Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/12/2024, 23:46

General

  • Target

    456-Invoice.js

  • Size

    166KB

  • MD5

    c000b245272ad81b74958689e4b3352e

  • SHA1

    ce74042c88b852c6a5b00186096f0ce42afc38b6

  • SHA256

    f19462db16c63e8c26095f8ee024340649e0b2cb26a9ba9d08691b6d01e4f2be

  • SHA512

    f9b3f811a4be2bee356d9265d15a20a00d41b4a5933d8ab5adcf683ce23cab0ac0b6a7cbdbc97abb509385082aa038d11f1b4f8e502f61e6a42535bbd4df155c

  • SSDEEP

    3072:Z6EsOoG2OGyjn37WIMnhHXmhRZkIQQZ9ophBCvD9hsbVhjv5:PsOotKeIMnimk+EIb5

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

SUCCEED

C2

194.5.97.156:7654

Mutex

Client.exe

Attributes
  • reg_key

    Client.exe

  • splitter

    0149266241@@@

Signatures

  • Njrat family
  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Vjw0rm family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Drops startup file (2 IoCs)
  • Executes dropped EXE (1 IoC)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Command and Scripting Interpreter: JavaScript (1 TTP)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken (37 IoCs)
  • Suspicious use of WriteProcessMemory (15 IoCs)

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\456-Invoice.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\YgrKtkfSUZ.js"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      PID:1676
    • C:\Users\Admin\AppData\Local\Temp\New Client.exe
      "C:\Users\Admin\AppData\Local\Temp\New Client.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Delete /tn NYAN /F
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2772
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\New Client.exe" /sc minute /mo 1
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2760
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {85AFC9E2-2A74-4809-A729-B0C32218CB3A} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
    1⤵
    PID:2016


Downloads

  • C:\Users\Admin\AppData\Local\Temp\New Client.exe

    Filesize

    78KB

    MD5

    4c1c9fdf28215ae2f0f681349b66bbff

    SHA1

    8ab23d0ee7a361c8f29622fa9ba05f6644e24e9a

    SHA256

    50842fb63d2308152a3d6c25bf5c45b2a71906193e299975401e8cc5189abd7a

    SHA512

    f0415187e7f7dc15546ea4bc8e6c53281aa407df064a2d73e0360e796caf807430d7ab565ba842e8d1c58c1bc35eefffcd868042c65357906a625b92064e96c5

  • C:\Users\Admin\AppData\Roaming\YgrKtkfSUZ.js

    Filesize

    10KB

    MD5

    4e1188211bc0a1f728e5a97cf47a7105

    SHA1

    740914054d0824fbacf494855eb9121355a49740

    SHA256

    ada3ac15b6fd893f1f8b1a4ad1f6d4cbc86c566c0d5a639c4dda15f4727f2cee

    SHA512

    b37d9c26c44b45e89a4732439480bf6d09e292fb85ef054a4a591cb7228eeef0f8595aeaf12824771c033297ea218996d6e4c9006972c15a58d02b89365b2a14

  • memory/2668-8-0x0000000074421000-0x0000000074422000-memory.dmp

    Filesize

    4KB

  • memory/2668-10-0x0000000074420000-0x00000000749CB000-memory.dmp

    Filesize

    5.7MB

  • memory/2668-11-0x0000000074420000-0x00000000749CB000-memory.dmp

    Filesize

    5.7MB

  • memory/2668-12-0x0000000074420000-0x00000000749CB000-memory.dmp

    Filesize

    5.7MB

  • memory/2668-13-0x0000000074420000-0x00000000749CB000-memory.dmp

    Filesize

    5.7MB