Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A

Loads dropped DLL

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\28ebace92b95a8acca13c80033ca9a623bf2707180c416e2dacdaffc77c74509.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\28ebace92b95a8acca13c80033ca9a623bf2707180c416e2dacdaffc77c74509.exe	N/A

Adds Run key to start application

persistence

Description	Indicator	Process	Target
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	C:\Users\Admin\AppData\Local\Temp\28ebace92b95a8acca13c80033ca9a623bf2707180c416e2dacdaffc77c74509.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\28ebace92b95a8acca13c80033ca9a623bf2707180c416e2dacdaffc77c74509.exe"	C:\Users\Admin\AppData\Local\Temp\28ebace92b95a8acca13c80033ca9a623bf2707180c416e2dacdaffc77c74509.exe	N/A

Suspicious use of SetThreadContext

Description	Indicator	Process	Target
PID 2900 set thread context of 2552	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 2916 wrote to memory of 2900	N/A	C:\Users\Admin\AppData\Local\Temp\28ebace92b95a8acca13c80033ca9a623bf2707180c416e2dacdaffc77c74509.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2916 wrote to memory of 2900	N/A	C:\Users\Admin\AppData\Local\Temp\28ebace92b95a8acca13c80033ca9a623bf2707180c416e2dacdaffc77c74509.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2916 wrote to memory of 2900	N/A	C:\Users\Admin\AppData\Local\Temp\28ebace92b95a8acca13c80033ca9a623bf2707180c416e2dacdaffc77c74509.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2916 wrote to memory of 2900	N/A	C:\Users\Admin\AppData\Local\Temp\28ebace92b95a8acca13c80033ca9a623bf2707180c416e2dacdaffc77c74509.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2900 wrote to memory of 2552	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2900 wrote to memory of 2552	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2900 wrote to memory of 2552	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2900 wrote to memory of 2552	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2900 wrote to memory of 2552	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2900 wrote to memory of 2552	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2900 wrote to memory of 2552	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2900 wrote to memory of 2552	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2900 wrote to memory of 2552	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2552 wrote to memory of 2228	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Windows\SysWOW64\netsh.exe
PID 2552 wrote to memory of 2228	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Windows\SysWOW64\netsh.exe
PID 2552 wrote to memory of 2228	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Windows\SysWOW64\netsh.exe
PID 2552 wrote to memory of 2228	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\28ebace92b95a8acca13c80033ca9a623bf2707180c416e2dacdaffc77c74509.exe

"C:\Users\Admin\AppData\Local\Temp\28ebace92b95a8acca13c80033ca9a623bf2707180c416e2dacdaffc77c74509.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	crl.microsoft.com	udp
NL	2.18.121.28:80	crl.microsoft.com	tcp
US	8.8.8.8:53	www.microsoft.com	udp
US	23.200.189.225:80	www.microsoft.com	tcp
US	8.8.8.8:53	doddyfire.linkpc.net	udp
CN	221.229.41.41:10000	doddyfire.linkpc.net	tcp
CN	221.229.41.41:10000	doddyfire.linkpc.net	tcp
CN	221.229.41.41:10000	doddyfire.linkpc.net	tcp
CN	221.229.41.41:10000	doddyfire.linkpc.net	tcp
CN	221.229.41.41:10000	doddyfire.linkpc.net	tcp
CN	221.229.41.41:10000	doddyfire.linkpc.net	tcp

Files

memory/2916-0-0x0000000074571000-0x0000000074572000-memory.dmp

memory/2916-1-0x0000000074570000-0x0000000074B1B000-memory.dmp

memory/2916-2-0x0000000074570000-0x0000000074B1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabFEFA.tmp

MD5	ac05d27423a85adc1622c714f2cb6184
SHA1	b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256	c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512	6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\TarFF0C.tmp

MD5	9c0c641c06238516f27941aa1166d427
SHA1	64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256	4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512	936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5	49aebf8cbd62d92ac215b2923fb1b9f5
SHA1	1723be06719828dda65ad804298d0431f6aff976
SHA256	b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512	bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar28F.tmp

MD5	4ea6026cf93ec6338144661bf1202cd1
SHA1	a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256	8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512	6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5	d944cf2a8c09d401e5c3987e775ccb06
SHA1	f60b04cbc853a55f19017f472d0099da3926a6d4
SHA256	e892fd29996c21283a2a26d3c8b519eea7547069b7a08b9f3ad88c35422c8cfb
SHA512	089e9c1bd45c864f06645b1e91d01a8616e46cc4bf5d826e4662f203a6e208333fb2fb887c7a65ca3f4dd2f15a857a6f29732463f5330655c5e272f556df8b8e

