Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

Payload.exe

windows7-x64

10

Payload.exe

windows10-2004-x64

7

Resubmissions

07/02/2025, 12:37

250207-ptt65aslak 10

07/02/2025, 12:34

250207-prwl6sskak 10

07/02/2025, 12:31

250207-pqgfvssjcp 10

Analysis

  • max time kernel
    300s
  • max time network
    300s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    07/02/2025, 12:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payload.exe

  • Size

    83KB

  • MD5

    534f369ccf6412aedd991e525a1e72ff

  • SHA1

    7ac06b4a71634ea87c47aa4d95debaea98728d59

  • SHA256

    bd3ef02621b16846e829e9d7274553abfdeb189153a881c15b70f6e3b2f4ee8f

  • SHA512

    fab8374a454d0cfe7b48439fb84337216056124889d8f882007fec18555cf97c96bbcbedaf59c3b56f25198c5dc00c7d0427f8fe72875c57538c54fdec7eb281

  • SSDEEP

    1536:7eB1Gt0g5eEkG9WQcGDWX3xIEpmugSgytVlVqKu0UxYy0hAc:o1GtR1kG9WQnDWX3xIEpmsLRVqKnUxXB

Score
10/10
njratvictimcredential_accessdefense_evasiondiscoveryexecutionpersistencespywarestealertrojanupx

Malware Config

Extracted

Family

njrat

Version

<- NjRAT 0.7d Horror Edition ->

Botnet

Victim

C2

staff-tunisia.gl.at.ply.gg:47744

Mutex

3deffefe0e2775360ccb15d96c6aeb42

Attributes
  • reg_key

    3deffefe0e2775360ccb15d96c6aeb42

  • splitter

    Y262SUCZ4UJJ

Signatures

  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Stops running service(s) 4 TTPs
    defense_evasionexecution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 7 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Uses the VBS compiler for execution 1 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    defense_evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Payload.exe
    "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1624
    • C:\Users\Admin\AppData\Roaming\dllhost.exe
      "C:\Users\Admin\AppData\Roaming\dllhost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3016
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\Users\Admin\AppData\Roaming\dllhost.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2832
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3004
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Set-MpPreference -DisableRealtimeMonitoring $true
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2824
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c sc query windefend
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2980
        • C:\Windows\SysWOW64\sc.exe
          sc query windefend
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2896
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c sc stop windefend
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2888
        • C:\Windows\SysWOW64\sc.exe
          sc stop windefend
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2964
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c sc delete windefend
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2952
        • C:\Windows\SysWOW64\sc.exe
          sc delete windefend
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2984
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /delete /tn CleanSweepCheck /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2680
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn CleanSweepCheck /tr C:\Users\Admin\AppData\Roaming\dllhost.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2740
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\4150393"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2428
      • C:\Users\Admin\AppData\Local\Temp\90e15af7c7e24ee9be1650ecbb18d806.exe
        "C:\Users\Admin\AppData\Local\Temp\90e15af7c7e24ee9be1650ecbb18d806.exe"
        3⤵
        • Executes dropped EXE
        PID:112
      • C:\Users\Admin\AppData\Local\Temp\96db38792a704dfe8b8e02bb1664524a.exe
        "C:\Users\Admin\AppData\Local\Temp\96db38792a704dfe8b8e02bb1664524a.exe"
        3⤵
        • Executes dropped EXE
        PID:1904
      • C:\Users\Admin\AppData\Local\Temp\830dd93bd94040418122c064190eded4.exe
        "C:\Users\Admin\AppData\Local\Temp\830dd93bd94040418122c064190eded4.exe"
        3⤵
        • Executes dropped EXE
        PID:1656
      • C:\Users\Admin\AppData\Local\Temp\8b06a1eb28d946dcb0a8a81524a23d73.exe
        "C:\Users\Admin\AppData\Local\Temp\8b06a1eb28d946dcb0a8a81524a23d73.exe"
        3⤵
        • Executes dropped EXE
        PID:3060
      • C:\Users\Admin\AppData\Local\Temp\7d1d23a0120b41f2b9666169d63265f0.exe
        "C:\Users\Admin\AppData\Local\Temp\7d1d23a0120b41f2b9666169d63265f0.exe"
        3⤵
        • Executes dropped EXE
        PID:1440
      • C:\Users\Admin\AppData\Local\Temp\9f1f824778034fcdb1f66e56b69d4839.exe
        "C:\Users\Admin\AppData\Local\Temp\9f1f824778034fcdb1f66e56b69d4839.exe"
        3⤵
        • Executes dropped EXE
        PID:1732
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {1D6C92C7-72F9-4F58-8FE0-9DF969FC7467} S-1-5-21-2039016743-699959520-214465309-1000:PIDEURYY\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1180
    • C:\Users\Admin\AppData\Roaming\dllhost.exe
      C:\Users\Admin\AppData\Roaming\dllhost.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2216
    • C:\Users\Admin\AppData\Roaming\dllhost.exe
      C:\Users\Admin\AppData\Roaming\dllhost.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:668
    • C:\Users\Admin\AppData\Roaming\dllhost.exe
      C:\Users\Admin\AppData\Roaming\dllhost.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2384
    • C:\Users\Admin\AppData\Roaming\dllhost.exe
      C:\Users\Admin\AppData\Roaming\dllhost.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2276
    • C:\Users\Admin\AppData\Roaming\dllhost.exe
      C:\Users\Admin\AppData\Roaming\dllhost.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1504
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x1d4
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2244
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Impair Defenses

