Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/01/2024, 01:03

General

  • Target

    0b772f76147e7b238d14de0355cef5e90726574f9fa313675f687a7c4913d222.exe

  • Size

    93KB

  • MD5

    fcf64d897dc4dd3e3e49f23236a90f78

  • SHA1

    3ed20b44d33fbd84c3daa329d8a711841100fcc6

  • SHA256

    0b772f76147e7b238d14de0355cef5e90726574f9fa313675f687a7c4913d222

  • SHA512

    000c7112fff71f40b6e336e4c9d538a621f355d48103d5463727845b26db9324e773952ea5b68afa84cc52032a1b05303906939a21e27ae767c98e8603ddcb37

  • SSDEEP

    768:oY305yD9O/pBcxYsbae6GIXb9pDX2t98PL0OXLeuXxrjEtCdnl2pi1Rz4Rk3vsGO:k5IOx6baIa9RZj00ljEwzGi1dDbD4gS

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

4.tcp.eu.ngrok.io:15904

Mutex

0898e831b8671183b1f71cc16112d0b9

Attributes
  • reg_key

    0898e831b8671183b1f71cc16112d0b9

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Drops startup file 6 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 11 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b772f76147e7b238d14de0355cef5e90726574f9fa313675f687a7c4913d222.exe
    "C:\Users\Admin\AppData\Local\Temp\0b772f76147e7b238d14de0355cef5e90726574f9fa313675f687a7c4913d222.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2512
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2828
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:2868
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
        3⤵
        • Creates scheduled task(s)
        PID:2720
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {BD53D36B-48F1-42FC-BA8A-D345480469AC} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2684
    • C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
      C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2632
    • C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
      C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1592
    • C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
      C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2372

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\server.exe

    Filesize

    93KB

    MD5

    fcf64d897dc4dd3e3e49f23236a90f78

    SHA1

    3ed20b44d33fbd84c3daa329d8a711841100fcc6

    SHA256

    0b772f76147e7b238d14de0355cef5e90726574f9fa313675f687a7c4913d222

    SHA512

    000c7112fff71f40b6e336e4c9d538a621f355d48103d5463727845b26db9324e773952ea5b68afa84cc52032a1b05303906939a21e27ae767c98e8603ddcb37

  • C:\Users\Admin\AppData\Roaming\app

    Filesize

    5B

    MD5

    311d687faffaed10f44ea27c024986b6

    SHA1

    eece910ea8cb7aed467e2e7700f7c223d3fbbc9e

    SHA256

    608547d80bf0e4b3d9cfffd324702b4aa38db2f0bfb3db4bd517b556fdf4de2b

    SHA512

    296d2cbbbf39917b174682a73e571a98130b2fe1c2dcb7c84adbd185a0b3a81384ad556e3a88cdeaa01fbd5cb486c58c1e1dff22f77cd3e9df7315b93355272b

  • memory/1592-57-0x0000000074180000-0x000000007472B000-memory.dmp

    Filesize

    5.7MB

  • memory/1592-54-0x0000000074180000-0x000000007472B000-memory.dmp

    Filesize

    5.7MB

  • memory/2372-65-0x0000000074180000-0x000000007472B000-memory.dmp

    Filesize

    5.7MB

  • memory/2372-62-0x0000000074180000-0x000000007472B000-memory.dmp

    Filesize

    5.7MB

  • memory/2512-14-0x0000000074180000-0x000000007472B000-memory.dmp

    Filesize

    5.7MB

  • memory/2512-0-0x0000000074180000-0x000000007472B000-memory.dmp

    Filesize

    5.7MB

  • memory/2512-2-0x0000000074180000-0x000000007472B000-memory.dmp

    Filesize

    5.7MB

  • memory/2512-1-0x0000000000CC0000-0x0000000000D00000-memory.dmp

    Filesize

    256KB

  • memory/2632-46-0x0000000074180000-0x000000007472B000-memory.dmp

    Filesize

    5.7MB

  • memory/2632-49-0x0000000074180000-0x000000007472B000-memory.dmp

    Filesize

    5.7MB

  • memory/2828-16-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/2828-17-0x0000000074180000-0x000000007472B000-memory.dmp

    Filesize

    5.7MB

  • memory/2828-40-0x0000000074180000-0x000000007472B000-memory.dmp

    Filesize

    5.7MB

  • memory/2828-15-0x0000000074180000-0x000000007472B000-memory.dmp

    Filesize

    5.7MB