Analysis

  • max time kernel
    148s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/10/2024, 19:11 UTC

General

  • Target

    34f7f28ba032182b6791f6715af122c721f8faf65abeebc4916b75d92b4525a2.exe

  • Size

    523KB

  • MD5

    8303fbef6e3918300a97bdce8f902dac

  • SHA1

    a7aab55f0753fd4ab2961c21abd3eddf27acc8f2

  • SHA256

    34f7f28ba032182b6791f6715af122c721f8faf65abeebc4916b75d92b4525a2

  • SHA512

    f3e4dcf49b712e067af05eb34fe7d5c56c1b879da32e98cdae8f02a1cd60d3b2415c9723051129995e65dbd54a683a11f3079e47b1bd50a9e32941da426cea39

  • SSDEEP

    12288:dToPWBv/cpGrU3y/S9U7DzInZEiQIG/V/1WkRZ4p3nq6:dTbBv5rUQDzIntQIIF47

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

172.29.192.1:7733

Mutex

af8521d58cef2cc5d6031d0e5bd8a950

Attributes
  • reg_key

    af8521d58cef2cc5d6031d0e5bd8a950

  • splitter

    |'|'|
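The splitter and C2 endpoint above are what a traffic parser keys on. The following Python is an added example and not code from the tria.ge report: it builds and parses njRAT-style frames using the report's |'|'| splitter. The framing (decimal payload length, a NUL byte, then the payload) is the well-known njRAT wire format; the registration-style message it constructs (hostname WIN7-PC, HWID 0123ABCD, the other field values) is invented for the demo, and its field order is not claimed to match the im523 build.

```python
"""njRAT C2 message framing: build and parse.

Added example, not code from the tria.ge report. It uses the splitter
|'|'| recovered in the report's Malware Config. The framing (decimal
payload length, a NUL byte, then the payload) is the well-known njRAT
wire format; the registration-style message built by
build_sample_registration() is CONSTRUCTED for illustration, is not
captured traffic, and its field order is not claimed to match any
particular njRAT build.
"""
from dataclasses import dataclass, field

SPLITTER = "|'|'|"  # "splitter" attribute from the extracted config


@dataclass
class NjMessage:
    command: str                                  # first field, e.g. "ll" (register), "inf", "kl"
    fields: list[str] = field(default_factory=list)


def frame(payload: str) -> bytes:
    """Encode one message as <decimal length>\\x00<utf-8 payload>."""
    data = payload.encode("utf-8")
    return str(len(data)).encode("ascii") + b"\x00" + data


def parse_stream(buf: bytes, splitter: str = SPLITTER) -> tuple[list[NjMessage], bytes]:
    """Pull every complete frame out of a TCP byte stream.

    Returns (messages, leftover). Leftover is a trailing partial frame
    (length prefix seen but payload not fully received), which a caller
    reading from a socket should prepend to its next read.
    """
    messages: list[NjMessage] = []
    while buf:
        nul = buf.find(b"\x00")
        if nul < 0:
            break                                    # length prefix not complete yet
        head = buf[:nul]
        if not head.isdigit() or len(head) > 9:
            raise ValueError(f"not an njRAT frame: bad length prefix {head!r}")
        length = int(head)
        body_start = nul + 1
        if len(buf) < body_start + length:
            break                                    # payload not complete yet
        payload = buf[body_start:body_start + length].decode("utf-8", errors="replace")
        parts = payload.split(splitter)
        messages.append(NjMessage(parts[0], parts[1:]))
        buf = buf[body_start + length:]
    return messages, buf


def build_sample_registration(botnet: str = "HacKed", hwid: str = "0123ABCD") -> bytes:
    """CONSTRUCTED registration-style ('ll') message for the demo (not captured)."""
    fields = ["ll", f"{botnet}_{hwid}", "WIN7-PC", "Admin",
              "24-10-18", "", "Win 7 Professional SP1 x64", "No", "im523"]
    return frame(SPLITTER.join(fields))


def main() -> None:
    # Two complete frames followed by a truncated one, as a socket read might deliver them.
    raw = build_sample_registration() + frame("inf") + b"13\x00partial"
    msgs, rest = parse_stream(raw)
    for m in msgs:
        print(m.command, m.fields)
    print("leftover:", rest)


if __name__ == "__main__":
    main()
```

Fed the bytes of a TCP stream to the configured C2 port, parse_stream yields one NjMessage per frame and hands back any trailing partial frame, so it can be called repeatedly on successive socket reads. It raises on a non-numeric length prefix instead of guessing, which is the behaviour you want when the same port turns out to carry something other than njRAT.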

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall (2 TTPs, 1 IoC)
  • Drops startup file (2 IoCs)
  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (5 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. In this run the signature is attached to the netsh.exe invocation at PID 2600 in the process tree, whose visible command line adds a firewall exception for the dropped binary rather than registering a helper DLL.

  • System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (35 IoCs)
  • Suspicious use of WriteProcessMemory (20 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\34f7f28ba032182b6791f6715af122c721f8faf65abeebc4916b75d92b4525a2.exe
    "C:\Users\Admin\AppData\Local\Temp\34f7f28ba032182b6791f6715af122c721f8faf65abeebc4916b75d92b4525a2.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\ip.bat" "
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:348
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ServerGREENNER-2.sfx.exe
        ServerGREENNER-2.sfx.exe -p111
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2996
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\ServerGREENNER-2.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\ServerGREENNER-2.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2240
          • C:\Users\Admin\AppData\Roaming\Opera Crash Reporter.exe
            "C:\Users\Admin\AppData\Roaming\Opera Crash Reporter.exe"
            5⤵
            • Drops startup file
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2580
            • C:\Windows\SysWOW64\netsh.exe
              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Opera Crash Reporter.exe" "Opera Crash Reporter.exe" ENABLE
              6⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              • System Location Discovery: System Language Discovery
              PID:2600
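The chain above (SFX, batch launcher, password-protected nested SFX, copy to AppData\Roaming under a vendor-looking name, netsh firewall exception) is what a process-creation detection should key on. The following Python is an added example, not from the report: rules run over constructed events that mirror the tree above (images, command lines and PIDs are the report's; parent PIDs are inferred from the tree nesting because the report does not list them, and the root's parent is written as 0). The rule names are this example's own, and the netsh rule also covers the newer advfirewall syntax, which the page does not show.

```python
"""Process-creation rules for the njRAT install chain seen in the report.

Added example, not code from the tria.ge report. EVENTS is CONSTRUCTED
from the report's process tree: images, command lines and PIDs are the
report's, parent PIDs are inferred from the tree nesting (the root's
parent is unknown, written as 0). In practice the events would come
from Sysmon Event ID 1 or EDR telemetry. Rule names are this example's own.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


TMP = r"C:\Users\Admin\AppData\Local\Temp"
EVENTS = [
    ProcEvent(2348, 0, TMP + r"\34f7f28ba032182b6791f6715af122c721f8faf65abeebc4916b75d92b4525a2.exe",
              '"' + TMP + r'\34f7f28ba032182b6791f6715af122c721f8faf65abeebc4916b75d92b4525a2.exe"'),
    ProcEvent(348, 2348, r"C:\Windows\SysWOW64\cmd.exe",
              'cmd /c ""' + TMP + r'\RarSFX0\ip.bat" "'),
    ProcEvent(2996, 348, TMP + r"\RarSFX0\ServerGREENNER-2.sfx.exe",
              "ServerGREENNER-2.sfx.exe -p111"),
    ProcEvent(2240, 2996, TMP + r"\RarSFX1\ServerGREENNER-2.exe",
              '"' + TMP + r'\RarSFX1\ServerGREENNER-2.exe"'),
    ProcEvent(2580, 2240, r"C:\Users\Admin\AppData\Roaming\Opera Crash Reporter.exe",
              r'"C:\Users\Admin\AppData\Roaming\Opera Crash Reporter.exe"'),
    ProcEvent(2600, 2580, r"C:\Windows\SysWOW64\netsh.exe",
              r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Opera Crash Reporter.exe" '
              r'"Opera Crash Reporter.exe" ENABLE'),
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
SFX_STAGING = re.compile(r"\\AppData\\Local\\Temp\\RarSFX\d+\\", re.I)
# Legacy "netsh firewall add allowedprogram <path>" (as in the report) and the
# newer "netsh advfirewall firewall add rule ... program=<path>" form.
NETSH_ALLOW = re.compile(
    r"(?:firewall\s+add\s+allowedprogram\s+|advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=)"
    r'(?:"([^"]+)"|(\S+))', re.I)
SFX_PASSWORD = re.compile(r"(?:^|\s)-p\S+")          # WinRAR SFX password switch
ROAMING_ROOT_EXE = re.compile(r"\\AppData\\Roaming\\[^\\]+\.exe$", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def check_event(ev: ProcEvent) -> list[str]:
    """Return the names of every rule this single event trips."""
    hits: list[str] = []
    img = basename(ev.image).lower()
    if img == "netsh.exe":
        m = NETSH_ALLOW.search(ev.cmdline)
        if m and USER_WRITABLE.search(m.group(1) or m.group(2)):
            hits.append("netsh_allow_userwritable_exe")   # firewall hole for a user-writable binary
    if img == "cmd.exe" and SFX_STAGING.search(ev.cmdline) and re.search(r"\.bat\b", ev.cmdline, re.I):
        hits.append("sfx_batch_launcher")                  # batch file run out of SFX staging dir
    if SFX_STAGING.search(ev.image) and img.endswith(".sfx.exe") and SFX_PASSWORD.search(ev.cmdline):
        hits.append("nested_password_sfx")                 # password-protected SFX inside an SFX
    if ROAMING_ROOT_EXE.search(ev.image):
        hits.append("exe_in_appdata_roaming_root")         # exe dropped straight into Roaming
    return hits


def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map pid -> rule hits, omitting clean processes."""
    return {ev.pid: h for ev in events if (h := check_event(ev))}


def ancestry(events: list[ProcEvent], pid: int) -> list[str]:
    """Image basenames from the outermost known ancestor down to pid."""
    by_pid = {ev.pid: ev for ev in events}
    chain: list[str] = []
    seen: set[int] = set()
    while pid in by_pid and pid not in seen:       # stop at unknown parent or a ppid cycle
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


def main() -> None:
    for pid, rules in scan(EVENTS).items():
        print(pid, rules, " -> ".join(ancestry(EVENTS, pid)))


if __name__ == "__main__":
    main()
```

Each rule fires on one event, so a single hit is only a lead; the ancestry of the netsh.exe event (dropped sample, cmd.exe, nested SFX, Roaming binary) is what turns four weak signals into one confident detection of this chain.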

Network

  • 172.29.192.1:7733 | Opera Crash Reporter.exe | 152 B | 3
  • 172.29.192.1:7733 | Opera Crash Reporter.exe | 152 B | 3
  • 172.29.192.1:7733 | Opera Crash Reporter.exe | 152 B | 3
  • 172.29.192.1:7733 | Opera Crash Reporter.exe | 152 B | 3
  • 172.29.192.1:7733 | Opera Crash Reporter.exe | 152 B | 3
  • 172.29.192.1:7733 | Opera Crash Reporter.exe | 152 B | 3

Six identical entries: repeated connections from the dropped Opera Crash Reporter.exe to the configured C2 172.29.192.1:7733, each 152 B. No other network results were recorded. Note that 172.29.192.1 lies in the private 172.16.0.0/12 range, so this build can only reach its controller from inside a network where that address is routable.

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ip.bat

    Filesize

    30B

    MD5

    a7ec260030472a979dbb07422145fdd2

    SHA1

    ceb879e31942ba97bda3664debef48c97c1e92e1

    SHA256

    e548908fc514d728c288c437be5634e316f99db269445ee65960a12064ab21b8

    SHA512

    2f954b6eef741514a0a71cc77750cb547e7a77e12211f056ed9166b77d8185189cda45cd54ed26decebfeebbb2c4a08d35c0a52e45b8a3958834b973b92ac57a

  • \Users\Admin\AppData\Local\Temp\RarSFX0\ServerGREENNER-2.sfx.exe

    Filesize

    363KB

    MD5

    7f16adf83b19a808ff3748060a71a823

    SHA1

    014a21803c0603aa7ff5c3ab8ad166867584bd9a

    SHA256

    b2dd4dbffe743a3520e5084b699f07c2b5bfb71d30c9c75e3e16bac65d20f708

    SHA512

    5aaf027b3bd3282771807047d30464e60fa3a1103658d3e6782b9225658563b2aa83ed4b26da27d18ed93499856ec6feb583c878c682dd6c41d37a3f7415ad0b

  • \Users\Admin\AppData\Local\Temp\RarSFX1\ServerGREENNER-2.exe

    Filesize

    91KB

    MD5

    e559e1d5860f3558388db382a059f523

    SHA1

    6bd93e947a56fcf83c9858c21af8898e29b801ba

    SHA256

    e5404b532a4aa2e35a3481025b75972031dfda9194d22fcd932bfdff45cd4936

    SHA512

    c11795656fe0a9cfe161cf2fdd38688d00805fd50f98eae559408e74eeeba15af8de92330bd850615fd753db24fcbdb0fdf45a4ecd8bfccfca46b7a3125b7f3d
