Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

ad21777c95...fN.exe

windows7-x64

10

ad21777c95...fN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19/09/2024, 07:15 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ad21777c9591c33b563a53115f9db9461899805dfe9c73a690463074fa9f12cfN.exe

  • Size

    128KB

  • MD5

    13c2a0a9fbc1649da8c50ce26b292440

  • SHA1

    958b633948884bebdaaec097495954ea181b5702

  • SHA256

    ad21777c9591c33b563a53115f9db9461899805dfe9c73a690463074fa9f12cf

  • SHA512

    efa1527c3c14934124299cea35f6b7822c2cf4ec04d8872b275f4e68370618c6323095df58a403cbd4d61866f8f8c7997da13ef42ab40f7e1caf8b63c5254648

  • SSDEEP

    3072:H42ScHsJXC/Uij87CW70PX9akYAMTxLkwJgt1aedys9jjYLde:Y2SdcJDak9YxLVgueXx

Score
10/10
njratvip@dump evasionpersistenceprivilege_escalationtrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

VIP@DUMP

C2

volkatv500.sytes.net:999

Mutex

e0bb29bc288c4cac846ed6aff410e0c6

Attributes
  • reg_key

    e0bb29bc288c4cac846ed6aff410e0c6

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad21777c9591c33b563a53115f9db9461899805dfe9c73a690463074fa9f12cfN.exe
    "C:\Users\Admin\AppData\Local\Temp\ad21777c9591c33b563a53115f9db9461899805dfe9c73a690463074fa9f12cfN.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2532
    • C:\Users\Admin\AppData\Roaming\winhelp.bat
      "C:\Users\Admin\AppData\Roaming\winhelp.bat"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2584
      • C:\Windows\system32\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\winhelp.bat" "winhelp.bat" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        PID:2772

Network

  • flag-us
    DNS
    volkatv500.sytes.net
    winhelp.bat
    Remote address:
    8.8.8.8:53
    Request
    volkatv500.sytes.net
    IN A
    Response
    volkatv500.sytes.net
    IN A
    197.206.111.137
  • flag-us
    DNS
    volkatv500.sytes.net
    winhelp.bat
    Remote address:
    8.8.8.8:53
    Request
    volkatv500.sytes.net
    IN A
    Response
    volkatv500.sytes.net
    IN A
    197.206.111.137
  • 197.206.111.137:999
    volkatv500.sytes.net
    winhelp.bat
    152 B
     3
  • 197.206.111.137:999
    volkatv500.sytes.net
    winhelp.bat
    152 B
     3
  • 197.206.111.137:999
    volkatv500.sytes.net
    winhelp.bat
    152 B
     3
  • 197.206.111.137:999
    volkatv500.sytes.net
    winhelp.bat
    152 B
     3
  • 197.206.111.137:999
    volkatv500.sytes.net
    winhelp.bat
    152 B
     3
  • 8.8.8.8:53
    volkatv500.sytes.net
    dns
    winhelp.bat
    66 B
     82 B
     1
    1

    DNS Request

    volkatv500.sytes.net

    DNS Response

    197.206.111.137

  • 8.8.8.8:53
    volkatv500.sytes.net
    dns
    winhelp.bat
    66 B
     82 B
     1
    1

    DNS Request

    volkatv500.sytes.net

    DNS Response

    197.206.111.137

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\winhelp.bat
    Filesize

    128KB

    MD5

    13c2a0a9fbc1649da8c50ce26b292440

    SHA1

    958b633948884bebdaaec097495954ea181b5702

    SHA256

    ad21777c9591c33b563a53115f9db9461899805dfe9c73a690463074fa9f12cf

    SHA512

    efa1527c3c14934124299cea35f6b7822c2cf4ec04d8872b275f4e68370618c6323095df58a403cbd4d61866f8f8c7997da13ef42ab40f7e1caf8b63c5254648

    Download Submit

  • memory/2532-0-0x000007FEF5CAE000-0x000007FEF5CAF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2532-1-0x000007FEF59F0000-0x000007FEF638D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2532-2-0x00000000002B0000-0x00000000002BC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2532-3-0x000007FEF59F0000-0x000007FEF638D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2532-9-0x000007FEF59F0000-0x000007FEF638D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2584-11-0x000007FEF59F0000-0x000007FEF638D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2584-10-0x000007FEF59F0000-0x000007FEF638D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2584-13-0x000007FEF59F0000-0x000007FEF638D000-memory.dmp

    Filesize

    9.6MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.