Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    25/01/2024, 05:45

General

  • Target

    d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe

  • Size

    31KB

  • MD5

    a5ad2d1796744144d739569bb466b307

  • SHA1

    42de0164c8cbd9b6c64100de720d2e0c49ebcb77

  • SHA256

    d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9

  • SHA512

    45fa09478a871a75f4650a56529632bfddf93990819c6d5212753325305a7946c631076897b13e62297136ae26db064fef701dea23453ea504b4c2517d5e74b9

  • SSDEEP

    384:c8LBBi/W/7mgEp87wYK2GePqZhbM2AQk93vmhm7UMKmIEecKdbXTzm9bVhcaO6fd:5W/sqoHT2A/vMHTi9bD/Qz1n

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

C2

172.20.6.206:1992

Mutex

Windows

Attributes
  • reg_key

    Windows

  • splitter

    |-F-|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Drops startup file 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe
    "C:\Users\Admin\AppData\Local\Temp\d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Users\Admin\AppData\Local\Temp\Payload.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      PID:2540
    • C:\Windows\SysWOW64\attrib.exe
      attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
      2⤵
      • Views/modifies file attributes
      PID:2636

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

    Filesize

    1KB

    MD5

    406cb5d8884554b910ec2985051e04b9

    SHA1

    6c2caa778ff91890041c687a8f0d7bfb3496c72d

    SHA256

    6f65ea8e387ca72e00d035cd0c38570a196414187ff069577491764e1f601bd1

    SHA512

    2f8418c76878a6e1dec7fe2ce4e7f47734cd01e9a8c812995263e5f57a67adc4761923a2c00a9cffecec73b2080e8f03c6fcd07d6d18b5c0154cd2542f02a182

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

    Filesize

    1018B

    MD5

    7cbc2d82c4f90ff978979a21634aa85e

    SHA1

    cc595afa4a2f17360b23218aa002e3e31e29b408

    SHA256

    21f7e2b15bbe313f5bb49f27e5a11296c63cf26c625e2da423b1e18df0bbb5a0

    SHA512

    3c11f0c560084e7e85183a0d28463308ce9df197616c36b1a6d912657364e9f83730c82b94673c8bab4130c26c417ff668b3a19abccfb360855d2d374ed8ddff

  • \Users\Admin\AppData\Local\Temp\Payload.exe

    Filesize

    31KB

    MD5

    a5ad2d1796744144d739569bb466b307

    SHA1

    42de0164c8cbd9b6c64100de720d2e0c49ebcb77

    SHA256

    d5c62e521f44e5fc7bc80dd61a163e86405eae49dbbc9101aad6b6261b79abf9

    SHA512

    45fa09478a871a75f4650a56529632bfddf93990819c6d5212753325305a7946c631076897b13e62297136ae26db064fef701dea23453ea504b4c2517d5e74b9

  • memory/1680-0-0x0000000074110000-0x00000000746BB000-memory.dmp

    Filesize

    5.7MB

  • memory/1680-1-0x0000000074110000-0x00000000746BB000-memory.dmp

    Filesize

    5.7MB

  • memory/1680-2-0x0000000000310000-0x0000000000350000-memory.dmp

    Filesize

    256KB

  • memory/1680-13-0x0000000074110000-0x00000000746BB000-memory.dmp

    Filesize

    5.7MB

  • memory/2540-14-0x0000000000500000-0x0000000000540000-memory.dmp

    Filesize

    256KB

  • memory/2540-12-0x0000000074110000-0x00000000746BB000-memory.dmp

    Filesize

    5.7MB

  • memory/2540-15-0x0000000074110000-0x00000000746BB000-memory.dmp

    Filesize

    5.7MB

  • memory/2540-21-0x0000000074110000-0x00000000746BB000-memory.dmp

    Filesize

    5.7MB