
Analysis

  • max time kernel
    59s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/09/2024, 19:35 UTC

General

  • Target

    9e21262444644ed806b67c9c21bb89e8e5579ab1ef596ad08632bf744784f2ef.exe

  • Size

    270KB

  • MD5

    92224916dece7e83fe34e50756dc866b

  • SHA1

    ce1221fd9fd4f2373d1b2a69bcff3480da35ad23

  • SHA256

    9e21262444644ed806b67c9c21bb89e8e5579ab1ef596ad08632bf744784f2ef

  • SHA512

    f7beb58ae58662eba921e3f0c82b225417f3ab2970ae58050630fd336fddc64b68350dc33ca99405157fa50711f08155dac590e1fe6cdf39b6a81fe3898424be

  • SSDEEP

    6144:apFZywoS9KT/qXAtzF5jaaFqgDfZstH1Sb:8ZdPKXjaaFqist4b

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

اختراق الواي فاي (Arabic: "WiFi hacking")

C2

hamza102.no-ip.biz:6543

Mutex

3e4e59d01ea7e23f9eec413d2bd64504

Attributes
  • reg_key

    3e4e59d01ea7e23f9eec413d2bd64504

  • splitter

    |'|'|
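
The splitter above is the field delimiter njRAT uses on the wire, which makes the extracted config directly usable for traffic parsing and detection. The following is an added example, not code from the tria.ge report or from njRAT itself. It assumes the framing described in public njRAT analyses (each message is a decimal length, a NUL byte, then the payload, with payload fields separated by the splitter); the command names "ll" and "inf" and all field values in the sample stream are constructed for illustration.

```python
# Added example (not part of the tria.ge report): parse njRAT-style C2 messages
# using the "splitter" value from the extracted config. Assumes njRAT's framing
# as described in public analyses: each message is "<decimal length>\x00<payload>"
# and payload fields are separated by the splitter. Sample bytes are constructed.
from dataclasses import dataclass
from typing import List, Tuple

SPLITTER = b"|'|'|"          # from the extracted config
MAX_MESSAGE = 1 << 20        # assumption: refuse absurd length prefixes


@dataclass
class NjMessage:
    command: str             # first field, e.g. "ll" (initial check-in) or "inf"
    fields: List[str]        # remaining fields, already split on SPLITTER


def parse_stream(buf: bytes, splitter: bytes = SPLITTER) -> Tuple[List[NjMessage], bytes]:
    """Split a TCP byte stream into complete njRAT messages.

    Returns (messages, leftover). leftover is an incomplete trailing message;
    re-feed it prefixed to the next chunk of the stream. A malformed length
    prefix raises ValueError rather than silently resyncing.
    """
    messages: List[NjMessage] = []
    i = 0
    while i < len(buf):
        nul = buf.find(b"\x00", i)
        if nul == -1:
            break                                   # length prefix not complete yet
        length_txt = buf[i:nul]
        if not length_txt.isdigit() or int(length_txt) > MAX_MESSAGE:
            raise ValueError(f"bad length prefix at offset {i}: {length_txt!r}")
        start, end = nul + 1, nul + 1 + int(length_txt)
        if end > len(buf):
            break                                   # payload not complete yet
        parts = buf[start:end].split(splitter)
        messages.append(NjMessage(
            command=parts[0].decode("utf-8", "replace"),
            fields=[p.decode("utf-8", "replace") for p in parts[1:]],
        ))
        i = end
    return messages, buf[i:]


def frame(command: str, *fields: str, splitter: bytes = SPLITTER) -> bytes:
    """Build one message in the same framing (what a C2 emulator would send)."""
    payload = splitter.join([command.encode()] + [f.encode() for f in fields])
    return str(len(payload)).encode() + b"\x00" + payload


def looks_like_njrat(buf: bytes, splitter: bytes = SPLITTER) -> bool:
    """Cheap triage check for a captured first packet: a correct length prefix
    followed by a payload that contains the splitter."""
    nul = buf.find(b"\x00")
    if nul <= 0 or not buf[:nul].isdigit():
        return False
    payload = buf[nul + 1:]
    return len(payload) == int(buf[:nul]) and splitter in payload


# Constructed sample: a check-in followed by an "inf" message, as they would
# appear back-to-back on the TCP connection to hamza102.no-ip.biz:6543.
SAMPLE_STREAM = frame("ll", "HacKed_4142", "WIN7-PC", "Admin") + frame("inf")

if __name__ == "__main__":
    msgs, rest = parse_stream(SAMPLE_STREAM)
    for m in msgs:
        print(m.command, m.fields)
    print("leftover bytes:", len(rest))
```

Because the splitter travels in cleartext, a content match on the five-byte sequence `|'|'|` in TCP payloads towards the configured port is a workable network signature for this family; the length-prefix check in `looks_like_njrat` cuts false positives from unrelated data that happens to contain the string.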

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • ModiLoader Second Stage 1 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. The netsh invocation recorded in the process tree below adds a Windows Firewall exception for the dropped Server.exe; it does not register a helper DLL, so treat this match as generic netsh execution by an untrusted parent rather than as evidence of helper-DLL persistence.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9e21262444644ed806b67c9c21bb89e8e5579ab1ef596ad08632bf744784f2ef.exe
    "C:\Users\Admin\AppData\Local\Temp\9e21262444644ed806b67c9c21bb89e8e5579ab1ef596ad08632bf744784f2ef.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3000
    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1728
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2884
    • C:\Users\Admin\AppData\Local\Temp\Wifi Password Hack 2014.exe
      "C:\Users\Admin\AppData\Local\Temp\Wifi Password Hack 2014.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2524
      • C:\Extracted\Wifi.exe
        "C:\Extracted\Wifi.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2800
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
          dw20.exe -x -s 384
          4⤵
            PID:2828
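
The tree above shows the two behaviours worth alerting on from endpoint telemetry: a dropped executable launching further dropped executables out of the user's Temp directory, and netsh.exe whitelisting one of them in the firewall. The following detection logic is an added example, not code from the tria.ge report. The events are constructed to mirror the tree in a Sysmon Event ID 1-like shape; the field names (pid, image, cmd, parent_image), the parent of the first process, and the benign installer event used for contrast are assumptions.

```python
# Added example (not part of the tria.ge report): process-creation detections
# for two behaviours in the tree above: netsh adding a firewall exception for a
# program in an untrusted location, and a dropped EXE launched by another
# dropped EXE. Events are constructed in a Sysmon Event ID 1-like shape; the
# field names (pid, image, cmd, parent_image) are an assumption.
import re
from typing import Dict, List, Optional

TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Legacy context: netsh firewall {add|set} allowedprogram [program=]"<path>" ...
ALLOWEDPROGRAM = re.compile(r'allowedprogram\s+(?:program=)?(?:"([^"]+)"|(\S+))', re.I)
# Modern context: netsh advfirewall firewall add rule ... program="<path>"
ADVFIREWALL = re.compile(r'advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=(?:"([^"]+)"|(\S+))', re.I)


def untrusted_path(path: str) -> bool:
    """Anything outside Windows/Program Files is treated as user-writable."""
    return not path.lower().startswith(TRUSTED_PREFIXES)


def firewall_program(cmd: str) -> Optional[str]:
    """Return the program path a netsh command line whitelists, if any."""
    for rx in (ALLOWEDPROGRAM, ADVFIREWALL):
        m = rx.search(cmd)
        if m:
            return m.group(1) or m.group(2)
    return None


def run_detections(events: List[Dict]) -> List[Dict]:
    alerts = []
    for ev in events:
        image, parent = ev["image"], ev["parent_image"]
        if image.lower().endswith("\\netsh.exe"):
            prog = firewall_program(ev["cmd"])
            if prog and untrusted_path(prog):
                alerts.append({"rule": "firewall_exception_untrusted_program",
                               "pid": ev["pid"], "program": prog, "parent": parent})
        if untrusted_path(image) and untrusted_path(parent):
            alerts.append({"rule": "dropped_exe_chain",
                           "pid": ev["pid"], "image": image, "parent": parent})
    return alerts


# Constructed events mirroring the process tree above (the parent of the first
# process and the benign installer event are invented for contrast).
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EXE = TEMP + r"\9e21262444644ed806b67c9c21bb89e8e5579ab1ef596ad08632bf744784f2ef.exe"
SAMPLE_EVENTS = [
    {"pid": 3000, "image": SAMPLE_EXE, "cmd": f'"{SAMPLE_EXE}"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 1728, "image": TEMP + r"\Server.exe", "cmd": f'"{TEMP}\\Server.exe"',
     "parent_image": SAMPLE_EXE},
    {"pid": 2884, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmd": f'netsh firewall add allowedprogram "{TEMP}\\Server.exe" "Server.exe" ENABLE',
     "parent_image": TEMP + r"\Server.exe"},
    {"pid": 2524, "image": TEMP + r"\Wifi Password Hack 2014.exe",
     "cmd": f'"{TEMP}\\Wifi Password Hack 2014.exe"', "parent_image": SAMPLE_EXE},
    {"pid": 2800, "image": r"C:\Extracted\Wifi.exe", "cmd": r'"C:\Extracted\Wifi.exe"',
     "parent_image": TEMP + r"\Wifi Password Hack 2014.exe"},
    {"pid": 2828, "image": r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe",
     "cmd": "dw20.exe -x -s 384", "parent_image": r"C:\Extracted\Wifi.exe"},
    # benign: an MSI installer whitelisting a service binary under Program Files
    {"pid": 4100, "image": r"C:\Windows\System32\netsh.exe",
     "cmd": r'netsh advfirewall firewall add rule name="SQL" dir=in action=allow '
            r'program="C:\Program Files\Microsoft SQL Server\sqlservr.exe"',
     "parent_image": r"C:\Windows\System32\msiexec.exe"},
]

if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(a)
```

Run against the constructed events, the chain rule fires for PIDs 1728, 2524 and 2800 (each dropped binary started by another dropped binary) and the firewall rule fires only for PID 2884; the explorer-launched first stage, the dw20.exe crash reporter under C:\Windows, and the installer whitelisting a Program Files binary produce no alerts.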

    Network

    • DNS query by Server.exe to 8.8.8.8:53
      hamza102.no-ip.biz IN A
      Response: no records returned (the no-ip dynamic-DNS hostname did not resolve during the run, so no C2 session to port 6543 was observed)
    • 8.8.8.8:53 (dns, Server.exe)
      64 B sent, 124 B received, 1 packet each way
      DNS Request: hamza102.no-ip.biz

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Extracted\Wifi.exe

      Filesize

      69KB

      MD5

      d890349dbb670a7fcd7e293f5e55b6a5

      SHA1

      288ae6a90efad5da83dfa4fd3ce0d3981e267a96

      SHA256

      fd25a7082c8623f4b2397ae4d090d1bd441fee5331b064ff002af3ec13bd77fa

      SHA512

      b68c3a89482180f1bcc6b21f66e850e90ced6308d5e5618e33a09ff818686fc4c61706d28edefa44742dedc75630a3bee7bd7075828dae72916b82e29bd976aa

    • C:\Users\Admin\AppData\Local\Temp\sfx.ini

      Filesize

      226B

      MD5

      6a313f19181d97d006898ad025d4ef6a

      SHA1

      c090484def4c90eee1d0c974c38940c4f669d771

      SHA256

      2cfc6311c0e60140a2b804b3bf5ebe2f6eac7e56c3c7c9cab97eba1e361178a6

      SHA512

      2ed531365117e9e263ace01e8be9780bd9644e3fded528e8508172d08ead753152aff690592afc8143031a62d21537382735c9a1bce795a201873b82eda02021

    • \Users\Admin\AppData\Local\Temp\Server.exe

      Filesize

      23KB

      MD5

      2361cd0f4e2639717d64832700337e5b

      SHA1

      990a35cc7012d4b6c3eb7bb7c167e113349ab6bd

      SHA256

      43357bcafd427aaf96fdf3495bf38ba402090b7ac9b46ba13520381f5027d1ad

      SHA512

      9d55edcc78e7547aea6f15b9439b6140adac6df2b1f3f0e45333a2337a9dffc9522525b1df27e25cfd56f451d3dcd8f44f5cd84a743fefc046467e170dbf2971

    • \Users\Admin\AppData\Local\Temp\Wifi Password Hack 2014.exe

      Filesize

      217KB

      MD5

      27a51cbe1f0290b27b5e936356446b58

      SHA1

      cfc304447b7f07774ede994ccecc9db69a95b978

      SHA256

      8128299e7b54c80d097ea7ee65a47d78bc45a5ff99f98fe59195d58fd94dceed

      SHA512

      1ded2a9b56565547b0280c8ef04db474e50adf3b030bbf12df88514781fb146afc38d0e87c66756bd654c5741c4f49ddacd041828a73213abcbf938edfb64112

    • memory/1728-44-0x0000000001E30000-0x0000000001E70000-memory.dmp

      Filesize

      256KB

    • memory/1728-45-0x0000000001E30000-0x0000000001E70000-memory.dmp

      Filesize

      256KB

    • memory/3000-15-0x0000000000400000-0x000000000044B000-memory.dmp

      Filesize

      300KB
