Analysis
max time kernel: 146s
max time network: 140s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 22-05-2024 14:57
Static task: static1
Behavioral task: behavioral1
  Sample: ff4501dcfc5f1f6ab5c50195d053191d54290d2efc160def4de7af2b2c1f7039.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: ff4501dcfc5f1f6ab5c50195d053191d54290d2efc160def4de7af2b2c1f7039.exe
  Resource: win10v2004-20240508-en
General
Target: ff4501dcfc5f1f6ab5c50195d053191d54290d2efc160def4de7af2b2c1f7039.exe
Size: 115KB
MD5: 3e124508b39b68317375be75c14e7ff8
SHA1: b885c4facabfd60e597857f45c97a3a4b47dcc29
SHA256: ff4501dcfc5f1f6ab5c50195d053191d54290d2efc160def4de7af2b2c1f7039
SHA512: 81a35f10a3adfa1635c0957c69f9a0e6688e1e818144169696e018a0c0bc62b3196c3e5930216b0fc81cd68b0441261b5cb428054bad8a7b0e2b56a122e06670
SSDEEP: 1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDL0:P5eznsjsguGDFqGZ2rDL0
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: neuf
C2: doddyfire.linkpc.net:10000
Mutex: e1a87040f2026369a233f9ae76301b7b
Attributes:
  reg_key: e1a87040f2026369a233f9ae76301b7b
  splitter: |'|'|
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoCs)
Processes:
  pid 2736  netsh.exe

Executes dropped EXE (2 IoCs)
Processes:
  pid 2136  chargeable.exe
  pid 2648  chargeable.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid 2936  ff4501dcfc5f1f6ab5c50195d053191d54290d2efc160def4de7af2b2c1f7039.exe
  pid 2936  ff4501dcfc5f1f6ab5c50195d053191d54290d2efc160def4de7af2b2c1f7039.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"  process: ff4501dcfc5f1f6ab5c50195d053191d54290d2efc160def4de7af2b2c1f7039.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ff4501dcfc5f1f6ab5c50195d053191d54290d2efc160def4de7af2b2c1f7039.exe"  process: ff4501dcfc5f1f6ab5c50195d053191d54290d2efc160def4de7af2b2c1f7039.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  PID 2136 set thread context of 2648  process: chargeable.exe  target process: chargeable.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (33 IoCs)
Processes:
  Token: SeDebugPrivilege           pid 2648  chargeable.exe
  Token: 33                         pid 2648  chargeable.exe
  Token: SeIncBasePriorityPrivilege pid 2648  chargeable.exe
  (the pair "Token: 33" / "Token: SeIncBasePriorityPrivilege" for pid 2648 chargeable.exe repeats 16 times, 33 IoCs in total)

Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
  PID 2936 wrote to memory of 2136  process: ff4501dcfc5f1f6ab5c50195d053191d54290d2efc160def4de7af2b2c1f7039.exe  target process: chargeable.exe  (4 times)
  PID 2136 wrote to memory of 2648  process: chargeable.exe  target process: chargeable.exe  (9 times)
  PID 2648 wrote to memory of 2736  process: chargeable.exe  target process: netsh.exe  (4 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\ff4501dcfc5f1f6ab5c50195d053191d54290d2efc160def4de7af2b2c1f7039.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ff4501dcfc5f1f6ab5c50195d053191d54290d2efc160def4de7af2b2c1f7039.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      Command line: "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
         Command line: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\netsh.exe
            Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
            - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1)
  - Windows Service (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process (1)
  - Windows Service (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE
  Filesize: 1KB
  MD5: cba2426f2aafe31899569ace05e89796
  SHA1: 3bfb16faefd762b18f033cb2de6ceb77db9d2390
  SHA256: a465febe8a024e3cdb548a3731b2ea60c7b2919e941a24b9a42890b2b039b85a
  SHA512: 395cce81a7966f02c49129586815b833c8acfe6efbb8795e56548f32819270c654074622b7fa880121ce7fbd29725af6f69f89b8c7e02c64d1bbffbfe0620c68
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  Filesize: 68KB
  MD5: 29f65ba8e88c063813cc50a4ea544e93
  SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
  SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
  SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956
  Filesize: 1KB
  MD5: 0376ba21bc7c1d09e61b206c11bbc92c
  SHA1: 443fee1cb47f3497f1e8042a94c5da8655aa7cd7
  SHA256: 1e377d5df77b88b5dd8cde349ceb5c939eaddb2af2676ec91346f9ef7e24a0ab
  SHA512: f68db4ce81924b2531b3467a23e02b2913086b6293d0d5a81fe9dbee941504502ea590d4667e3e758f3b4986384200700cb919bc7a5b75a29080e66b29aa9e23
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE
  Filesize: 264B
  MD5: ad9178ee2e4e9a42e3f7e2f9f1cf38e4
  SHA1: 53b15435cf91af0aaacd171917f180135fb4edf4
  SHA256: 3583016a676fab998b13d4230aa7fcc18f4787142efcbb19f932359c84dfebf4
  SHA512: 2740c3ce1f38c83e441673344ab1b5526c6fd48bfa50cf38472dbd60e7b79ca94c70835641c620d63be39b147e85f4b12f74d834f79b2653d1c21e47d3b903f6
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 381287811bd84caae96847f60cc88358
  SHA1: 0482aad619206c8c43d75da4ba78ea23fae63699
  SHA256: 998a4945ad5c94d33dc6481947f94e621efe2e3f45221231ad367077172f2076
  SHA512: b0e8e26086d895fdde24923c24144428d5052c5514b1042830fa90266d12e8bf9fd96b0067a31e83d03b514907e62f4e08b07d26d0a535273d25b2e58e1f7f72
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 9606b1771b113ef7b813016fe0d01956
  SHA1: 0189f8967a149f60e19ec8cdae356d80aee76e35
  SHA256: d21e6a12fc7b6e21b1117281a270e6d2608b12b890aaa613b79fdb53374fa7ab
  SHA512: 190d725cb39d1e931faa4fda74b47c9194eb5c775ed084b8c7744cfa7dc3ef9e1f59a9aac589aa221f20eae00291f228036549ed2e0b59c31f25bd7fb499b523
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 7c15b12ea963efee7830c1aa4c964aba
  SHA1: e0514064cc4595faff0588ac981f3a7dd026fda8
  SHA256: d91a52a0b82d7d76381428877e15cfb38888e46d7ca8013493b7529d3a516be3
  SHA512: ebda8364c2906972f7b3ef9fed4f8e4f56adae73f0bd684ad57575f7651046546693bebc3a6761447cdc69df71a2db5fdd8bb59273ee71ecd9180104509677a9
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956
  Filesize: 252B
  MD5: bcb0efc8531390664f6421a5dacbc625
  SHA1: 1de9a0f8310938cacfa2ab56b5243c4aed5bf49e
  SHA256: 39f5bcffdd0bbf05c09cee13192a017a9e0e3ca0b0984572f76831179e43f233
  SHA512: 4f4e3f5b4b2a270d9576d0e109aeb346d94924126581e7382656e5c52ebb5de2adc06c490bb7871aa2ac89a82c8c3b86791331ab4ca501d97b1215a4d854b132
- C:\Users\Admin\AppData\Local\Temp\Cab14BB.tmp
  Filesize: 65KB
  MD5: ac05d27423a85adc1622c714f2cb6184
  SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
- C:\Users\Admin\AppData\Local\Temp\Tar14CD.tmp
  Filesize: 171KB
  MD5: 9c0c641c06238516f27941aa1166d427
  SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
  SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
  SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
- C:\Users\Admin\AppData\Local\Temp\Tar17D4.tmp
  Filesize: 177KB
  MD5: 435a9ac180383f9fa094131b173a2f7b
  SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
  SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
  SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
- C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
  Filesize: 115KB
  MD5: 80bf2a47e4b69c3663e423465c87d016
  SHA1: d14a7062506fa603de7b3020e485447b9a7a10d7
  SHA256: ec417422a5d304d32a11e2c96708f9afce1ab4bef1cecc4b2309aae7198cb15c
  SHA512: eb9bf92aacafe10b9f0a22ec50a040b0db249f3007f144b47e3f851e4f0d8daaf8bd5988f67e470cbc2313e1a8b9c46fde182bd0178c860b9aa9217a86644bb4
- memory/2648-366-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB
- memory/2648-369-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB
- memory/2648-368-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB
- memory/2936-214-0x0000000074400000-0x00000000749AB000-memory.dmp
  Filesize: 5.7MB
- memory/2936-0-0x0000000074401000-0x0000000074402000-memory.dmp
  Filesize: 4KB
- memory/2936-2-0x0000000074400000-0x00000000749AB000-memory.dmp
  Filesize: 5.7MB
- memory/2936-1-0x0000000074400000-0x00000000749AB000-memory.dmp
  Filesize: 5.7MB