Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

fac004943c...6N.exe

windows7-x64

10

fac004943c...6N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    117s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/02/2025, 07:56 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fac004943c463cf3a62bee95962beea85e0c1b9f5e4ca491873c2d5d6f681b86N.exe

  • Size

    23KB

  • MD5

    19a8710cbb5a9b606617c48c2e528080

  • SHA1

    c2d291b5fa122057a05cb67f76fc93b676615f90

  • SHA256

    fac004943c463cf3a62bee95962beea85e0c1b9f5e4ca491873c2d5d6f681b86

  • SHA512

    c10b64057dc8452605a3f574849b058c775ee28161c1bf902950cfe9d4c7fcb1e67b5d19791b5d4f31a9257b84725f71234a399f5b6214b23745a07b76acfeb8

  • SSDEEP

    384:d/KPBfWhERYoBX16XuIeMHNw6Tg1Y6eeTFmRvR6JZlbw8hqIusZzZN4:u44P1InRpcnuB

Score
10/10
njratdefense_evasiondiscoverypersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    defense_evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fac004943c463cf3a62bee95962beea85e0c1b9f5e4ca491873c2d5d6f681b86N.exe
    "C:\Users\Admin\AppData\Local\Temp\fac004943c463cf3a62bee95962beea85e0c1b9f5e4ca491873c2d5d6f681b86N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3436
    • C:\Users\Admin\AppData\Local\Temp\netrefleactor.exe
      "C:\Users\Admin\AppData\Local\Temp\netrefleactor.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4840
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\netrefleactor.exe" "netrefleactor.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:1500

Network

  • flag-us
    DNS
    128.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    128.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-gb
    GET
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    Remote address:
    88.221.135.51:443
    Request
    GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
    host: www.bing.com
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-type: image/png
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    content-length: 1107
    date: Wed, 05 Feb 2025 07:56:52 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.3f367a5c.1738742212.157877a
  • flag-us
    DNS
    167.173.78.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    167.173.78.104.in-addr.arpa
    IN PTR
    Response
    167.173.78.104.in-addr.arpa
    IN PTR
    a104-78-173-167deploystaticakamaitechnologiescom
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    57.169.31.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    57.169.31.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    51.135.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    51.135.221.88.in-addr.arpa
    IN PTR
    Response
    51.135.221.88.in-addr.arpa
    IN PTR
    a88-221-135-51deploystaticakamaitechnologiescom
  • flag-us
    DNS
    riad-imss.ddns.net
    netrefleactor.exe
    Remote address:
    8.8.8.8:53
    Request
    riad-imss.ddns.net
    IN A
    Response
  • flag-us
    DNS
    riad-imss.ddns.net
    netrefleactor.exe
    Remote address:
    8.8.8.8:53
    Request
    riad-imss.ddns.net
    IN A
    Response
  • flag-us
    DNS
    riad-imss.ddns.net
    netrefleactor.exe
    Remote address:
    8.8.8.8:53
    Request
    riad-imss.ddns.net
    IN A
    Response
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    riad-imss.ddns.net
    netrefleactor.exe
    Remote address:
    8.8.8.8:53
    Request
    riad-imss.ddns.net
    IN A
    Response
  • flag-us
    DNS
    riad-imss.ddns.net
    netrefleactor.exe
    Remote address:
    8.8.8.8:53
    Request
    riad-imss.ddns.net
    IN A
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    riad-imss.ddns.net
    netrefleactor.exe
    Remote address:
    8.8.8.8:53
    Request
    riad-imss.ddns.net
    IN A
    Response
  • flag-us
    DNS
    riad-imss.ddns.net
    netrefleactor.exe
    Remote address:
    8.8.8.8:53
    Request
    riad-imss.ddns.net
    IN A
    Response
  • flag-us
    DNS
    riad-imss.ddns.net
    netrefleactor.exe
    Remote address:
    8.8.8.8:53
    Request
    riad-imss.ddns.net
    IN A
    Response
  • flag-us
    DNS
    riad-imss.ddns.net
    netrefleactor.exe
    Remote address:
    8.8.8.8:53
    Request
    riad-imss.ddns.net
    IN A
    Response
  • flag-us
    DNS
    riad-imss.ddns.net
    netrefleactor.exe
    Remote address:
    8.8.8.8:53
    Request
    riad-imss.ddns.net
    IN A
    Response
  • flag-us
    DNS
    riad-imss.ddns.net
    netrefleactor.exe
    Remote address:
    8.8.8.8:53
    Request
    riad-imss.ddns.net
    IN A
    Response
  • flag-us
    DNS
    riad-imss.ddns.net
    netrefleactor.exe
    Remote address:
    8.8.8.8:53
    Request
    riad-imss.ddns.net
    IN A
    Response
  • flag-us
    DNS
    riad-imss.ddns.net
    netrefleactor.exe
    Remote address:
    8.8.8.8:53
    Request
    riad-imss.ddns.net
    IN A
    Response
  • flag-us
    DNS
    riad-imss.ddns.net
    netrefleactor.exe
    Remote address:
    8.8.8.8:53
    Request
    riad-imss.ddns.net
    IN A
    Response
  • flag-us
    DNS
    30.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    30.243.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    riad-imss.ddns.net
    netrefleactor.exe
    Remote address:
    8.8.8.8:53
    Request
    riad-imss.ddns.net
    IN A
    Response
  • flag-us
    DNS
    riad-imss.ddns.net
    netrefleactor.exe
    Remote address:
    8.8.8.8:53
    Request
    riad-imss.ddns.net
    IN A
    Response
  • flag-us
    DNS
    riad-imss.ddns.net
    netrefleactor.exe
    Remote address:
    8.8.8.8:53
    Request
    riad-imss.ddns.net
    IN A
    Response
  • flag-us
    DNS
    riad-imss.ddns.net
    netrefleactor.exe
    Remote address:
    8.8.8.8:53
    Request
    riad-imss.ddns.net
    IN A
    Response
  • flag-us
    DNS
    riad-imss.ddns.net
    netrefleactor.exe
    Remote address:
    8.8.8.8:53
    Request
    riad-imss.ddns.net
    IN A
  • 88.221.135.51:443
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    tls, http2
    1.5kB
     6.4kB
     17
    13

