Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    17/01/2024, 18:10

General

  • Target

    start.exe

  • Size

    93KB

  • MD5

    937286297fbc003e6a69fdc0f02ce8b0

  • SHA1

    2ebd595bbb357264649f17f8b066941f05befefb

  • SHA256

    35b46563f4d1ef02e7e2a315df8bbf0f8c2e49803856af0cf1418ea19fba58cf

  • SHA512

    9c26792ef5102c7215afae12264e2eca6c2a0f9ed67d9b84918b720f4ca81b5fa2cdb59a28f4089e25abb93243a3d90e98d45dda9862286e2e074708eaf405f4

  • SSDEEP

    1536:t8NBNvGfr2p4dTc/hDjEwzGi1dDmD4gS:t8Yfr2p4dI/Gi1dwh

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

dead-reviewer.gl.at.ply.gg:60161

Mutex

60742add55fe12a61a5fe6a3cf32e5c0

Attributes
  • reg_key

    60742add55fe12a61a5fe6a3cf32e5c0

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Drops startup file 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\start.exe
    "C:\Users\Admin\AppData\Local\Temp\start.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2996
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2560
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:2612

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\server.exe

    Filesize

    41KB

    MD5

    894fb42e2eb6e43158ff6e5d7458e010

    SHA1

    f2738a56c022985c2e64cde59cb2124d3b71e58b

    SHA256

    b348604355c49691b1e6c418c85ac46bb503069bdc995bbd0b9bc36986c85f5b

    SHA512

    cc63bb26652d876e47ea5dcbfa37fdd6e1c90d791b7ed93863058b2fd93879b8292f132a17fe0ff7eb8464868d7c05f73a548a0b22151eeb660554709fb7346c

  • C:\Users\Admin\AppData\Local\Temp\server.exe

    Filesize

    93KB

    MD5

    937286297fbc003e6a69fdc0f02ce8b0

    SHA1

    2ebd595bbb357264649f17f8b066941f05befefb

    SHA256

    35b46563f4d1ef02e7e2a315df8bbf0f8c2e49803856af0cf1418ea19fba58cf

    SHA512

    9c26792ef5102c7215afae12264e2eca6c2a0f9ed67d9b84918b720f4ca81b5fa2cdb59a28f4089e25abb93243a3d90e98d45dda9862286e2e074708eaf405f4

  • C:\Users\Admin\AppData\Local\Temp\server.exe

    Filesize

    90KB

    MD5

    7ebb9bb5335f2acdec954fa52a5337fa

    SHA1

    a61ffdb339dd076ceb51fa8aba498d4b6c63974a

    SHA256

    8bac326bef9044a44f45de5cfcb94584e2a3e66d229019cc64e7b087b9deb51d

    SHA512

    ae5958ff3970063248a97e732c1963a949d0effc3006a0b8520d568035d64bcf7964c7d60a6afefeea41895a86d5ab503f0e45b9f90253fbaa906ebb19690c35

  • C:\Users\Admin\AppData\Roaming\app

    Filesize

    5B

    MD5

    69cf10399d0d1350c3698099796624cb

    SHA1

    d0b58b76ff065f51172971853a7da414286d9ea7

    SHA256

    a7bff94c7cdef50b67a3bab142ebcec4d360491e339581c41f433fec6d002f48

    SHA512

    5e1c9745b2b529c026e51fbff7fd4e1e0bd208c705b7da830459758d28c01b32b9bc93caa7ad60228d3e785784023d8a739fda0dab62d3c76770ea84c257f1f7

  • memory/2560-16-0x0000000000910000-0x0000000000950000-memory.dmp

    Filesize

    256KB

  • memory/2560-15-0x0000000074070000-0x000000007461B000-memory.dmp

    Filesize

    5.7MB

  • memory/2560-17-0x0000000074070000-0x000000007461B000-memory.dmp

    Filesize

    5.7MB

  • memory/2560-56-0x0000000000910000-0x0000000000950000-memory.dmp

    Filesize

    256KB

  • memory/2560-55-0x0000000074070000-0x000000007461B000-memory.dmp

    Filesize

    5.7MB

  • memory/2996-0-0x0000000074070000-0x000000007461B000-memory.dmp

    Filesize

    5.7MB

  • memory/2996-14-0x0000000074070000-0x000000007461B000-memory.dmp

    Filesize

    5.7MB

  • memory/2996-2-0x00000000009F0000-0x0000000000A30000-memory.dmp

    Filesize

    256KB

  • memory/2996-1-0x0000000074070000-0x000000007461B000-memory.dmp

    Filesize

    5.7MB