Analysis

  • max time kernel
    1564s
  • max time network
    1567s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/01/2024, 12:34

General

  • Target

    SERVER.exe

  • Size

    43KB

  • MD5

    f8a35dfdebb9b6ee5f1ea10a4a492bfb

  • SHA1

    eefc78908390cb6ef9604dd5649a167f254f8da7

  • SHA256

    08d4585a7c6f6f1734b0d69ac75373b3d5c346489645cfe6257ebe4a408f522b

  • SHA512

    b1bc6cbeae3a89227c4c8733fa6601720986babff129883b32a298b87fa9fb63f84f3a4d0cd45056e10f656357b4057cec4f5a29f0e6202d749d47a44dc1c329

  • SSDEEP

    384:0Zy6vHn1iDcsyEqtBfkEGCOEhGyOEtzcIij+ZsNO3PlpJKkkjh/TzF7pWnVY/gra:C9HnU4pEqtNkE5SyZuXQ/o0Y3+L

Score
10/10

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

5.251.209.159:5552

Mutex

Windows Update

Attributes

  • reg_key

    Windows Update

  • splitter

    |Hassan|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class (35 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  • Suspicious use of SetWindowsHookEx (9 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\SERVER.exe (PID 2480, depth 1)
    "C:\Users\Admin\AppData\Local\Temp\SERVER.exe"
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\rundll32.exe (PID 2736, depth 2)
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Svhost
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 2732, depth 3)
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Svhost"
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Svhost

    Filesize

    43KB

    MD5

    f8a35dfdebb9b6ee5f1ea10a4a492bfb

    SHA1

    eefc78908390cb6ef9604dd5649a167f254f8da7

    SHA256

    08d4585a7c6f6f1734b0d69ac75373b3d5c346489645cfe6257ebe4a408f522b

    SHA512

    b1bc6cbeae3a89227c4c8733fa6601720986babff129883b32a298b87fa9fb63f84f3a4d0cd45056e10f656357b4057cec4f5a29f0e6202d749d47a44dc1c329