    HTTP Request

    GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

    HTTP Response

    200
  • 8.8.8.8:53
    128.159.190.20.in-addr.arpa
    dns
    73 B
     159 B
     1
    1

    DNS Request

    128.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    167.173.78.104.in-addr.arpa
    dns
    73 B
     139 B
     1
    1

    DNS Request

    167.173.78.104.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    57.169.31.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    57.169.31.20.in-addr.arpa

  • 8.8.8.8:53
    51.135.221.88.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    51.135.221.88.in-addr.arpa

  • 8.8.8.8:53
    riad-imss.ddns.net
    dns
    netrefleactor.exe
    64 B
     124 B
     1
    1

    DNS Request

    riad-imss.ddns.net

  • 8.8.8.8:53
    riad-imss.ddns.net
    dns
    netrefleactor.exe
    64 B
     124 B
     1
    1

    DNS Request

    riad-imss.ddns.net

  • 8.8.8.8:53
    riad-imss.ddns.net
    dns
    netrefleactor.exe
    64 B
     124 B
     1
    1

    DNS Request

    riad-imss.ddns.net

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
     156 B
     1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    riad-imss.ddns.net
    dns
    netrefleactor.exe
    128 B
     124 B
     2
    1

    DNS Request

    riad-imss.ddns.net

    DNS Request

    riad-imss.ddns.net

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    riad-imss.ddns.net
    dns
    netrefleactor.exe
    64 B
     124 B
     1
    1

    DNS Request

    riad-imss.ddns.net

  • 8.8.8.8:53
    riad-imss.ddns.net
    dns
    netrefleactor.exe
    64 B
     124 B
     1
    1

    DNS Request

    riad-imss.ddns.net

  • 8.8.8.8:53
    riad-imss.ddns.net
    dns
    netrefleactor.exe
    64 B
     124 B
     1
    1

    DNS Request

    riad-imss.ddns.net

  • 8.8.8.8:53
    riad-imss.ddns.net
    dns
    netrefleactor.exe
    64 B
     124 B
     1
    1

    DNS Request

    riad-imss.ddns.net

  • 8.8.8.8:53
    riad-imss.ddns.net
    dns
    netrefleactor.exe
    64 B
     124 B
     1
    1

    DNS Request

    riad-imss.ddns.net

  • 8.8.8.8:53
    riad-imss.ddns.net
    dns
    netrefleactor.exe
    64 B
     124 B
     1
    1

    DNS Request

    riad-imss.ddns.net

  • 8.8.8.8:53
    riad-imss.ddns.net
    dns
    netrefleactor.exe
    64 B
     124 B
     1
    1

    DNS Request

    riad-imss.ddns.net

  • 8.8.8.8:53
    riad-imss.ddns.net
    dns
    netrefleactor.exe
    64 B
     124 B
     1
    1

    DNS Request

    riad-imss.ddns.net

  • 8.8.8.8:53
    riad-imss.ddns.net
    dns
    netrefleactor.exe
    64 B
     124 B
     1
    1

    DNS Request

    riad-imss.ddns.net

  • 8.8.8.8:53
    30.243.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    30.243.111.52.in-addr.arpa

  • 8.8.8.8:53
    riad-imss.ddns.net
    dns
    netrefleactor.exe
    64 B
     124 B
     1
    1

    DNS Request

    riad-imss.ddns.net

  • 8.8.8.8:53
    riad-imss.ddns.net
    dns
    netrefleactor.exe
    64 B
     124 B
     1
    1

    DNS Request

    riad-imss.ddns.net

  • 8.8.8.8:53
    riad-imss.ddns.net
    dns
    netrefleactor.exe
    64 B
     124 B
     1
    1

    DNS Request

    riad-imss.ddns.net

  • 8.8.8.8:53
    riad-imss.ddns.net
    dns
    netrefleactor.exe
    128 B
     124 B
     2
    1

    DNS Request

    riad-imss.ddns.net

    DNS Request

    riad-imss.ddns.net

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\netrefleactor.exe
    Filesize

    23KB

    MD5

    19a8710cbb5a9b606617c48c2e528080

    SHA1

    c2d291b5fa122057a05cb67f76fc93b676615f90

    SHA256

    fac004943c463cf3a62bee95962beea85e0c1b9f5e4ca491873c2d5d6f681b86

    SHA512

    c10b64057dc8452605a3f574849b058c775ee28161c1bf902950cfe9d4c7fcb1e67b5d19791b5d4f31a9257b84725f71234a399f5b6214b23745a07b76acfeb8

    Download Submit

  • memory/3436-0-0x00000000749D2000-0x00000000749D3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3436-1-0x00000000749D0000-0x0000000074F81000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3436-2-0x00000000749D0000-0x0000000074F81000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3436-13-0x00000000749D0000-0x0000000074F81000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4840-12-0x00000000749D0000-0x0000000074F81000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4840-14-0x00000000749D0000-0x0000000074F81000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4840-16-0x00000000749D0000-0x0000000074F81000-memory.dmp

    Filesize

    5.7MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.