Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

5

NEAS.83fa0...e3.exe

windows7-x64

10

NEAS.83fa0...e3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    170s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    11/11/2023, 10:14 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.83fa082a1aea507b9c3e130c4308a7ac8c11a831aca1bac8cd8bf4ebc264bce3.exe

  • Size

    1.8MB

  • MD5

    51e2b3a5796a75f5c4644a27a4671d33

  • SHA1

    c6802add2703df2865ec891358f02a420e7b5a57

  • SHA256

    83fa082a1aea507b9c3e130c4308a7ac8c11a831aca1bac8cd8bf4ebc264bce3

  • SHA512

    592c8e646aaf2c78da3f276e8c055478879532810d6076beb8606bc6ad0abbb512d19d63ab4cd0f77547ff54913ef19cdd6ecf251a4c11131be05fc7a70df02a

  • SSDEEP

    49152:ZbCjPKNqQpcAmVfq4UbCjPKNqQpcAmVfq42bCjn:hCjPKNPZmVfjsCjPKNPZmVfjiCjn

Score
10/10
njratjjjevasionpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

jjj

C2

youri.mooo.com:1605

Mutex

e936a10f968ac948cd351c9629dbd36d

Attributes
  • reg_key

    e936a10f968ac948cd351c9629dbd36d

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 25 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • NTFS ADS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.83fa082a1aea507b9c3e130c4308a7ac8c11a831aca1bac8cd8bf4ebc264bce3.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.83fa082a1aea507b9c3e130c4308a7ac8c11a831aca1bac8cd8bf4ebc264bce3.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2132
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\PROGRA~3\NEAS83~1.TXT
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2092
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\PROGRA~3\NEAS.83fa082a1aea507b9c3e130c4308a7ac8c11a831aca1bac8cd8bf4ebc264bce3.exe.txt
        3⤵
          PID:2776
      • C:\ProgramData\winmgr107.exe
        C:\ProgramData\winmgr107.exe
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • NTFS ADS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2768
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2552
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE
            4⤵
            • Modifies Windows Firewall
            PID:2880
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:2040
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:2324
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:796
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:2916
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:836
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:2024
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:1752
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:2632
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:676
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:700
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:860
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:2868
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:1940
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:1584
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:2972
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:1192
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:2104
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:828
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:1816
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:1032
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:620
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:1148
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:1416
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:1676
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:2020
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {63BB878A-122C-445E-A2BE-35C22405E388} S-1-5-21-1154728922-3261336865-3456416385-1000:TLIDUQCQ\Admin:Interactive:[1]
      1⤵
        PID:1776
        • C:\ProgramData\winmgr107.exe
          C:\ProgramData\winmgr107.exe
          2⤵
          • Executes dropped EXE
          • NTFS ADS
          • Suspicious behavior: EnumeratesProcesses
          PID:2136

      Network

      • flag-us
        DNS
        youri.mooo.com
        RegAsm.exe
        Remote address:
        8.8.8.8:53
        Request
        youri.mooo.com
        IN A
        Response
      No results found
      • 8.8.8.8:53
        youri.mooo.com
        dns
        RegAsm.exe
        60 B
         119 B
         1
        1

        DNS Request

        youri.mooo.com

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\PROGRA~3\NEAS.83fa082a1aea507b9c3e130c4308a7ac8c11a831aca1bac8cd8bf4ebc264bce3.exe.txt
        Filesize

        992B

        MD5

        c8cf7247d4cfc99a7582a42d13df4c08

        SHA1

        317f5588af0b3b6374c436fb00084c522fd78a83

        SHA256

        78bd99781e971622f1573bccf2ae9cdd7a7498cf81c1875afc65913e1083b1d0

        SHA512

        5dd86b7ba388e5d2ad61b1c69589f42c36eec23a04b3cece0941133e0cf0e8a6f1f3aa2242d87af72db725b4b96032dadae72b3be98af3cfce5786ad8c08c357

