Analysis
Max time kernel: 148s
Max time network: 148s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 14-12-2020 12:50
Static task: static1
Behavioral task: behavioral1
  Sample: aff78e3bfeb28385f20384fc6e3f3327.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: aff78e3bfeb28385f20384fc6e3f3327.exe
  Resource: win10v20201028
General
Target: aff78e3bfeb28385f20384fc6e3f3327.exe
Size: 100KB
MD5: aff78e3bfeb28385f20384fc6e3f3327
SHA1: d448f9c3a5df6c8ae81e3178f14b39ce63619b7d
SHA256: 3f79c48003089ef4f35e9fdcfaeba9323c1a80251e91a3f1bd3673d2ec02a506
SHA512: 9e7fbbe9ba4914828859936f5ad6330a65b1aa58afe26a611a0b6f3d16a5387a4b707790ccb2d67a822f6fc14c4f92b48fbbfffc3af4a04e329daf78ca1d54ee
Malware Config
Extracted
  Family: njrat
  Version: 0.7d
  Botnet: neuf
  C2: doddyfire.linkpc.net:10000
  Mutex: e1a87040f2026369a233f9ae76301b7b
  Attributes:
    reg_key: e1a87040f2026369a233f9ae76301b7b
    splitter: |'|'|
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
    996  | chargeable.exe
    1560 | chargeable.exe
- Modifies Windows Firewall (1 TTPs)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" | aff78e3bfeb28385f20384fc6e3f3327.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aff78e3bfeb28385f20384fc6e3f3327.exe" | aff78e3bfeb28385f20384fc6e3f3327.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
    PID 996 set thread context of 1560 | 996 | chargeable.exe | chargeable.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 1560 | chargeable.exe
    Token: 33 | 1560 | chargeable.exe
    Token: SeIncBasePriorityPrivilege | 1560 | chargeable.exe
    (the pair "Token: 33" / "Token: SeIncBasePriorityPrivilege" for pid 1560 chargeable.exe repeats 16 times; 33 entries in total)
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description | pid | process | target process):
    PID 4092 wrote to memory of 996 | 4092 | aff78e3bfeb28385f20384fc6e3f3327.exe | chargeable.exe (3 entries)
    PID 996 wrote to memory of 1560 | 996 | chargeable.exe | chargeable.exe (8 entries)
    PID 1560 wrote to memory of 3212 | 1560 | chargeable.exe | netsh.exe (3 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\aff78e3bfeb28385f20384fc6e3f3327.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\aff78e3bfeb28385f20384fc6e3f3327.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      Command line: "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
         Command line: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\netsh.exe
            Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log
  MD5: 33b323c15555929c70c286920f658bbc
  SHA1: 0b12cd2ae60c717f2687103be76dd21841338a64
  SHA256: 1fc5f1cfb7c70c8be091d216610b21939e399995130cf1a0320d00dcc26017e7
  SHA512: 9bb73d2eb87bbe889817b48974e606672779c517119137e2ec83fb4754a580509811343caf3b4e2128b2d1872b3971d09a782bbf8464520a24b040fec508385c
- C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
  MD5: 545f91c378997f86c1963fbdeae5c463
  SHA1: 2a8dc0913b0b70f54aab784331408211acc4ebfe
  SHA256: 200491a7b5247f2dea5f3576ce55990e2bfcbd10b36fcbc1fbb5f42aaac6f4b2
  SHA512: 314b36f632777b5b96c3eaa7b5d7560db28bf1d9431eb582895c09f735217de42d18881c778f492617ff3aff4375c57a8193c51119e5f47af4235e2682d80505
- memory/996-2-0x0000000000000000-mapping.dmp
- memory/1560-5-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB
- memory/1560-6-0x000000000040748E-mapping.dmp
- memory/3212-9-0x0000000000000000-mapping.dmp