1
T1562

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\4150393
    Filesize

    399B

    MD5

    e4bf4f7accc657622fe419c0d62419ab

    SHA1

    c2856936dd3de05bad0da5ca94d6b521e40ab5a2

    SHA256

    b32fa68b79c5a7ceaa89e8e537efe33a963c499666202611329944bd2c09318e

    SHA512

    85dc223e39a16ddeba53a4b3d6c9eff14d30ec67dfda1e650da2c9057f640edd033a31868915a31caac0d325d240a7f634f62cd52fbd2adc68bd1d9cb6281431

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\90e15af7c7e24ee9be1650ecbb18d806.exe
    Filesize

    844KB

    MD5

    8cac1595b184f66d7a122af38d5dfe71

    SHA1

    e0bc0162472edf77a05134e77b540663ac050ab6

    SHA256

    00201a2fd4916193c9c7bbba7be6a77fa5876085480b67da4e1228fd8b23ae5f

    SHA512

    88d3753ce73bbf95ee1fdbdff21eb9331e59ca92cfa5c489f141c07dc90871e3032e331c9dd77b1fec4522add3ac25c51d5c699d7801a5343dd2ae447c60f8f8

    Download Submit

  • \Users\Admin\AppData\Local\Temp\96db38792a704dfe8b8e02bb1664524a.exe
    Filesize

    997KB

    MD5

    28aaac578be4ce06cb695e4f927b4302

    SHA1

    880ab0560b81e05e920f9ec1d6c0ecf5e04eaa7e

    SHA256

    8929d3b749ff91527b8e407eff6bde4bb0bb27739313b5c0db0434cbf700dbfc

    SHA512

    068698bda0543c773b36830f6760456e40e9046d9d20089ad88cb646ef5c7bd6c6716c6d59cfc7abd5bffb9129f5a7076e2f9c9b321795f224923f00b7b91374

    Download Submit

  • \Users\Admin\AppData\Roaming\dllhost.exe
    Filesize

    83KB

    MD5

    534f369ccf6412aedd991e525a1e72ff

    SHA1

    7ac06b4a71634ea87c47aa4d95debaea98728d59

    SHA256

    bd3ef02621b16846e829e9d7274553abfdeb189153a881c15b70f6e3b2f4ee8f

    SHA512

    fab8374a454d0cfe7b48439fb84337216056124889d8f882007fec18555cf97c96bbcbedaf59c3b56f25198c5dc00c7d0427f8fe72875c57538c54fdec7eb281

    Download Submit

  • memory/1624-0-0x0000000074A61000-0x0000000074A62000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1624-1-0x0000000074A60000-0x000000007500B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1624-2-0x0000000074A60000-0x000000007500B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1624-10-0x0000000074A60000-0x000000007500B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2428-21-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

    Download

  • memory/2428-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2428-27-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

    Download

  • memory/2428-23-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

    Download

  • memory/2428-19-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

    Download

  • memory/2428-28-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

    Download

  • memory/2428-29-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

    Download

  • memory/2428-35-0x0000000000400000-0x0000000000472000-memory.dmp

    Filesize

    456KB

    Download

  • memory/3016-16-0x0000000074A60000-0x000000007500B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3016-12-0x0000000074A60000-0x000000007500B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3016-11-0x0000000074A60000-0x000000007500B000-memory.dmp

    Filesize

    5.7MB

    Download