Analysis

  • max time kernel
    59s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/10/2024, 19:38 UTC

General

  • Target

    35de7fceb13baa1d78b2480c70715c3643a6b20d8d40debee3bb57a208e2797e.exe

  • Size

    50KB

  • MD5

    48b54653b2dc586063e746379de09f8a

  • SHA1

    99f14a1ecbe248af25b2a0f710614a1948469978

  • SHA256

    35de7fceb13baa1d78b2480c70715c3643a6b20d8d40debee3bb57a208e2797e

  • SHA512

    39df43ccd72d0ca11e312e6e3ef973ae56f9938d1163ac4e6839e411d4617d7f0887270a85710f9b62887f475b0497eeacc8eeef2d522f26c445fed1d1ceef3b

  • SSDEEP

    768:ifQUIH5hyt4IBNXT6EOad1yPMXZwpJbb2zxxO5oaqHhisfvaMQmIDUu0tiTejWSh:OQRHg3hOoXkKZisfQVkbjWr

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

MyBot

C2

192.168.0.108:2503

Mutex

69b2ff7c700ce93bcdefa60d17081a7c

Attributes
  • reg_key

    69b2ff7c700ce93bcdefa60d17081a7c

  • splitter

    Y262SUCZ4UJJ

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\35de7fceb13baa1d78b2480c70715c3643a6b20d8d40debee3bb57a208e2797e.exe
    "C:\Users\Admin\AppData\Local\Temp\35de7fceb13baa1d78b2480c70715c3643a6b20d8d40debee3bb57a208e2797e.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Users\Admin\AppData\Roaming\CLIENT.EXE
      "C:\Users\Admin\AppData\Roaming\CLIENT.EXE"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2712
      • C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe
        "C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2584
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:1604

Network

  • 192.168.0.108:2503
    WindowsServices.exe
    152 B
    3

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\TLAUNCHER.LNK

    Filesize

    1KB

    MD5

    eccbaff7fcf2c63605625d3a98f78cae

    SHA1

    65db59676d3916a8f6c5298b1ca4c97642a8563d

    SHA256

    7ebbbbb985df5f8a1b9e123b095b2a97068ad266b943ca206f1ae34e06533be4

    SHA512

    4fb5b2a0974dbb9f20f69dd381a84bb7aeae79c65c70c64a76050350f2ae2e309d9ba597238a4e200b470472e5e4cf98c7827796abe0f0ca755f254e060c56b9

  • \Users\Admin\AppData\Roaming\CLIENT.EXE

    Filesize

    31KB

    MD5

    73ddd19456abb03bacf089d9bc17bf17

    SHA1

    03e128f72e884e1ff40748326e295562bad6592f

    SHA256

    4b5f724c675dedae912f8e4ae74589a5daea1d6b720901674322e9e537d4366a

    SHA512

    34e1debdfdbfa6c4c7a81f0c6788bcff4d2b4e00391d1063eb8705391b0bc720103ea9e2a90e30d1bd2747c661e3fcb49ec1e66cfe12cee6064fe301db34101f

  • memory/2712-8-0x0000000074001000-0x0000000074002000-memory.dmp

    Filesize

    4KB

  • memory/2712-19-0x0000000074000000-0x00000000745AB000-memory.dmp

    Filesize

    5.7MB

  • memory/2712-20-0x0000000074000000-0x00000000745AB000-memory.dmp

    Filesize

    5.7MB

  • memory/2712-28-0x0000000074000000-0x00000000745AB000-memory.dmp

    Filesize

    5.7MB
