Analysis
- max time kernel: 147s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 23-05-2024 05:11
Static task: static1
Behavioral task: behavioral1
- Sample: fd3afc88f051b6a3bcb022788fa52b820cf112bd806448b8818659bf2d527df6.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: fd3afc88f051b6a3bcb022788fa52b820cf112bd806448b8818659bf2d527df6.exe
- Resource: win10v2004-20240426-en
General
- Target: fd3afc88f051b6a3bcb022788fa52b820cf112bd806448b8818659bf2d527df6.exe
- Size: 115KB
- MD5: 24afb670bfc40042810d583d94576877
- SHA1: cccb6c6ef2c56d0d3eb22278a337900b410bdceb
- SHA256: fd3afc88f051b6a3bcb022788fa52b820cf112bd806448b8818659bf2d527df6
- SHA512: f68b51b700b68ee4a8084e9d6c6ad8c1bf1c506854bd79f258d4641afb2fcae758b6712f14946718af3ab2f2d929fbec31fd8fdd637c9341e1bb3869e54ce5d4
- SSDEEP: 1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDIIn:P5eznsjsguGDFqGZ2rDII
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: neuf
- C2: doddyfire.linkpc.net:10000
- Mutex: e1a87040f2026369a233f9ae76301b7b
- Attributes:
  - reg_key: e1a87040f2026369a233f9ae76301b7b
  - splitter: |'|'|
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes: netsh.exe (PID 2260)
- Executes dropped EXE (2 IoCs)
  Processes: chargeable.exe (PID 2072), chargeable.exe (PID 2648)
- Loads dropped DLL (2 IoCs)
  Processes: fd3afc88f051b6a3bcb022788fa52b820cf112bd806448b8818659bf2d527df6.exe (PID 2340), 2 loads
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: fd3afc88f051b6a3bcb022788fa52b820cf112bd806448b8818659bf2d527df6.exe
  - Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"
  - Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fd3afc88f051b6a3bcb022788fa52b820cf112bd806448b8818659bf2d527df6.exe"
- Suspicious use of SetThreadContext (1 IoC)
  PID 2072 (chargeable.exe) set thread context of PID 2648 (chargeable.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Process: chargeable.exe (PID 2648)
  - Token: SeDebugPrivilege (1 occurrence)
  - Token: 33 (16 occurrences)
  - Token: SeIncBasePriorityPrivilege (16 occurrences)
- Suspicious use of WriteProcessMemory (17 IoCs)
  - PID 2340 (fd3afc88f051b6a3bcb022788fa52b820cf112bd806448b8818659bf2d527df6.exe) wrote to memory of PID 2072 (chargeable.exe): 4 occurrences
  - PID 2072 (chargeable.exe) wrote to memory of PID 2648 (chargeable.exe): 9 occurrences
  - PID 2648 (chargeable.exe) wrote to memory of PID 2260 (netsh.exe): 4 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\fd3afc88f051b6a3bcb022788fa52b820cf112bd806448b8818659bf2d527df6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fd3afc88f051b6a3bcb022788fa52b820cf112bd806448b8818659bf2d527df6.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    Command line: "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      Command line: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
        - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads