Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    152s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/01/2024, 14:52

General

  • Target

    Server.exe

  • Size

    93KB

  • MD5

    90ac8a759ee08383aae9e92c55550701

  • SHA1

    acb356c4b297f8072e744955a35b52ffb1f403d2

  • SHA256

    d1e1a276ad4820f0472c8acac3f9d17d3bcd64bbe35f5c38148533f1f5b14603

  • SHA512

    19363a421ea763a0e5befab5134fdb90d8eee4a45ede263ca4abbd92c71a454c2cab4b9dca32d1480bedc335df79830795580d93f33afae2d364b51310e92fdd

  • SSDEEP

    1536:h+IYW6qbkW8aVpO1ARkoojEwzGi1dDUDxgS:h+88aVpO2SCi1dqu

Score
10/10

Malware Config

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2640
    • C:\Windows\server.exe
      "C:\Windows\server.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4428
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:4368

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\app

    Filesize

    5B

    MD5

    410c3c7c3e0376e2f9b228980b58d042

    SHA1

    3aec3fa12cd88edca90fdc72a0d25cd071dc2052

    SHA256

    5c272042cede2596555e6b6f2c36857b015ccab9f34affbc63d6b000ccd08391

    SHA512

    2a1e382b045d59580271cb05b521d0c6e99772be7cd5ce38d3e5e1997a4cb9d3fe5d424a24c67383a5a2d0002d4a2194f71e1604fa9ff0199944f8cee9b26a57

  • C:\Windows\server.exe

    Filesize

    93KB

    MD5

    90ac8a759ee08383aae9e92c55550701

    SHA1

    acb356c4b297f8072e744955a35b52ffb1f403d2

    SHA256

    d1e1a276ad4820f0472c8acac3f9d17d3bcd64bbe35f5c38148533f1f5b14603

    SHA512

    19363a421ea763a0e5befab5134fdb90d8eee4a45ede263ca4abbd92c71a454c2cab4b9dca32d1480bedc335df79830795580d93f33afae2d364b51310e92fdd

  • memory/2640-0-0x0000000074C80000-0x0000000075231000-memory.dmp

    Filesize

    5.7MB

  • memory/2640-1-0x0000000074C80000-0x0000000075231000-memory.dmp

    Filesize

    5.7MB

  • memory/2640-2-0x0000000000E50000-0x0000000000E60000-memory.dmp

    Filesize

    64KB

  • memory/2640-16-0x0000000074C80000-0x0000000075231000-memory.dmp

    Filesize

    5.7MB

  • memory/4428-13-0x0000000074C80000-0x0000000075231000-memory.dmp

    Filesize

    5.7MB

  • memory/4428-14-0x0000000001160000-0x0000000001170000-memory.dmp

    Filesize

    64KB

  • memory/4428-15-0x0000000074C80000-0x0000000075231000-memory.dmp

    Filesize

    5.7MB

  • memory/4428-54-0x0000000074C80000-0x0000000075231000-memory.dmp

    Filesize

    5.7MB

  • memory/4428-55-0x0000000074C80000-0x0000000075231000-memory.dmp

    Filesize

    5.7MB

  • memory/4428-56-0x0000000001160000-0x0000000001170000-memory.dmp

    Filesize

    64KB