Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-05-2024 21:58
Static task: static1
Behavioral task: behavioral1
- Sample: 585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db.exe
- Resource: win10v2004-20240426-en
General
- Target: 585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db.exe
- Size: 114KB
- MD5: 4761e6f3d54c1e51e2603a9d2d18ea4f
- SHA1: 534b9a87230fba1c8ca84b306dd4f61725fd8d78
- SHA256: 585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db
- SHA512: 452a7c4db915a0c80bc98339f192bda361973ea0cb9ee3ae2ee7cf3872efbb73c1c3f17b8be09aab3b23f7421b41d663c9b6529185e20b23a28bb04c239983d5
- SSDEEP: 1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMiat6e:P5eznsjsguGDFqGZ2rie
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: neuf
- C2: doddyfire.linkpc.net:10000
- Mutex: e1a87040f2026369a233f9ae76301b7b
- reg_key: e1a87040f2026369a233f9ae76301b7b
- splitter: |'|'|
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Process: netsh.exe (PID 3224)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Process: 585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (2 IoCs)
  Processes: chargeable.exe (PID 516), chargeable.exe (PID 468)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: 585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"
  Set value (str): \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db.exe"
- Suspicious use of SetThreadContext (1 IoC)
  PID 516 (chargeable.exe) set thread context of PID 468 (chargeable.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Process: chargeable.exe (PID 468)
  Token: SeDebugPrivilege (PID 468, chargeable.exe), one entry; the remaining 32 entries alternate Token: 33 and Token: SeIncBasePriorityPrivilege (PID 468, chargeable.exe), 16 of each
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: 585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db.exe, chargeable.exe, chargeable.exe
  PID 760 (585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db.exe) wrote to memory of PID 516 (chargeable.exe): 3 entries
  PID 516 (chargeable.exe) wrote to memory of PID 468 (chargeable.exe): 8 entries
  PID 468 (chargeable.exe) wrote to memory of PID 3224 (netsh.exe): 3 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db.exe (depth 1, PID 760)
  Command line: "C:\Users\Admin\AppData\Local\Temp\585467925aa6904de560c6a7f14d1aaff4f4597d4224daa2072b9abdbdd418db.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (depth 2, PID 516)
    Command line: "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (depth 3, PID 468)
      Command line: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\netsh.exe (depth 4, PID 3224)
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
        - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
- C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
  Filesize: 114KB
  MD5: c424423ad6f993228f29cc551f41d7d9
  SHA1: e1a60fa176f508736c1fadeb81979f092fbfdccf
  SHA256: 29376a2df2a8505bc28c1b67fd4f842bc8386c66610267255183940084dd17d8
  SHA512: 1dd0136fa0e1728cfeffd53c6931b356f0769fda487e7951ca14ceb7588d81f39095bb6beec601a3ef4476dc940583d98ad33c046fc4d02f5b7dc141ddf9748a
- memory/468-19-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB
- memory/468-23-0x0000000074670000-0x0000000074C21000-memory.dmp
  Filesize: 5.7MB
- memory/468-24-0x0000000074670000-0x0000000074C21000-memory.dmp
  Filesize: 5.7MB
- memory/468-25-0x0000000074670000-0x0000000074C21000-memory.dmp
  Filesize: 5.7MB
- memory/468-26-0x0000000074670000-0x0000000074C21000-memory.dmp
  Filesize: 5.7MB
- memory/516-18-0x0000000074670000-0x0000000074C21000-memory.dmp
  Filesize: 5.7MB
- memory/516-22-0x0000000074670000-0x0000000074C21000-memory.dmp
  Filesize: 5.7MB
- memory/760-0-0x0000000074672000-0x0000000074673000-memory.dmp
  Filesize: 4KB
- memory/760-1-0x0000000074670000-0x0000000074C21000-memory.dmp
  Filesize: 5.7MB
- memory/760-2-0x0000000074670000-0x0000000074C21000-memory.dmp
  Filesize: 5.7MB
- memory/760-17-0x0000000074670000-0x0000000074C21000-memory.dmp
  Filesize: 5.7MB