Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
16/07/2024, 00:43
240716-a232nsxckr 1016/07/2024, 00:41
240716-a16q6szdmc 1016/07/2024, 00:38
240716-azamcazcpc 1015/07/2024, 20:46
240715-zkpv6a1dlh 10Analysis
-
max time kernel
1799s -
max time network
1796s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
16/07/2024, 00:43
General
-
Target
0928f36599b47ba66582d1f5a5cb6fb0N.exe
-
Size
23KB
-
MD5
0928f36599b47ba66582d1f5a5cb6fb0
-
SHA1
bef519e4db670bbea44d8cba6cbf104050ae551d
-
SHA256
7833bf16b7c7c64dff43ca86f7ef1119284cedbc43fc7c31184d531b17e6bbf0
-
SHA512
edf35a5457744d7792c8d4ea5d99e8e3beecef2a516a18f0296891d6f4baf3bf543cf00ba63a11aac5ad18af2567aa8781e840e339d80097d8e7a2e837b8ca3e
-
SSDEEP
384:/oWtkEwn65rgjAsGipk55D16xgXakhbZD0mRvR6JZlbw8hqIusZzZI2:Y7O89p2rRpcnuY
Malware Config
Extracted
njrat
0.7d
HacKed
10.10.1.11:5552
7657c14284185fbd3fb108b43c7467ba
-
reg_key
7657c14284185fbd3fb108b43c7467ba
-
splitter
|'|'|
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0928f36599b47ba66582d1f5a5cb6fb0N.exe"C:\Users\Admin\AppData\Local\Temp\0928f36599b47ba66582d1f5a5cb6fb0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23KB
MD50928f36599b47ba66582d1f5a5cb6fb0
SHA1bef519e4db670bbea44d8cba6cbf104050ae551d
SHA2567833bf16b7c7c64dff43ca86f7ef1119284cedbc43fc7c31184d531b17e6bbf0
SHA512edf35a5457744d7792c8d4ea5d99e8e3beecef2a516a18f0296891d6f4baf3bf543cf00ba63a11aac5ad18af2567aa8781e840e339d80097d8e7a2e837b8ca3e
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB