Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 22-05-2024 14:41
Static task: static1
Behavioral task: behavioral1
- Sample: 5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe
- Resource: win10v2004-20240508-en
General
- Target: 5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe
- Size: 114KB
- MD5: 4be9986eb800ea45ff736671e9756ffe
- SHA1: e30372bd80efe2da17d21e4026ab2a42b1572290
- SHA256: 5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6
- SHA512: 4fb83428ad5899f2134dad76fb4c098b5037d1c0e5d8924741fab9d75b003838b15756cd4016cdfd99da82ff6913d6d6efc7ae9f3beaa1995346ef0ef5d46d22
- SSDEEP: 1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMiat6QK:P5eznsjsguGDFqGZ2rih
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: neuf
- C2: doddyfire.linkpc.net:10000
- Mutex: e1a87040f2026369a233f9ae76301b7b
- reg_key: e1a87040f2026369a233f9ae76301b7b
- splitter: |'|'|
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes:
    pid 2564  netsh.exe
- Executes dropped EXE (2 IoCs)
  Processes:
    pid 2012  chargeable.exe
    pid 2588  chargeable.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 2020  5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe
    pid 2020  5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"  (process: 5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe)
    Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe"  (process: 5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe)
  Note that the observed Run-key value name ("confuse") differs from the extracted reg_key above; both the dropped copy and the original dropper in Temp are registered for autostart.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 2012 chargeable.exe set thread context of 2588 chargeable.exe
  Together with the nine WriteProcessMemory calls from 2012 into 2588 below, this is consistent with RunPE-style hollowing of a second copy of itself; the 48KB 0x400000-0x40C000 dumps of pid 2588 under Downloads are the region to carve.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Processes (all by pid 2588 chargeable.exe):
    Token: SeDebugPrivilege  (1x)
    Token: 33  (15x, alternating with the following)
    Token: SeIncBasePriorityPrivilege  (15x)
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
    PID 2020 5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe wrote to memory of 2012 chargeable.exe  (4x)
    PID 2012 chargeable.exe wrote to memory of 2588 chargeable.exe  (9x)
    PID 2588 chargeable.exe wrote to memory of 2564 netsh.exe  (4x)
Processes
1. C:\Users\Admin\AppData\Local\Temp\5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe  (child of 1)
      Command line: "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe  (child of 2)
         Command line: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\netsh.exe  (child of 3)
            Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
            - Modifies Windows Firewall
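A host-side triage script for the chain above, added here as an example; it is not part of the sandbox report and not code from the sample. It extracts the whitelisted program from netsh firewall commands in both the deprecated `netsh firewall add allowedprogram` context this sample uses and the `netsh advfirewall firewall add rule ... program=` form, normalises Run-key writes whose data arrives with doubled backslashes as in this report, and flags any binary that receives both an autostart entry and a firewall exception. The event records are constructed to mirror the report's PIDs, paths and command lines, with Sysmon-style field names (EventID 1 process create, EventID 13 registry value set); the "Contoso" installer record is a made-up benign control.

```python
"""Triage of autostart + firewall-exception chains in constructed Sysmon-style events.

Editor's added example; not part of the sandbox output or of the malware.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind severity image actor_pid actor_image")

# Per-user, user-writable locations. Legitimate software does live under
# AppData\Local (e.g. Electron apps), so this is a weighting signal, not proof.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)

RUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\(?P<name>[^\\]+)$", re.I)

# Quote-aware tokenizer for Windows command lines; keeps key="value with spaces" whole.
_TOKEN = re.compile(r'(?:[^\s"]+=)?"[^"]*"|\S+')


def _tokens(cmdline):
    return [t.replace('"', "") for t in _TOKEN.findall(cmdline)]


def firewall_exception_target(cmdline):
    """Return the program path a netsh command whitelists, or None.

    Covers the deprecated 'netsh firewall add allowedprogram' context used in this
    report (still accepted on Windows 7 and later, with a deprecation warning) and
    'netsh advfirewall firewall add rule ... program=', so a detection that only
    keys on 'advfirewall' does not miss the legacy syntax.
    """
    toks = _tokens(cmdline)
    if not toks:
        return None
    low = [t.lower() for t in toks]
    if not low[0].rsplit("\\", 1)[-1].startswith("netsh"):
        return None
    # netsh firewall add allowedprogram [program=]<path> [name=]<name> [mode=]ENABLE|DISABLE
    if low[1:4] == ["firewall", "add", "allowedprogram"] and len(toks) > 4:
        path = toks[4]
        return path[len("program="):] if path.lower().startswith("program=") else path
    if low[1:5] == ["advfirewall", "firewall", "add", "rule"]:
        for t in toks[5:]:
            if t.lower().startswith("program="):
                return t[len("program="):]
    return None


def run_key_autostart(target_object, details):
    """For a registry value-set event, return (value_name, image_path) when the write
    lands in a Run/RunOnce key, else None. Sandbox and Sysmon output often render the
    REG_SZ data with doubled backslashes and quotes, as this report does."""
    m = RUN_KEY.search(target_object)
    if not m:
        return None
    image = details.replace("\\\\", "\\").strip().strip('"')
    return m.group("name"), image


def triage(events):
    """Turn raw events into findings; severity rises when the autostarted or
    whitelisted binary lives in a user-writable profile directory."""
    findings = []
    for ev in events:
        if ev["EventID"] == 13:
            hit = run_key_autostart(ev["TargetObject"], ev["Details"])
            if hit:
                name, image = hit
                sev = "high" if USER_WRITABLE.match(image) else "low"
                findings.append(Finding("autostart", sev, image, ev["ProcessId"], ev["Image"]))
        elif ev["EventID"] == 1:
            path = firewall_exception_target(ev["CommandLine"])
            if path:
                sev = "high" if USER_WRITABLE.match(path) else "medium"
                findings.append(Finding("firewall", sev, path, ev["ParentProcessId"], ev["ParentImage"]))
    return findings


def correlate(findings):
    """Binaries that gained both an autostart entry and a firewall exception,
    the combination this report shows for chargeable.exe."""
    autostart = {f.image.lower() for f in findings if f.kind == "autostart"}
    allowed = {f.image.lower() for f in findings if f.kind == "firewall"}
    return sorted(autostart & allowed)


# Constructed records mirroring the report's PIDs, paths and command lines.
SAMPLE = "5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe"
DROPPER = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE
PAYLOAD = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"
RUN = ("\\REGISTRY\\USER\\S-1-5-21-1298544033-3225604241-2703760938-1000"
       "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\")
EVENTS = [
    {"EventID": 13, "ProcessId": 2020, "Image": DROPPER, "TargetObject": RUN + "confuse",
     "Details": r'"C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"'},
    {"EventID": 13, "ProcessId": 2020, "Image": DROPPER, "TargetObject": RUN + "SysMain",
     "Details": '"' + DROPPER.replace("\\", "\\\\") + '"'},
    {"EventID": 1, "ProcessId": 2564, "ParentProcessId": 2588,
     "Image": "C:\\Windows\\SysWOW64\\netsh.exe", "ParentImage": PAYLOAD,
     "CommandLine": 'netsh firewall add allowedprogram "' + PAYLOAD + '" "chargeable.exe" ENABLE'},
    # Benign control (made up): an installer in Program Files using the modern context.
    {"EventID": 1, "ProcessId": 3100, "ParentProcessId": 3000,
     "Image": "C:\\Windows\\System32\\netsh.exe",
     "ParentImage": "C:\\Program Files\\Contoso\\setup.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="Contoso Sync" dir=in '
                    'action=allow program="C:\\Program Files\\Contoso\\sync.exe" enable=yes'},
]

if __name__ == "__main__":
    found = triage(EVENTS)
    for f in found:
        print(f"[{f.severity}] {f.kind}: {f.image}  (by pid {f.actor_pid} {f.actor_image})")
    print("autostart + firewall exception for:", correlate(found))
```

Run against the constructed events it reports two high-severity autostart findings (the "confuse" and "SysMain" values, both pointing into the user profile), one high-severity firewall exception for chargeable.exe requested by pid 2588, one medium-severity exception for the Program Files control, and correlates chargeable.exe as the only binary with both. The parent image and PID are attached to the netsh finding because the interesting actor is the process that launched netsh, not netsh itself.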
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Only the Registry Run Keys technique is backed by an IoC in the signature list above; no service creation appears there.
Downloads
The CryptnetUrlCache entries are CryptoAPI certificate-revocation cache files written by the OS during the run, not payload drops. The dropped chargeable.exe matches the submitted sample's size (114KB) but none of its hashes, so hunt on the path and the Run-key value names as well as the hashes.
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE
  Filesize: 1KB
  MD5: cba2426f2aafe31899569ace05e89796
  SHA1: 3bfb16faefd762b18f033cb2de6ceb77db9d2390
  SHA256: a465febe8a024e3cdb548a3731b2ea60c7b2919e941a24b9a42890b2b039b85a
  SHA512: 395cce81a7966f02c49129586815b833c8acfe6efbb8795e56548f32819270c654074622b7fa880121ce7fbd29725af6f69f89b8c7e02c64d1bbffbfe0620c68
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  Filesize: 68KB
  MD5: 29f65ba8e88c063813cc50a4ea544e93
  SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
  SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
  SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956
  Filesize: 1KB
  MD5: 0376ba21bc7c1d09e61b206c11bbc92c
  SHA1: 443fee1cb47f3497f1e8042a94c5da8655aa7cd7
  SHA256: 1e377d5df77b88b5dd8cde349ceb5c939eaddb2af2676ec91346f9ef7e24a0ab
  SHA512: f68db4ce81924b2531b3467a23e02b2913086b6293d0d5a81fe9dbee941504502ea590d4667e3e758f3b4986384200700cb919bc7a5b75a29080e66b29aa9e23
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE
  Filesize: 264B
  MD5: 37549294a76a582acc3c536305774f21
  SHA1: 85b6c4cf7aa401895e3429b409b647befcfdf335
  SHA256: 9b8357ec997d97f8dcbc44728c5aded6186916987b45680e656bc45c5e163f4a
  SHA512: ea2c790c8fd67d8bfd4ae595ac840dac49c4ed7a40d41021c5d300023b613457672de8195acc9a9cf488c79aa76df090db15a0f329ca2bc7ee11a52bbfef2987
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 3a5bfe0eaf3d61f1dde450bb0650b7cb
  SHA1: 0e4a4df7ad82830c6a0dd021a0c3fd2f9fa2161e
  SHA256: c91ce415bf65bd40d2fe824c0603b9343e8255e4973b4aac22842d3201f4df77
  SHA512: fd90e7eb77bf1b1e266b446310f8a3eb5a4f5edabf6239b22895dad778a06c2942f51d3b36a1b28c59e4be8f17b511ebcbe404f7739eba385f293247c6edba7e
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 56a3a204cd1df50cfe6b4c12e0a927b8
  SHA1: 691cdd7890e545182dd1d79fdb16e2ef5df0619c
  SHA256: 07b02a946254868b89597dd9d622371241be93b2e07886575d0696a93b5219b9
  SHA512: 90a50502b4822fb28739eddd61168ac311a812135ba547191dc0c17f4d9bb1605bf312ab68f261bc9e051954537367976b14fd608ad3932798a958e211c54cc9
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 9d5fa179e2ee5a28d124cb83aa698f33
  SHA1: 442b3aa105ec68bf0e95df30f57497672a78076c
  SHA256: 4bd8c783b6902dbf8cb7f85390e75d74d622497b26ec1ab74e771bf87f5bb708
  SHA512: 05a9236924304bc5e5189676bf2435a6f1077595ca403794a1945330cf51b14f6c453ac5cc1f2ecaba8486dcb65ce553cf4d00c352e6d748c559ef41740331f2
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956
  Filesize: 252B
  MD5: 1b5b01457f4d822a54edc97254864196
  SHA1: 41ae2a7c14669726e371c886717cb657683e12bc
  SHA256: b81ceb845b21eb6d9f0ba58d8f5812685ac71343d6c1ab86e1267f9b58640be5
  SHA512: 3e5480f77729b3f0ad44be3b6525d62f5aa352222e6c5121da77d95cd58da447539a5d7fb19dbb5efe8235282cb8d77fb67287f9ea0ef347fed0d23ddece2e99
- C:\Users\Admin\AppData\Local\Temp\Cab1FC2.tmp
  Filesize: 65KB
  MD5: ac05d27423a85adc1622c714f2cb6184
  SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
- C:\Users\Admin\AppData\Local\Temp\Tar1FE5.tmp
  Filesize: 171KB
  MD5: 9c0c641c06238516f27941aa1166d427
  SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
  SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
  SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
- C:\Users\Admin\AppData\Local\Temp\Tar4807.tmp
  Filesize: 177KB
  MD5: 435a9ac180383f9fa094131b173a2f7b
  SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
  SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
  SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
- \Users\Admin\AppData\Roaming\confuse\chargeable.exe
  Filesize: 114KB
  MD5: 5af06fb1a6eb5606f70696d5fe54f4f1
  SHA1: cc1291d8c9de36c5f0878a3b62428131398ad6b6
  SHA256: 0c04b636b03bae677bf358816d8fc6487cf4304b8a32d5bf08915e7ea430601b
  SHA512: c8462e52b18ff14a580bffd2bc12aa4f4f7e39311cff07b70ce365cc65ccdf75026e005cd4fea95c8a41ca8d5ef58371e23639d4fd5954e5d5491c05132b4231
- memory/2020-206-0x0000000074F00000-0x00000000754AB000-memory.dmp
  Filesize: 5.7MB
- memory/2020-0-0x0000000074F01000-0x0000000074F02000-memory.dmp
  Filesize: 4KB
- memory/2020-2-0x0000000074F00000-0x00000000754AB000-memory.dmp
  Filesize: 5.7MB
- memory/2020-1-0x0000000074F00000-0x00000000754AB000-memory.dmp
  Filesize: 5.7MB
- memory/2588-366-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB
- memory/2588-369-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB
- memory/2588-368-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB