Malware Analysis Report

2024-08-06 19:47

Sample ID 240619-bm78hsvglk
Target 41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe
SHA256 41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709
Tags
njrat neuf evasion persistence privilege_escalation trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709

Threat Level: Known bad

The file 41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe was found to be: Known bad.

Malicious Activity Summary

njrat neuf evasion persistence privilege_escalation trojan

njRAT/Bladabindi

Modifies Windows Firewall

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Create or Modify System Process
T1543
Windows Service
T1543.003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Event Triggered Execution
T1546
Netsh Helper DLL
T1546.007
Privilege Escalation
TA0004
Create or Modify System Process
T1543
Windows Service
T1543.003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Event Triggered Execution
T1546
Netsh Helper DLL
T1546.007
Defense Evasion
TA0005
Impair Defenses
T1562
Disable or Modify System Firewall
T1562.004
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-19 01:16

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 01:16

Reported

2024-06-19 01:19

Platform

win7-20240220-en

Max time kernel

147s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe" C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2728 set thread context of 3068 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2604 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2604 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2604 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2604 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2728 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2728 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2728 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2728 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2728 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2728 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2728 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2728 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2728 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 3068 wrote to memory of 292 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 3068 wrote to memory of 292 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 3068 wrote to memory of 292 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 3068 wrote to memory of 292 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe

"C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 crl.microsoft.com udp
SE 2.21.97.42:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
BE 23.55.97.181:80 www.microsoft.com tcp
US 8.8.8.8:53 doddyfire.linkpc.net udp
MA 160.177.58.73:10000 doddyfire.linkpc.net tcp

Files

memory/2604-0-0x0000000074A41000-0x0000000074A42000-memory.dmp

memory/2604-1-0x0000000074A40000-0x0000000074FEB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab28E6.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar28F9.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar2BFF.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 30b68a029aedd0f5df44fbf811e8ec13
SHA1 d3dad7dce53df18481362cb65f2daa0ff5454c60
SHA256 5ad85c70c648e412ce8569e18a04f202d9b0313be814b7b275843c4de250ca60
SHA512 5b683fd58e16d6ecda349a8246dcbddf03af4834754872a670acf0f4dad2f891187130fed934c048aafb54d94607ce85a3ac5fb97fa98ce35a99448515e7e0ee

\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5 7f8feb37a6dc19a9e71c20d409efae66
SHA1 3e1014d07a54e5abcd6a0a3a2a1d2a20a3de3f0d
SHA256 13705b036bcade67af4e71b4786963fa1b672befa985ca742ccb7e5eae22de33
SHA512 63b864eaacf3594712c4c5a002e761015b570db064e3f4ff37f835ec9790f17d56d0be78aba307c8f062e0333761291f4a73d9ce4ffce6ca6f96411d7e313353

memory/2604-196-0x0000000074A40000-0x0000000074FEB000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b5d77827662e94a32f20289127df532f
SHA1 d3b199e07538bbf16bbc2fe8b71c0202b5c3f1f5
SHA256 e03edea2aa9a49ef35361c210c6c907042d4a9b077d8c81fc54857744d3ce7b7
SHA512 de6cedd2cebb20cd1c6c9084017f30a9e7e14462e5e5aebbb85ca2c368672fc66d8541c17b1299e9a8e46a2afdefe0140887750b1bd18d39d4573f21c0cac382

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

MD5 cba2426f2aafe31899569ace05e89796
SHA1 3bfb16faefd762b18f033cb2de6ceb77db9d2390
SHA256 a465febe8a024e3cdb548a3731b2ea60c7b2919e941a24b9a42890b2b039b85a
SHA512 395cce81a7966f02c49129586815b833c8acfe6efbb8795e56548f32819270c654074622b7fa880121ce7fbd29725af6f69f89b8c7e02c64d1bbffbfe0620c68

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

MD5 2001de1d53fa2a62b66b484656127f65
SHA1 07fea935aacee1baf9b364cb43e71c39fc1169f0
SHA256 c54c90b97c1cce6a45c60dea8d38a6884358bf90893a9c25610a71dc41085d87
SHA512 1f7196bfa6099daa3efc1b235069937269a09adecd6d2c233c82c99448ff7b2bdc519dfb6fba583eb636131ea969e6d93abcd278b21e98d02b0f479600aceb5d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956

MD5 8887db3aa613b70a72efc4b2c5bf3d21
SHA1 217e27751e46e298c211aef97c04dbdde7fc5e3f
SHA256 e91e943622e50e6233663db4ca48a1198460d9a76e0b0feb8a00ed2c1f37a132
SHA512 bfd5c1ce086237a3dc8eba43a150edc4f83f78060d4eb5b043d095602727e3c998fd61d7f547bcda28db74a2fb5284ec8d69898c856d8fc928cdb9790e443e46

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956

MD5 fc1193c6345ac35188aa3de0f824ceb7
SHA1 8fb5606f5380ac6ace7bb4e7c71b6750362e8c5f
SHA256 bdfb8faff4c0c0a15c642890a5544bd32f930f55ca199470dbd4736a32d6e200
SHA512 480a3ad52cf215db3cede6ad93293f8f031c2cb7a190c6f4cbcd0f3eb06f5c81c7f13d304a495945192e759ab5403245acef7be0149b8615ce2b194927f3dec4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9b9a2de197eb490c2912fb42ab9cef90
SHA1 f3004feef733574cc3f4f77a5b05621943f0df8a
SHA256 b9b1fcd3b688e507fc5d6a0885eddbd9363d6b0a64eb1e3eb7aff08fe724f51f
SHA512 a2aeddaa13ae3a79fee624e1683d7b2b60ea0f683a9f9a5d89174da278e5b25273cd02a81bfc96e47178c177238a6888ddb77ad1450e5537a936df86a238efbd

memory/3068-365-0x0000000000400000-0x000000000040C000-memory.dmp

memory/3068-368-0x0000000000400000-0x000000000040C000-memory.dmp

memory/3068-367-0x0000000000400000-0x000000000040C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 01:16

Reported

2024-06-19 01:19

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe" C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 688 set thread context of 4404 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2292 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2292 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2292 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 688 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 688 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 688 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 688 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 688 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 688 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 688 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 688 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4404 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 4404 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 4404 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe

"C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 doddyfire.linkpc.net udp
MA 160.177.58.73:10000 doddyfire.linkpc.net tcp
US 8.8.8.8:53 73.58.177.160.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 105.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/2292-0-0x0000000075332000-0x0000000075333000-memory.dmp

memory/2292-1-0x0000000075330000-0x00000000758E1000-memory.dmp

memory/2292-2-0x0000000075330000-0x00000000758E1000-memory.dmp

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5 46a9c5296492a84c0135ba8ecd34fd8f
SHA1 1f8df6a50e2d459855a25cb0d047057e58bae139
SHA256 1475636552dade6b39d68277bde7a539fbb6cc493115ee7c558ceea569657e8c
SHA512 b77347367c7358c6a3538fb7ac3dd79fb9c71089d9de482cf82583905883d5b8fb53e1fe392d0d6d24c14323cd826a76c5839cf7252574963c385b7889017395

memory/688-18-0x0000000075330000-0x00000000758E1000-memory.dmp

memory/2292-17-0x0000000075330000-0x00000000758E1000-memory.dmp

memory/688-19-0x0000000075330000-0x00000000758E1000-memory.dmp

memory/4404-20-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log

MD5 0a9b4592cd49c3c21f6767c2dabda92f
SHA1 f534297527ae5ccc0ecb2221ddeb8e58daeb8b74
SHA256 c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd
SHA512 6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307

memory/4404-24-0x0000000075330000-0x00000000758E1000-memory.dmp

memory/688-25-0x0000000075330000-0x00000000758E1000-memory.dmp

memory/4404-27-0x0000000075330000-0x00000000758E1000-memory.dmp

memory/4404-26-0x0000000075330000-0x00000000758E1000-memory.dmp

memory/4404-28-0x0000000075330000-0x00000000758E1000-memory.dmp