Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

Setup_Upda...te.exe

windows7-x64

10

Setup_Upda...te.exe

windows10-2004-x64

8

Setup_Upda...rv.dll

windows10-2004-x64

7

Setup_Upda...nk.dll

windows10-2004-x64

7

Setup_Update/hmkd.dll

windows10-2004-x64

1

Setup_Upda...fg.dll

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Setup_Update.zip

  • Size

    346KB

  • Sample

    250123-zq16dasqbz

  • MD5

    eb751de314ba1859e4fa6ace8ac7bc51

  • SHA1

    c47e21d1db58017a96811bf73d96933f0bafb0ce

  • SHA256

    ea98c9bf854db4937cdd2f7430d21d72169cb3a5f676ffc41e71659b250438d2

  • SHA512

    c8b7547b90498d20790ab941642b8e128e75ea9585c7dd749805e597cd214720d23e5d4761b8fbea058bc28a5343c2dc123e9a251da2ea72cc7584f6648713ca

  • SSDEEP

    6144:jnVs5WDMq+8Z+hn5dXsPx9+HCwIsKDQeWVIbZhholaE4bX:7yMDMq+8Zonv8Z98QpeGZXola1bX

Score
10/10
njrathackdefense_evasiondiscoverypersistenceprivilege_escalationtrojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HACK

C2

35.159.113.6:1337

Mutex

d8dd25933bbb5fc191f7e51a861b997a

Attributes
  • reg_key

    d8dd25933bbb5fc191f7e51a861b997a

  • splitter

    |'|'|

Targets

    • Target

      Setup_Update/SetupUpdate.exe

    • Size

      37KB

    • MD5

      4389854ab6bd814b908dbe1c68e23845

    • SHA1

      a4f2e5c7b686105c6d9100b71fbd6b028cf530d9

    • SHA256

      a49aca0e07fbf1c5f485c12ba3b49c50a843a739c891e2c91d150764599ab6c3

    • SHA512

      aa4403e28a0001d9c259f8ce4b3e4f2ed9649fc58fd8a2f1ec12141a819b9751b5c012f06b5caad8f6656ae06224b1b134e31932f8e3ce2c4c0fd387028384e1

    • SSDEEP

      384:P/2m3hUidkiXR21cGMy8PuuRXBiFlK6IurAF+rMRTyN/0L+EcoinblneHQM3epz9:n2m3VLGv8PuuR066XrM+rMRa8Nuvdt

    Score
    10/10
    njrathackdefense_evasiondiscoverypersistenceprivilege_escalationtrojan

    • Njrat family

      njrat

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Modifies Windows Firewall

      defense_evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

    • Target

      Setup_Update/hidserv.dll

    • Size

      56KB

    • MD5

      1969d81e14152856fd487a773740700d

    • SHA1

      fe8c2191fdedef664807a8dc42fd675985e262a4

    • SHA256

      5794a44a7c0236090f9a3eaabd4d3981b7bb36aeb65efcec8e096ffafe49d3a0

    • SHA512

      e67b65b0be445241d89629ae17f053ddbc4414429e2fc1c1f533781102928895583dbdccd3a201f146bb9268e86905745bcbc5fd80e50dc7028b8c8fbae3003b

    • SSDEEP

      768:D1wpKL4nq5QJXMvhaqJuzX8I8S2cpODc6cBS+4+9rK:hAnAQXscZvpOwPwIu

    Score
    7/10
    discoverypersistenceprivilege_escalation

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Modifies system executable filetype association

      persistence
    behavioral3

    • Target

      Setup_Update/hlink.dll

    • Size

      160KB

    • MD5

      8342acb306d837da7627f58159ebd910

    • SHA1

      90d84bb0b369d13c38d30e40b6a7c83481e330da

    • SHA256

      4aa272633cf76867a6029fb54c8de50441b8df3b5e11cb956edacdc0cbb19e78

    • SHA512

      e38e174b508c43531e497d8c48dcbc7121cc4744c2680b5f17164f4340032f9336cd1ddc3049a5b33bf93663ebc9d71262b84cd73a298514bf6fd4871879a406

    • SSDEEP

      3072:SkvtlaOK/CxHHUpvA8Yk/j+eI6CbiMLPdJSKsQkfzB+PlhjPvp41h9dL0s2Ko2IG:SkllaOK/CtHU5A8Yk/j+eI6CbiMLPdJq

    Score
    7/10
    persistenceprivilege_escalation

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation
    behavioral4

    • Target

      Setup_Update/hmkd.dll

    • Size

      80KB

    • MD5

      258daa23beb5c5a06f87a3ab88462102

    • SHA1

      b974e56114aeecc3abd0c6a97449e6ddcb186545

    • SHA256

      74e20a558bc612f9aafa3d2a38b15015429816fbb461cafa1bc79d954448153a

    • SHA512

      ffc0f3b8836609cedeca27311750395cd75b1b18d9b0a31c6f28573f2a4e33718814e0f2e4b34be06042526220cc2bde25130025f62591b175dd733258c1e909

    • SSDEEP

      1536:p5Ch7DaNQg1ut82AA8Sr3S+vDpj/8SY9O4:p5ChHaWuSrC+Fj/8Sj4

    Score
    1/10
    behavioral5

    • Target

      Setup_Update/hnetcfg.dll

    • Size

      497KB

    • MD5

      3d3632994a7f06aa528e203b98982f0d

    • SHA1

      4602f4a7793ae16cb96e69d73a11639524cf5262

    • SHA256

      b71ae6f590a0db09fdcf16671c78da41cfa2a3f52f5893a0a9345e618b69942e

    • SHA512

      f67e758491a0634b6c195ca6d00996ff1ae886706d178e6ddc1b8bf7d01200c3b3e2353a0274f781b37717583c6d3cfa642be732fc9bf289cab4acccb98fbff7

    • SSDEEP

      12288:KBRqMSP8ZQHlazwS77KxebbeHXDjXrOrcebhBo5zQc6GiNql+2kOkyFLCHzw9cFN:MRqMSTHUzwYKEbbeHvrOrcebhBo5zQcQ

    Score
    1/10
    behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

3
T1546

Change Default File Association

1
T1546.001

Component Object Model Hijacking

1
T1546.015

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

3
T1546

Change Default File Association

1
T1546.001

Component Object Model Hijacking

1
T1546.015

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks