Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 23-05-2024 01:56

Static task: static1
Behavioral task: behavioral1
  Sample: b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exe
  Resource: win10v2004-20240426-en
General
Target: b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exe
Size: 114KB
MD5: 4edd985941bb709aba126d47f208da70
SHA1: 402b5012a81fde9c79b108e436a3c8775c32c3c9
SHA256: b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376
SHA512: 71f1508d54e2a547ecd6989e1017294f5f9459354089573e45b4e33d91875da220e629299de99ff5b418e33daee97d460b6be93a58a4662c5a284bab9811c01d
SSDEEP: 1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDF:P5eznsjsguGDFqGZ2rDF
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: neuf
C2: doddyfire.linkpc.net:10000
Mutex: e1a87040f2026369a233f9ae76301b7b
Attributes:
  reg_key: e1a87040f2026369a233f9ae76301b7b
  splitter: |'|'|
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid   process
  2404  netsh.exe

Executes dropped EXE (2 IoCs)
  pid   process
  2476  chargeable.exe
  2748  chargeable.exe

Loads dropped DLL (2 IoCs)
  pid   process
  2456  b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exe
  2456  b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"
  process: b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exe"
  process: b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exe

Suspicious use of SetThreadContext (1 IoC)
  description                           pid   process         target process
  PID 2476 set thread context of 2748   2476  chargeable.exe  chargeable.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (31 IoCs)
  description                         pid   process
  Token: SeDebugPrivilege             2748  chargeable.exe
  Token: 33                           2748  chargeable.exe
  Token: SeIncBasePriorityPrivilege   2748  chargeable.exe
  (the last two entries alternate, 30 entries in total, all for pid 2748 chargeable.exe)

Suspicious use of WriteProcessMemory (17 IoCs)
  description                          pid   process                                                                 target process
  PID 2456 wrote to memory of 2476     2456  b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exe   chargeable.exe   (4 entries)
  PID 2476 wrote to memory of 2748     2476  chargeable.exe                                                          chargeable.exe   (9 entries)
  PID 2748 wrote to memory of 2404     2748  chargeable.exe                                                          netsh.exe        (4 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      command line: "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
         command line: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\netsh.exe
            command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
            - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  Create or Modify System Process (1)
    Windows Service (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)

Privilege Escalation
  Create or Modify System Process (1)
    Windows Service (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE
  Filesize: 1KB
  MD5: cba2426f2aafe31899569ace05e89796
  SHA1: 3bfb16faefd762b18f033cb2de6ceb77db9d2390
  SHA256: a465febe8a024e3cdb548a3731b2ea60c7b2919e941a24b9a42890b2b039b85a
  SHA512: 395cce81a7966f02c49129586815b833c8acfe6efbb8795e56548f32819270c654074622b7fa880121ce7fbd29725af6f69f89b8c7e02c64d1bbffbfe0620c68

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  Filesize: 68KB
  MD5: 29f65ba8e88c063813cc50a4ea544e93
  SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
  SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
  SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956
  Filesize: 1KB
  MD5: 0376ba21bc7c1d09e61b206c11bbc92c
  SHA1: 443fee1cb47f3497f1e8042a94c5da8655aa7cd7
  SHA256: 1e377d5df77b88b5dd8cde349ceb5c939eaddb2af2676ec91346f9ef7e24a0ab
  SHA512: f68db4ce81924b2531b3467a23e02b2913086b6293d0d5a81fe9dbee941504502ea590d4667e3e758f3b4986384200700cb919bc7a5b75a29080e66b29aa9e23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE
  Filesize: 264B
  MD5: 2de8fb425b947fa27d2afeccbafc39b0
  SHA1: 039b182078147c6bde0a1cbed41e4d91786cd072
  SHA256: 5cea1385dee720a2c1fe5faab43a81aa1e801f2fd0e8d8d7e5731846a67cb0a5
  SHA512: 0601ef9f6afde666563ece54de6416d56d506a821ceefbd3e5756c61b66d56db1d1c09fbafd245c283324283595c4d5e6eb57979ede18eafc6711fd89e82b497

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 89fea15463647af38cb1eca2fcc76f56
  SHA1: 2bf012ba0acd4caca56b8e5db1b52761345b8f69
  SHA256: 4a3b61ff9bad384566ca11e9c5b496f97182fc231940eacaba9d1ebb9ed2570b
  SHA512: 7153cade205ccb03b1030aa96649ff0c9ee58ff304320cae0efcce2352d174e67562667f166244bdf6ae26e7dc4c8dbfa956831f32e0c535e44f094c1c255868

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: bc5ced4de52721c99818ef1ae29afb20
  SHA1: 665803c712df88346eda32232c58cc5fe6a8da80
  SHA256: 3869fe722ed9993269cbb397eb6ea6f01c2bc2ee047f849b87eed28cc48d9028
  SHA512: ea8118a8a8999e068ac4d5abdeb26f5cccb2c4aec909df3c92e307d010819baf444226dcce1a5f066a92e2358a874265cc264322549db1c958832d8b785b15dc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 0dcbea13d7961e8d067fd4c2ab9cf87b
  SHA1: 48ee884975b38c7377f245187e5ca84c7bdc17c1
  SHA256: e653cb7132e87dce979281ee56ac5984186b0b510b04d8ee34799b96e6cdab0a
  SHA512: 13713e72f6f27d68a3dc2c61d44d77ebc2fff5395dd581365352ff22d15a7947723069153a975800f695b85c3745c94635a6fc19a42a3b464d21a334644cd98d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956
  Filesize: 252B
  MD5: 48bd49cd7abebb89ca140a601d65d15b
  SHA1: a89c0862d6fbff2d257a1cf53c3e60b4305c3ba7
  SHA256: 12e6c83c278c8ea7b8e263a6ff6fac736e88b8482807e0ba0ec6a6252fdeb042
  SHA512: 8a34fc3eae4de89b35826c7d9ace2a0e091b7c673077023428c4fa42fcc8a1b23e679bfa6c6640a70629998a306dc0e2e6c483889756040bc393f03672c0a56e

C:\Users\Admin\AppData\Local\Temp\Cab9262.tmp
  Filesize: 65KB
  MD5: ac05d27423a85adc1622c714f2cb6184
  SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar9284.tmp
  Filesize: 171KB
  MD5: 9c0c641c06238516f27941aa1166d427
  SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
  SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
  SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\Local\Temp\Tar9B07.tmp
  Filesize: 177KB
  MD5: 435a9ac180383f9fa094131b173a2f7b
  SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
  SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
  SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

\Users\Admin\AppData\Roaming\confuse\chargeable.exe
  Filesize: 114KB
  MD5: 64c86e3a75e3b6bfdc47b8b31ea96ad9
  SHA1: ec0e4ad32f28f33897652c1518c5be9b9219a68a
  SHA256: d3e1a1667049b74bbebccd18cc9d3dc9f42e1aa184e8b79a41df4645e6038a4d
  SHA512: c0090efa3a55039ac4256a9556a375383032455e4b635972ddc6bb9cd5e018f1376b9fa2a4dbd8452e126a150011fe56d56ef6a687732f71462f8ea2b0751d53

memory/2456-197-0x0000000074C60000-0x000000007520B000-memory.dmp
  Filesize: 5.7MB

memory/2456-0-0x0000000074C61000-0x0000000074C62000-memory.dmp
  Filesize: 4KB

memory/2456-3-0x0000000074C60000-0x000000007520B000-memory.dmp
  Filesize: 5.7MB

memory/2456-1-0x0000000074C60000-0x000000007520B000-memory.dmp
  Filesize: 5.7MB

memory/2748-366-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB

memory/2748-368-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB

memory/2748-369-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB