Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/02/2025, 20:15

General

  • Target

    Everythingnew.exe

  • Size

    43KB

  • MD5

    e6c670a90c4eb92933de49b9b28d19bc

  • SHA1

    e561d4517df4a7bdf2fafdf4f5dafabedc3c74e0

  • SHA256

    f09c8a7cfd0dbbafc4191ecf15e57329fd1959b6b4da2bcac0ab59f08b8db009

  • SHA512

    552ad265eb09afa523f3ec3fa22300b47630064db6788c97e16051352d55c45cb6a7ca21f01e31246aad391f571adab7e89e567264a9c0a9cf87c8208a60f398

  • SSDEEP

    384:oZy3Oxrt+3qpyeEDLAL3EkPVIVUusVzQIij+ZsNO3PlpJKkkjh/TzF7pWnM7greT:eTwage0LGfNXuXQ/ot7+L

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

stealer

C2

environmental-seeds.gl.at.ply.gg:35534

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Signatures

  • Njrat family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Downloads MZ/PE file 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Everythingnew.exe
    "C:\Users\Admin\AppData\Local\Temp\Everythingnew.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Users\Admin\AppData\Roaming\winsystem.exe
      "C:\Users\Admin\AppData\Roaming\winsystem.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:2248
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NUNFMzA3MEYtMEIyQi00QjEzLTkwOEUtNDhDMEIxQjdGRTZCfSIgdXNlcmlkPSJ7RkIxNjY3MkMtRjg3MS00NTg4LTgzQzgtOEYzODJEMzk0RjdCfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MTJGOUNFQUQtMzEyMy00MDMwLTg4NTItMjNBOUEyRTJBNkY5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5ODUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODQ0NDQzNjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTIzODQwNDM4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:4016

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\winsystem.exe

    Filesize

    43KB

    MD5

    e6c670a90c4eb92933de49b9b28d19bc

    SHA1

    e561d4517df4a7bdf2fafdf4f5dafabedc3c74e0

    SHA256

    f09c8a7cfd0dbbafc4191ecf15e57329fd1959b6b4da2bcac0ab59f08b8db009

    SHA512

    552ad265eb09afa523f3ec3fa22300b47630064db6788c97e16051352d55c45cb6a7ca21f01e31246aad391f571adab7e89e567264a9c0a9cf87c8208a60f398

  • memory/1612-3-0x0000000006020000-0x00000000065C4000-memory.dmp

    Filesize

    5.6MB

  • memory/1612-2-0x0000000005710000-0x00000000057AC000-memory.dmp

    Filesize

    624KB

  • memory/1612-0-0x0000000073EBE000-0x0000000073EBF000-memory.dmp

    Filesize

    4KB

  • memory/1612-5-0x0000000005B50000-0x0000000005BE2000-memory.dmp

    Filesize

    584KB

  • memory/1612-4-0x0000000073EB0000-0x0000000074660000-memory.dmp

    Filesize

    7.7MB

  • memory/1612-1-0x0000000000D80000-0x0000000000D92000-memory.dmp

    Filesize

    72KB

  • memory/1612-16-0x0000000073EB0000-0x0000000074660000-memory.dmp

    Filesize

    7.7MB

  • memory/2248-15-0x0000000073EB0000-0x0000000074660000-memory.dmp

    Filesize

    7.7MB

  • memory/2248-17-0x0000000073EB0000-0x0000000074660000-memory.dmp

    Filesize

    7.7MB

  • memory/2248-19-0x00000000053E0000-0x00000000053EA000-memory.dmp

    Filesize

    40KB

  • memory/2248-20-0x0000000073EB0000-0x0000000074660000-memory.dmp

    Filesize

    7.7MB

  • memory/2248-21-0x0000000073EB0000-0x0000000074660000-memory.dmp

    Filesize

    7.7MB