Analysis
max time kernel: 148s
max time network: 154s
platform: windows7_x64
resource: win7v20201028
submitted: 14-12-2020 12:50
Static task: static1
Behavioral task: behavioral1
  Sample: aff78e3bfeb28385f20384fc6e3f3327.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: aff78e3bfeb28385f20384fc6e3f3327.exe
  Resource: win10v20201028
(The signatures, process tree and dumps on this page are from the Windows 7 run, behavioral1.)
General
Target: aff78e3bfeb28385f20384fc6e3f3327.exe
Size: 100KB
MD5: aff78e3bfeb28385f20384fc6e3f3327
SHA1: d448f9c3a5df6c8ae81e3178f14b39ce63619b7d
SHA256: 3f79c48003089ef4f35e9fdcfaeba9323c1a80251e91a3f1bd3673d2ec02a506
SHA512: 9e7fbbe9ba4914828859936f5ad6330a65b1aa58afe26a611a0b6f3d16a5387a4b707790ccb2d67a822f6fc14c4f92b48fbbfffc3af4a04e329daf78ca1d54ee
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet (campaign ID): neuf
C2: doddyfire.linkpc.net:10000
Mutex: e1a87040f2026369a233f9ae76301b7b (njRAT uses one configured string both as its mutex name and as its registry value name, hence reg_key below)
reg_key: e1a87040f2026369a233f9ae76301b7b
splitter: |'|'|

The C2 is a dynamic-DNS host (linkpc.net), so the resolved IP will drift; keep the hostname and port 10000 as the indicators. The splitter is the field delimiter njRAT places inside every C2 message, which makes it the most stable string to key a network signature on. Note that the Run values actually written during this run are named SysMain and confuse (see Signatures), not the configured reg_key.
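The splitter and C2 above are enough to recognise this build's traffic on the wire. The following is an added example, not code from the report and not njRAT's own code: it frames and parses messages the way njRAT 0.7d builds them, under the assumption (not stated on this page) that each message is sent as the decimal byte length, a NUL byte, then the splitter-joined fields, with `ll` as the client registration command. The beacon contents and field order are constructed for illustration.

```python
"""njRAT-style C2 message framing, keyed on the splitter extracted above.

Added example, not code from the report or from njRAT itself.  Assumption:
njRAT 0.7d sends each message over TCP as the decimal byte length of the
payload, a NUL byte, then the payload, whose fields are joined with the
configured splitter; 'll' as the first field is the client registration
command.  All message contents below are constructed.
"""
from __future__ import annotations

SPLITTER = "|'|'|"                         # from the extracted config
C2 = ("doddyfire.linkpc.net", 10000)       # from the extracted config


def frame(fields: list[str]) -> bytes:
    """Build one wire message: decimal length, NUL, fields joined by SPLITTER."""
    payload = SPLITTER.join(fields).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_stream(buf: bytes) -> tuple[list[list[str]], bytes]:
    """Split a TCP byte stream into complete messages.

    Returns the decoded field lists and whatever trailing bytes belong to a
    frame that has not fully arrived yet, so the caller can keep buffering.
    Raises ValueError if the bytes are not length-NUL framed.
    """
    messages: list[list[str]] = []
    while True:
        nul = buf.find(b"\x00")
        if nul < 0:
            break                            # no complete length prefix yet
        length_txt = buf[:nul]
        if not length_txt.isdigit():
            raise ValueError("stream is not njRAT length-NUL framed")
        end = nul + 1 + int(length_txt)
        if len(buf) < end:
            break                            # partial frame: wait for more
        payload = buf[nul + 1:end].decode("utf-8", errors="replace")
        messages.append(payload.split(SPLITTER))
        buf = buf[end:]
    return messages, buf


def looks_like_njrat(first_packet: bytes) -> bool:
    """Cheap sensor heuristic: a well-formed first frame carrying the splitter."""
    nul = first_packet.find(b"\x00")
    if nul <= 0 or not first_packet[:nul].isdigit():
        return False
    length = int(first_packet[:nul])
    body = first_packet[nul + 1:nul + 1 + length]
    return len(body) == length and SPLITTER.encode() in body


# Constructed registration beacon; the field values are illustrative only.
SAMPLE_BEACON = frame(["ll", "neuf_0123456789AB", "WIN7-PC", "Admin",
                       "20-12-14", "", "Win 7 Ultimate SP1 x64", "No", "0.7d"])

if __name__ == "__main__":
    # Feed the beacon plus the first three bytes of a second frame to show
    # that partial frames are held back rather than mis-parsed.
    msgs, leftover = parse_stream(SAMPLE_BEACON + frame(["inf"])[:3])
    print(msgs, leftover)
```

`parse_stream` is written for a reassembled TCP stream, so a frame split across segments is returned as leftover rather than dropped; `looks_like_njrat` is the one-packet check a sensor would run before committing to full parsing. Because the splitter is plain text, a hex content match on `|'|'|` with the port restricted to 10000 catches this build without needing the hostname.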
Signatures

Executes dropped EXE (2 IoCs)
  pid   process
  1344  chargeable.exe
  1352  chargeable.exe

Modifies Windows Firewall (1 TTP)
  (the netsh firewall add allowedprogram call in the process tree below)

Loads dropped DLL (2 IoCs)
  pid   process
  1120  aff78e3bfeb28385f20384fc6e3f3327.exe
  1120  aff78e3bfeb28385f20384fc6e3f3327.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) by aff78e3bfeb28385f20384fc6e3f3327.exe:
    \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\Users\Admin\AppData\Local\Temp\aff78e3bfeb28385f20384fc6e3f3327.exe"
    \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
  Both values sit in the user's own hive (HKCU), so no elevation was needed; the value name SysMain borrows the service name of the legitimate Superfetch service.

Suspicious use of SetThreadContext (1 IoC)
  PID 1344 (chargeable.exe) set thread context of PID 1352 (chargeable.exe)
  Together with the nine WriteProcessMemory calls from 1344 into 1352 below, this is the process-hollowing pattern: the first chargeable.exe instance starts a second copy of itself, writes into it and redirects its thread to the written code.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  That sentence is the sandbox's generic description for this signature. Nothing else in the report shows file encryption, and the sample is an njRAT build, so read it as drive enumeration by the RAT rather than as evidence of ransomware.

Suspicious use of AdjustPrivilegeToken (29 IoCs)
  All from PID 1352 (chargeable.exe):
    Token: SeDebugPrivilege            x1
    Token: 33                          x14
    Token: SeIncBasePriorityPrivilege  x14
  "33" is the raw privilege LUID the sandbox did not map to a name; in winnt.h SE_INC_WORKING_SET_PRIVILEGE is 33, i.e. SeIncreaseWorkingSetPrivilege. The one to alert on is SeDebugPrivilege being enabled by the hollowed process, since a user-mode application only needs it to open other processes.

Suspicious use of WriteProcessMemory (17 IoCs)
  source PID  source process                         target PID  target process  count
  1120        aff78e3bfeb28385f20384fc6e3f3327.exe   1344        chargeable.exe  4
  1344        chargeable.exe                         1352        chargeable.exe  9
  1352        chargeable.exe                         1184        netsh.exe       4
  The four writes into each freshly spawned child (1120 into 1344, 1352 into 1184) follow the same pattern for the plainly benign netsh launch, so they are process-creation noise; the nine writes from 1344 into 1352, paired with SetThreadContext, are the injection.
Processes

1. C:\Users\Admin\AppData\Local\Temp\aff78e3bfeb28385f20384fc6e3f3327.exe  (PID 1120)
   "C:\Users\Admin\AppData\Local\Temp\aff78e3bfeb28385f20384fc6e3f3327.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe  (PID 1344)
      "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe  (PID 1352)
         C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\netsh.exe  (PID 1184)
            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

The chain is dropper (1120) -> dropped chargeable.exe (1344) -> hollowed second copy (1352) -> netsh. netsh is launched from SysWOW64, so the whole chain is 32-bit; the command uses the legacy "netsh firewall" context, which is deprecated in favour of "netsh advfirewall" but still works on Windows 7, and it whitelists the payload path so the RAT's inbound connections are not blocked.
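The three host behaviours in this tree (a Run value pointing into a user-writable path, a child with the same image as its parent that the parent then writes into and redirects, and a netsh firewall exception) each map to a simple detection. The example below is added here and is not part of the sandbox report; it runs those checks over constructed Sysmon-style events that mirror the tree, with the PIDs and paths taken from the report. The field names (EventID, Image, ParentImage, TargetObject, Details, CommandLine) assume Sysmon telemetry, which is an assumption about your sensor.

```python
"""Host detections for the behaviours in the process tree above.

Added example, not part of the sandbox report.  The event dicts are
constructed to mirror the tree (PIDs and paths from the report) using
Sysmon-style fields: EventID 1 = process create, EventID 13 = registry
value set.  That telemetry shape is an assumption about your sensor.
"""
import re

# Locations a non-admin user can write to; persistence pointing here is
# far more often malware than software installed under Program Files.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Legacy "netsh firewall add allowedprogram" (seen in this report) and the
# newer "netsh advfirewall firewall add rule" form.
FW_ALLOW = re.compile(r"\bfirewall\b.*\badd (allowedprogram|rule)\b", re.I)


def run_key_to_user_path(ev: dict) -> bool:
    """Run/RunOnce value whose data points into a user-writable directory."""
    if ev.get("EventID") != 13 or not RUN_KEY.search(ev.get("TargetObject", "")):
        return False
    return bool(USER_WRITABLE.search(ev.get("Details", "")))


def same_image_child(ev: dict) -> bool:
    """Process whose parent has the same image path (hollowing precursor)."""
    if ev.get("EventID") != 1:
        return False
    return ev.get("Image", "").lower() == ev.get("ParentImage", "").lower()


def netsh_firewall_allow(ev: dict) -> bool:
    """netsh.exe adding a firewall exception."""
    if ev.get("EventID") != 1 or not ev.get("Image", "").lower().endswith("\\netsh.exe"):
        return False
    return bool(FW_ALLOW.search(ev.get("CommandLine", "")))


RULES = {
    "run_key_user_path": run_key_to_user_path,
    "same_image_child": same_image_child,
    "netsh_firewall_allow": netsh_firewall_allow,
}


def triage(events: list) -> list:
    """Return (rule, pid, detail) for every event that trips a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev["ProcessId"], ev.get("Details") or ev.get("CommandLine", "")))
    return hits


SID = r"\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000"
RUN = SID + r"\Software\Microsoft\Windows\CurrentVersion\Run"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\aff78e3bfeb28385f20384fc6e3f3327.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

# Constructed events: the report's chain plus three benign look-alikes.
SAMPLE_EVENTS = [
    {"EventID": 13, "ProcessId": 1120, "TargetObject": RUN + r"\SysMain", "Details": DROPPER},
    {"EventID": 13, "ProcessId": 1120, "TargetObject": RUN + r"\confuse", "Details": PAYLOAD},
    {"EventID": 1, "ProcessId": 1344, "Image": PAYLOAD, "ParentImage": DROPPER,
     "CommandLine": f'"{PAYLOAD}"'},
    {"EventID": 1, "ProcessId": 1352, "Image": PAYLOAD, "ParentImage": PAYLOAD,
     "CommandLine": PAYLOAD},
    {"EventID": 1, "ProcessId": 1184, "Image": r"C:\Windows\SysWOW64\netsh.exe", "ParentImage": PAYLOAD,
     "CommandLine": f'netsh firewall add allowedprogram "{PAYLOAD}" "chargeable.exe" ENABLE'},
    # benign: vendor updater persisting from Program Files
    {"EventID": 13, "ProcessId": 4000, "TargetObject": RUN + r"\VendorUpdate",
     "Details": r"C:\Program Files\Vendor\update.exe"},
    # benign: ordinary parent/child pair
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Program Files\Browser\browser.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "browser.exe"},
    # benign: netsh used for a query, not a rule change
    {"EventID": 1, "ProcessId": 4200, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "netsh interface ip show config"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Run on the constructed events this returns exactly the four report behaviours (two Run values from 1120, the same-image child 1352, the netsh exception from 1184) and nothing for the benign look-alikes. The same-image rule is a correlation input rather than an alert on its own, since browser renderer processes and some updaters also spawn copies of themselves; the corroboration this report has (SetThreadContext and the nine WriteProcessMemory calls from the parent into that child) is not something Sysmon records, so it needs an EDR hook or a sandbox run like this one. Run values from AppData are likewise common for legitimate per-user installers, which is why the three rules are scored together.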
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
  (recorded five times in the report, under both C:\Users\... and \Users\... paths, all with identical hashes)
  MD5     abb9fd4e3892c4e712e8594f8af7ba27
  SHA1    cd30cac59687d163e275afbf8ed9998d3e011c65
  SHA256  59ca6d702a83eca3bcf4cd7208552109dd23161408f30e1c17a7c77e128df0d3
  SHA512  c27c59f4163bf623e84c8ef27154d7f71e506ef337567941c3090d8de77d3761b1915e7815e7434ae91c8bf4af2ba567edd7d32461fc0fc8913471a2037486c9
  The hashes differ from the submitted sample's, so chargeable.exe is a distinct payload written by the dropper, not a self-copy; this is the hash to block and hunt for on other hosts.
memory/1184-12-0x0000000000000000-mapping.dmp
memory/1344-4-0x0000000000000000-mapping.dmp
memory/1352-7-0x0000000000400000-0x000000000040C000-memory.dmp   (48KB)
memory/1352-8-0x000000000040748E-mapping.dmp
memory/1352-11-0x0000000000400000-0x000000000040C000-memory.dmp  (48KB)
memory/1352-10-0x0000000000400000-0x000000000040C000-memory.dmp  (48KB)

The 48KB region at 0x400000-0x40C000 in PID 1352 is the image area of the hollowed process, i.e. what PID 1344 wrote before calling SetThreadContext, and the 0x40748E entry falls inside it, consistent with the redirected thread start. If you want the unpacked payload, carve that region rather than the dropped chargeable.exe on disk.