Malware Analysis Report

2024-08-06 19:48

Sample ID 240618-g67c8averj
Target 6b06d00c6ef29be4902f7f6f89f014ce.exe
SHA256 41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709
Tags
njrat neuf evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709

Threat Level: Known bad

The file 6b06d00c6ef29be4902f7f6f89f014ce.exe was found to be: Known bad.

Malicious Activity Summary

njrat neuf evasion persistence trojan

njRAT/Bladabindi

Modifies Windows Firewall

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-18 06:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 06:26

Reported

2024-06-18 06:28

Platform

win7-20231129-en

Max time kernel

147s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6b06d00c6ef29be4902f7f6f89f014ce.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" | C:\Users\Admin\AppData\Local\Temp\6b06d00c6ef29be4902f7f6f89f014ce.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6b06d00c6ef29be4902f7f6f89f014ce.exe" | C:\Users\Admin\AppData\Local\Temp\6b06d00c6ef29be4902f7f6f89f014ce.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1364 set thread context of 2876 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: 33 (16 rows, alternating with the row below) | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: SeIncBasePriorityPrivilege (16 rows) | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3044 wrote to memory of 1364 (4 rows) | N/A | C:\Users\Admin\AppData\Local\Temp\6b06d00c6ef29be4902f7f6f89f014ce.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1364 wrote to memory of 2876 (9 rows) | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2876 wrote to memory of 2756 (4 rows) | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Windows\SysWOW64\netsh.exe

Processes

Process tree (image path, then command line; PIDs taken from the WriteProcessMemory and SetThreadContext tables above):

PID 3044  C:\Users\Admin\AppData\Local\Temp\6b06d00c6ef29be4902f7f6f89f014ce.exe
          "C:\Users\Admin\AppData\Local\Temp\6b06d00c6ef29be4902f7f6f89f014ce.exe"
  PID 1364  C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
            "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
    PID 2876  C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
              C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      PID 2756  C:\Windows\SysWOW64\netsh.exe
                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
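The WriteProcessMemory, SetThreadContext and Run-key tables above, together with the netsh command line, describe a single chain: the dropper starts the dropped copy, the dropped copy starts a second instance of itself, writes into it and replaces a thread context (the process-hollowing pattern, ATT&CK T1055.012 in my mapping), and that instance spawns netsh to add itself as a firewall exception (T1562.004) while two Run values (T1547.001) point at both binaries. The Python below is an added example, not part of the sandbox report, and shows the correlation a detection engineer would write over equivalent EDR telemetry. PIDs, paths, the command line and the per-row event counts are copied from the behavioral1 tables; the USER_WRITABLE heuristic, the regexes and the function names are this example's own assumptions.

```python
"""Correlate sandbox-style process events into the injection-and-firewall
chain shown in this report.

Added example; not part of the sandbox report.  PIDs, paths and command
lines are constructed from the behavioral1 tables (3044 -> 1364 -> 2876
-> 2756); the number of events per API mirrors the number of rows.
"""
import re

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\6b06d00c6ef29be4902f7f6f89f014ce.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
NETSH = r"C:\Windows\SysWOW64\netsh.exe"

# pid -> (parent pid, image path, command line), in process-tree order.
PROCS = {
    3044: (None, DROPPER, f'"{DROPPER}"'),
    1364: (3044, DROPPED, f'"{DROPPED}"'),
    2876: (1364, DROPPED, DROPPED),
    2756: (2876, NETSH,
           f'netsh firewall add allowedprogram "{DROPPED}" "chargeable.exe" ENABLE'),
}

# (api, source pid, target pid); one tuple per row in the report's tables.
EVENTS = (
    [("WriteProcessMemory", 3044, 1364)] * 4
    + [("WriteProcessMemory", 1364, 2876)] * 9
    + [("SetThreadContext", 1364, 2876)]
    + [("WriteProcessMemory", 2876, 2756)] * 4
)

# HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value name -> data.
RUN_KEYS = {"confuse": DROPPED, "SysMain": DROPPER}

# Directories a standard user can write to (assumed heuristic): autostart
# entries or firewall exceptions pointing here deserve a look regardless of
# how innocuous the file name looks.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)

# Both the legacy "netsh firewall" context used by this sample and the
# current "netsh advfirewall" form of an allow rule.
ALLOW_RULE = re.compile(
    r"firewall\s+add\s+allowedprogram"
    r"|advfirewall\s+firewall\s+add\s+rule\b.*\baction\s*=\s*allow\b", re.I)
EXE_PATH = re.compile(r'"([A-Za-z]:\\[^"]+?\.exe)"|([A-Za-z]:\\\S+?\.exe)', re.I)


def find_hollowing(procs, events):
    """(src, dst) pairs where src spawned dst from the same image, wrote into
    it and then replaced a thread context.  Requiring all three conditions
    keeps benign launchers, which also write into a fresh child, out."""
    wrote = {(s, d) for api, s, d in events if api == "WriteProcessMemory"}
    ctx = {(s, d) for api, s, d in events if api == "SetThreadContext"}
    hits = []
    for src, dst in sorted(wrote & ctx):
        parent, image, _ = procs[dst]
        if parent == src and procs[src][1].lower() == image.lower():
            hits.append((src, dst))
    return hits


def find_firewall_allows(procs):
    """netsh invocations adding an allow rule, as
    (pid, allowed path, spawning image, path is user-writable)."""
    hits = []
    for pid, (parent, image, cmdline) in procs.items():
        if not image.lower().endswith("\\netsh.exe"):
            continue
        if ALLOW_RULE.search(cmdline):
            m = EXE_PATH.search(cmdline)
            path = (m.group(1) or m.group(2)) if m else None
            hits.append((pid, path, procs[parent][1] if parent else None,
                         bool(path and USER_WRITABLE.search(path))))
    return hits


def find_suspicious_run_keys(run_keys):
    """Run values whose data points into a user-writable directory."""
    return sorted((name, data) for name, data in run_keys.items()
                  if USER_WRITABLE.search(data))


def ancestry(procs, pid):
    """Parent chain from pid up to the root process, for the alert context."""
    chain = []
    while pid is not None:
        chain.append(pid)
        pid = procs[pid][0]
    return chain


if __name__ == "__main__":
    print("hollowing :", find_hollowing(PROCS, EVENTS))
    print("firewall  :", find_firewall_allows(PROCS))
    print("run keys  :", find_suspicious_run_keys(RUN_KEYS))
    for pid, *_ in find_firewall_allows(PROCS):
        print("chain     :", " <- ".join(map(str, ancestry(PROCS, pid))))
```

On real telemetry the same logic runs over process-create, cross-process-write and thread-context events from the EDR; the parent/image equality check is what separates this sample's self-hollowing from the dropper's own write into its child (PID 3044 into 1364), which has no SetThreadContext and is not flagged.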

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | crl.microsoft.com | udp
US | 2.22.144.89:80 | crl.microsoft.com | tcp
US | 8.8.8.8:53 | www.microsoft.com | udp
US | 8.8.8.8:53 | doddyfire.linkpc.net | udp
US | 207.84.97.52:10000 | doddyfire.linkpc.net | tcp (6 rows)

Files

memory/3044-0-0x0000000074F01000-0x0000000074F02000-memory.dmp

memory/3044-1-0x0000000074F00000-0x00000000754AB000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarA91.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 9f0e6c506aebe29a6a82c80d6e35233f
SHA1 5882e91e3a627fc727207ca6218259b8f5300620
SHA256 1564fbfa286ff397c691e59f82e0700aa614ce6446b80524640412df5e63a5e6
SHA512 3acf3126229a395d25f85d92dc13ea0d98d104682385d877fba5301c07d89dd91c47b3feb35ba25be9a581c9923d9e2d94d9ca02fe276ac2289d1e22c921fc25

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d8019c74c12e30beebd55fe1e0403995
SHA1 53ccc8516f05596250aa122fd58ca76a7a4e7bd0
SHA256 4d8342edbf8ade79b683bdd50b30f3b22cd3cfb32d3dfc8a6d0a8e99bfc7b172
SHA512 3b4ba9f1f9bc80aaccf0f0950df4eab4c17ea173bbfc2ccf48228d39e83b8515664946d63a3a9cec61a35942fd2962c694eabfbd16fd80cfdaca1f7c5e0c34ad

\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5 18d09699c858e0ce8176936496592869
SHA1 2839a8784d78c8320b9d2b92d5665ef3ea2c3687
SHA256 026a2449b14d27ff10088945bc86c21d802cf54ec661e789dc682aed95967664
SHA512 55ee0eb11d6ce220526abca87294c99c8f9f336ed2ee425fa84addbc10c53fc5e520de82f0abf146d6efc91f6c5da48ed8c1d8323a9caf3aee607517a3036b62

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ec62aa26280fb571f6b486d8c98b6db6
SHA1 0df250a517271ec5ff85687bfb507b187a9f25c4
SHA256 f2e3577eb2130c91d872716e904c660c69fd558af8a277f2f79124a53e2becbd
SHA512 617c7a9adbb77692e148929a80b705ce8423e75a25c978d22d26531519d8b36998c80b18c6bcd621f1faf7785111a7cd61b177e36f6de8fbbecce7671d607630

memory/3044-202-0x0000000074F00000-0x00000000754AB000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956

MD5 fc1193c6345ac35188aa3de0f824ceb7
SHA1 8fb5606f5380ac6ace7bb4e7c71b6750362e8c5f
SHA256 bdfb8faff4c0c0a15c642890a5544bd32f930f55ca199470dbd4736a32d6e200
SHA512 480a3ad52cf215db3cede6ad93293f8f031c2cb7a190c6f4cbcd0f3eb06f5c81c7f13d304a495945192e759ab5403245acef7be0149b8615ce2b194927f3dec4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956

MD5 75e9b9aa91f7e5fd63ae54be194e2f18
SHA1 e3f10bdbb72abc123877364d75705ea3a0984948
SHA256 4a65a2b76ec8e0830d43e11d1e9ed46497a1af0494fba1569b301aee76ab2371
SHA512 5017b489046269569dd6cdd7c5e1d3057924a7559bd6706c74bb7484b7204498bf694e19bf31c15cbb9cc55bb90e5956caddda0948c1e4715079f1bd2c4dee42

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

MD5 cba2426f2aafe31899569ace05e89796
SHA1 3bfb16faefd762b18f033cb2de6ceb77db9d2390
SHA256 a465febe8a024e3cdb548a3731b2ea60c7b2919e941a24b9a42890b2b039b85a
SHA512 395cce81a7966f02c49129586815b833c8acfe6efbb8795e56548f32819270c654074622b7fa880121ce7fbd29725af6f69f89b8c7e02c64d1bbffbfe0620c68

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

MD5 084a8bafe4a7870cf747eb4dee946182
SHA1 da861600a2dd0a50753fa5c0414c1a01ed7e4bfa
SHA256 9dd785c46530cfd7b238a576bab5e76be058925faa7819d198511029529dcf6e
SHA512 9cf0cd5659591d251de45163a38a8b2ed09fcac6dad6e16f753a971b0a44f529e0895f65204b060bcee48b2677301d98970b61ba2470647241485c8e3f1e0546

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f0d1a4d8bf00155b85d25ce2b505cb1d
SHA1 ce49ea325f1971ad0be9865c9adee3244e3e7da1
SHA256 c94744ca165fc7d83ba7093662b95951884f95ed8ef15c7091731d6d21b99b4f
SHA512 d6ad9ca193f4f5348cb05bc23e7cacd55eb5ddc7f4616fe9390b7bdd5339b5b572761ad8acbd30292c8400b761c633dc4be9ecad9862b2f6c595986a634809e8

memory/2876-362-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2876-365-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2876-364-0x0000000000400000-0x000000000040C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 06:26

Reported

2024-06-18 06:28

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6b06d00c6ef29be4902f7f6f89f014ce.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6b06d00c6ef29be4902f7f6f89f014ce.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" | C:\Users\Admin\AppData\Local\Temp\6b06d00c6ef29be4902f7f6f89f014ce.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6b06d00c6ef29be4902f7f6f89f014ce.exe" | C:\Users\Admin\AppData\Local\Temp\6b06d00c6ef29be4902f7f6f89f014ce.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2664 set thread context of 2984 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: 33 (16 rows, alternating with the row below) | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: SeIncBasePriorityPrivilege (16 rows) | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1784 wrote to memory of 2664 (3 rows) | N/A | C:\Users\Admin\AppData\Local\Temp\6b06d00c6ef29be4902f7f6f89f014ce.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2664 wrote to memory of 2984 (8 rows) | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2984 wrote to memory of 4572 (3 rows) | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Windows\SysWOW64\netsh.exe

Processes

Process tree (image path, then command line; PIDs taken from the WriteProcessMemory and SetThreadContext tables above):

PID 1784  C:\Users\Admin\AppData\Local\Temp\6b06d00c6ef29be4902f7f6f89f014ce.exe
          "C:\Users\Admin\AppData\Local\Temp\6b06d00c6ef29be4902f7f6f89f014ce.exe"
  PID 2664  C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
            "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
    PID 2984  C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
              C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      PID 4572  C:\Windows\SysWOW64\netsh.exe
                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | doddyfire.linkpc.net | udp (10 rows)
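Once sandbox background traffic is removed, this Network table and the behavioral1 table above reduce to one hostname and one endpoint. The Python below is an added example, not part of the sandbox report: it performs that reduction over the rows copied from both tables and emits Suricata rules from the result. The benign allow-list, the rule SIDs and the function names are this example's own assumptions. Two points worth carrying into the indicator set: the win10 run (behavioral2) shows ten lookups of the hostname and no TCP connection, so the hostname is the indicator both runs share and the IP:port was observed only in the win7 run; and linkpc.net is a dynamic DNS service, so the resolved address is a point-in-time observation and should carry lower confidence than the name.

```python
"""Reduce the report's Network tables to a C2 indicator set and emit
Suricata rules for it.

Added example; not part of the sandbox report.  Rows are copied from the
behavioral1 (win7) and behavioral2 (win10) Network tables.  The allow-list
of background traffic and the SID range are assumptions for this example.
"""
from collections import Counter

# (country, destination, domain, proto), one tuple per row in the report.
BEHAVIORAL1 = [
    ("US", "8.8.8.8:53", "crl.microsoft.com", "udp"),
    ("US", "2.22.144.89:80", "crl.microsoft.com", "tcp"),
    ("US", "8.8.8.8:53", "www.microsoft.com", "udp"),
    ("US", "8.8.8.8:53", "doddyfire.linkpc.net", "udp"),
] + [("US", "207.84.97.52:10000", "doddyfire.linkpc.net", "tcp")] * 6

BEHAVIORAL2 = [("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp")] + [
    ("US", "8.8.8.8:53", "doddyfire.linkpc.net", "udp")
] * 10

# Seen in almost every Windows detonation and not attributable to the
# sample: the sandbox resolver, Microsoft CRL/OCSP fetches, reverse lookups.
RESOLVERS = {"8.8.8.8"}
BENIGN_DOMAINS = {"crl.microsoft.com", "www.microsoft.com"}
BENIGN_SUFFIXES = (".in-addr.arpa", ".microsoft.com", ".windowsupdate.com")


def _split(dest):
    host, _, port = dest.rpartition(":")
    return host, int(port)


def is_benign(domain):
    d = domain.lower()
    return d in BENIGN_DOMAINS or d.endswith(BENIGN_SUFFIXES)


def extract_iocs(rows):
    """Return domains, connection endpoints and per-indicator counts.

    A row to a resolver on udp/53 is a DNS lookup and yields only the name;
    anything else is a connection and yields (ip, port) as well."""
    out = {"domains": set(), "endpoints": set(),
           "lookups": Counter(), "connections": Counter()}
    for _country, dest, domain, proto in rows:
        if is_benign(domain):
            continue
        host, port = _split(dest)
        name = domain.lower()
        out["domains"].add(name)
        if host in RESOLVERS and port == 53 and proto == "udp":
            out["lookups"][name] += 1
        else:
            out["endpoints"].add((host, port))
            out["connections"][(host, port)] += 1
    return out


def dns_only(iocs):
    """True when a run resolved the C2 name but never connected to it."""
    return bool(iocs["domains"]) and not iocs["endpoints"]


def suricata_rules(iocs, sid=9000001):
    """One DNS rule per hostname, one TCP rule per observed endpoint."""
    rules = []
    for d in sorted(iocs["domains"]):
        rules.append(
            f'alert dns $HOME_NET any -> any any (msg:"njRAT C2 lookup {d}"; '
            f'dns.query; content:"{d}"; nocase; classtype:trojan-activity; '
            f'sid:{sid}; rev:1;)')
        sid += 1
    for ip, port in sorted(iocs["endpoints"]):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"njRAT C2 endpoint {ip}:{port}"; flow:to_server; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')
        sid += 1
    return rules


if __name__ == "__main__":
    merged = extract_iocs(BEHAVIORAL1 + BEHAVIORAL2)
    print("domains   :", merged["domains"])
    print("endpoints :", merged["endpoints"])
    print("win10 run DNS-only:", dns_only(extract_iocs(BEHAVIORAL2)))
    print("\n".join(suricata_rules(merged)))
```

The DNS rule uses the `dns.query` sticky buffer (Suricata 5 and later); on an older sensor replace it with `dns_query;`. Because the name is dynamic DNS, keep the hostname rule even if the IP rule is retired after the address changes.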

Files

memory/1784-0-0x0000000075342000-0x0000000075343000-memory.dmp

memory/1784-1-0x0000000075340000-0x00000000758F1000-memory.dmp

memory/1784-2-0x0000000075340000-0x00000000758F1000-memory.dmp

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5 91940c7b6d1b1d56912bcb27b9d50228
SHA1 62ac92f6f0fc6b81d8fe986203a712cd0a38e58d
SHA256 93202bf52e484b1ce2bd25a5b4d501e5aa8002d7089ee970dd9c53734210f7e5
SHA512 99b9166fbeb0d44dd9117fbad34709e93a38de63f62bff9e10ca52d9cd01b5ec781b754cc59c662672cea900bd8cb18dc738a2a5dedd21a1699aedabaae10e91

memory/2664-19-0x0000000075340000-0x00000000758F1000-memory.dmp

memory/2664-18-0x0000000075340000-0x00000000758F1000-memory.dmp

memory/1784-17-0x0000000075340000-0x00000000758F1000-memory.dmp

memory/2984-20-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log

MD5 0a9b4592cd49c3c21f6767c2dabda92f
SHA1 f534297527ae5ccc0ecb2221ddeb8e58daeb8b74
SHA256 c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd
SHA512 6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307

memory/2984-24-0x0000000075340000-0x00000000758F1000-memory.dmp

memory/2984-25-0x0000000075340000-0x00000000758F1000-memory.dmp

memory/2664-26-0x0000000075340000-0x00000000758F1000-memory.dmp

memory/2984-27-0x0000000075340000-0x00000000758F1000-memory.dmp