\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5	a25e6d39adfbed447b35d53b0f14569c
SHA1	ba927679f46c9ccee59df17f7e81cff7b87ebb0a
SHA256	1ae2614bac60c9844b7aaa8f298b7bbcff1f2fb9aa9b9dadd00d3b76c16032dd
SHA512	4523289eb7007336af6e8ffd47001b4ad75ef784b6d2ad50dc0609e9a8fbc406b0090444a6f3dfaa10496c1b889c16aaab651d2c5300d105f842c445f2aa160c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5	f136ef168d7e12e13ad776fa3ae6f163
SHA1	0530f80f202d6fe3c5c351649454b6b933b79c5c
SHA256	6bcf9230501c61a2f485ab1b086215a3d85cd13519d80837e9268727d8fd6f6a
SHA512	ed70a26c0863270f017ca308cffd6eeea66d73a794946862c86c9f46ca064dcf921b3f5b0b5b47825218dd98c84877c07ec992edbead033128c42c0dc674b582

memory/2916-207-0x0000000074570000-0x0000000074B1B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956

MD5	fc1193c6345ac35188aa3de0f824ceb7
SHA1	8fb5606f5380ac6ace7bb4e7c71b6750362e8c5f
SHA256	bdfb8faff4c0c0a15c642890a5544bd32f930f55ca199470dbd4736a32d6e200
SHA512	480a3ad52cf215db3cede6ad93293f8f031c2cb7a190c6f4cbcd0f3eb06f5c81c7f13d304a495945192e759ab5403245acef7be0149b8615ce2b194927f3dec4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956

MD5	2df7f08930a9c19bc8e434c36d0bdf3a
SHA1	f01a6c84b08c034c7178108dd5f77d52192ba775
SHA256	b688d0e479e9e62d9eae797327fdc7d7315f25a6658cf6f6fbb08938e42816fa
SHA512	20eb05265b3bd9273747751a72dbaa8082c1ac46edcfaa925566a390adb3ff87ab946624bb5c8b8ed8d721302239e8233458c198d5ffc2d17bbe3600000ced0b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

MD5	cba2426f2aafe31899569ace05e89796
SHA1	3bfb16faefd762b18f033cb2de6ceb77db9d2390
SHA256	a465febe8a024e3cdb548a3731b2ea60c7b2919e941a24b9a42890b2b039b85a
SHA512	395cce81a7966f02c49129586815b833c8acfe6efbb8795e56548f32819270c654074622b7fa880121ce7fbd29725af6f69f89b8c7e02c64d1bbffbfe0620c68

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

MD5	4878a261d0526760c605c00b8969bc4a
SHA1	fa32189d47c380eb964a62707eace0d82be84b5c
SHA256	17334dc19f676ca9d2019cb6e4509955014177c25696319ebd384f05a12a0924
SHA512	3287e88a00cd6db50c6d578be35477d89f7b4ba30d0ad289b17831df82fb6846305e1083b0dd30a0fa0d764187fc97c81b6638b2fd081b99e5e5e67dfa33968f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5	ec4e33ccc99c50fd6321a213d72b6afb
SHA1	b02b853e1fd7e1241813193b3f91077675d257be
SHA256	0b6a4d65206682e500cf7baabdd7ea2750b806c92febd112a1ef9a2affd6cbc2
SHA512	61a830b24a6fbef54e090487e4dff0e92c0455daf969488380f52a18213d16bd2527a44eeffbc5bffb604638d03617d9254b516afe2f41342910fecc6c6c91d9

memory/2552-366-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2552-369-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2552-368-0x0000000000400000-0x000000000040C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 19:55

Reported

2024-06-15 19:57

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\28ebace92b95a8acca13c80033ca9a623bf2707180c416e2dacdaffc77c74509.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\netsh.exe	N/A

Checks computer location settings

Description	Indicator	Process	Target
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Local\Temp\28ebace92b95a8acca13c80033ca9a623bf2707180c416e2dacdaffc77c74509.exe	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A

Adds Run key to start application

persistence

Description	Indicator	Process	Target
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	C:\Users\Admin\AppData\Local\Temp\28ebace92b95a8acca13c80033ca9a623bf2707180c416e2dacdaffc77c74509.exe	N/A
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\28ebace92b95a8acca13c80033ca9a623bf2707180c416e2dacdaffc77c74509.exe"	C:\Users\Admin\AppData\Local\Temp\28ebace92b95a8acca13c80033ca9a623bf2707180c416e2dacdaffc77c74509.exe	N/A

