Malware Analysis Report

2024-08-06 19:48

Sample ID 240619-s8lebashlh
Target 41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe
SHA256 41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709
Tags
njrat neuf evasion persistence privilege_escalation trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709

Threat Level: Known bad

The file 41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe was found to be: Known bad.

Malicious Activity Summary

njrat neuf evasion persistence privilege_escalation trojan

njRAT/Bladabindi

Modifies Windows Firewall

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Create or Modify System Process
T1543
Windows Service
T1543.003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Event Triggered Execution
T1546
Netsh Helper DLL
T1546.007
Privilege Escalation
TA0004
Create or Modify System Process
T1543
Windows Service
T1543.003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Event Triggered Execution
T1546
Netsh Helper DLL
T1546.007
Defense Evasion
TA0005
Impair Defenses
T1562
Disable or Modify System Firewall
T1562.004
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-19 15:47

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 15:47

Reported

2024-06-19 15:50

Platform

win7-20240419-en

Max time kernel

147s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe" C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2244 set thread context of 2100 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1180 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1180 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1180 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1180 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2244 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2244 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2244 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2244 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2244 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2244 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2244 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2244 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2244 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2100 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 2100 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 2100 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 2100 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe

"C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 crl.microsoft.com udp
BE 2.17.107.18:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 2.21.189.233:80 www.microsoft.com tcp
US 8.8.8.8:53 doddyfire.linkpc.net udp
MA 41.249.109.189:10000 doddyfire.linkpc.net tcp

Files

memory/1180-0-0x0000000074A81000-0x0000000074A82000-memory.dmp

memory/1180-1-0x0000000074A80000-0x000000007502B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab84C.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar85F.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarAD9.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1509256bd3c864caca1e86c08ba06301
SHA1 935b5c3c81f0c7bacb19709eb8027fbaaa203570
SHA256 c846304a5ea8d9c3be39aa4de4cc2652def5f122e32a0ac1f16863749fe401e1
SHA512 6b5181b10a27297bb811a6763190db0bae654f899607e0995223acbc1c687607a390cc8f0f4387d71256f76dd1cefb75b7a5d538ce4e3db60e07ae0708d44dfb

\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5 42cc915fdbe1a59ef674c1d37e258ec4
SHA1 581f250b36f1266269d46257abafc314b506a008
SHA256 6e84d6e2978b5e5642cc4f961558c27c8b7a39f7c4cafe2c0b0c52d490305326
SHA512 74c4fb00bc6bc55abf76bda457209eac1289df7ea29fb56153a5ed84d229b787bc33f84722cfc759209bbbdb7af5f187042ea7c3268bb4a9d76aa7e2e0f49eaf

memory/1180-196-0x0000000074A80000-0x000000007502B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aad716868321729a02360bb2d853a27d
SHA1 39c0929291050257fb0cf425d75a841e61638b08
SHA256 45516fb240dbcb0f7e636c4f5b615f9bce3ed45b5656fa7da135a11c0b046052
SHA512 6f174c9bea758248392fed57ea8212697ee13316df696e2d4400e8c70ea4bffb58de090ea2a360136416fcc0637c75c551021a7b1941d1df2fbd4264971be557

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956

MD5 fc1193c6345ac35188aa3de0f824ceb7
SHA1 8fb5606f5380ac6ace7bb4e7c71b6750362e8c5f
SHA256 bdfb8faff4c0c0a15c642890a5544bd32f930f55ca199470dbd4736a32d6e200
SHA512 480a3ad52cf215db3cede6ad93293f8f031c2cb7a190c6f4cbcd0f3eb06f5c81c7f13d304a495945192e759ab5403245acef7be0149b8615ce2b194927f3dec4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956

MD5 ad56b9b6d20f2e14bfdb6a17ff90e91d
SHA1 abec157d9d31562dfbc0a1ba9cb4d1a3f72cf528
SHA256 68e224398d4498da8cb2f57170997323548b43dff663239894530da024562292
SHA512 de212f1ff7e29b3a5af6b71ceb2b778624c55e6e0ce350dfd3cb32c71e36f82dd166ceb9e1eebdf7a9a0e1847bb76be140e434376b7a74c2dc6f8f975d8f9c53

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

MD5 cba2426f2aafe31899569ace05e89796
SHA1 3bfb16faefd762b18f033cb2de6ceb77db9d2390
SHA256 a465febe8a024e3cdb548a3731b2ea60c7b2919e941a24b9a42890b2b039b85a
SHA512 395cce81a7966f02c49129586815b833c8acfe6efbb8795e56548f32819270c654074622b7fa880121ce7fbd29725af6f69f89b8c7e02c64d1bbffbfe0620c68

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

MD5 596439a423799fd699ec635bad860974
SHA1 c9a736bc0afbb28b41c43fdc305c5efc3b1d7a4c
SHA256 2ea534e2172d080a3ce103a6caa00cbdfc8fccccc4817a19dd0f839934d36e85
SHA512 5636fb10e3ffbc4ea015ccc9d5731e6a292aee539c6de1c9cb5101d0644ff82a9e6f714cc41562ee1dd6aa5ce86b2f63f9e0790d8d3d01e5a0610c4c6393cc8a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 027c930228a6de4dda08e576c0987de8
SHA1 0b6f8b84e159091399afcbef811a19c171aed9be
SHA256 1f90f1c58900c9af07dd2e5d3af94a9558d62ca96dfdaabf647f3d5db78ca45b
SHA512 9537ada4ced0145d548c3a2d9c66f338e51210acf42cb65bad5c24aaf0d6ecac468d1e4c4592ee761bf9feab3ddfd66bded1279851ad6269dceccc944ffca24b

memory/2100-365-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2100-368-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2100-367-0x0000000000400000-0x000000000040C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 15:47

Reported

2024-06-19 15:50

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe" C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2996 set thread context of 1820 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4476 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4476 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4476 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2996 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2996 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2996 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2996 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2996 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2996 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2996 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2996 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1820 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 1820 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 1820 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe

"C:\Users\Admin\AppData\Local\Temp\41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 82.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 doddyfire.linkpc.net udp
MA 41.249.109.189:10000 doddyfire.linkpc.net tcp
US 8.8.8.8:53 189.109.249.41.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/4476-0-0x0000000074752000-0x0000000074753000-memory.dmp

memory/4476-1-0x0000000074750000-0x0000000074D01000-memory.dmp

memory/4476-2-0x0000000074750000-0x0000000074D01000-memory.dmp

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5 b9a29d82b901bd58e92078f4144452ac
SHA1 e0a43f19197aec307f69190a8fd58689dc13efdb
SHA256 fc326b69628b9ecb83b1c0f4a76b949a3a034b401d1dd2bde5eccd0eb5943101
SHA512 38669aa5d0bffef6e64c6bfebe4d6a46618e13cb59d0448c58f4df0ed9c54d87ada9c103b51dbedb74ca44633a2e64c004899866b8bb6067cc1859cfa745c112

memory/2996-18-0x0000000074750000-0x0000000074D01000-memory.dmp

memory/4476-17-0x0000000074750000-0x0000000074D01000-memory.dmp

memory/2996-19-0x0000000074750000-0x0000000074D01000-memory.dmp

memory/1820-20-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1820-25-0x0000000074750000-0x0000000074D01000-memory.dmp

memory/2996-24-0x0000000074750000-0x0000000074D01000-memory.dmp

memory/1820-23-0x0000000074750000-0x0000000074D01000-memory.dmp

memory/1820-26-0x0000000074750000-0x0000000074D01000-memory.dmp