Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    239s
  • max time network
    245s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/02/2025, 13:26

General

  • Target

    рат 3 стадия.exe

  • Size

    11.3MB

  • MD5

    27d9f65b4d7ea7f8dc76517c634be635

  • SHA1

    4baa5a473b5780ba33e749e43ef7363464bf6968

  • SHA256

    4012e6a5c71823bebc6e0992ff1415cf04ef4a5ddb93233dd6b867fc1a907c6f

  • SHA512

    b90fd210c34da79d1d7d526b1e8178c1e7fb0e5a1550eacec3492bf5843073edaa0369f7a0c81ab0996c88a20c742e385bace606b404caa5c513cbf1af68f9cc

  • SSDEEP

    196608:Zqwdlup6/j7AGXyaP+RtZoPlbxfxKLZtz4uIZoGSV1gJCUepeNxJvLW7snujIvgB:xup6lXeY5ol4uIZoG0dUQeN71ucvgB99

Malware Config

Signatures

  • Njrat family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Stops running service(s) 4 TTPs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 17 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Detects Pyinstaller 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of FindShellTrayWindow 24 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\рат 3 стадия.exe
    "C:\Users\Admin\AppData\Local\Temp\рат 3 стадия.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Users\Admin\AppData\Roaming\SCAN_MINECRAFT_F.exe
      "C:\Users\Admin\AppData\Roaming\SCAN_MINECRAFT_F.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2528
      • C:\Users\Admin\AppData\Roaming\SCAN_MINECRAFT_F.exe
        "C:\Users\Admin\AppData\Roaming\SCAN_MINECRAFT_F.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:3008
    • C:\Users\Admin\AppData\Roaming\RTP_Launcher.exe
      "C:\Users\Admin\AppData\Roaming\RTP_Launcher.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2948
      • C:\Users\Admin\AppData\Roaming\Payload.sfx.exe
        "C:\Users\Admin\AppData\Roaming\Payload.sfx.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2780
        • C:\Users\Admin\AppData\Roaming\Payload.exe
          "C:\Users\Admin\AppData\Roaming\Payload.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2316
          • C:\Users\Admin\AppData\Roaming\ASIO Plugin.exe
            "C:\Users\Admin\AppData\Roaming\ASIO Plugin.exe"
            5⤵
            • Drops startup file
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1992
            • C:\Windows\SysWOW64\attrib.exe
              attrib +h "C:\Users\Admin\AppData\Roaming\ASIO Plugin.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              • Views/modifies file attributes
              PID:704
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2636
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell Set-MpPreference -DisableRealtimeMonitoring $true
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2276
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c sc query windefend
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:288
              • C:\Windows\SysWOW64\sc.exe
                sc query windefend
                7⤵
                • Launches sc.exe
                • System Location Discovery: System Language Discovery
                PID:2376
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c sc stop windefend
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:688
              • C:\Windows\SysWOW64\sc.exe
                sc stop windefend
                7⤵
                • Launches sc.exe
                • System Location Discovery: System Language Discovery
                PID:1744
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c sc delete windefend
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1760
              • C:\Windows\SysWOW64\sc.exe
                sc delete windefend
                7⤵
                • Launches sc.exe
                • System Location Discovery: System Language Discovery
                PID:1712
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /delete /tn CleanSweepCheck /f
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1656
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /sc minute /mo 1 /tn CleanSweepCheck /tr C:\Users\Admin\AppData\Roaming\ASIO Plugin.exe
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:1328
            • C:\Users\Admin\AppData\Local\Temp\5b8f934b5e454649be5c76f6e9222c0c.exe
              "C:\Users\Admin\AppData\Local\Temp\5b8f934b5e454649be5c76f6e9222c0c.exe"
              6⤵
              • Executes dropped EXE
              PID:3032
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /delete /tn CleanSweepCheck /f
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2736
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Roaming\ASIO Plugin.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              PID:2456
              • C:\Windows\SysWOW64\PING.EXE
                ping 0 -n 2
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2292
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2264
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
      PID:556
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe"
      1⤵
        PID:1928
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefb9c9758,0x7fefb9c9768,0x7fefb9c9778
          2⤵
            PID:1044
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe"
          1⤵
            PID:2688
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7c69758,0x7fef7c69768,0x7fef7c69778
              2⤵
                PID:2396

Network

MITRE ATT&CK Enterprise v15

Downloads

            • C:\Users\Admin\AppData\Local\Temp\_MEI25282\api-ms-win-core-file-l1-2-0.dll

              Filesize

              21KB

              MD5

              cc228ff8d86b608e73026b1e9960b2f8

              SHA1

              cef0705aee1e8702589524879a49e859505d6fe0

              SHA256

              4cadbc0c39da7c6722206fdcebd670abe5b8d261e7b041dd94f9397a89d1990d

              SHA512

              17abd9e0ec20b7eb686e3c0f41b043d0742ab7f9501a423b2d2922d44af660379792d1cc6221effbd7e856575d5babf72657ae9127c87cc5cf678bd2ceb1228f