Suspicious use of SetThreadContext

Description	Indicator	Process	Target
PID 3300 set thread context of 4024	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: 33	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 2656 wrote to memory of 3300	N/A	C:\Users\Admin\AppData\Local\Temp\28ebace92b95a8acca13c80033ca9a623bf2707180c416e2dacdaffc77c74509.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2656 wrote to memory of 3300	N/A	C:\Users\Admin\AppData\Local\Temp\28ebace92b95a8acca13c80033ca9a623bf2707180c416e2dacdaffc77c74509.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2656 wrote to memory of 3300	N/A	C:\Users\Admin\AppData\Local\Temp\28ebace92b95a8acca13c80033ca9a623bf2707180c416e2dacdaffc77c74509.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 3300 wrote to memory of 4024	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 3300 wrote to memory of 4024	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 3300 wrote to memory of 4024	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 3300 wrote to memory of 4024	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 3300 wrote to memory of 4024	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 3300 wrote to memory of 4024	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 3300 wrote to memory of 4024	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 3300 wrote to memory of 4024	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4024 wrote to memory of 4784	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Windows\SysWOW64\netsh.exe
PID 4024 wrote to memory of 4784	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Windows\SysWOW64\netsh.exe
PID 4024 wrote to memory of 4784	N/A	C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe	C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\28ebace92b95a8acca13c80033ca9a623bf2707180c416e2dacdaffc77c74509.exe

"C:\Users\Admin\AppData\Local\Temp\28ebace92b95a8acca13c80033ca9a623bf2707180c416e2dacdaffc77c74509.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	14.160.190.20.in-addr.arpa	udp
US	8.8.8.8:53	73.144.22.2.in-addr.arpa	udp
US	8.8.8.8:53	doddyfire.linkpc.net	udp
CN	221.229.41.41:10000	doddyfire.linkpc.net	tcp
US	8.8.8.8:53	86.23.85.13.in-addr.arpa	udp
US	8.8.8.8:53	171.39.242.20.in-addr.arpa	udp
CN	221.229.41.41:10000	doddyfire.linkpc.net	tcp
CN	221.229.41.41:10000	doddyfire.linkpc.net	tcp
CN	221.229.41.41:10000	doddyfire.linkpc.net	tcp
CN	221.229.41.41:10000	doddyfire.linkpc.net	tcp
CN	221.229.41.41:10000	doddyfire.linkpc.net	tcp
US	8.8.8.8:53		udp

Files

memory/2656-0-0x0000000075222000-0x0000000075223000-memory.dmp

memory/2656-1-0x0000000075220000-0x00000000757D1000-memory.dmp

memory/2656-2-0x0000000075220000-0x00000000757D1000-memory.dmp

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5	9f90562587651b345d3134f8680627bc
SHA1	9d21263c3d737a891898cdbe8d4e7dc537cd2e72
SHA256	7c7aecbb9b8409039dce9f9b55a36d8df87fb0155b3108f4c1d6891cbcc230b6
SHA512	d4b8825bfa6239c2e1a3c969acf9378cdb90a4c0ea61a1a784e5fc734e52e668d6353e4fea4b8fe032149970756c9483ee41f89298a56037cd2a8109fd36be15

memory/2656-17-0x0000000075220000-0x00000000757D1000-memory.dmp

memory/3300-18-0x0000000075220000-0x00000000757D1000-memory.dmp

memory/3300-19-0x0000000075220000-0x00000000757D1000-memory.dmp

memory/3300-20-0x0000000075220000-0x00000000757D1000-memory.dmp

memory/4024-21-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log

MD5	0a9b4592cd49c3c21f6767c2dabda92f
SHA1	f534297527ae5ccc0ecb2221ddeb8e58daeb8b74
SHA256	c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd
SHA512	6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307

memory/4024-26-0x0000000075220000-0x00000000757D1000-memory.dmp

memory/3300-25-0x0000000075220000-0x00000000757D1000-memory.dmp

memory/4024-27-0x0000000075220000-0x00000000757D1000-memory.dmp

memory/4024-28-0x0000000075220000-0x00000000757D1000-memory.dmp

memory/4024-29-0x0000000075220000-0x00000000757D1000-memory.dmp

Sample ID	240615-ym477asgmb
Target	28ebace92b95a8acca13c80033ca9a623bf2707180c416e2dacdaffc77c74509
SHA256	28ebace92b95a8acca13c80033ca9a623bf2707180c416e2dacdaffc77c74509
Tags	njrat neuf evasion persistence trojan

Malware Analysis Report

2024-08-06 19:46

Table of Contents

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files