Analysis
-
max time kernel
147s
-
max time network
151s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240226-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
15-04-2024 01:05
Static task
static1
Behavioral task
behavioral1
Sample
31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2.exe
Resource
win10v2004-20240226-en
General
-
Target
31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2.exe
-
Size
106KB
-
MD5
ed1ea689d80a7fab60271d8d24267a5b
-
SHA1
cbc58903e5ef9a21f32bd86c158039eead84c2e3
-
SHA256
31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2
-
SHA512
1ae6c5549c567994c14301f5808bb835084344574b604dbd6b8e0efc208a7b3b96da55030d9e2f406cabb8e0b486f46e87c670d36308006a0a5142e98f9134ec
-
SSDEEP
1536:orp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4xtKegoe:w5eznsjsguGDFqGx8egoe
Malware Config
Extracted
Family
njrat
Version
0.7d
Botnet
neuf
C2
doddyfire.linkpc.net:10000
Mutex
e1a87040f2026369a233f9ae76301b7b
-
reg_key
e1a87040f2026369a233f9ae76301b7b
-
splitter
|'|'|
Signatures
-
Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes:
netsh.exe (PID 3764)
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2.exe queried key value \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
-
Executes dropped EXE (2 IoCs)
Processes:
chargeable.exe (PID 384)
chargeable.exe (PID 2912)
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2.exe set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"
31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2.exe set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2.exe"
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
chargeable.exe (PID 384) set thread context of chargeable.exe (PID 2912)
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken (29 IoCs)
Processes:
chargeable.exe (PID 2912): Token: SeDebugPrivilege once, followed by 14 repetitions of the pair Token: 33 / Token: SeIncBasePriorityPrivilege
-
Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2.exe (PID 1600) wrote to memory of chargeable.exe (PID 384), 3 times
chargeable.exe (PID 384) wrote to memory of chargeable.exe (PID 2912), 8 times
chargeable.exe (PID 2912) wrote to memory of netsh.exe (PID 3764), 3 times
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2.exe"
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
  Depth 2: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
  Command line: "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  -
    Depth 3: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    Command line: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
      Depth 4: C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
      - Modifies Windows Firewall
-
Depth 1: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4056 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log
Filesize
400B
MD5
0a9b4592cd49c3c21f6767c2dabda92f
SHA1
f534297527ae5ccc0ecb2221ddeb8e58daeb8b74
SHA256
c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd
SHA512
6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307
-
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
Filesize
106KB
MD5
2b8f9366b9d9545a12195648c260162a
SHA1
e2bd79b49aa5eb8a3f60918fdbf45cc3dc000118
SHA256
8e4000d87c8208514892358a60b5f2c1f9417b5103bba7b2f160003baad92c1d
SHA512
6bfec9c81f7e59519ac225e85821975090228b081437f2a33400a13589ef65ce729e9f665c76ba6582271c2123373f9d93ee14b87ea958038dc9581d6a2dc0e7
-
memory/384-25-0x00000000750D0000-0x0000000075681000-memory.dmp
Filesize
5.7MB
-
memory/384-17-0x00000000750D0000-0x0000000075681000-memory.dmp
Filesize
5.7MB
-
memory/384-18-0x0000000000EF0000-0x0000000000F00000-memory.dmp
Filesize
64KB
-
memory/384-20-0x00000000750D0000-0x0000000075681000-memory.dmp
Filesize
5.7MB
-
memory/1600-1-0x00000000750D0000-0x0000000075681000-memory.dmp
Filesize
5.7MB
-
memory/1600-2-0x0000000001530000-0x0000000001540000-memory.dmp
Filesize
64KB
-
memory/1600-19-0x00000000750D0000-0x0000000075681000-memory.dmp
Filesize
5.7MB
-
memory/1600-0-0x00000000750D0000-0x0000000075681000-memory.dmp
Filesize
5.7MB
-
memory/2912-21-0x0000000000400000-0x000000000040C000-memory.dmp
Filesize
48KB
-
memory/2912-26-0x00000000750D0000-0x0000000075681000-memory.dmp
Filesize
5.7MB
-
memory/2912-27-0x0000000000E50000-0x0000000000E60000-memory.dmp
Filesize
64KB
-
memory/2912-28-0x00000000750D0000-0x0000000075681000-memory.dmp
Filesize
5.7MB
-
memory/2912-29-0x00000000750D0000-0x0000000075681000-memory.dmp
Filesize
5.7MB
-
memory/2912-30-0x0000000000E50000-0x0000000000E60000-memory.dmp
Filesize
64KB