Analysis

  • max time kernel
    299s
  • max time network
    294s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    21/07/2024, 19:05

General

  • Target

    rrrServer.exe

  • Size

    93KB

  • MD5

    ce2af732afc7f49ed2a33fe9ca4973c0

  • SHA1

    3a595322305cd5728dee1f8e0edfcb2baca5e20d

  • SHA256

    1c8ad2d3edf85ee66ce0735cd809063d6ffa7b07ad261106621174bd25d2bcc0

  • SHA512

    edd06d5c2d79bfe53d911de64e12e4aa52669afd8e5f0f91642fd7fb3713c0d9c8c6effe93c12d22e21845b4d67954654079f9c35e0a1e1c5a0c252389c21434

  • SSDEEP

    768:2Y30YMUiu5LVMZASgeArRKm6t0XJmmm6gaeG+KXxrjEtCdnl2pi1Rz4Rk3tsGdpH:mYMputRe2Rx6koab9jEwzGi1dD9D3gS

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

147.185.221.18:37615

Mutex

4ca7ea912d08da37869d1251c09733c8

Attributes
  • reg_key

    4ca7ea912d08da37869d1251c09733c8

  • splitter

    |'|'|
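The splitter above is the field delimiter of njRAT's plain-text C2 protocol, and the mutex and reg_key attributes are the same per-build string the family uses for its single-instance mutex and its Run-key entry. As an added example (not from the report, tria.ge, or the malware itself), the Python below frames and parses messages the way public write-ups describe this family's traffic: an ASCII decimal length, a NUL byte, then splitter-delimited fields, the first field being the command and the initial 'll' beacon carrying base64('<botnet>_<volume serial>'). Only the splitter and the botnet name "HacKed" come from the config above; the volume serial, user and host names, OS string, the field order after the victim ID and the 'kl' message are constructed, and the command names and framing are assumptions to confirm against a real capture.

```python
import base64
from typing import Dict, List, Tuple

# Field separator taken from the extracted config ("splitter" attribute above).
SPLITTER = "|'|'|"


def encode_frame(message: str) -> bytes:
    """Frame one message as njRAT does on the wire (assumption from public
    write-ups): ASCII decimal byte length, a NUL byte, then the ANSI body."""
    body = message.encode("latin-1")
    return str(len(body)).encode("ascii") + b"\x00" + body


def split_frames(stream: bytes) -> Tuple[List[bytes], bytes]:
    """Cut a TCP byte stream into complete frames.

    Returns (frames, leftover): a caller reassembling a live session keeps the
    leftover (an unfinished frame) and prepends it to the next read.
    """
    frames: List[bytes] = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:                      # length header not complete yet
            break
        header = stream[pos:nul]
        if not header.isdigit() or len(header) > 9:
            raise ValueError(f"bad length header at offset {pos}: {header!r}")
        end = nul + 1 + int(header)
        if end > len(stream):              # body not complete yet
            break
        frames.append(stream[nul + 1:end])
        pos = end
    return frames, stream[pos:]


def parse_message(frame: bytes) -> Dict[str, object]:
    """Split a frame on the config's splitter: first field is the command
    ('ll' = initial victim-info beacon), the rest are its arguments."""
    fields = frame.decode("latin-1").split(SPLITTER)
    return {"command": fields[0], "fields": fields[1:]}


def decode_victim_id(field: str) -> Tuple[str, str]:
    """First argument of the 'll' beacon is base64('<botnet>_<volume serial>')
    per public write-ups (assumption); split it back into the two parts."""
    raw = base64.b64decode(field, validate=True).decode("latin-1")
    botnet, _, serial = raw.rpartition("_")
    return botnet, serial


def beacons(stream: bytes) -> List[Dict[str, object]]:
    frames, _ = split_frames(stream)
    return [parse_message(f) for f in frames]


# Constructed sample session: "HacKed" is the botnet name from the config above;
# the volume serial, user/host names, OS string and the 'kl' message are made up.
VICTIM_ID = base64.b64encode(b"HacKed_4F898A5B").decode("ascii")
SAMPLE_STREAM = (
    encode_frame(SPLITTER.join(
        ["ll", VICTIM_ID, "Admin", "DESKTOP-TEST", "21-07-24", "", "Win 10 Pro", "No", "0.7d"]))
    + encode_frame(SPLITTER.join(["kl", "[Notepad]hello"]))
)

if __name__ == "__main__":
    for msg in beacons(SAMPLE_STREAM):
        print(msg["command"], msg["fields"])
    print(decode_victim_id(beacons(SAMPLE_STREAM)[0]["fields"][0]))
```

Feeding a reassembled client-to-server TCP stream from a capture of the C2 on port 2000 or 37615 through split_frames and beacons gives the victim ID, which decodes to the botnet name and the drive serial the operator sees in the panel; the decimal-length-NUL framing plus the splitter string is also a cheap network signature on its own.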

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 3 IoCs
  • Drops startup file 4 IoCs
  • Executes dropped EXE 6 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\rrrServer.exe
    "C:\Users\Admin\AppData\Local\Temp\rrrServer.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\ProgramData\server.exe
      "C:\ProgramData\server.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3844
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        PID:1408
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall delete allowedprogram "C:\ProgramData\server.exe"
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        PID:1912
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        PID:4412
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2700
  • C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
    C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
    1⤵
    • Executes dropped EXE
    PID:4888
  • C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
    C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
    1⤵
    • Executes dropped EXE
    PID:692
  • C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
    C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
    1⤵
    • Executes dropped EXE
    PID:1760
  • C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
    C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
    1⤵
    • Executes dropped EXE
    PID:3164
  • C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
    C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
    1⤵
    • Executes dropped EXE
    PID:1780
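The process tree above is the whole persistence routine: the dropper copies itself to C:\ProgramData\server.exe, punches a firewall exception for that path with the legacy netsh firewall context (add, delete, add again), and registers a scheduled task that re-launches StUpdate.exe from the user's Temp directory every minute. The Python below is an added example (not from tria.ge or the report) of detection logic over process-creation events modelled on that tree; it goes beyond the sample by also accepting the modern netsh advfirewall firewall add rule syntax and by normalising the mixed / and \ separators seen in the schtasks command line. The event records, the two benign commands with PIDs 5000 and 5001, the rule names and the list of user-writable locations are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcEvent:
    pid: int
    image: str
    parent_image: str
    command_line: str


@dataclass
class Finding:
    pid: int
    rule: str
    technique: str   # ATT&CK technique ID where one applies
    detail: str


# Locations an unprivileged user can write to (assumed list). Everything the
# sample persists lives under C:\ProgramData or the user's Temp, so a firewall
# exception or a scheduled task pointing here is the signal; Program Files is not.
USER_WRITABLE_MARKERS = ("\\programdata\\", "\\appdata\\", "\\users\\public\\", "\\temp\\")


def norm_path(p: str) -> str:
    """Lower-case, drop quotes and unify separators so the mixed-separator
    'C:\\Users\\...\\Temp/StUpdate.exe' form in the sample still matches."""
    return p.strip().strip('"').replace("/", "\\").lower()


def is_user_writable(p: str) -> bool:
    return any(m in norm_path(p) for m in USER_WRITABLE_MARKERS)


def basename(p: str) -> str:
    return norm_path(p).rsplit("\\", 1)[-1]


# Legacy 'netsh firewall add|delete allowedprogram <path> ...' (what the sample
# runs) and the modern 'netsh advfirewall firewall add rule ... program=<path>'.
RE_LEGACY_FW = re.compile(r'firewall\s+(add|delete)\s+allowedprogram\s+("[^"]+"|\S+)', re.I)
RE_ADV_FW = re.compile(r'advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=("[^"]+"|\S+)', re.I)
RE_TASK_TR = re.compile(r'/tr\s+("[^"]+"|\S+)', re.I)
RE_TASK_SC = re.compile(r'/sc\s+(\w+)(?:\s+/mo\s+(\d+))?', re.I)


def firewall_target(cmd: str) -> Optional[str]:
    m = RE_LEGACY_FW.search(cmd)
    if m:
        return m.group(2)
    m = RE_ADV_FW.search(cmd)
    return m.group(1) if m else None


def evaluate(events: List[ProcEvent]) -> List[Finding]:
    out: List[Finding] = []
    for ev in events:
        exe, cmd = basename(ev.image), ev.command_line
        if exe == "netsh.exe":
            target = firewall_target(cmd)
            if target and is_user_writable(target):
                out.append(Finding(ev.pid, "firewall_exception_user_writable", "T1562.004",
                                   f"firewall rule for {norm_path(target)}"))
        elif exe == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
            tr = RE_TASK_TR.search(cmd)
            if tr and is_user_writable(tr.group(1)):
                sc = RE_TASK_SC.search(cmd)
                cadence = "unknown" if not sc else sc.group(1).lower() + (
                    f" x{sc.group(2)}" if sc.group(2) else "")
                out.append(Finding(ev.pid, "schtask_user_writable_target", "T1053.005",
                                   f"task runs {norm_path(tr.group(1))}, schedule {cadence}"))
        # Either LOLBin launched by a binary living in a user-writable directory:
        # weak alone, but it is what ties the two rules above to one dropper.
        if exe in ("netsh.exe", "schtasks.exe") and is_user_writable(ev.parent_image):
            out.append(Finding(ev.pid, "lolbin_from_user_writable_parent", "-",
                               f"parent {norm_path(ev.parent_image)}"))
    return out


# Constructed process-creation events mirroring the tree above (PIDs kept),
# plus two benign administrative commands (PIDs 5000/5001) that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(3040, r"C:\Users\Admin\AppData\Local\Temp\rrrServer.exe", r"C:\Windows\explorer.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\rrrServer.exe"'),
    ProcEvent(3844, r"C:\ProgramData\server.exe", r"C:\Users\Admin\AppData\Local\Temp\rrrServer.exe",
              r'"C:\ProgramData\server.exe"'),
    ProcEvent(1408, r"C:\Windows\SysWOW64\netsh.exe", r"C:\ProgramData\server.exe",
              r'netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE'),
    ProcEvent(1912, r"C:\Windows\SysWOW64\netsh.exe", r"C:\ProgramData\server.exe",
              r'netsh firewall delete allowedprogram "C:\ProgramData\server.exe"'),
    ProcEvent(2700, r"C:\Windows\SysWOW64\schtasks.exe", r"C:\ProgramData\server.exe",
              r"schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\Admin\AppData\Local\Temp/StUpdate.exe"),
    ProcEvent(5000, r"C:\Windows\System32\schtasks.exe", r"C:\Windows\System32\cmd.exe",
              r'schtasks /create /sc daily /tn NightlyBackup /tr "C:\Program Files\Backup\backup.exe"'),
    ProcEvent(5001, r"C:\Windows\System32\netsh.exe", r"C:\Windows\System32\cmd.exe",
              r'netsh advfirewall firewall add rule name="OpenSSH" dir=in action=allow program="C:\Program Files\OpenSSH\sshd.exe" enable=yes'),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f.pid:>5} {f.rule:<34} {f.technique:<10} {f.detail}")
```

Run against Sysmon event 1 or Security 4688 records with command-line auditing enabled, the same three rules fire on PIDs 1408, 1912 and 2700 and stay quiet on the two administrative commands; the path-based predicate is what keeps the netsh and schtasks rules from flagging routine software installs.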

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\server.exe

    Filesize

    93KB

    MD5

    ce2af732afc7f49ed2a33fe9ca4973c0

    SHA1

    3a595322305cd5728dee1f8e0edfcb2baca5e20d

    SHA256

    1c8ad2d3edf85ee66ce0735cd809063d6ffa7b07ad261106621174bd25d2bcc0

    SHA512

    edd06d5c2d79bfe53d911de64e12e4aa52669afd8e5f0f91642fd7fb3713c0d9c8c6effe93c12d22e21845b4d67954654079f9c35e0a1e1c5a0c252389c21434

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\StUpdate.exe.log

    Filesize

    408B

    MD5

    6b062b48db9a8e149e10fefd80ab54ef

    SHA1

    1e72855f88c33b6ddce512b079bbe2e4aa2b6b57

    SHA256

    026518c621aa1e908fd3617fe1d684a6225393659345ad4f9c085fc4f6b3cf43

    SHA512

    b36007e2b0b71247979cdac1b17520cc37065c001464b4c70d642c8a059510d28ed8b57b7e4df59a43d99d69c588c1bab7b3c95c6a75c0ab98317246b56f7832

  • C:\Users\Admin\AppData\Roaming\app

    Filesize

    5B

    MD5

    f478c76bbb3174dbc7fabae62224f818

    SHA1

    bed239508bad9fcd15a9bdea1e132f62468d07d1

    SHA256

    d7a0af52f260c87ef40bdfc1f1196faf7797593d62c6120ae99957d78762ed1a

    SHA512

    b653aa05746c721c9129456de3798d9e94385a0e5630c5d497fa0d6076274560885edd5875232b40d07aafa3f0e929e9b3bf2ff388ad2c21b3589cb01b79f94b

  • memory/3040-0-0x00007FF9770E0000-0x00007FF9772BB000-memory.dmp

    Filesize

    1.9MB

  • memory/3844-8-0x00007FF9770E0000-0x00007FF9772BB000-memory.dmp

    Filesize

    1.9MB