Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

febb8bb939...49.exe

windows7-x64

10

febb8bb939...49.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/02/2025, 07:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    febb8bb939db969aebc42c70ed6e96dff895b116fd049b6c4f85f9a90ad1bc49.exe

  • Size

    240KB

  • MD5

    6df5520cdae8ba7dbc37ad82e7a9295f

  • SHA1

    a8814cf76350dc1ecf79bc47fb9ca366695be621

  • SHA256

    febb8bb939db969aebc42c70ed6e96dff895b116fd049b6c4f85f9a90ad1bc49

  • SHA512

    749e4dc974b56eeaefd81f585dc26492404c836a804eebd368d2cd226688001fa26fb198e9da4fbf5db34014952c3561e373aef2001a60c0d6bb545e8112a84f

  • SSDEEP

    6144:3+x9BQjb3N0X9I2MeYwxzy8yfEn2/seQA:Oi3c9tMSyncneZ

Score
10/10
njratvictimtrojan

Malware Config

Extracted

Family

njrat

Version

<- NjRAT 0.7d Horror Edition ->

Botnet

Victim

C2

127.0.0.1:4444

Mutex

d099d73cec5e8c22e0945821b611e5d5

Attributes
  • reg_key

    d099d73cec5e8c22e0945821b611e5d5

  • splitter

    Y262SUCZ4UJJ

Signatures

  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Executes dropped EXE 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\febb8bb939db969aebc42c70ed6e96dff895b116fd049b6c4f85f9a90ad1bc49.exe
    "C:\Users\Admin\AppData\Local\Temp\febb8bb939db969aebc42c70ed6e96dff895b116fd049b6c4f85f9a90ad1bc49.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2744
  • C:\Users\Admin\AppData\Roaming\winlogon.exe
    C:\Users\Admin\AppData\Roaming\winlogon.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2312

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\winlogon.exe
    Filesize

    240KB

    MD5

    6df5520cdae8ba7dbc37ad82e7a9295f

    SHA1

    a8814cf76350dc1ecf79bc47fb9ca366695be621

    SHA256

    febb8bb939db969aebc42c70ed6e96dff895b116fd049b6c4f85f9a90ad1bc49

    SHA512

    749e4dc974b56eeaefd81f585dc26492404c836a804eebd368d2cd226688001fa26fb198e9da4fbf5db34014952c3561e373aef2001a60c0d6bb545e8112a84f

    Download Submit

  • memory/2312-8-0x00007FF8AE1D0000-0x00007FF8AEC91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2312-10-0x0000000000C00000-0x0000000000C14000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2312-9-0x00007FF8AE1D0000-0x00007FF8AEC91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2312-12-0x00007FF8AE1D0000-0x00007FF8AEC91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2312-13-0x00007FF8AE1D0000-0x00007FF8AEC91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2744-0-0x00007FF8AE1D3000-0x00007FF8AE1D5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2744-1-0x0000000000130000-0x0000000000172000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2744-5-0x00007FF8AE1D0000-0x00007FF8AEC91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2744-11-0x00007FF8AE1D0000-0x00007FF8AEC91000-memory.dmp

    Filesize

    10.8MB

    Download