Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
06/11/2023, 19:37
231106-ybwfxadf81 1006/11/2023, 19:33
231106-x9tjjadf4z 1006/11/2023, 16:18
231106-tr58tscc9y 10Analysis
-
max time kernel
117s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
-
submitted
06/11/2023, 19:33
General
-
Target
1106-11-Njrat.exe
-
Size
2.7MB
-
MD5
f6e3aee1f90ebd9fd2035d95cfb1572a
-
SHA1
9e3f5dd7421c68ed101a21678056a0d03a145d1a
-
SHA256
0b4d4ccbb9bef35964350e889dd87d2f5b0cd4e0fdc281af1f11adfbce994209
-
SHA512
437a0a1a485cc07567e149a5de503b2d2312925695824c002d25ad51a7015cfd78c03c962bbcd808793387d7cb3b4008602c70909a067ca29ac18827c5360035
-
SSDEEP
49152:rBZ6v3/0HTj169yWEY969K22VwFHITeeAwxkA:rWv3/0HTj169yWEY969r2VeH
Malware Config
Extracted
njrat
v2.0
Hi can you give money
172.94.4.171:7772
Windows
-
reg_key
Windows
-
splitter
|-F-|
Signatures
-
Detect ZGRat V1 1 IoCs
-
ZGRat
ZGRat is remote access trojan written in C#.
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 19 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1106-11-Njrat.exe"C:\Users\Admin\AppData\Local\Temp\1106-11-Njrat.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Adobe Reader PDF.exe"C:\Users\Admin\AppData\Roaming\Adobe Reader PDF.exe"3⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\attrib.exeattrib +h +r +s "C:\Users\Admin\AppData\Roaming\Adobe Reader PDF.exe"3⤵
- Views/modifies file attributes
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
63KB
MD5b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA2566e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
-
Filesize
63KB
MD5b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA2566e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
-
Filesize
63KB
MD5b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA2566e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
-
Filesize
6.9MB
-
Filesize
2.7MB
-
Filesize
232KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
48KB