Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

febb8bb939...49.exe

windows7-x64

10

febb8bb939...49.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04/02/2025, 07:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    febb8bb939db969aebc42c70ed6e96dff895b116fd049b6c4f85f9a90ad1bc49.exe

  • Size

    240KB

  • MD5

    6df5520cdae8ba7dbc37ad82e7a9295f

  • SHA1

    a8814cf76350dc1ecf79bc47fb9ca366695be621

  • SHA256

    febb8bb939db969aebc42c70ed6e96dff895b116fd049b6c4f85f9a90ad1bc49

  • SHA512

    749e4dc974b56eeaefd81f585dc26492404c836a804eebd368d2cd226688001fa26fb198e9da4fbf5db34014952c3561e373aef2001a60c0d6bb545e8112a84f

  • SSDEEP

    6144:3+x9BQjb3N0X9I2MeYwxzy8yfEn2/seQA:Oi3c9tMSyncneZ

Score
10/10
njratvictimtrojan

Malware Config

Extracted

Family

njrat

Version

<- NjRAT 0.7d Horror Edition ->

Botnet

Victim

C2

127.0.0.1:4444

Mutex

d099d73cec5e8c22e0945821b611e5d5

Attributes
  • reg_key

    d099d73cec5e8c22e0945821b611e5d5

  • splitter

    Y262SUCZ4UJJ

Signatures

  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Executes dropped EXE 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\febb8bb939db969aebc42c70ed6e96dff895b116fd049b6c4f85f9a90ad1bc49.exe
    "C:\Users\Admin\AppData\Local\Temp\febb8bb939db969aebc42c70ed6e96dff895b116fd049b6c4f85f9a90ad1bc49.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1736
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {D80F98C4-2436-4A3A-BF7B-B9CB84DD9790} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Users\Admin\AppData\Roaming\winlogon.exe
      C:\Users\Admin\AppData\Roaming\winlogon.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2352

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\winlogon.exe
    Filesize

    240KB

    MD5

    6df5520cdae8ba7dbc37ad82e7a9295f

    SHA1

    a8814cf76350dc1ecf79bc47fb9ca366695be621

    SHA256

    febb8bb939db969aebc42c70ed6e96dff895b116fd049b6c4f85f9a90ad1bc49

    SHA512

    749e4dc974b56eeaefd81f585dc26492404c836a804eebd368d2cd226688001fa26fb198e9da4fbf5db34014952c3561e373aef2001a60c0d6bb545e8112a84f

    Download Submit

  • memory/1736-0-0x000007FEF5C13000-0x000007FEF5C14000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1736-1-0x0000000000090000-0x00000000000D2000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1736-4-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2352-8-0x000007FEF5223000-0x000007FEF5224000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2352-9-0x0000000000B50000-0x0000000000B92000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2352-10-0x000007FEF5220000-0x000007FEF5C0C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2352-11-0x0000000000160000-0x0000000000174000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2352-12-0x000007FEF5220000-0x000007FEF5C0C000-memory.dmp

    Filesize

    9.9MB

    Download