            • C:\Users\Admin\AppData\Local\Temp\_MEI25282\api-ms-win-core-file-l2-1-0.dll

              Filesize

              21KB

              MD5

              e368a236f5676a3da44e76870cd691c9

              SHA1

              e4f1d2c6f714a47f0dc29021855c632ef98b0a74

              SHA256

              93c624b366ba16c643fc8933070a26f03b073ad0cf7f80173266d67536c61989

              SHA512

              f5126498a8b65ab20afaaf6b0f179ab5286810384d44638c35f3779f37e288a51c28bed3c3f8125d51feb2a0909329f3b21273cb33b3c30728b87318480a9ef8

            • C:\Users\Admin\AppData\Local\Temp\_MEI25282\api-ms-win-core-kernel32-legacy-l1-1-1.dll

              Filesize

              21KB

              MD5

              0c1cc0a54d4b38885e1b250b40a34a84

              SHA1

              24400f712bbe1dd260ed407d1eb24c35dcb2ecac

              SHA256

              a9b13a1cd1b8c19b0c6b4afcd5bb0dd29c0e2288231ac9e6db8510094ce68ba6

              SHA512

              71674e7ed8650cac26b6f11a05bfc12bd7332588d21cf81d827c1d22df5730a13c1e6b3ba797573bb05b3138f8d46091402e63c059650c7e33208d50973dde39

            • C:\Users\Admin\AppData\Local\Temp\_MEI25282\api-ms-win-core-localization-l1-2-0.dll

              Filesize

              21KB

              MD5

              5241df2e95e31e73ccfd6357ad309df0

              SHA1

              2644cc5e86dfad1ad2140181ab2ca79725f95411

              SHA256

              6ee44dd0d8510dc024c9f7c79b1b9fa88c987b26b6beb6653ddd11751c34e5dc

              SHA512

              52cccd1dd237e764e34996c0c5f7a759a7f0eff29b61befeaf96a16d80df2ba9ee2c3615f875153198a145d68f275aea6d02187e6eee5a129e3e2ab81aaceb16

            • C:\Users\Admin\AppData\Local\Temp\_MEI25282\api-ms-win-core-processthreads-l1-1-1.dll

              Filesize

              21KB

              MD5

              385f562bdc391ccd4f81aca3719f3236

              SHA1

              f6633e1dac227ba3cd14d004748ef0c1c4135e67

              SHA256

              4ad565a8ba3ef0ea8ab87221ad11f83ee0bc844ce236607958406663b407333e

              SHA512

              b72ed1a02d4a02791ca5490b35f7e2cb6cb988e4899eda78134a34fb28964ea573d3289b69d5db1aac2289d1f24fd0a432b8187f7ae8147656d38691ae923f27

            • C:\Users\Admin\AppData\Local\Temp\_MEI25282\api-ms-win-core-sysinfo-l1-2-0.dll

              Filesize

              21KB

              MD5

              fc9fc5f308ffc2d2d71814df8e2ae107

              SHA1

              24d7477f2a7dc2610eb701ed683108cd57eca966

              SHA256

              2703635d835396afd0f138d7c73751afe7e33a24f4225d08c1690b0a371932c0

              SHA512

              490fa6dc846e11c94cfe2f80a781c1bd1943cddd861d8907de8f05d9dc7a6364a777c6988c58059e435ac7e5d523218a597b2e9c69c9c34c50d82cac4400fe01

            • C:\Users\Admin\AppData\Local\Temp\_MEI25282\api-ms-win-core-timezone-l1-1-0.dll

              Filesize

              21KB

              MD5

              43d8d2fb8801c5bd90d9482ddf3ea356

              SHA1

              d582b55cd58531e726141c63ba9910ff185d72e0

              SHA256

              33f4fddc181066fce06b2227bded813f95e94ed1f3d785e982c6b6b56c510c57

              SHA512

              0e073381a340db3f95165dbcceb8dfbf1ed1b4343e860446032400a7b321b7922c42ee5d9a881e28e69a3f55d56d63663adb9bb5abb69c5306efbf116cc5e456

            • C:\Users\Admin\AppData\Local\Temp\_MEI25282\python313.dll

              Filesize

              5.8MB

              MD5

              3aad23292404a7038eb07ce5a6348256

              SHA1

              35cac5479699b28549ebe36c1d064bfb703f0857

              SHA256

              78b1dd211c0e66a0603df48da2c9b67a915ab3258701b9285d3faa255ed8dc25

              SHA512

              f5b6ef04e744d2c98c1ef9402d7a8ce5cda3b008837cf2c37a8b6d0cd1b188ca46585a40b2db7acf019f67e6ced59eff5bc86e1aaf48d3c3b62fecf37f3aec6b

            • C:\Users\Admin\AppData\Local\Temp\_MEI25282\ucrtbase.dll

              Filesize

              1.3MB

              MD5

              286b308df8012a5dfc4276fb16dd9ccc

              SHA1

              8ae9df813b281c2bd7a81de1e4e9cef8934a9120

              SHA256

              2e5fb14b7bf8540278f3614a12f0226e56a7cc9e64b81cbd976c6fcf2f71cbfb

              SHA512

              24166cc1477cde129a9ab5b71075a6d935eb6eebcae9b39c0a106c5394ded31af3d93f6dea147120243f7790d0a0c625a690fd76177dddab2d2685105c3eb7b2

            • C:\Users\Admin\AppData\Roaming\Payload.exe

              Filesize

              54KB

              MD5

              68e6ef21250dd5d0bce5dfbd201da418

              SHA1

              8f5ac5472ef190644b551982c221aecfdeb13e24

              SHA256

              914ba72a2c19e2c962e6a210810a8d991c16603e84d29b8fe3e1efc41586715b

              SHA512

              08b6a7ea071a7f8354b3d255ab16d8748915ec5d350dea6a9ea414aa00445720984c8c4a293ddab623cbd193b0b0ec89494182f9c07032d849ef0ec2f8a2196f

            • C:\Users\Admin\AppData\Roaming\RTP_Launcher.exe

              Filesize

              668KB

              MD5

              f201d301882f32db22068608558a4bab

              SHA1

              93e1399172ce45361e4fa053fb6547261f465c34

              SHA256

              9812c226b300a5ee0e516214bca4e972af80249844d7212d34a532674a6d2039

              SHA512

              db79f67fafc9a5fd7c68a9767b4964aa214168a347bd8692976ac4e6b85a18a17133827dd3f10438a1760121c9c3dc430343c416ee9a8a6c36d381ed0fa3fef0

            • \Users\Admin\AppData\Local\Temp\5b8f934b5e454649be5c76f6e9222c0c.exe

              Filesize

              22.6MB

              MD5

              d3b70fa0711ad4e8e8a43e8a4ba6cdfb

              SHA1

              64b2e064abcee7b04caccd315a2d2994ba4df125

              SHA256

              da298b13fc28e0a326de0138130584201e0b6dd4859e74615781e48c099010a8

              SHA512

              4a564a51fe2d44645df6651804581c429b560f111190a585ce6508572ecba72b21ecf47e5763ec65500453cd2498519e9c55ec96a94b8c560b81520398346aff

            • \Users\Admin\AppData\Local\Temp\_MEI25282\api-ms-win-core-fibers-l1-1-1.dll

              Filesize

              21KB

              MD5

              050a30a687e7a2fa6f086a0db89aa131

              SHA1

              1484322caaf0d71cbb873a2b87bdd8d456da1a3b

              SHA256

              fc9d86cec621383eab636ebc87ddd3f5c19a3cb2a33d97be112c051d0b275429

              SHA512

              07a15aa3b0830f857b9b9ffeb57b6593ae40847a146c5041d38be9ce3410f58caa091a7d5671cc1bc7285b51d4547e3004cf0e634ae51fe3da0051e54d8759e1

            • \Users\Admin\AppData\Roaming\Payload.sfx.exe

              Filesize

              460KB

              MD5

              fc66d6dda75572e180f725e173594e7e

              SHA1

              0bd79afc46ad1c911749ddf1222f3d3335281323

              SHA256

              096ab73539ab3a204fc9d867a06ef3e076e880dd51c612d9eeee3b15bc81111f

              SHA512

              3d4d1100f4ccde9debe08775623c5f70c561e03751fd66389c96c61cdbe7b153a5addd53a04a4b602a0999de4ae74b2127b4be17e4b28ceb54534977e9a28d2a

            • \Users\Admin\AppData\Roaming\SCAN_MINECRAFT_F.exe

              Filesize

              10.8MB

              MD5

              0ebcd0bb555e8ab1672a1ffb2793151f

              SHA1

              bc1b85846c5d67b6b3fe1d8b7a4d94238378a673

              SHA256

              5f7507a45a6380116220fa730f521df31b7497591ca2d1167ca0f507c8c4d634

              SHA512

              8bd4b0c68966c2127c4f25045faeddb44ba6558c67af5ba459529110ee7ed427f148bac27f04d4d4567d533ed0ecd315b208fb1845451d11ced3d1e6804958ea

            • memory/2264-2024-0x0000000140000000-0x00000001405E8000-memory.dmp

              Filesize

              5.9MB

            • memory/2264-2025-0x0000000140000000-0x00000001405E8000-memory.dmp

              Filesize

              5.9MB

            • memory/2264-2028-0x0000000140000000-0x00000001405E8000-memory.dmp

              Filesize

              5.9MB