Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-05-2024 14:41

Static task
- static1

Behavioral tasks
- behavioral1: 5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe on win7-20240221-en
- behavioral2: 5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe on win10v2004-20240508-en (the run reported on this page)
General
- Target: 5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe
- Size: 114KB
- MD5: 4be9986eb800ea45ff736671e9756ffe
- SHA1: e30372bd80efe2da17d21e4026ab2a42b1572290
- SHA256: 5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6
- SHA512: 4fb83428ad5899f2134dad76fb4c098b5037d1c0e5d8924741fab9d75b003838b15756cd4016cdfd99da82ff6913d6d6efc7ae9f3beaa1995346ef0ef5d46d22
- SSDEEP: 1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMiat6QK:P5eznsjsguGDFqGZ2rih
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: neuf
- C2: doddyfire.linkpc.net:10000
- Mutex: e1a87040f2026369a233f9ae76301b7b
- Attributes:
  - reg_key: e1a87040f2026369a233f9ae76301b7b
  - splitter: |'|'|

The field labels above follow the usual layout of this extractor's njRAT output; the page itself only lists the values. The splitter is the delimiter njRAT places between fields of its C2 messages, so it is the token to split on when parsing captured traffic to doddyfire.linkpc.net:10000. Note that the reg_key value does not appear among the Run values actually written during this run (see Signatures below), so the hostname, port and mutex are the more reliable IoCs from this config.
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes: netsh.exe (PID 2364)
  The command line (see Processes below) uses the legacy `netsh firewall` context, deprecated in favour of `netsh advfirewall`; detections should cover both forms, keyed on a program path under a user-writable directory.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried by 5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation
  Caveat: .NET's System.Globalization.RegionInfo reads this same value, so a .NET binary (njRAT is written in VB.NET) touching it is weak evidence on its own; weight it together with the other indicators.
- Executes dropped EXE (2 IoCs)
  Processes: chargeable.exe (PID 1028), chargeable.exe (PID 2676)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Both values were set by 5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe under \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
  - confuse = "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
  - SysMain = "C:\Users\Admin\AppData\Local\Temp\5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe"
  The second value name mimics the legitimate SysMain (Superfetch) service name, but it points at the original sample in the user's Temp directory.
- Suspicious use of SetThreadContext (1 IoC)
  chargeable.exe (PID 1028) set the thread context of chargeable.exe (PID 2676).
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  chargeable.exe (PID 2676) enabled SeDebugPrivilege once, then alternated between privilege 33 and SeIncBasePriorityPrivilege, 16 adjustments of each (33 token adjustments in total).
- Suspicious use of WriteProcessMemory (14 IoCs)
  - PID 2252 (5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe) wrote to PID 1028 (chargeable.exe): 3 writes
  - PID 1028 (chargeable.exe) wrote to PID 2676 (chargeable.exe): 8 writes
  - PID 2676 (chargeable.exe) wrote to PID 2364 (netsh.exe): 3 writes
  The three writes that accompany each child creation are ordinary process-start behaviour; the eight writes from 1028 into a second instance of its own image, followed by SetThreadContext on that instance, are consistent with self-hollowing (the unpacked payload runs in PID 2676, which is also the process that adjusts privileges and spawns netsh.exe).
Processes
1. C:\Users\Admin\AppData\Local\Temp\5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe (PID 2252)
   Command line: "C:\Users\Admin\AppData\Local\Temp\5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe"
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (PID 1028)
      Command line: "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (PID 2676)
         Command line: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\netsh.exe (PID 2364)
            Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
            - Modifies Windows Firewall
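The process tree and signatures above map onto a handful of host-telemetry rules. The block below is an added example written for this page (it is not sandbox output and not njRAT code): it runs four detections over a constructed, Sysmon-like event list that mirrors the report's IoCs. The event shape and field names are assumptions chosen for the example; the paths, PIDs, registry values, netsh command line and C2 hostname are taken from the report. The DNS event is constructed, since this page records no network activity.

```python
"""Detections for the njRAT behaviours in this report, over constructed events.

Added example for this page, not part of the sandbox report. Event records use a
simplified Sysmon-like shape; the field names are assumptions for the example.
"""
import re

# Constants copied from the report's Malware Config and Signatures sections.
NJRAT_C2_HOST = "doddyfire.linkpc.net"
NJRAT_C2_PORT = 10000
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6.exe")
DROPPED = r"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
HKU_RUN = (r"HKU\S-1-5-21-2804150937-2146708401-419095071-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run")

# A binary under the user's AppData tree is the common thread in every IoC here.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
# Legacy context seen in the report, plus the advfirewall form modern hosts use.
NETSH_LEGACY = re.compile(r'netsh\s+firewall\s+add\s+allowedprogram\s+"?([^"]+?)"?\s', re.I)
NETSH_ADV = re.compile(r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram="?([^"\s]+)', re.I)

# Constructed events mirroring the report; the last one is a benign control.
EVENTS = [
    {"type": "registry_set", "pid": 2252, "image": SAMPLE, "key": HKU_RUN + r"\confuse", "data": DROPPED},
    {"type": "registry_set", "pid": 2252, "image": SAMPLE, "key": HKU_RUN + r"\SysMain", "data": SAMPLE},
    {"type": "process_create", "pid": 1028, "ppid": 2252, "image": DROPPED, "cmdline": f'"{DROPPED}"'},
    {"type": "write_process_memory", "src_pid": 1028, "dst_pid": 2676, "src_image": DROPPED, "dst_image": DROPPED},
    {"type": "set_thread_context", "src_pid": 1028, "dst_pid": 2676, "src_image": DROPPED, "dst_image": DROPPED},
    {"type": "process_create", "pid": 2364, "ppid": 2676, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": f'netsh firewall add allowedprogram "{DROPPED}" "chargeable.exe" ENABLE'},
    {"type": "dns_query", "pid": 2676, "image": DROPPED, "query": "doddyfire.linkpc.net"},  # constructed
    {"type": "registry_set", "pid": 4100, "image": r"C:\Program Files\Vendor\setup.exe",
     "key": HKU_RUN + r"\VendorUpdater", "data": r"C:\Program Files\Vendor\updater.exe"},
]


def rule_run_key_user_path(ev):
    """Run value whose target lives under a user-writable AppData path."""
    return (ev["type"] == "registry_set" and RUN_KEY.search(ev["key"]) is not None
            and USER_WRITABLE.match(ev["data"].strip('"')) is not None)


def rule_netsh_allow_user_path(ev):
    """netsh adding a firewall allow entry for a user-writable program path."""
    if ev["type"] != "process_create" or not ev["image"].lower().endswith("\\netsh.exe"):
        return None
    m = NETSH_LEGACY.search(ev["cmdline"]) or NETSH_ADV.search(ev["cmdline"])
    if m and USER_WRITABLE.match(m.group(1)):
        return m.group(1)
    return None


def rule_c2_lookup(ev):
    """DNS query for the C2 host extracted from the sample's config."""
    return ev["type"] == "dns_query" and ev["query"].lower() == NJRAT_C2_HOST


def rule_self_hollowing(events):
    """Stateful: A writes into B, then sets B's thread context, and B is A's own image."""
    writes = {(e["src_pid"], e["dst_pid"]) for e in events if e["type"] == "write_process_memory"}
    return [("self_hollowing", e["src_pid"], e["dst_pid"]) for e in events
            if e["type"] == "set_thread_context"
            and (e["src_pid"], e["dst_pid"]) in writes
            and e["src_image"].lower() == e["dst_image"].lower()]


def detect(events):
    """Return (rule, pid, detail) findings; benign control events produce none."""
    findings = []
    for ev in events:
        if rule_run_key_user_path(ev):
            findings.append(("run_key_user_path", ev["pid"], ev["key"].rsplit("\\", 1)[-1]))
        program = rule_netsh_allow_user_path(ev)
        if program:
            findings.append(("netsh_allow_user_path", ev["pid"], program))
        if rule_c2_lookup(ev):
            findings.append(("c2_lookup", ev["pid"], ev["query"]))
    findings.extend(rule_self_hollowing(events))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

The hollowing rule is deliberately stateful: SetThreadContext alone also fires on debuggers and some legitimate injectors, but a parent that first writes into a fresh instance of its own image and then redirects its thread is the pattern this report shows and is far rarer in benign software.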
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process: Windows Service (1)
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process: Windows Service (1)
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)

The Run key mapping is backed directly by the two Run values in Signatures; no service creation appears among the IoCs on this page, so treat the Windows Service entry as the sandbox's signature-to-technique mapping rather than an observed service install.
Downloads
- C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
  - Filesize: 114KB
  - MD5: 5c87ec8cc6db4089636c99c2840a35a8
  - SHA1: e116ffc69ff12e5eecff53bc7ffaa3fd586fd670
  - SHA256: 65e15e3dcb515cff9f93ec85dd458606722734b5f10ca5aa1466712170b0caaa
  - SHA512: bdefc989be1a72b26063b247f95740235b010a90af4c8b8e9084885cedc714835a872f94f01608b9e9f3c25dca7cad010a9f1a8e943b564cdd4c6a5b87676633
  The dropped file is the same size as the submitted sample (114KB) but its hashes differ, so the copy written to AppData\Roaming is a modified file rather than a byte-identical one; hunt on both hash sets.

Memory dumps
- memory/2252-0: 0x0000000074D32000-0x0000000074D33000 (4KB)
- memory/2252-1, memory/2252-2, memory/2252-17: 0x0000000074D30000-0x00000000752E1000 (5.7MB)
- memory/1028-18, memory/1028-19, memory/1028-24: 0x0000000074D30000-0x00000000752E1000 (5.7MB)
- memory/2676-20: 0x0000000000400000-0x000000000040C000 (48KB)
- memory/2676-23, memory/2676-25: 0x0000000074D30000-0x00000000752E1000 (5.7MB)

The 5.7MB region at the same base in all three processes is a shared module mapping (given that njRAT is a .NET binary, most likely a runtime DLL) and is not specific to the sample. The 48KB region at 0x400000 in PID 2676 is the image-base range of the hollowed instance, the natural place to carve the unpacked payload from.