Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
33s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
09/10/2024, 18:18 UTC
General
-
Target
EMANNN.exe
-
Size
55KB
-
MD5
6bc49cb82d9f92f4a70cf4c84265c26f
-
SHA1
87f69c48c84f9a701b6800762c69c95dfd181273
-
SHA256
925364c585429e6ae064c4db9c7bf30db036debed7b1f403efc60ea6990da4bf
-
SHA512
3d1f055ec378e244c239debc9832bbd6f56a1b3cb27fa009380a728e769ad870272d90cc940d269a3f985c333380b43eedb4c5d1fbe8be57bd67749bc9419d0c
-
SSDEEP
1536:k+mIDn/NOryWhI0DtwsNMDmXExI3pmjm:SIDnE+v0DtwsNMDmXExI3pm
Score
10/10
Malware Config
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Deletes itself 1 IoCs
-
Drops startup file 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 53 IoCs
-
Suspicious use of FindShellTrayWindow 34 IoCs
-
Suspicious use of SendNotifyMessage 32 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\EMANNN.exe"C:\Users\Admin\AppData\Local\Temp\EMANNN.exe"1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /tn CleanSweepCheck /f2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Local\Temp\EMANNN.exe"2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\SysWOW64\PING.EXEping 0 -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefaec9758,0x7fefaec9768,0x7fefaec97782⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1192 --field-trial-handle=1332,i,9755490034395616860,6209982669773475762,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1532 --field-trial-handle=1332,i,9755490034395616860,6209982669773475762,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 --field-trial-handle=1332,i,9755490034395616860,6209982669773475762,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2284 --field-trial-handle=1332,i,9755490034395616860,6209982669773475762,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2296 --field-trial-handle=1332,i,9755490034395616860,6209982669773475762,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1440 --field-trial-handle=1332,i,9755490034395616860,6209982669773475762,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1432 --field-trial-handle=1332,i,9755490034395616860,6209982669773475762,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3324 --field-trial-handle=1332,i,9755490034395616860,6209982669773475762,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3080 --field-trial-handle=1332,i,9755490034395616860,6209982669773475762,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3628 --field-trial-handle=1332,i,9755490034395616860,6209982669773475762,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3852 --field-trial-handle=1332,i,9755490034395616860,6209982669773475762,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2824 --field-trial-handle=1332,i,9755490034395616860,6209982669773475762,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
Network
-
DNSwww.google.comRemote address:8.8.8.8:53Requestwww.google.comIN AResponsewww.google.comIN A142.250.200.36 -
GEThttps://www.google.com/async/ddljson?async=ntp:2Remote address:142.250.200.36:443RequestGET /async/ddljson?async=ntp:2 HTTP/2.0
host: www.google.com
sec-fetch-site: none
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
-
GEThttps://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0Remote address:142.250.200.36:443RequestGET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/2.0
host: www.google.com
x-client-data: COPjygE=
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
-
GEThttps://www.google.com/async/newtab_promosRemote address:142.250.200.36:443RequestGET /async/newtab_promos HTTP/2.0
host: www.google.com
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: empty
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
-
DNSmaps-having.gl.at.ply.ggRemote address:8.8.8.8:53Requestmaps-having.gl.at.ply.ggIN AResponsemaps-having.gl.at.ply.ggIN A147.185.221.18
-
DNSogads-pa.googleapis.comRemote address:8.8.8.8:53Requestogads-pa.googleapis.comIN AResponseogads-pa.googleapis.comIN A142.250.180.10ogads-pa.googleapis.comIN A142.250.187.234ogads-pa.googleapis.comIN A172.217.169.10ogads-pa.googleapis.comIN A216.58.201.106ogads-pa.googleapis.comIN A142.250.200.10ogads-pa.googleapis.comIN A216.58.213.10ogads-pa.googleapis.comIN A142.250.178.10ogads-pa.googleapis.comIN A142.250.187.202ogads-pa.googleapis.comIN A142.250.179.234ogads-pa.googleapis.comIN A142.250.200.42ogads-pa.googleapis.comIN A216.58.204.74ogads-pa.googleapis.comIN A172.217.16.234
-
DNSapis.google.comRemote address:8.8.8.8:53Requestapis.google.comIN AResponseapis.google.comIN CNAMEplus.l.google.complus.l.google.comIN A142.250.200.46
-
OPTIONShttps://ogads-pa.googleapis.com/$rpc/google.internal.onegoogle.asyncdata.v1.AsyncDataService/GetAsyncDataRemote address:142.250.180.10:443RequestOPTIONS /$rpc/google.internal.onegoogle.asyncdata.v1.AsyncDataService/GetAsyncData HTTP/2.0
host: ogads-pa.googleapis.com
accept: */*
access-control-request-method: POST
access-control-request-headers: content-type,x-goog-api-key,x-user-agent
origin: chrome-untrusted://new-tab-page
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
sec-fetch-mode: cors
sec-fetch-site: cross-site
sec-fetch-dest: empty
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
-
GEThttps://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.7LPvRDgzcqA.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AACA/rs=AHpOoo9wdgl3D0Cd5pn6O1gZXHwWDc_oTg/cb=gapi.loaded_0Remote address:142.250.200.46:443RequestGET /_/scs/abc-static/_/js/k=gapi.gapi.en.7LPvRDgzcqA.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AACA/rs=AHpOoo9wdgl3D0Cd5pn6O1gZXHwWDc_oTg/cb=gapi.loaded_0 HTTP/2.0
host: apis.google.com
sec-ch-ua: "Chromium";v="106", "Google Chrome";v="106", "Not;A=Brand";v="99"
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
accept: */*
sec-fetch-site: cross-site
sec-fetch-mode: no-cors
sec-fetch-dest: script
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
-
DNSplay.google.comRemote address:8.8.8.8:53Requestplay.google.comIN AResponseplay.google.comIN A172.217.169.46
-
POSThttps://play.google.com/log?format=json&hasfast=trueRemote address:172.217.169.46:443RequestPOST /log?format=json&hasfast=true HTTP/2.0
host: play.google.com
content-length: 1435
sec-ch-ua: "Chromium";v="106", "Google Chrome";v="106", "Not;A=Brand";v="99"
sec-ch-ua-platform: "Windows"
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
content-type: application/x-www-form-urlencoded;charset=UTF-8
accept: */*
origin: chrome-untrusted://new-tab-page
sec-fetch-site: cross-site
sec-fetch-mode: cors
sec-fetch-dest: empty
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
-
142.250.200.36:443https://www.google.com/async/newtab_promostls, http2
HTTP Request
GET https://www.google.com/async/ddljson?async=ntp:2HTTP Request
GET https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0HTTP Request
GET https://www.google.com/async/newtab_promos -
142.250.200.36:443www.google.comtls, http2
-
142.250.200.36:443www.google.comtls, http2
-
147.185.221.18:52531maps-having.gl.at.ply.gg
-
142.250.180.10:443https://ogads-pa.googleapis.com/$rpc/google.internal.onegoogle.asyncdata.v1.AsyncDataService/GetAsyncDatatls, http2
HTTP Request
OPTIONS https://ogads-pa.googleapis.com/$rpc/google.internal.onegoogle.asyncdata.v1.AsyncDataService/GetAsyncData -
142.250.200.46:443https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.7LPvRDgzcqA.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AACA/rs=AHpOoo9wdgl3D0Cd5pn6O1gZXHwWDc_oTg/cb=gapi.loaded_0tls, http2
HTTP Request
GET https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.7LPvRDgzcqA.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AACA/rs=AHpOoo9wdgl3D0Cd5pn6O1gZXHwWDc_oTg/cb=gapi.loaded_0 -
172.217.169.46:443https://play.google.com/log?format=json&hasfast=truetls, http2
HTTP Request
POST https://play.google.com/log?format=json&hasfast=true
-
8.8.8.8:53www.google.comdns
DNS Request
www.google.com
DNS Response
142.250.200.36
-
8.8.8.8:53maps-having.gl.at.ply.ggdns
DNS Request
maps-having.gl.at.ply.gg
DNS Response
147.185.221.18
-
8.8.8.8:53ogads-pa.googleapis.comdns
DNS Request
ogads-pa.googleapis.com
DNS Response
142.250.180.10142.250.187.234172.217.169.10216.58.201.106142.250.200.10216.58.213.10142.250.178.10142.250.187.202142.250.179.234142.250.200.42216.58.204.74172.217.16.234
-
8.8.8.8:53apis.google.comdns
DNS Request
apis.google.com
DNS Response
142.250.200.46
-
142.250.180.10:443ogads-pa.googleapis.comhttps
-
8.8.8.8:53play.google.comdns
DNS Request
play.google.com
DNS Response
172.217.169.46
-
224.0.0.251:5353
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
4KB
MD5cd1bf169833e653c01c112e62d80fbe3
SHA1018f04efb02b08e14c7774fe302312a641a52a3f
SHA256db0a2d5d8d91c68069d0a1fc6d84c51ae94f04f9d625baef2f0c99b372a7af8e
SHA512f8c25f8469b7b6c0d73f2aaa6d6df340691097b115804397b35b4787bcc7472f34b9b4b2a2c14a50df4eef88bbb95eb612bf7a787e4a2df1654536da03edabb7
-
Filesize
4KB
MD57c2d093f7b2d834ec68ae000c4d5b6fd
SHA1515040e2c1e0d13e0128a8c3e911350e8b507f06
SHA256ffb92655a7f7b239a6ed6537925621130cfcf2e157175ef6e780fb26c74b0c72
SHA5129ddec118b13470ab26f4e2646663a3de781a75ed52b3303826d7c7e0641314cd7b852683571fd424acf800c29f1fc60ca1a11433b2742dfdd9fbfc9237092b79
-
Filesize
16B
MD518e723571b00fb1694a3bad6c78e4054
SHA1afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA2568af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA51243bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB