Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

9cf9f7182f...c9.exe

windows7-x64

10

9cf9f7182f...c9.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    116s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    19/01/2025, 18:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9cf9f7182fc6d0c17d3ebb75273ad4a861b44fb318c94f71a719723646cc3ec9.exe

  • Size

    136KB

  • MD5

    79500f7c4b6cf21732b6ef0414c2dfa7

  • SHA1

    512a900a0b8bbddca9071fa91958fc2ed8e1e10c

  • SHA256

    9cf9f7182fc6d0c17d3ebb75273ad4a861b44fb318c94f71a719723646cc3ec9

  • SHA512

    2098e52b357864b22e3f40b6d5e1bb0a830aa874eb0c6b8ad44aa04e318b810885d33806a2a67b915ed142d146fa0f702fe5c1d2eb495c34fb030b69e5481dcc

  • SSDEEP

    1536:OWzOx6baIa9RIj00ljEwzGi1dD3DXgSAhA4OK4VVpuXQQdo3MU:OWLbaIa9ijNSi1dnQD9Rea3I

Score
10/10
njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

127.0.0.1:5552
Mutex

a673af9338ff8860401a647b33db3833

Attributes
  • reg_key

    a673af9338ff8860401a647b33db3833

  • splitter

    |'|'|

Signatures

  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Disables Task Manager via registry modification
    evasion
  • Modifies Windows Firewall 2 TTPs 28 IoCs
    evasion
  • Drops startup file 22 IoCs
  • Executes dropped EXE 19 IoCs
  • Loads dropped DLL 38 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: GetForegroundWindowSpam 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9cf9f7182fc6d0c17d3ebb75273ad4a861b44fb318c94f71a719723646cc3ec9.exe
    "C:\Users\Admin\AppData\Local\Temp\9cf9f7182fc6d0c17d3ebb75273ad4a861b44fb318c94f71a719723646cc3ec9.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:908
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops autorun.inf file
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:2192
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2212
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2620
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2640
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3068
        • C:\Users\Admin\AppData\Local\Temp\server.exe
          "C:\Users\Admin\AppData\Local\Temp\server.exe"
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of WriteProcessMemory
          PID:2040
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:2688
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:1852
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:1592
          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:988
            • C:\Users\Admin\AppData\Local\Temp\server.exe
              "C:\Users\Admin\AppData\Local\Temp\server.exe"
              6⤵
              • Drops startup file
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of WriteProcessMemory
              PID:2548
              • C:\Windows\SysWOW64\netsh.exe
                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                7⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                • System Location Discovery: System Language Discovery
                PID:888
              • C:\Windows\SysWOW64\netsh.exe
                netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                7⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                • System Location Discovery: System Language Discovery
                PID:1980
              • C:\Windows\SysWOW64\netsh.exe
                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                7⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                • System Location Discovery: System Language Discovery
                PID:1596
              • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:600
                • C:\Users\Admin\AppData\Local\Temp\server.exe
                  "C:\Users\Admin\AppData\Local\Temp\server.exe"
                  8⤵
                  • Drops startup file
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: GetForegroundWindowSpam
                  PID:1712
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                    9⤵
                    • Modifies Windows Firewall
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:2260
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                    9⤵
                    • Modifies Windows Firewall
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:2840
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                    9⤵
                    • Modifies Windows Firewall
                    • Event Triggered Execution: Netsh Helper DLL
                    • System Location Discovery: System Language Discovery
                    PID:2084
                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                    9⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • System Location Discovery: System Language Discovery
                    PID:2636
                    • C:\Users\Admin\AppData\Local\Temp\server.exe
                      "C:\Users\Admin\AppData\Local\Temp\server.exe"
                      10⤵
                      • Drops startup file
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: GetForegroundWindowSpam
                      PID:1388
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                        11⤵
                        • Modifies Windows Firewall
                        • Event Triggered Execution: Netsh Helper DLL
                        • System Location Discovery: System Language Discovery
                        PID:1112
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                        11⤵
                        • Modifies Windows Firewall
                        • Event Triggered Execution: Netsh Helper DLL
                        • System Location Discovery: System Language Discovery
                        PID:2228
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                        11⤵
                        • Modifies Windows Firewall
                        • Event Triggered Execution: Netsh Helper DLL
                        • System Location Discovery: System Language Discovery
                        PID:2920
                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                        11⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • System Location Discovery: System Language Discovery
                        PID:2396
                        • C:\Users\Admin\AppData\Local\Temp\server.exe
                          "C:\Users\Admin\AppData\Local\Temp\server.exe"
                          12⤵
                          • Drops startup file
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: GetForegroundWindowSpam
                          PID:2988
                          • C:\Windows\SysWOW64\netsh.exe
                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                            13⤵
                            • Modifies Windows Firewall
                            • Event Triggered Execution: Netsh Helper DLL
                            • System Location Discovery: System Language Discovery
                            PID:2768
                          • C:\Windows\SysWOW64\netsh.exe
                            netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                            13⤵
                            • Modifies Windows Firewall
                            • Event Triggered Execution: Netsh Helper DLL
                            • System Location Discovery: System Language Discovery
                            PID:2180
                          • C:\Windows\SysWOW64\netsh.exe
                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                            13⤵
                            • Modifies Windows Firewall
                            • Event Triggered Execution: Netsh Helper DLL
                            • System Location Discovery: System Language Discovery
                            PID:1240
                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                            13⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • System Location Discovery: System Language Discovery
                            PID:596
                            • C:\Users\Admin\AppData\Local\Temp\server.exe
                              "C:\Users\Admin\AppData\Local\Temp\server.exe"
                              14⤵
                              • Drops startup file
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • System Location Discovery: System Language Discovery
                              • Suspicious behavior: GetForegroundWindowSpam
                              PID:1872
                              • C:\Windows\SysWOW64\netsh.exe
                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                15⤵
                                • Modifies Windows Firewall
                                • Event Triggered Execution: Netsh Helper DLL
                                • System Location Discovery: System Language Discovery
                                PID:3012
                              • C:\Windows\SysWOW64\netsh.exe
                                netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                15⤵
                                • Modifies Windows Firewall
                                • Event Triggered Execution: Netsh Helper DLL
                                • System Location Discovery: System Language Discovery
                                PID:2280
                              • C:\Windows\SysWOW64\netsh.exe
                                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                15⤵
                                • Modifies Windows Firewall
                                • Event Triggered Execution: Netsh Helper DLL
                                • System Location Discovery: System Language Discovery
                                PID:1580
                              • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                15⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • System Location Discovery: System Language Discovery
                                PID:772
                                • C:\Users\Admin\AppData\Local\Temp\server.exe
                                  "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                  16⤵
                                  • Drops startup file
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious behavior: GetForegroundWindowSpam
                                  PID:2748
                                  • C:\Windows\SysWOW64\netsh.exe
                                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                    17⤵
                                    • Modifies Windows Firewall
                                    • Event Triggered Execution: Netsh Helper DLL
                                    • System Location Discovery: System Language Discovery
                                    PID:2408
                                  • C:\Windows\SysWOW64\netsh.exe
                                    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                    17⤵
                                    • Modifies Windows Firewall
                                    • Event Triggered Execution: Netsh Helper DLL
                                    • System Location Discovery: System Language Discovery
                                    PID:2616
                                  • C:\Windows\SysWOW64\netsh.exe
                                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                    17⤵
                                    • Modifies Windows Firewall
                                    • Event Triggered Execution: Netsh Helper DLL
                                    • System Location Discovery: System Language Discovery
                                    PID:3060
                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                    17⤵
                                    • Executes dropped EXE
                                    • Loads dropped DLL
                                    • System Location Discovery: System Language Discovery
                                    PID:2712
                                    • C:\Users\Admin\AppData\Local\Temp\server.exe
                                      "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                      18⤵
                                      • Drops startup file
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious behavior: GetForegroundWindowSpam
                                      PID:2648
                                      • C:\Windows\SysWOW64\netsh.exe
                                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                        19⤵
                                        • Modifies Windows Firewall
                                        • Event Triggered Execution: Netsh Helper DLL
                                        • System Location Discovery: System Language Discovery
                                        PID:1764
                                      • C:\Windows\SysWOW64\netsh.exe
                                        netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                        19⤵
                                        • Modifies Windows Firewall
                                        • Event Triggered Execution: Netsh Helper DLL
                                        • System Location Discovery: System Language Discovery
                                        PID:2764
                                      • C:\Windows\SysWOW64\netsh.exe
                                        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                        19⤵
                                        • Modifies Windows Firewall
                                        • Event Triggered Execution: Netsh Helper DLL
                                        • System Location Discovery: System Language Discovery
                                        PID:2940
                                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
                                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
                                        19⤵
                                        • Executes dropped EXE
                                        • Loads dropped DLL
                                        • System Location Discovery: System Language Discovery
                                        PID:2920
                                        • C:\Users\Admin\AppData\Local\Temp\server.exe
                                          "C:\Users\Admin\AppData\Local\Temp\server.exe"
                                          20⤵
                                          • Drops startup file
                                          • Executes dropped EXE
                                          • System Location Discovery: System Language Discovery
                                          PID:868
                                          • C:\Windows\SysWOW64\netsh.exe
                                            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                                            21⤵
                                            • Modifies Windows Firewall
                                            • Event Triggered Execution: Netsh Helper DLL
                                            • System Location Discovery: System Language Discovery
                                            PID:1880

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\melt.txt
    Filesize

    44B

    MD5

    298802dff6aa26d4fb941c7ccf5c0849

    SHA1

    11e518ca3409f1863ebc2d3f1be9fb701bad52c0

    SHA256

    df99fdbdf7b92b29b1bf1ca4283b4de2e04643b9739d2d1089ab5808e8e5665d

    SHA512

    0301017dfef1b74855d6535f3fd542257689479cb933c2e8742b5b6b94e26107fa38e7fc21bdb83d45184750eced344856092330fb30a1ebbc24b2b9004c8946

    Download Submit

  • C:\Users\Admin\AppData\Roaming\app
    Filesize

    5B

    MD5

    2099bb64fd1770d321df364f99b658d1

    SHA1

    3124edeaa14c060becfa8b980ed77db15d56a9e3

    SHA256

    d53ce6bdbd0c3cb4596ac3103f15824570a9858da95f63cedf64cec11dc44e2d

    SHA512

    3481f2a02f7b1255ad0f3cd8a716de9c7414753b6f8657f0bf99738ff6623f8717469bc10e737d6c0d1d13846e726d50baeb5e8ef73efcfce7be5c63327c4895

    Download Submit

  • \Users\Admin\AppData\Local\Temp\server.exe
    Filesize

    136KB

    MD5

    79500f7c4b6cf21732b6ef0414c2dfa7

    SHA1

    512a900a0b8bbddca9071fa91958fc2ed8e1e10c

    SHA256

    9cf9f7182fc6d0c17d3ebb75273ad4a861b44fb318c94f71a719723646cc3ec9

    SHA512

    2098e52b357864b22e3f40b6d5e1bb0a830aa874eb0c6b8ad44aa04e318b810885d33806a2a67b915ed142d146fa0f702fe5c1d2eb495c34fb030b69e5481dcc

    Download Submit

  • memory/908-0-0x00000000748E1000-0x00000000748E2000-memory.dmp

    Filesize

    4KB

    Download

  • memory/908-1-0x00000000748E0000-0x0000000074E8B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/908-2-0x00000000748E0000-0x0000000074E8B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/908-14-0x00000000748E0000-0x0000000074E8B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2192-15-0x00000000748E0000-0x0000000074E8B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2192-16-0x00000000748E0000-0x0000000074E8B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2192-29-0x00000000748E0000-0x0000000074E8B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2192-49-0x00000000748E0000-0x0000000074E8B000-memory.dmp

    Filesize

    5.7MB

    Download