Analysis
max time kernel
147s
max time network
138s
platform
windows7_x64
resource
win7-20231129-en
resource tags
arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted
23-05-2024 21:58
Static task
static1
Behavioral task
behavioral1
Sample
585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db.exe
Resource
win10v2004-20240426-en
General
-
Target
585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db.exe
-
Size
114KB
-
MD5
4761e6f3d54c1e51e2603a9d2d18ea4f
-
SHA1
534b9a87230fba1c8ca84b306dd4f61725fd8d78
-
SHA256
585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db
-
SHA512
452a7c4db915a0c80bc98339f192bda361973ea0cb9ee3ae2ee7cf3872efbb73c1c3f17b8be09aab3b23f7421b41d663c9b6529185e20b23a28bb04c239983d5
-
SSDEEP
1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMiat6e:P5eznsjsguGDFqGZ2rie
Malware Config
Extracted
njrat
0.7d
neuf
doddyfire.linkpc.net:10000
e1a87040f2026369a233f9ae76301b7b
-
reg_key
e1a87040f2026369a233f9ae76301b7b
-
splitter
|'|'|
Signatures
-
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
pid process
2632 netsh.exe
Executes dropped EXE 2 IoCs
Processes:
pid process
2836 chargeable.exe
3012 chargeable.exe
Loads dropped DLL 2 IoCs
Processes:
pid process
3060 585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db.exe
3060 585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" 585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db.exe" 585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
description pid process target process
PID 2836 set thread context of 3012 2836 chargeable.exe chargeable.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 33 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 3012 chargeable.exe
Token: 33 3012 chargeable.exe
Token: SeIncBasePriorityPrivilege 3012 chargeable.exe
(the last two rows alternate for the remaining entries; 33 token adjustments in total, all by PID 3012 chargeable.exe)
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
description pid process target process
PID 3060 wrote to memory of 2836 3060 585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db.exe chargeable.exe
PID 3060 wrote to memory of 2836 3060 585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db.exe chargeable.exe
PID 3060 wrote to memory of 2836 3060 585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db.exe chargeable.exe
PID 3060 wrote to memory of 2836 3060 585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db.exe chargeable.exe
PID 2836 wrote to memory of 3012 2836 chargeable.exe chargeable.exe
PID 2836 wrote to memory of 3012 2836 chargeable.exe chargeable.exe
PID 2836 wrote to memory of 3012 2836 chargeable.exe chargeable.exe
PID 2836 wrote to memory of 3012 2836 chargeable.exe chargeable.exe
PID 2836 wrote to memory of 3012 2836 chargeable.exe chargeable.exe
PID 2836 wrote to memory of 3012 2836 chargeable.exe chargeable.exe
PID 2836 wrote to memory of 3012 2836 chargeable.exe chargeable.exe
PID 2836 wrote to memory of 3012 2836 chargeable.exe chargeable.exe
PID 2836 wrote to memory of 3012 2836 chargeable.exe chargeable.exe
PID 3012 wrote to memory of 2632 3012 chargeable.exe netsh.exe
PID 3012 wrote to memory of 2632 3012 chargeable.exe netsh.exe
PID 3012 wrote to memory of 2632 3012 chargeable.exe netsh.exe
PID 3012 wrote to memory of 2632 3012 chargeable.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db.exe"
Process tree level 1
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
Command line: "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
Process tree level 2 (child of the process above)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
Command line: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
Process tree level 3 (child of the process above)
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe
Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
Process tree level 4 (child of the process above)
- Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process 1
Windows Service 1
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Privilege Escalation
Create or Modify System Process 1
Windows Service 1
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE
Filesize
1KB
MD5
cba2426f2aafe31899569ace05e89796
SHA1
3bfb16faefd762b18f033cb2de6ceb77db9d2390
SHA256
a465febe8a024e3cdb548a3731b2ea60c7b2919e941a24b9a42890b2b039b85a
SHA512
395cce81a7966f02c49129586815b833c8acfe6efbb8795e56548f32819270c654074622b7fa880121ce7fbd29725af6f69f89b8c7e02c64d1bbffbfe0620c68
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB
MD5
29f65ba8e88c063813cc50a4ea544e93
SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956
Filesize
1KB
MD5
0376ba21bc7c1d09e61b206c11bbc92c
SHA1
443fee1cb47f3497f1e8042a94c5da8655aa7cd7
SHA256
1e377d5df77b88b5dd8cde349ceb5c939eaddb2af2676ec91346f9ef7e24a0ab
SHA512
f68db4ce81924b2531b3467a23e02b2913086b6293d0d5a81fe9dbee941504502ea590d4667e3e758f3b4986384200700cb919bc7a5b75a29080e66b29aa9e23
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB
MD5
a266bb7dcc38a562631361bbf61dd11b
SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE
Filesize
264B
MD5
bdabfe548e40baf34403ecb3658bee63
SHA1
a89fbc0e7e021229ee7daa73e5495e3799012652
SHA256
a5bde5786ace7b26ed48e2c41206b43e82ec1745babfb163d8868ab401ea714e
SHA512
88357f71badc3bc494308004b8f8003f89c61cc8b7c19a2a474a8ca43026a5bceb668839c1517f46e37b9431e687894665c42043bdeac64c62e326b8f5bddc89
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B
MD5
14e76ea0d2f75800732960dacb7c52ef
SHA1
018400c7a5041daf8a016664446d6ca0536b2125
SHA256
1def6c60bcb4acf17137cb3fbb10602fccd0b2e8105d4a32f73e97f065c43d22
SHA512
8383257b68d3dd8bad7efac21a32b74c827fdb3a1edda192ca3b18ddb46f50efaa9af5595a8f2068cb39fba1959473e29176a5d700aa57369035516c31ba53a9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B
MD5
354866e32b39d0d731b1df2e3717fd5b
SHA1
db603a0bff0aeec56b6e0a896b9f1c1b38d5db49
SHA256
80c76cec917d3e44bb21d9a8553618630acb7196cfdfd4b47b08fccd8b7f07c9
SHA512
cd45cf2a11950f656912bb559c429dfe700d9d4faec9c20d50eeb853d84a53de3f724db9b4ad3e14f34f250373cc0aa0a19f032818ce92bf4167340002979ad6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B
MD5
8a632e6c4ee254bb87cd9141c6441083
SHA1
3dbd7f1837b61429664eb2dc82cef667d0da78f5
SHA256
3f566e815383bbd50dd856a76a28f4ca397d2a35a5bff709dff0d752a13114f1
SHA512
cee3203db01b3cd74fcb3cc0afe3b667f7bf2e1828faf6e478aa0cdbd3e06c46282abca0ff0b79fa859ed15420c0e41b2fd69d0a0ee3167b1b62bfeb6b962614
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956
Filesize
252B
MD5
94375775dc3e74c6eb22486fe0ff6d72
SHA1
8e693114f757d83a4f0ed4d22123bc5694435315
SHA256
62a700a3146a1dc84f9a1d299460022a9c71bd6d71a00e41afef3018b0c1b38c
SHA512
064f2ffde1c47ec4a10dc9ee69a1f54a51378046a91d75ad949eeb3eb7235d059add0744fe0457454efd7a8cd4e61f04753128f4bcf2ffbbbef9e6236416a483
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B
MD5
8fd0efcb2c6dc4efa82254919b8ee567
SHA1
d4780cd13a3e6ccdfa2cf82748f238c0a66ce7f5
SHA256
e39eebef6cd636cc622af4973e705f5dee715cb6462cbdb17da113236eb32a96
SHA512
78e4156797457123f661418c8903efba41fbdf8b042f6fddf0fed016b3aa1e7ceb919fb2b74bd87b275748eb8e8e1a2bb90b77f2dec7a39aa2888a6097ca3eee
-
C:\Users\Admin\AppData\Local\Temp\Tar1EDB.tmp
Filesize
177KB
MD5
435a9ac180383f9fa094131b173a2f7b
SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
\Users\Admin\AppData\Roaming\confuse\chargeable.exe
Filesize
114KB
MD5
3505d371c71a83cf4c17f160fe4d6dae
SHA1
eb35753983d3c89ecdb0f01f9cc96da5a2dd3b08
SHA256
f42fcbbea8c76c78b7e296292c3f1b347d83b2cb7ce36cc479987d79500ac3b6
SHA512
c9da423c1a5b3fe194c2fca10f15a2f6a984d5b4388bacd8cfc29641cdf861aad9f955a4d73f27a1ee8b0b4f060eae96d185b8ffd696cc5bae2b6a9ff2453b2c
-
memory/3012-362-0x0000000000400000-0x000000000040C000-memory.dmp
Filesize
48KB
-
memory/3012-365-0x0000000000400000-0x000000000040C000-memory.dmp
Filesize
48KB
-
memory/3012-364-0x0000000000400000-0x000000000040C000-memory.dmp
Filesize
48KB
-
memory/3060-191-0x0000000074AC0000-0x000000007506B000-memory.dmp
Filesize
5.7MB
-
memory/3060-0-0x0000000074AC1000-0x0000000074AC2000-memory.dmp
Filesize
4KB
-
memory/3060-1-0x0000000074AC0000-0x000000007506B000-memory.dmp
Filesize
5.7MB