Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

nkth.exe

windows10-ltsc 2021-x64

nkth.exe

windows7-x64

nkth.exe

windows10-2004-x64

10

nkth.exe

windows10-ltsc 2021-x64

10

nkth.exe

windows11-21h2-x64

Analysis

  • max time kernel
    825s
  • max time network
    830s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    08/02/2025, 11:38

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    nkth.exe

  • Size

    55KB

  • MD5

    33644523cb6a6c01bbf2dd5c3a97aafc

  • SHA1

    7fd0d35a09a32693d30ffdb49ecd69c1229d2a20

  • SHA256

    e451ebc803766d533d92baf458485284fb64cc3e8d4491cf410ea7fb2d5ded45

  • SHA512

    43bddd6e1cd6acf040fec6d2b51afd86daa0f5f8ef7990b7dab2e9a42bdcdec5fede30d0510e6fdfd1cb08a4028e5057061f7c4e91a8b5a300ae1af9505cef2b

  • SSDEEP

    1536:5EOADn6cpNPmSpVcDGiwsNMDdXExI3pmsm:bADn6cPzLcDGiwsNMDdXExI3pm

Score
10/10
njratdiscoverytrojan

Malware Config

Signatures

  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\nkth.exe
    "C:\Users\Admin\AppData\Local\Temp\nkth.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2304
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c start shutdown /s /f /t 0
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Windows\SysWOW64\shutdown.exe
        shutdown /s /f /t 0
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2108
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:2572
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:1768

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2304-2-0x0000000074440000-0x00000000749EB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2304-1-0x0000000074440000-0x00000000749EB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2304-0-0x0000000074441000-0x0000000074442000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2304-3-0x0000000074440000-0x00000000749EB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2304-4-0x0000000074440000-0x00000000749EB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2304-5-0x0000000074440000-0x00000000749EB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2304-6-0x0000000074440000-0x00000000749EB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2304-7-0x0000000074440000-0x00000000749EB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2572-8-0x0000000002B00000-0x0000000002B01000-memory.dmp

        Filesize

        4KB

        Download