Resubmissions

17/01/2024, 13:33

240117-qtzbhsgge7 10

17/01/2024, 13:28

240117-qq6anagfh5 10

Analysis

  • max time kernel
    59s
  • max time network
    62s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/01/2024, 13:28

General

  • Target

    Payload2024.exe

  • Size

    27KB

  • MD5

    248679d7c4c333b7b2fef2c0f092327b

  • SHA1

    d5b18fa3fd68935ab01b25db2813250b9d121dbd

  • SHA256

    239e6fe1ce713f9107e88f9b06877e744bea245a699e837e864a6d2b065e6756

  • SHA512

    27efe089952678727053fffcfe4212d330f55ec5a3eee0f7122a9deeff3dee92600db2f3238ae1d11da1d6d8e0a9bc1e48c02b9b8a71ee3129eff5d11ac06dc9

  • SSDEEP

    384:0LUl2J1dJFKnO4YLJ5zeZsL4E7O4/ChZGPjdx4kM0AQk93vmhm7UMKmIEecKdbXi:ipJFPleeHU0A/vMHTi9bD

Malware Config

Extracted

Family

njrat

Version

v4.0

Botnet

HacKed

C2

soon-lp.at.ply.gg:17209 (a *.at.ply.gg hostname is a playit.gg tunnel relay, so this address identifies the tunnel endpoint rather than the operator's own host)

Mutex

Windows

Attributes
  • reg_key

    Windows

  • splitter

    |-F-|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence.

  • Drops startup file (5 IoCs)
  • Executes dropped EXE (1 IoC)
  • Adds Run key to start application (2 TTPs, 5 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)
  • Views/modifies file attributes (1 TTP, 3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Payload2024.exe
    "C:\Users\Admin\AppData\Local\Temp\Payload2024.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1408
    • C:\Users\Admin\AppData\Roaming\Payload.exe
      "C:\Users\Admin\AppData\Roaming\Payload.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2956
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
        3⤵
        • Drops startup file
        • Views/modifies file attributes
        PID:4380
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
        3⤵
        • Views/modifies file attributes
        PID:4488
    • C:\Windows\SysWOW64\attrib.exe
      attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Payload.exe"
      2⤵
      • Views/modifies file attributes
      PID:2568
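The process tree above is a compact persistence chain: the sample copies itself to %APPDATA%\Payload.exe, the copy writes Windows.exe into the Startup folder and the Templates folder, sets a Run value named after the config's reg_key ("Windows"), and then shells out to attrib.exe with +h +r +s so the dropped files are hidden and system-flagged. The following is an added detection example (not tria.ge code and not part of the report) that runs that logic over Sysmon-style process, registry and file-create events. The events are constructed inline: the PIDs and attrib command lines come from the tree above, while the EventID 13 (Run key) and EventID 11 (file create) records are assumed, since the report lists those only as signature counts.

```python
import re
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed sample events (not sandbox output). PIDs, images and attrib
# command lines mirror the process tree in the report; the registry and
# file-create events are assumed stand-ins for the signature hits.
EVENTS = [
    {"id": 1, "pid": 1408, "ppid": 900,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Payload2024.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Payload2024.exe"'},
    {"id": 11, "pid": 1408, "target": r"C:\Users\Admin\AppData\Roaming\Payload.exe"},
    {"id": 1, "pid": 2956, "ppid": 1408,
     "image": r"C:\Users\Admin\AppData\Roaming\Payload.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\Payload.exe"'},
    {"id": 1, "pid": 2568, "ppid": 1408,
     "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": r'attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Payload.exe"'},
    {"id": 13, "pid": 2956,
     "target": r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Windows",
     "details": r"C:\Users\Admin\AppData\Roaming\Payload.exe"},
    {"id": 11, "pid": 2956,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"},
    {"id": 1, "pid": 4380, "ppid": 2956,
     "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": r'attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"'},
    {"id": 1, "pid": 4488, "ppid": 2956,
     "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": r'attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"'},
    # Benign control: a user clearing read-only on a document outside the profile.
    {"id": 1, "pid": 5000, "ppid": 900,
     "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r'attrib -r "C:\Projects\notes.txt"'},
]

USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
STARTUP_DIR = re.compile(r"\\microsoft\\windows\\start menu\\programs\\startup\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\([^\\]+)$", re.I)


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str
    parent_image: Optional[str] = None

    @property
    def high_confidence(self) -> bool:
        # attrib.exe spawned by something already running from %APPDATA% matches
        # the chain in the report; attrib launched from explorer or cmd does not.
        if self.rule != "attrib_hide":
            return True
        return bool(self.parent_image and USER_WRITABLE.match(self.parent_image))


def attrib_hidden_user_path(image: str, cmdline: str) -> Optional[str]:
    """Return the user-profile path attrib.exe is marking hidden+system, else None."""
    if image.rsplit("\\", 1)[-1].lower() != "attrib.exe":
        return None
    tokens = shlex.split(cmdline, posix=False)[1:]  # posix=False keeps backslashes literal
    flags = {t.lower() for t in tokens if re.fullmatch(r"[+-][rashoi]", t, re.I)}
    if not {"+h", "+s"} <= flags:
        return None
    for t in tokens:
        path = t.strip('"')
        if t.lower() not in flags and USER_WRITABLE.match(path):
            return path
    return None


def run_key_user_path(target: str, details: str) -> Optional[tuple]:
    """Flag a Run value whose command points into a user-writable AppData path."""
    m = RUN_KEY.search(target)
    path = details.strip('"')
    return (m.group(1), path) if m and USER_WRITABLE.match(path) else None


def startup_drop(target: str) -> Optional[str]:
    """Flag any file created inside the per-user Startup folder."""
    return target if STARTUP_DIR.search(target) else None


def hunt(events) -> list:
    images = {e["pid"]: e["image"] for e in events if e["id"] == 1}
    findings = []
    for e in events:
        if e["id"] == 1:
            p = attrib_hidden_user_path(e["image"], e["cmdline"])
            if p:
                findings.append(Finding("attrib_hide", e["pid"], p, images.get(e["ppid"])))
        elif e["id"] == 13:
            hit = run_key_user_path(e["target"], e["details"])
            if hit:
                findings.append(Finding("run_key", e["pid"], f"{hit[0]} -> {hit[1]}"))
        elif e["id"] == 11:
            p = startup_drop(e["target"])
            if p:
                findings.append(Finding("startup_drop", e["pid"], p))
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"[{'HIGH' if f.high_confidence else 'low '}] {f.rule:13} pid={f.pid} {f.detail}")
```

The three rules are deliberately independent so each can fire on its own telemetry; the parent-image check is what separates the sample's attrib calls (parent in %APPDATA%) from an administrator running attrib by hand. The benign control event at the end produces no finding because it neither sets +h +s nor touches a profile path.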

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

    Filesize

    1KB

    MD5

    1cf416d26fcaa9ac44cde97b4071c2c1

    SHA1

    2f49d770b79359232d9b8ad9609bcab9bc8489a1

    SHA256

    298bf368286c7dfa7b8cd2774d93811fea422c38b37b79c4049fb38fbfa49da0

    SHA512

    d4a92f2051d7bb5ec5dfd5cce038202cab2a75fad83238c914ce0e1d4db66b36bd2b8302451035e6e9cbf8160965e180f91af0ffea9772c28e0a4aa9a4171bcf

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

    Filesize

    1KB

    MD5

    b565b6f7a706fa0e6f1a618d53af840a

    SHA1

    a2dcefc8f9bf6ffc89c3e9dba9ba582a4dc0c47f

    SHA256

    e2be89378f1677a386e8641949f4af149db4947d04ff320e256a5c0b39d683cb

    SHA512

    11755649cf70808de39fd6f3a20559feebad8e7344bbd5c10de0d285ded97d8570c9e01b2834eb80c6e3179abc6bec2d9bbd4dc4e24dd94fb981fd6c9caf28fe

  • C:\Users\Admin\AppData\Roaming\Payload.exe

    Filesize

    27KB (identical hashes to the submitted Payload2024.exe: the sample copies itself to %APPDATA% unmodified)

    MD5

    248679d7c4c333b7b2fef2c0f092327b

    SHA1

    d5b18fa3fd68935ab01b25db2813250b9d121dbd

    SHA256

    239e6fe1ce713f9107e88f9b06877e744bea245a699e837e864a6d2b065e6756

    SHA512

    27efe089952678727053fffcfe4212d330f55ec5a3eee0f7122a9deeff3dee92600db2f3238ae1d11da1d6d8e0a9bc1e48c02b9b8a71ee3129eff5d11ac06dc9

  • memory/1408-16-0x0000000075040000-0x00000000757F0000-memory.dmp

    Filesize

    7.7MB

  • memory/1408-5-0x0000000006320000-0x00000000068C4000-memory.dmp

    Filesize

    5.6MB

  • memory/1408-0-0x0000000000A90000-0x0000000000A9E000-memory.dmp

    Filesize

    56KB

  • memory/1408-2-0x00000000054D0000-0x000000000556C000-memory.dmp

    Filesize

    624KB

  • memory/1408-1-0x0000000075040000-0x00000000757F0000-memory.dmp

    Filesize

    7.7MB

  • memory/2956-15-0x0000000075040000-0x00000000757F0000-memory.dmp

    Filesize

    7.7MB

  • memory/2956-22-0x0000000005370000-0x0000000005380000-memory.dmp

    Filesize

    64KB

  • memory/2956-24-0x00000000054C0000-0x0000000005552000-memory.dmp

    Filesize

    584KB

  • memory/2956-25-0x00000000054B0000-0x00000000054BA000-memory.dmp

    Filesize

    40KB

  • memory/2956-26-0x00000000056C0000-0x0000000005726000-memory.dmp

    Filesize

    408KB

  • memory/2956-27-0x0000000075040000-0x00000000757F0000-memory.dmp

    Filesize

    7.7MB

  • memory/2956-28-0x0000000005370000-0x0000000005380000-memory.dmp

    Filesize

    64KB