Analysis
-
Max time kernel: 146s
Max time network: 147s
Platform: windows10-2004_x64
Resource: win10v2004-20240426-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 21-05-2024 14:30
-
Static task: static1
-
Behavioral task: behavioral1
  Sample: 89afd81cb7cb59382bf5830fd0111fd79a186532d960242e2e7e079415850ba0.exe
  Resource: win7-20240221-en
-
Behavioral task: behavioral2
  Sample: 89afd81cb7cb59382bf5830fd0111fd79a186532d960242e2e7e079415850ba0.exe
  Resource: win10v2004-20240426-en
General
-
Target: 89afd81cb7cb59382bf5830fd0111fd79a186532d960242e2e7e079415850ba0.exe
Size: 114KB
MD5: 43b54cfac304eeaa653ff9ffbe260427
SHA1: b65b4fb9a6e70f74dc34b2d5c474642a13e84222
SHA256: 89afd81cb7cb59382bf5830fd0111fd79a186532d960242e2e7e079415850ba0
SHA512: b22fb5408f1412922e61ba0a1a73de9bbb7361490686420dfb0cb3542c202e8f1fa320938fb1ae2b8c39701dc151e73ee0dd883954f91c11e7640afe437d2277
SSDEEP: 1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMiat6Aa:P5eznsjsguGDFqGZ2riAa
Malware Config
-
Extracted
Family: njrat
Version: 0.7d
Botnet: neuf
C2: doddyfire.linkpc.net:10000
Mutex: e1a87040f2026369a233f9ae76301b7b
-
Attributes
reg_key: e1a87040f2026369a233f9ae76301b7b
splitter: |'|'|
Signatures
-
Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes (pid | process):
  1700 | netsh.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | 89afd81cb7cb59382bf5830fd0111fd79a186532d960242e2e7e079415850ba0.exe
-
Executes dropped EXE (2 IoCs)
Processes (pid | process):
  4464 | chargeable.exe
  840 | chargeable.exe
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\89afd81cb7cb59382bf5830fd0111fd79a186532d960242e2e7e079415850ba0.exe" | 89afd81cb7cb59382bf5830fd0111fd79a186532d960242e2e7e079415850ba0.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" | 89afd81cb7cb59382bf5830fd0111fd79a186532d960242e2e7e079415850ba0.exe
-
Suspicious use of SetThreadContext (1 IoC)
Processes (description | pid | process | target process):
  PID 4464 set thread context of 840 | 4464 | chargeable.exe | chargeable.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken (33 IoCs)
Processes (description | pid | process):
  Token: SeDebugPrivilege | 840 | chargeable.exe
  Token: 33 | 840 | chargeable.exe
  Token: SeIncBasePriorityPrivilege | 840 | chargeable.exe
  (the last two entries alternate and each occur 16 times in the report, 33 entries in total)
-
Suspicious use of WriteProcessMemory (14 IoCs)
Processes (description | pid | process | target process):
  PID 436 wrote to memory of 4464 | 436 | 89afd81cb7cb59382bf5830fd0111fd79a186532d960242e2e7e079415850ba0.exe | chargeable.exe (3 entries)
  PID 4464 wrote to memory of 840 | 4464 | chargeable.exe | chargeable.exe (8 entries)
  PID 840 wrote to memory of 1700 | 840 | chargeable.exe | netsh.exe (3 entries)
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\89afd81cb7cb59382bf5830fd0111fd79a186532d960242e2e7e079415850ba0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\89afd81cb7cb59382bf5830fd0111fd79a186532d960242e2e7e079415850ba0.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
-
  Level 2: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    Command line: "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
-
    Level 3: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      Command line: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
-
      Level 4: C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
        - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Create or Modify System Process (1): Windows Service (1)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation
  Create or Modify System Process (1): Windows Service (1)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
-
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
Filesize: 114KB
MD5: 61102355f95cbc430c0cf9762af85ff0
SHA1: acc48c897e2937eae212b6386fc33179f8c3047b
SHA256: 0d30ee16e59f9929b0d85fff1c300b337c524c7d265f2449524337a6f010f7fc
SHA512: 4217cc73bcaddcaf5cb1ef2ffe592f924439925973f8fe1736c36b77698200a7b505cf087bf746de0bf040b4d4c462256b075aa148ab74fc3041abd59ee14bdd
-
memory/436-0-0x0000000074A92000-0x0000000074A93000-memory.dmp
Filesize: 4KB
-
memory/436-1-0x0000000074A90000-0x0000000075041000-memory.dmp
Filesize: 5.7MB
-
memory/436-16-0x0000000074A90000-0x0000000075041000-memory.dmp
Filesize: 5.7MB
-
memory/840-18-0x0000000000400000-0x000000000040C000-memory.dmp
Filesize: 48KB
-
memory/840-23-0x0000000074A90000-0x0000000075041000-memory.dmp
Filesize: 5.7MB
-
memory/840-21-0x0000000074A90000-0x0000000075041000-memory.dmp
Filesize: 5.7MB
-
memory/840-24-0x0000000074A90000-0x0000000075041000-memory.dmp
Filesize: 5.7MB
-
memory/840-25-0x0000000074A90000-0x0000000075041000-memory.dmp
Filesize: 5.7MB
-
memory/4464-17-0x0000000074A90000-0x0000000075041000-memory.dmp
Filesize: 5.7MB
-
memory/4464-22-0x0000000074A90000-0x0000000075041000-memory.dmp
Filesize: 5.7MB