Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

5457dd383e...bN.exe

windows7-x64

10

5457dd383e...bN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    116s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    24/09/2024, 22:02 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5457dd383ee30081111dac45f5701512a5496fcdaef3e0e63caac90598a7ef7bN.exe

  • Size

    87KB

  • MD5

    670c8d22e8634e5ecc068bcc602d2670

  • SHA1

    3d0969a03dcf424aa880202721dfb4dd32c0f06b

  • SHA256

    5457dd383ee30081111dac45f5701512a5496fcdaef3e0e63caac90598a7ef7b

  • SHA512

    49e683290adac6f74ebec720e823ced2f9b2c6d20151389ffeb4337c6a258d15c213f1bf97cac0b2048fc3b90aeca1820e9c7a3b139e8a8e4852ac65011abffb

  • SSDEEP

    1536:FrbII78KHCbUv4rFjxJOEGJs2A1LEwgnY6ko:FrbIE8KibUv4rxxJemhWbko

Score
10/10
njratmohibevasionpersistenceprivilege_escalationtrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

mohib

C2

172.0.0.1:5552

Mutex

17bece55e4f05b715c44e4118c9b222e

Attributes
  • reg_key

    17bece55e4f05b715c44e4118c9b222e

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5457dd383ee30081111dac45f5701512a5496fcdaef3e0e63caac90598a7ef7bN.exe
    "C:\Users\Admin\AppData\Local\Temp\5457dd383ee30081111dac45f5701512a5496fcdaef3e0e63caac90598a7ef7bN.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2104
    • C:\Users\Admin\AppData\Roaming\explorer.exe
      "C:\Users\Admin\AppData\Roaming\explorer.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2276
      • C:\Windows\system32\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\explorer.exe" "explorer.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        PID:2808

Network

    No results found
  • 172.0.0.1:5552
    explorer.exe
    152 B
     3
  • 172.0.0.1:5552
    explorer.exe
    152 B
     3
  • 172.0.0.1:5552
    explorer.exe
    152 B
     3
  • 172.0.0.1:5552
    explorer.exe
    152 B
     3
  • 172.0.0.1:5552
    explorer.exe
    152 B
     3
No results found

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\explorer.exe
    Filesize

    87KB

    MD5

    670c8d22e8634e5ecc068bcc602d2670

    SHA1

    3d0969a03dcf424aa880202721dfb4dd32c0f06b

    SHA256

    5457dd383ee30081111dac45f5701512a5496fcdaef3e0e63caac90598a7ef7b

    SHA512

    49e683290adac6f74ebec720e823ced2f9b2c6d20151389ffeb4337c6a258d15c213f1bf97cac0b2048fc3b90aeca1820e9c7a3b139e8a8e4852ac65011abffb

    Download Submit

  • memory/2104-0-0x000007FEF5B3E000-0x000007FEF5B3F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2104-1-0x00000000005C0000-0x00000000005CC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2104-2-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2104-3-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2104-11-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2276-9-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2276-10-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2276-12-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

    Filesize

    9.6MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.