Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

5

NEAS.83fa0...e3.exe

windows7-x64

10

NEAS.83fa0...e3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    163s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/11/2023, 10:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.83fa082a1aea507b9c3e130c4308a7ac8c11a831aca1bac8cd8bf4ebc264bce3.exe

  • Size

    1.8MB

  • MD5

    51e2b3a5796a75f5c4644a27a4671d33

  • SHA1

    c6802add2703df2865ec891358f02a420e7b5a57

  • SHA256

    83fa082a1aea507b9c3e130c4308a7ac8c11a831aca1bac8cd8bf4ebc264bce3

  • SHA512

    592c8e646aaf2c78da3f276e8c055478879532810d6076beb8606bc6ad0abbb512d19d63ab4cd0f77547ff54913ef19cdd6ecf251a4c11131be05fc7a70df02a

  • SSDEEP

    49152:ZbCjPKNqQpcAmVfq4UbCjPKNqQpcAmVfq42bCjn:hCjPKNPZmVfjsCjPKNPZmVfjiCjn

Score
10/10
njratjjjevasionpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

jjj

C2

youri.mooo.com:1605

Mutex

e936a10f968ac948cd351c9629dbd36d

Attributes
  • reg_key

    e936a10f968ac948cd351c9629dbd36d

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 5 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • NTFS ADS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.83fa082a1aea507b9c3e130c4308a7ac8c11a831aca1bac8cd8bf4ebc264bce3.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.83fa082a1aea507b9c3e130c4308a7ac8c11a831aca1bac8cd8bf4ebc264bce3.exe"
    1⤵
    • Adds Run key to start application
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3504
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\PROGRA~3\NEAS83~1.TXT
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3096
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\PROGRA~3\NEAS.83fa082a1aea507b9c3e130c4308a7ac8c11a831aca1bac8cd8bf4ebc264bce3.exe.txt
        3⤵
          PID:4436
      • C:\ProgramData\winmgr107.exe
        C:\ProgramData\winmgr107.exe
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • NTFS ADS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4760
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          0
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3312
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE
            4⤵
            • Modifies Windows Firewall
            PID:3436
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:4608
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:4092
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:2780
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:3952
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:780
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:3628
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:1600
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:4272
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:4104
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:4380
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:3900
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:1028
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:2036
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:4796
        • C:\Windows\SysWOW64\schtasks.exe
          C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
          3⤵
          • Creates scheduled task(s)
          PID:4544
    • C:\ProgramData\winmgr107.exe
      C:\ProgramData\winmgr107.exe
      1⤵
      • Executes dropped EXE
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      PID:4484

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\PROGRA~3\NEAS.83fa082a1aea507b9c3e130c4308a7ac8c11a831aca1bac8cd8bf4ebc264bce3.exe.txt
      Filesize

      992B

      MD5

      c8cf7247d4cfc99a7582a42d13df4c08

      SHA1

      317f5588af0b3b6374c436fb00084c522fd78a83

      SHA256

      78bd99781e971622f1573bccf2ae9cdd7a7498cf81c1875afc65913e1083b1d0

      SHA512

      5dd86b7ba388e5d2ad61b1c69589f42c36eec23a04b3cece0941133e0cf0e8a6f1f3aa2242d87af72db725b4b96032dadae72b3be98af3cfce5786ad8c08c357

      Download Submit

    • C:\ProgramData\winmgr107.exe
      Filesize

      1.8MB

      MD5

      6a634919ba02d2637cd74103c0759046

      SHA1

      96527a2abfcb82f4215dfa95a8a094448924ce97

      SHA256

      d554ea697a1d2878a38ba595fd0a533ad3caa9237842b0292f408e65deb4f6ec

      SHA512

      ced8a02352df20f162573412c706589e7d3287b551f58fb5deac47d07ccdea5231a5e24c040c225df5cbe4ffd341055a5164332002bb89b12d52f03e1b9fc435

      Download Submit

    • C:\ProgramData\winmgr107.exe
      Filesize

      1.8MB

      MD5

      6a634919ba02d2637cd74103c0759046

      SHA1

      96527a2abfcb82f4215dfa95a8a094448924ce97

      SHA256

      d554ea697a1d2878a38ba595fd0a533ad3caa9237842b0292f408e65deb4f6ec

      SHA512

      ced8a02352df20f162573412c706589e7d3287b551f58fb5deac47d07ccdea5231a5e24c040c225df5cbe4ffd341055a5164332002bb89b12d52f03e1b9fc435

      Download Submit

    • C:\ProgramData\winmgr107.exe
      Filesize

      1.8MB

      MD5

      6a634919ba02d2637cd74103c0759046

      SHA1

      96527a2abfcb82f4215dfa95a8a094448924ce97

      SHA256

      d554ea697a1d2878a38ba595fd0a533ad3caa9237842b0292f408e65deb4f6ec

      SHA512

      ced8a02352df20f162573412c706589e7d3287b551f58fb5deac47d07ccdea5231a5e24c040c225df5cbe4ffd341055a5164332002bb89b12d52f03e1b9fc435

      Download Submit

    • C:\ProgramData\winmgr107.exe
      Filesize

      1.8MB

      MD5

      6a634919ba02d2637cd74103c0759046

      SHA1

      96527a2abfcb82f4215dfa95a8a094448924ce97

      SHA256

      d554ea697a1d2878a38ba595fd0a533ad3caa9237842b0292f408e65deb4f6ec

      SHA512

      ced8a02352df20f162573412c706589e7d3287b551f58fb5deac47d07ccdea5231a5e24c040c225df5cbe4ffd341055a5164332002bb89b12d52f03e1b9fc435

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\NEAS.83fa082a1aea507b9c3e130c4308a7ac8c11a831aca1bac8cd8bf4ebc264bce3.exe
      Filesize

      1.8MB

      MD5

      51e2b3a5796a75f5c4644a27a4671d33

      SHA1

      c6802add2703df2865ec891358f02a420e7b5a57

      SHA256

      83fa082a1aea507b9c3e130c4308a7ac8c11a831aca1bac8cd8bf4ebc264bce3

      SHA512

      592c8e646aaf2c78da3f276e8c055478879532810d6076beb8606bc6ad0abbb512d19d63ab4cd0f77547ff54913ef19cdd6ecf251a4c11131be05fc7a70df02a

      Download Submit

    • memory/3312-15-0x0000000000F60000-0x0000000000F6C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/3312-16-0x00000000727A0000-0x0000000072D51000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3312-18-0x0000000002D00000-0x0000000002D10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3312-17-0x00000000727A0000-0x0000000072D51000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3312-21-0x00000000727A0000-0x0000000072D51000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3312-23-0x0000000002D00000-0x0000000002D10000-memory.dmp

      Filesize

      64KB

      Download