Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Sound Blas...ix.exe

windows7-x64

Sound Blas...ix.exe

windows10-2004-x64

Analysis

  • max time kernel
    381s
  • max time network
    381s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    07/07/2024, 13:14

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Sound Blaster creative set-up.fix.exe

  • Size

    202KB

  • MD5

    69e54877c8aee907efaad8e96ffa8bad

  • SHA1

    fa005fa2f233fb07c0a58b06b0c88610164097a8

  • SHA256

    83b491f66cbcc39a71daff3cb9f2e6228a77959aebdf6a87b4c95f884de588a4

  • SHA512

    db4d864dd8ae525b48941491ff257e8eee64ba93cdf1e9fd96a21d124bc01dfe660fe9451a87cb306964c2966854a0626d5f777bb35aec47c83c5956f2f4b917

  • SSDEEP

    3072:9nx83hRxFJiN09QcRD21e+/2EIjcvlCHQnDPvrcUPn6+byteiYD8+YdzNrj:FCxiN0f1fcvlCwnDbvytDYo7

Score
10/10
njratevasionexecutionpersistencetrojan

Malware Config

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Sound Blaster creative set-up.fix.exe
    "C:\Users\Admin\AppData\Local\Temp\Sound Blaster creative set-up.fix.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\ProgramData\dllhost.exe
      "C:\ProgramData\dllhost.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3000
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2808
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Set-MpPreference -DisableRealtimeMonitoring $true
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2612
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c sc query windefend
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1376
        • C:\Windows\SysWOW64\sc.exe
          sc query windefend
          4⤵
          • Launches sc.exe
          PID:2604
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c sc stop windefend
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2636
        • C:\Windows\SysWOW64\sc.exe
          sc stop windefend
          4⤵
          • Launches sc.exe
          PID:1724
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c sc delete windefend
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2156
        • C:\Windows\SysWOW64\sc.exe
          sc delete windefend
          4⤵
          • Launches sc.exe
          PID:2304
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c taskkill /f /im svchost.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2144
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im svchost.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:332
      • C:\Users\Admin\AppData\Local\Temp\4f6d82eb10a040658aa7ca149b72ce8f.exe
        "C:\Users\Admin\AppData\Local\Temp\4f6d82eb10a040658aa7ca149b72ce8f.exe"
        3⤵
        • Executes dropped EXE
        PID:2164
      • C:\Users\Admin\AppData\Local\Temp\0435cf9f226d4ab7a1eacdfc7f64050a.exe
        "C:\Users\Admin\AppData\Local\Temp\0435cf9f226d4ab7a1eacdfc7f64050a.exe"
        3⤵
        • Executes dropped EXE
        PID:1584
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    1⤵
      PID:1952
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs
      1⤵
        PID:2512
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        1⤵
          PID:1068
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
          1⤵
            PID:1048
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k netsvcs
            1⤵
              PID:2484
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k netsvcs
              1⤵
                PID:2256
              • C:\Windows\system32\LogonUI.exe
                "LogonUI.exe" /flags:0x1
                1⤵
                  PID:908
                • C:\Windows\system32\LogonUI.exe
                  "LogonUI.exe" /flags:0x1
                  1⤵
                    PID:844

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\ProgramData\dllhost.exe
                    Filesize

                    202KB

                    MD5

                    69e54877c8aee907efaad8e96ffa8bad

                    SHA1

                    fa005fa2f233fb07c0a58b06b0c88610164097a8

                    SHA256

                    83b491f66cbcc39a71daff3cb9f2e6228a77959aebdf6a87b4c95f884de588a4

                    SHA512

                    db4d864dd8ae525b48941491ff257e8eee64ba93cdf1e9fd96a21d124bc01dfe660fe9451a87cb306964c2966854a0626d5f777bb35aec47c83c5956f2f4b917

                    Download Submit

                  • \Users\Admin\AppData\Local\Temp\0435cf9f226d4ab7a1eacdfc7f64050a.exe
                    Filesize

                    997KB

                    MD5

                    28aaac578be4ce06cb695e4f927b4302

                    SHA1

                    880ab0560b81e05e920f9ec1d6c0ecf5e04eaa7e

                    SHA256

                    8929d3b749ff91527b8e407eff6bde4bb0bb27739313b5c0db0434cbf700dbfc

                    SHA512

                    068698bda0543c773b36830f6760456e40e9046d9d20089ad88cb646ef5c7bd6c6716c6d59cfc7abd5bffb9129f5a7076e2f9c9b321795f224923f00b7b91374

                    Download Submit

                  • \Users\Admin\AppData\Local\Temp\4f6d82eb10a040658aa7ca149b72ce8f.exe
                    Filesize

                    961KB

                    MD5

                    4723c3c04794c09bbcb6e03f48440f15

                    SHA1

                    a5ef69c9dc9eacc2099d9c239146a0e360f1837f

                    SHA256

                    0d635f035cdb2fd3afda768cd631481ff980957b614a3cf3fca6c592c6c06470

                    SHA512

                    5b68e1cd3d6bb85b5f449014cc288423faea76ff0ecf8834047dac1ed6e84c4d858a7ed23abe3625d781391f636893736bf5c00474ad0995e75611c1557c5c4a

                    Download Submit

                  • memory/2232-0-0x0000000074E91000-0x0000000074E92000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2232-1-0x0000000074E90000-0x000000007543B000-memory.dmp

                    Filesize

                    5.7MB

                    Download

                  • memory/2232-2-0x0000000074E90000-0x000000007543B000-memory.dmp

                    Filesize

                    5.7MB

                    Download

                  • memory/2232-10-0x0000000074E90000-0x000000007543B000-memory.dmp

                    Filesize

                    5.7MB

                    Download