Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-04-2024 13:55
Static task
- static1
Behavioral task
- behavioral1
  - Sample: ccd5489042e837a771f04a06fc5296535c2fff338e4d7b6d0585f446f2b0ba6b.exe
  - Resource: win7-20240221-en
Behavioral task
- behavioral2
  - Sample: ccd5489042e837a771f04a06fc5296535c2fff338e4d7b6d0585f446f2b0ba6b.exe
  - Resource: win10v2004-20240412-en
General
- Target: ccd5489042e837a771f04a06fc5296535c2fff338e4d7b6d0585f446f2b0ba6b.exe
- Size: 107KB
- MD5: e53219c25838d5d1eba21c5608dba74d
- SHA1: 63b1c1c5ae014c01986c59a880209083823151b6
- SHA256: ccd5489042e837a771f04a06fc5296535c2fff338e4d7b6d0585f446f2b0ba6b
- SHA512: f6e3bda1ba52e3d4865cb1e25a3b65091f3fd386d37a2144fee9bbeed331be926cf09e38fd226043416b4e18c2deff30d9ab97b7099532cb3f86d047e0ad6e4b
- SSDEEP: 1536:orp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4xtKegoxmOE:w5eznsjsguGDFqGx8egoxmOE
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet (campaign ID): neuf
- C2: doddyfire.linkpc.net:10000
- Mutex: e1a87040f2026369a233f9ae76301b7b
Attributes
- reg_key: e1a87040f2026369a233f9ae76301b7b
- splitter: |'|'|

The mutex and reg_key share one value, as is usual for njRAT builds; the C2 is a dynamic-DNS host (linkpc.net), so block and hunt on the hostname rather than whatever IP it resolved to at analysis time. The splitter string is the field delimiter in the RAT's C2 messages and is a usable content match for network detection.
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes:
  - pid 3344 netsh.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
  - Key value queried: \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation, by ccd5489042e837a771f04a06fc5296535c2fff338e4d7b6d0585f446f2b0ba6b.exe
- Executes dropped EXE (2 IoCs)
  Processes:
  - pid 2544 chargeable.exe
  - pid 4380 chargeable.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  - Set value (str) \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe", by ccd5489042e837a771f04a06fc5296535c2fff338e4d7b6d0585f446f2b0ba6b.exe
  - Set value (str) \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ccd5489042e837a771f04a06fc5296535c2fff338e4d7b6d0585f446f2b0ba6b.exe", by ccd5489042e837a771f04a06fc5296535c2fff338e4d7b6d0585f446f2b0ba6b.exe
  Both Run values point into user-writable directories (AppData\Roaming and AppData\Local\Temp), and the second one re-launches the original sample from Temp, so cleanup has to remove both values and both files.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 2544 (chargeable.exe) set thread context of 4380 (chargeable.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes (all by pid 4380 chargeable.exe):
  - Token: SeDebugPrivilege (once)
  - Token: 33, then Token: SeIncBasePriorityPrivilege, the pair repeated 16 times
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
  - PID 2284 (ccd5489042e837a771f04a06fc5296535c2fff338e4d7b6d0585f446f2b0ba6b.exe) wrote to memory of 2544 (chargeable.exe), 3 times
  - PID 2544 (chargeable.exe) wrote to memory of 4380 (chargeable.exe), 8 times
  - PID 4380 (chargeable.exe) wrote to memory of 3344 (netsh.exe), 3 times
  The combination of a process spawning its own image, writing to it eight times and then setting its thread context (2544 to 4380) is the shape of process hollowing: the second chargeable.exe is the process that then requests SeDebugPrivilege, adds the firewall exception and is the one to dump for the unpacked payload.
Processes
- C:\Users\Admin\AppData\Local\Temp\ccd5489042e837a771f04a06fc5296535c2fff338e4d7b6d0585f446f2b0ba6b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ccd5489042e837a771f04a06fc5296535c2fff338e4d7b6d0585f446f2b0ba6b.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    Command line: "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      Command line: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
        - Modifies Windows Firewall
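The process tree above and the extracted config are enough to write host and network detections for this chain. The following is an added example, not part of the sandbox report or of the sample: it runs rules over constructed Sysmon-shaped events that mirror the report's IoCs (the HKCU Run values into AppData, the dropped binary spawning itself before SetThreadContext, netsh adding a firewall exception for a binary in AppData\Roaming, and a connection to the extracted C2 carrying the splitter). The Event fields, rule names and the benign control event are assumptions; the report's own Network section records no traffic, so the beacon event is purely constructed.

```python
"""Detection logic for the behaviour chain in this report.

Added example, not part of the sandbox report: the events below are constructed
in a Sysmon-like shape and mirror the report's IoCs; the Event field names and
rule names are assumptions, not a real product's schema.
"""
import ntpath
import re
from dataclasses import dataclass

# Values taken from the report's Malware Config section.
NJRAT_C2_HOST = "doddyfire.linkpc.net"
NJRAT_C2_PORT = 10000
NJRAT_SPLITTER = b"|'|'|"

# HKCU Run value being written (the report shows two: "confuse" and "SysMain").
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# Paths a standard user can write to; both persisted binaries in the report live here.
USER_WRITABLE_RE = re.compile(r"\\AppData\\(?:Roaming|Local\\Temp)\\", re.IGNORECASE)
# Legacy "netsh firewall add allowedprogram" (seen in the report) and the advfirewall form.
NETSH_FW_RE = re.compile(r"\bnetsh(?:\.exe)?\b.*\bfirewall\b.*\badd\s+(?:allowedprogram|rule)\b",
                         re.IGNORECASE)


@dataclass
class Event:
    kind: str                # "registry_set" | "process_create" | "network_connect"
    pid: int
    image: str
    parent_pid: int = 0
    parent_image: str = ""
    command_line: str = ""
    target_object: str = ""  # registry value path (registry_set)
    details: str = ""        # registry value data (registry_set)
    dest_host: str = ""
    dest_port: int = 0
    payload: bytes = b""


def detect(events):
    """Return (rule, pid, evidence) for every event that matches a rule."""
    findings = []
    for e in events:
        if e.kind == "registry_set":
            if RUN_KEY_RE.search(e.target_object) and USER_WRITABLE_RE.search(e.details):
                findings.append(("run_key_points_into_user_writable_dir", e.pid, e.details))
        elif e.kind == "process_create":
            # Firewall exception requested by a parent living in a user-writable directory;
            # an admin running netsh from cmd.exe under System32 does not match.
            if NETSH_FW_RE.search(e.command_line) and USER_WRITABLE_RE.search(e.parent_image):
                findings.append(("firewall_exception_added_by_userland_parent", e.pid, e.command_line))
            # Same image spawning itself from a user-writable path: weak on its own, but it is
            # the shape of the SetThreadContext/WriteProcessMemory chain (2544 -> 4380) above.
            if (e.parent_image and USER_WRITABLE_RE.search(e.image)
                    and ntpath.basename(e.image).lower() == ntpath.basename(e.parent_image).lower()):
                findings.append(("self_spawn_from_user_writable_dir", e.pid, e.image))
        elif e.kind == "network_connect":
            if e.dest_host.lower() == NJRAT_C2_HOST and e.dest_port == NJRAT_C2_PORT:
                findings.append(("njrat_c2_endpoint", e.pid, f"{e.dest_host}:{e.dest_port}"))
            if NJRAT_SPLITTER in e.payload:
                findings.append(("njrat_splitter_in_payload", e.pid, e.payload[:40]))
    return findings


SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "ccd5489042e837a771f04a06fc5296535c2fff338e4d7b6d0585f446f2b0ba6b.exe")
DROPPED = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"
HKCU_RUN = ("HKU\\S-1-5-21-1132431369-515282257-1998160155-1000"
            "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\")

# Constructed events mirroring the report's process tree and registry IoCs.
SAMPLE_EVENTS = [
    Event("registry_set", 2284, SAMPLE, target_object=HKCU_RUN + "confuse", details=DROPPED),
    Event("registry_set", 2284, SAMPLE, target_object=HKCU_RUN + "SysMain", details=SAMPLE),
    Event("process_create", 2544, DROPPED, 2284, SAMPLE, command_line=f'"{DROPPED}"'),
    Event("process_create", 4380, DROPPED, 2544, DROPPED, command_line=DROPPED),
    Event("process_create", 3344, "C:\\Windows\\SysWOW64\\netsh.exe", 4380, DROPPED,
          command_line=f'netsh firewall add allowedprogram "{DROPPED}" "chargeable.exe" ENABLE'),
    # Benign control: an administrator adding a rule from an elevated prompt must not fire.
    Event("process_create", 5000, "C:\\Windows\\System32\\netsh.exe", 4999,
          "C:\\Windows\\System32\\cmd.exe",
          command_line='netsh advfirewall firewall add rule name="SQL" dir=in action=allow '
                       'protocol=TCP localport=1433'),
    # Constructed beacon: the report's Network section records no traffic, so this is
    # only what a connection to the extracted C2 would look like to the rules.
    Event("network_connect", 4380, DROPPED, dest_host=NJRAT_C2_HOST, dest_port=NJRAT_C2_PORT,
          payload=b"constructed" + NJRAT_SPLITTER + b"beacon-body"),
]

if __name__ == "__main__":
    for rule, pid, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule:45} pid={pid} {evidence!r}")
```

Running it yields six findings and none for the benign netsh invocation from cmd.exe under System32. The firewall rule is keyed on the parent's path rather than on netsh itself, because netsh is routinely run by administrators; the self-spawn rule is deliberately narrow (same basename, user-writable image) and is meant to be corroborated by a process-access or thread-context telemetry source, which Sysmon process-create events alone do not give you.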
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
- C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
  - Filesize: 107KB
  - MD5: 4cc98e7a1b77a0e833f68020e855273f
  - SHA1: e347a239fa17a31a08163011ecffa8c3e0b032cf
  - SHA256: b0ff66881bada5726b248c5f7fa3d0a784e41646d93be89f4c915eba5eefc299
  - SHA512: 1a0ea22e9f41025148995f308d62b33c05c08a66bdd52a87dc98658fe5cf7b2aa2c1a0c0f1807a75c6ba8a4d7af3d98556c3994fba6e482ac918a1928e47e121

  The dropped copy has the same size as the submitted sample (107KB) but different hashes, so an IOC match on the submitted sample's MD5/SHA256 alone will not find the persisted chargeable.exe; add the hashes above, or hunt on the path and Run value instead.

- memory/2284-1-0x0000000000D20000-0x0000000000D30000-memory.dmp (64KB)
- memory/2284-2-0x0000000074810000-0x0000000074DC1000-memory.dmp (5.7MB)
- memory/2284-18-0x0000000074810000-0x0000000074DC1000-memory.dmp (5.7MB)
- memory/2284-0-0x0000000074810000-0x0000000074DC1000-memory.dmp (5.7MB)
- memory/2544-24-0x0000000074810000-0x0000000074DC1000-memory.dmp (5.7MB)
- memory/2544-17-0x0000000074810000-0x0000000074DC1000-memory.dmp (5.7MB)
- memory/4380-19-0x0000000000400000-0x000000000040C000-memory.dmp (48KB)
- memory/4380-23-0x0000000001400000-0x0000000001410000-memory.dmp (64KB)
- memory/4380-25-0x0000000074810000-0x0000000074DC1000-memory.dmp (5.7MB)
- memory/4380-22-0x0000000074810000-0x0000000074DC1000-memory.dmp (5.7MB)
- memory/4380-26-0x0000000074810000-0x0000000074DC1000-memory.dmp (5.7MB)
- memory/4380-27-0x0000000001400000-0x0000000001410000-memory.dmp (64KB)
- memory/4380-28-0x0000000074810000-0x0000000074DC1000-memory.dmp (5.7MB)

The 48KB region at 0x00400000 in pid 4380 is the one to start with when looking for the unpacked payload: 4380 is the process whose thread context was set by 2544, and that address is the region a hollowed 32-bit image is typically written to. The repeated 5.7MB 0x74810000 region is shared by all three processes and is most likely a common runtime module rather than payload.