Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    115s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    10/09/2024, 22:22

General

  • Target

    d0e8c16e6646f3eaaf78d273139f2df0N.exe

  • Size

    116KB

  • MD5

    d0e8c16e6646f3eaaf78d273139f2df0

  • SHA1

    6e6758b239b8cab23e04d208c0d3702cfb7c8b9b

  • SHA256

    40c7945ff7ba7aad8001b48f637996eb473dab74d825e87f7c4494a162af2254

  • SHA512

    a620c5c3df8351dba88308d3334ea43808566dcdfc45327655ef68cbccb61de5198727db56a41badd97d06b5c6b38c82b3ff85f4e88f301634f81009b84709b0

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDIR:P5eznsjsguGDFqGZ2rDIR

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0e8c16e6646f3eaaf78d273139f2df0N.exe
    "C:\Users\Admin\AppData\Local\Temp\d0e8c16e6646f3eaaf78d273139f2df0N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:324
      • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2868
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2544

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956

    Filesize

    1KB

    MD5

    732cfeb76b91c4d13978a00b8c666ed7

    SHA1

    0c57f76436701f4d51397d1d4e86337dd9ab1964

    SHA256

    9fab9fc0a1da813e6ddb93904c1fcfa6546cfbe70747ff8468ddd14d2552dbd2

    SHA512

    2b8618e823355a4fa646d51a753f67d34bd7b14367d46fa187f2294af7c2794c6cdee664ea570862757a5f1c99dfcb67a7d4ddf8389d07dd8d696fe55aa538bd

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    e6a1577846952c5ed5ccbc115c36024f

    SHA1

    f79fbc5a2e0cbf742da0268e04e3fb69d46903b7

    SHA256

    31f7ab29d25278075804e0fac9029a90d008317a4ace90dafca83ecd60b23ab5

    SHA512

    53413dd48a7cd086f6fa11b38b68b5e84cc1f2586f4e66a41814c04a2fb6296a9d1a6344aa2f62f55b986a53dea4a54c2a0e9f1e7c89d0c19a64eef67b3a35f6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c8feb5f8d0a3a1743ab3e92a83f5fd8a

    SHA1

    b3370d95c33077ed8d7e46236c71385d2a7e40c9

    SHA256

    9b1754e153775be3eb096814d42b8f8ebaba8ae14c85af7782738f08d500f870

    SHA512

    598978e3f9d286ba61dca12414bcfd3626707c3538cd5f905a993b8bdd2d10f73c8404754fb3e31f5939cc9bb6f4d5c9b255a479c61607a8b61f0bfba172f54b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    39c9ba379f65dc104c9c620105fa09bb

    SHA1

    8fb9a1ca8705f064713a8d55cf3443d9d2fd554d

    SHA256

    b5fae5c882c3a97631bc5d52b9744dcfcbb89ff56f0c0a3f9cf4343bde0b8b52

    SHA512

    e037a7a5459a9a652fe8bb355628b05b15aabea9c58355b8923b294effd4fa2365d283f109f1df32d70377d6cba1abd09e9773f9590ff2cf1a1425a0596d2ad8

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956

    Filesize

    252B

    MD5

    b02b2c1864c44772bda3b8c8c8de4e55

    SHA1

    40eb349da609dc9accd4e2aa5a53787c720b50de

    SHA256

    73ccdf14e5d6a9e2988f692f333f2e7a10be574ac2f526b9cf3de097a362aa87

    SHA512

    c8fade8f78c07125395304282d890de3806cb0b595dcad6fdf94b88ab42e09c7fc35004a69305f580fbd101e7fffe31789759b007050f5e48fb151a700295a4c

  • C:\Users\Admin\AppData\Local\Temp\Cab566C.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar568E.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • \Users\Admin\AppData\Roaming\confuse\chargeable.exe

    Filesize

    116KB

    MD5

    056c286d15cba6daf31ea3df3d2f9d8d

    SHA1

    dccfec60fea93851bec8a43b9cf436a0cc97d852

    SHA256

    46f0b0886e3a648e32355270f7816054fb90acad4c38be31b2facf2a8d5c0a44

    SHA512

    20ec8f081bfbd84b670695be102d37ff5416dc8cb58a444aabb744e89e14223e709408e0deb9f6de4d2e70f8b7b17f651e4bc8d13bb393075683827651671174

  • memory/2188-180-0x0000000074350000-0x00000000748FB000-memory.dmp

    Filesize

    5.7MB

  • memory/2188-170-0x0000000074350000-0x00000000748FB000-memory.dmp

    Filesize

    5.7MB

  • memory/2188-0-0x0000000074351000-0x0000000074352000-memory.dmp

    Filesize

    4KB

  • memory/2188-8-0x0000000074350000-0x00000000748FB000-memory.dmp

    Filesize

    5.7MB

  • memory/2868-349-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2868-348-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2868-346-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB