc81efaabbff089354fcbbe00f3167338

  • SSDEEP

    3072:FEaNdCsfYDogE/eaBNDjh8b5hisx0x0a37K0OMwRbHpG9ua7zwo58T:FEAdCs3XLBtjhij0xfm0VKG9oy

Score
10/10
njrathackedevasionpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

z-shadowxxx.ddns.net:5552

Mutex

1899f7b6bb5e1cf84a5b2c830a70fbec

Attributes
  • reg_key

    1899f7b6bb5e1cf84a5b2c830a70fbec

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8fa0588a7d0bdc6ed5cd187ab077cdfed96f0cb1341b37e5000a5a40bbc7345e.exe
    "C:\Users\Admin\AppData\Local\Temp\8fa0588a7d0bdc6ed5cd187ab077cdfed96f0cb1341b37e5000a5a40bbc7345e.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Users\Admin\AppData\LocalFSAgnpsDhx.exe
      "C:\Users\Admin\AppData\LocalFSAgnpsDhx.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2632
      • C:\Windows\SysWOW64\NotePad.exe
        NotePad
        3⤵
          PID:2556
        • C:\Users\Admin\AppData\Local\Temp\svchost.exe
          "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2576
          • C:\Windows\SysWOW64\NotePad.exe
            NotePad
            4⤵
              PID:2988
            • C:\Windows\SysWOW64\netsh.exe
              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
              4⤵
              • Modifies Windows Firewall
              PID:2508
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\LocalbzJHeWkul_..txt
          2⤵
            PID:2740

        Network

        • flag-us
          DNS
          z-shadowxxx.ddns.net
          svchost.exe
          Remote address:
          8.8.8.8:53
          Request
          z-shadowxxx.ddns.net
          IN A
          Response
        No results found
        • 8.8.8.8:53
          z-shadowxxx.ddns.net
          dns
          svchost.exe
          66 B
           126 B
           1
          1

          DNS Request

          z-shadowxxx.ddns.net

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalFSAgnpsDhx.exe
          Filesize

          290KB

          MD5

          224884a09b08f5db2a9533ea3062190d

          SHA1

          f85c5e03775cac1bad3a071cfd85b51537767c97

          SHA256

          ba2a02c4177f23a081ce81727ce5711508947395603c066251b1ceefb2c450a9

          SHA512

          8be5182679f23cad5e0ea19b7f483eee75a3dd1ff764f3dad76cd18c5bfcda287f9c8aadc913ec448fbf6cef5bf6e76214abae36c57d0fe76c19824a745bda2a

          Download Submit

        • C:\Users\Admin\AppData\LocalFSAgnpsDhx.exe
          Filesize

          290KB

          MD5

          224884a09b08f5db2a9533ea3062190d

          SHA1

          f85c5e03775cac1bad3a071cfd85b51537767c97

          SHA256

          ba2a02c4177f23a081ce81727ce5711508947395603c066251b1ceefb2c450a9

          SHA512

          8be5182679f23cad5e0ea19b7f483eee75a3dd1ff764f3dad76cd18c5bfcda287f9c8aadc913ec448fbf6cef5bf6e76214abae36c57d0fe76c19824a745bda2a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\svchost.exe
          Filesize

          290KB

          MD5

          224884a09b08f5db2a9533ea3062190d

          SHA1

          f85c5e03775cac1bad3a071cfd85b51537767c97

          SHA256

          ba2a02c4177f23a081ce81727ce5711508947395603c066251b1ceefb2c450a9

          SHA512

          8be5182679f23cad5e0ea19b7f483eee75a3dd1ff764f3dad76cd18c5bfcda287f9c8aadc913ec448fbf6cef5bf6e76214abae36c57d0fe76c19824a745bda2a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\svchost.exe
          Filesize

          290KB

          MD5

          224884a09b08f5db2a9533ea3062190d

          SHA1

          f85c5e03775cac1bad3a071cfd85b51537767c97

          SHA256

          ba2a02c4177f23a081ce81727ce5711508947395603c066251b1ceefb2c450a9

          SHA512

          8be5182679f23cad5e0ea19b7f483eee75a3dd1ff764f3dad76cd18c5bfcda287f9c8aadc913ec448fbf6cef5bf6e76214abae36c57d0fe76c19824a745bda2a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\svchost.exe
          Filesize

          290KB

          MD5

          224884a09b08f5db2a9533ea3062190d

          SHA1

          f85c5e03775cac1bad3a071cfd85b51537767c97

          SHA256

          ba2a02c4177f23a081ce81727ce5711508947395603c066251b1ceefb2c450a9

          SHA512

          8be5182679f23cad5e0ea19b7f483eee75a3dd1ff764f3dad76cd18c5bfcda287f9c8aadc913ec448fbf6cef5bf6e76214abae36c57d0fe76c19824a745bda2a

          Download Submit

        • C:\Users\Admin\AppData\LocalbzJHeWkul_..txt
          Filesize

          288B

          MD5

          be609d4678b46bf8d98b4f88b36337a7

          SHA1

          b621bbcefd42ba2de567424cc4476d26805ff56b

          SHA256

          24f50b03afe8d4b4ef134b2a001cf4bb5c52e24a01c80610fd52ed8960b00115

          SHA512

          5ffd5cfdea34854c93417d5d3cea740a123c97f55b76d9af83b23e1766fc7bfa3392f9f8312924c20bce58f8100b31252549c649a2b2075bdccf9f6c1fa1f1cc

          Download Submit

        • \Users\Admin\AppData\Local\Temp\svchost.exe
          Filesize

          290KB

          MD5

          224884a09b08f5db2a9533ea3062190d

          SHA1

          f85c5e03775cac1bad3a071cfd85b51537767c97

          SHA256

          ba2a02c4177f23a081ce81727ce5711508947395603c066251b1ceefb2c450a9

          SHA512

          8be5182679f23cad5e0ea19b7f483eee75a3dd1ff764f3dad76cd18c5bfcda287f9c8aadc913ec448fbf6cef5bf6e76214abae36c57d0fe76c19824a745bda2a

          Download Submit

        • memory/2576-29-0x0000000000BD0000-0x0000000000C10000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2576-28-0x0000000074090000-0x000000007477E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2576-26-0x0000000000BD0000-0x0000000000C10000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2576-25-0x0000000074090000-0x000000007477E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2576-24-0x0000000000E90000-0x0000000000EDE000-memory.dmp

          Filesize

          312KB

          Download

        • memory/2632-10-0x0000000074090000-0x000000007477E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2632-16-0x0000000000220000-0x000000000022A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2632-15-0x0000000004970000-0x00000000049B0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2632-14-0x0000000074090000-0x000000007477E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2632-13-0x0000000004970000-0x00000000049B0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2632-12-0x0000000000200000-0x0000000000206000-memory.dmp

          Filesize

          24KB

          Download

        • memory/2632-11-0x00000000004B0000-0x0000000000508000-memory.dmp

          Filesize

          352KB

          Download

        • memory/2632-27-0x0000000074090000-0x000000007477E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2632-9-0x0000000000C60000-0x0000000000CAE000-memory.dmp

          Filesize

          312KB

          Download

        • memory/3016-8-0x000007FEF55B0000-0x000007FEF5F4D000-memory.dmp

          Filesize

          9.6MB

          Download

        We care about your privacy.

        This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.