        Download Submit

      • C:\ProgramData\winmgr107.exe
        Filesize

        1.8MB

        MD5

        e73636a6d37924897030b841a009b3f3

        SHA1

        21f74e1bd841c4f5f7dc364c100d011caa5bb20a

        SHA256

        6a38605e38801961e5fb993ea66c6d39e4954ea5874ff7c31fd8f6559080724e

        SHA512

        97b8f5506a9a9b2c343e774c734cfa0c5817f0abfdb4ecadb6e2b8adc97de712dfce4313b3fb8516fccd287440e887fcc19d3ea48acf64e0341e0ca5a51bb6a6

        Download Submit

      • C:\ProgramData\winmgr107.exe
        Filesize

        1.8MB

        MD5

        e73636a6d37924897030b841a009b3f3

        SHA1

        21f74e1bd841c4f5f7dc364c100d011caa5bb20a

        SHA256

        6a38605e38801961e5fb993ea66c6d39e4954ea5874ff7c31fd8f6559080724e

        SHA512

        97b8f5506a9a9b2c343e774c734cfa0c5817f0abfdb4ecadb6e2b8adc97de712dfce4313b3fb8516fccd287440e887fcc19d3ea48acf64e0341e0ca5a51bb6a6

        Download Submit

      • C:\ProgramData\winmgr107.exe
        Filesize

        1.8MB

        MD5

        e73636a6d37924897030b841a009b3f3

        SHA1

        21f74e1bd841c4f5f7dc364c100d011caa5bb20a

        SHA256

        6a38605e38801961e5fb993ea66c6d39e4954ea5874ff7c31fd8f6559080724e

        SHA512

        97b8f5506a9a9b2c343e774c734cfa0c5817f0abfdb4ecadb6e2b8adc97de712dfce4313b3fb8516fccd287440e887fcc19d3ea48acf64e0341e0ca5a51bb6a6

        Download Submit

      • C:\ProgramData\winmgr107.exe
        Filesize

        1.8MB

        MD5

        e73636a6d37924897030b841a009b3f3

        SHA1

        21f74e1bd841c4f5f7dc364c100d011caa5bb20a

        SHA256

        6a38605e38801961e5fb993ea66c6d39e4954ea5874ff7c31fd8f6559080724e

        SHA512

        97b8f5506a9a9b2c343e774c734cfa0c5817f0abfdb4ecadb6e2b8adc97de712dfce4313b3fb8516fccd287440e887fcc19d3ea48acf64e0341e0ca5a51bb6a6

        Download Submit

      • C:\ProgramData\winmgr107.exe
        Filesize

        1.8MB

        MD5

        e73636a6d37924897030b841a009b3f3

        SHA1

        21f74e1bd841c4f5f7dc364c100d011caa5bb20a

        SHA256

        6a38605e38801961e5fb993ea66c6d39e4954ea5874ff7c31fd8f6559080724e

        SHA512

        97b8f5506a9a9b2c343e774c734cfa0c5817f0abfdb4ecadb6e2b8adc97de712dfce4313b3fb8516fccd287440e887fcc19d3ea48acf64e0341e0ca5a51bb6a6

        Download Submit

      • \ProgramData\winmgr107.exe
        Filesize

        1.8MB

        MD5

        e73636a6d37924897030b841a009b3f3

        SHA1

        21f74e1bd841c4f5f7dc364c100d011caa5bb20a

        SHA256

        6a38605e38801961e5fb993ea66c6d39e4954ea5874ff7c31fd8f6559080724e

        SHA512

        97b8f5506a9a9b2c343e774c734cfa0c5817f0abfdb4ecadb6e2b8adc97de712dfce4313b3fb8516fccd287440e887fcc19d3ea48acf64e0341e0ca5a51bb6a6

        Download Submit

      • memory/2552-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2552-28-0x00000000000D0000-0x00000000000DC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2552-30-0x00000000000D0000-0x00000000000DC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2552-31-0x0000000073EF0000-0x000000007449B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2552-32-0x0000000073EF0000-0x000000007449B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2552-26-0x00000000000D0000-0x00000000000DC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2552-23-0x00000000000D0000-0x00000000000DC000-memory.dmp

        Filesize

        48KB

        Download

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.