Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

1f8f390678...e1.exe

windows7-x64

10

1f8f390678...e1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    05/01/2025, 02:11 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1f8f39067871df0c4f5b3e7dfdf7bf3d70c319ccb78190d5c012f59be946c1e1.exe

  • Size

    120KB

  • MD5

    03a957673a394475e15c113f43e0e99e

  • SHA1

    9da8fb150808ffb7583b509237c59c70ee37f81c

  • SHA256

    1f8f39067871df0c4f5b3e7dfdf7bf3d70c319ccb78190d5c012f59be946c1e1

  • SHA512

    e6926305fdd18b3e10b768ce749436c4f1c23a9a3aaea02cc33eb058fae1528bc6c57051d658a46996f8d6652abccba0611168be095aa8cd53560992dbd13b94

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLVgS:P5eznsjsguGDFqGZ2rDL3

Score
10/10
njratneufdiscoveryevasionpersistenceprivilege_escalationtrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Signatures

  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1f8f39067871df0c4f5b3e7dfdf7bf3d70c319ccb78190d5c012f59be946c1e1.exe
    "C:\Users\Admin\AppData\Local\Temp\1f8f39067871df0c4f5b3e7dfdf7bf3d70c319ccb78190d5c012f59be946c1e1.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2736
    • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2056
      • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2540
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2972

Network

  • flag-us
    DNS
    crl.microsoft.com
    1f8f39067871df0c4f5b3e7dfdf7bf3d70c319ccb78190d5c012f59be946c1e1.exe
    Remote address:
    8.8.8.8:53
    Request
    crl.microsoft.com
    IN A
    Response
    crl.microsoft.com
    IN CNAME
    crl.www.ms.akadns.net
    crl.www.ms.akadns.net
    IN CNAME
    a1363.dscg.akamai.net
    a1363.dscg.akamai.net
    IN A
    23.33.27.99
    a1363.dscg.akamai.net
    IN A
    23.33.27.88
  • flag-fr
    GET
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    1f8f39067871df0c4f5b3e7dfdf7bf3d70c319ccb78190d5c012f59be946c1e1.exe
    Remote address:
    23.33.27.99:80
    Request
    GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Thu, 11 Jul 2024 01:45:51 GMT
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: crl.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1036
    Content-Type: application/octet-stream
    Content-MD5: +oTkvMkqpdtzWrUHEQQM3g==
    Last-Modified: Thu, 12 Dec 2024 00:06:56 GMT
    ETag: 0x8DD1A40E476D877
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: eebc2a06-301e-0031-3c35-4cb6f9000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Sun, 05 Jan 2025 02:11:12 GMT
    Connection: keep-alive
  • flag-us
    DNS
    www.microsoft.com
    1f8f39067871df0c4f5b3e7dfdf7bf3d70c319ccb78190d5c012f59be946c1e1.exe
    Remote address:
    8.8.8.8:53
    Request
    www.microsoft.com
    IN A
    Response
    www.microsoft.com
    IN CNAME
    www.microsoft.com-c-3.edgekey.net
    www.microsoft.com-c-3.edgekey.net
    IN CNAME
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    IN CNAME
    e13678.dscb.akamaiedge.net
    e13678.dscb.akamaiedge.net
    IN A
    2.22.57.219
  • flag-fr
    GET
    http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
    1f8f39067871df0c4f5b3e7dfdf7bf3d70c319ccb78190d5c012f59be946c1e1.exe
    Remote address:
    2.22.57.219:80
    Request
    GET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Sun, 18 Aug 2024 00:23:49 GMT
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: www.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1078
    Content-Type: application/octet-stream
    Content-MD5: PjrtHAukbJio72s77Ag5mA==
    Last-Modified: Thu, 31 Oct 2024 23:26:09 GMT
    ETag: 0x8DCFA0366D6C4CA
    x-ms-request-id: f61eb153-f01e-003e-14ee-2bc095000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Sun, 05 Jan 2025 02:11:12 GMT
    Connection: keep-alive
    TLS_version: UNKNOWN
    ms-cv: CASMicrosoftCV1f1d0476.0
    ms-cv-esi: CASMicrosoftCV1f1d0476.0
    X-RTag: RT
  • flag-us
    DNS
    doddyfire.linkpc.net
    chargeable.exe
    Remote address:
    8.8.8.8:53
    Request
    doddyfire.linkpc.net
    IN A
    Response
    doddyfire.linkpc.net
    IN A
    196.119.98.31
  • 23.33.27.99:80
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    http
    1f8f39067871df0c4f5b3e7dfdf7bf3d70c319ccb78190d5c012f59be946c1e1.exe
    497 B
     1.6kB
     6
    3

    HTTP Request

    GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

    HTTP Response

    200
  • 2.22.57.219:80
    http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
    http
    1f8f39067871df0c4f5b3e7dfdf7bf3d70c319ccb78190d5c012f59be946c1e1.exe
    439 B
     1.7kB
     5
    4

    HTTP Request

    GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

    HTTP Response

    200
  • 196.119.98.31:10000
    doddyfire.linkpc.net
    chargeable.exe
    1.2kB
     2.9kB
     19
    20
  • 8.8.8.8:53
    crl.microsoft.com
    dns
    1f8f39067871df0c4f5b3e7dfdf7bf3d70c319ccb78190d5c012f59be946c1e1.exe
    63 B
     162 B
     1
    1

    DNS Request

    crl.microsoft.com

    DNS Response

    23.33.27.99
    23.33.27.88

  • 8.8.8.8:53
    www.microsoft.com
    dns
    1f8f39067871df0c4f5b3e7dfdf7bf3d70c319ccb78190d5c012f59be946c1e1.exe
    63 B
     230 B
     1
    1

    DNS Request

    www.microsoft.com

    DNS Response

    2.22.57.219

  • 8.8.8.8:53
    doddyfire.linkpc.net
    dns
    chargeable.exe
    66 B
     82 B
     1
    1

    DNS Request

    doddyfire.linkpc.net

    DNS Response

    196.119.98.31

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE
    Filesize

    1KB

    MD5

    fa84e4bcc92aa5db735ab50711040cde

    SHA1

    084f1cb4c47fdd3be1c833f58359ec8e16f61eb4

    SHA256

    6d7205e794fde4219a62d9692ecddf612663a5cf20399e79be87b851fca4ca33

    SHA512

    261a327ed1dffd4166e215d17bfd867df5b77017ba72c879fb2675cfb8eef48b374f6de41da0e51ba7adb9c0165bb2c831840603e873f6429963afd0cb93007f

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956
    Filesize

    1KB

    MD5

    3e3aed1c0ba46c98a8ef6b3bec083998

    SHA1

    8df2ba67925f2c9580ead34fc567acd35c55b416

    SHA256

    3fab079f84b987b1a1e305228bd9d2c7dc9a4033b62d3715073c009391fc949f

    SHA512

    f0afb50c3ca2843e0dde736e5ce6d327ad2b70ae3e04c46c658878208dbd242059efc414f8eff22e9e6034a4a4948b34bdd612c5156c3d9a7fcbd38238066b29

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE
    Filesize

    264B

    MD5

    a1171c7ec0417f779dd61ff9cff482db

    SHA1

    0683fd88bf9721013464652f9101c0b46a31fca4

    SHA256

    7a0cc49b018f2280defe2f97bd9e886ba4eaac54f36390146683b35c4c22acf0

    SHA512

    780f9463ee4b08420902683f3bc31823acc064170d14f54c9ece76aa1fb53b858d090239e3ed1daa9eb1bfeb327d8a321f68b69b10c0c6cb79a20a26b6b9808e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    701f7994389289d2a58696d356896560

    SHA1

    2d14826c13ba76896326e83b032f21c679af06e1

    SHA256

    051c313bfd36e6724d9e148f55c2324cbb7d13e3890a02ae3f0c5ec3700a3d7f

    SHA512

    8a63673485c6d3608e08b193c3b1ad291c174fcc79cfa0a4e4bbc154edd67adc08a401b32444b591ac0fa5b1d0294daae0b4d122ceeba375001c5bed16bad587

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    5291ef739f9bd6a31cc29744c19c96c9

    SHA1

    2ed5fee458c383ecf4bae3f849911efe11bf1811

    SHA256

    82935206bace93eae04e1afe20a8870e140192ca269c6efb90dce99830c03778

    SHA512

    e8605a9349bec293a62df2610205489a5293b29aa258d2f98dcdfd4f55df7e9e9e946c386d18af74188321d22d9919ed789c1edc897042e7b7c7acf0e5c209e9

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    431fcbf21c2ea2f21befcb8ce3e2149b

    SHA1

    ea300988f5e0f4079708db4444a0a926ed4ba702

    SHA256

    364388849723a9e65bd03484ffdbf0fcd58c819dda3c5beeee2d66b050ede0d7

    SHA512

    2bbbf884d85cbca47f9a4f55abfade0c4841400c72b2a87a0848a9a2ba83f9e2c0c2a650d5d6e282a27a7dbe32a32bdaa2b83ec57ed35da8ac2d6179b05715cb

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956
    Filesize

    252B

    MD5

    1eae0c75aca1dc8efb81a77287682679

    SHA1

    e57c92475a26ccac097da8df4521d620b57ac480

    SHA256

    3c987119ff17216fdb6452bbd70ae16f0fdacdce28ba8ca97931345edb63eb3e

    SHA512

    f565c2741128ffe3a080629aa33f503613756e23e6f423e8e8cb80bba8fb83886168629c5094c34b0670a192487501e8e26c786ee3b712596fa0370723a6c5ed

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabF24D.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarF250.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • \Users\Admin\AppData\Roaming\confuse\chargeable.exe
    Filesize

    120KB

    MD5

    2b4f14413e1a0832c923f0a746b5d152

    SHA1

    c4b91a9a104399774f88834b9ba82b26f5d4073c

    SHA256

    b26207aee85bab3941bac8bb86cc5acd168ddb742737161a9b21b2734ed509c7

    SHA512

    174e65bcfb409aa753cdf30d419c4b724458b6f76f01768cee4b0bbb54be6e3a9f79f06b9c2dd84b85286a8b9950b0cd8b94be3e071e4a04ff03d4765e12dbfe

    Download Submit

  • memory/2540-351-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2540-354-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2540-353-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2736-183-0x0000000074790000-0x0000000074D3B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2736-0-0x0000000074791000-0x0000000074792000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2736-1-0x0000000074790000-0x0000000074D3B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2736-173-0x0000000074790000-0x0000000074D3B000-memory.dmp

    Filesize

    5.7MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.