Malware Analysis Report

2024-08-06 19:44

Sample ID 240619-xptzka1hrn
Target 1539fb2e349c9689fb60b8fa051afd514fd502125732c6f1db2f3ee547aa84c4
SHA256 1539fb2e349c9689fb60b8fa051afd514fd502125732c6f1db2f3ee547aa84c4
Tags
njrat neuf evasion persistence privilege_escalation trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1539fb2e349c9689fb60b8fa051afd514fd502125732c6f1db2f3ee547aa84c4

Threat Level: Known bad

The file 1539fb2e349c9689fb60b8fa051afd514fd502125732c6f1db2f3ee547aa84c4 was found to be: Known bad.

Malicious Activity Summary

njrat neuf evasion persistence privilege_escalation trojan

Observed chain (both runs): the sample writes a second executable to C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (not a byte-identical copy: its SHA256 differs from the sample's and also differs between the two runs), registers two HKCU Run values ("confuse" pointing at the dropped file and "SysMain" pointing at the original in %TEMP%), and starts the dropped file. That instance starts a second chargeable.exe, writes into it and sets its thread context (the process-hollowing pattern), and the hollowed instance runs netsh to add a Windows Firewall exception for chargeable.exe. The Win7 run resolved doddyfire.linkpc.net and connected to 41.249.109.189:10000 over TCP, the only non-Microsoft destination; the Win10 run resolved the same name ten times with no recorded connection.

njRAT/Bladabindi

Modifies Windows Firewall

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

(The rendered matrix did not survive extraction; the techniques below are derived from the signatures listed above.)

Persistence: Boot or Logon Autostart Execution, Registry Run Keys / Startup Folder (T1547.001): Adds Run key to start application
Defense Evasion: Impair Defenses, Disable or Modify System Firewall (T1562.004): Modifies Windows Firewall
Defense Evasion / Privilege Escalation: Process Injection (T1055): Suspicious use of SetThreadContext and WriteProcessMemory; a same-image child whose thread context is rewritten is consistent with Process Hollowing (T1055.012)
Persistence / Privilege Escalation: Event Triggered Execution, Netsh Helper DLL (T1546.007): as tagged by the sandbox from netsh.exe reading its helper key; see the caveat under that signature
Discovery: System Location Discovery (T1614): Checks computer location settings
Discovery: System Information Discovery (T1082): Enumerates physical storage devices

Analysis: static1

Detonation Overview

Reported

2024-06-19 19:02

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 19:02

Reported

2024-06-19 19:04

Platform

win7-20240220-en

Max time kernel

147s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1539fb2e349c9689fb60b8fa051afd514fd502125732c6f1db2f3ee547aa84c4.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" C:\Users\Admin\AppData\Local\Temp\1539fb2e349c9689fb60b8fa051afd514fd502125732c6f1db2f3ee547aa84c4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1539fb2e349c9689fb60b8fa051afd514fd502125732c6f1db2f3ee547aa84c4.exe" C:\Users\Admin\AppData\Local\Temp\1539fb2e349c9689fb60b8fa051afd514fd502125732c6f1db2f3ee547aa84c4.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2128 set thread context of 2548 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Caveat: all three rows are reads of the helper-registration key by netsh.exe itself, which every netsh invocation performs to load its standard helpers. No write to this key and no dropped helper DLL is recorded, so the persistence and privilege_escalation tags rest on the sandbox's generic mapping of this key access, not on an observed helper-DLL registration. The netsh activity that matters here is the firewall exception shown under Processes.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
(The last two rows alternate 16 times in the report. Privilege LUID 33, which the sandbox leaves unresolved, is SeIncreaseWorkingSetPrivilege. The row that matters for triage is SeDebugPrivilege, enabled by chargeable.exe before it manipulates the second instance; the working-set and base-priority pairs are low-impact adjustments, not an escalation.)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1976 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\1539fb2e349c9689fb60b8fa051afd514fd502125732c6f1db2f3ee547aa84c4.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (row repeated 4 times in the report)
PID 2128 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (row repeated 9 times in the report)
PID 2548 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe (row repeated 4 times in the report)
Chain: the dropper (1976) starts chargeable.exe (2128); 2128 starts a second chargeable.exe (2548), writes into it nine times and sets its thread context (SetThreadContext row above), which is the process-hollowing pattern; the hollowed instance 2548 then starts netsh.exe (2608).

Processes

(process tree; PIDs taken from the WriteProcessMemory and SetThreadContext rows above)

C:\Users\Admin\AppData\Local\Temp\1539fb2e349c9689fb60b8fa051afd514fd502125732c6f1db2f3ee547aa84c4.exe (PID 1976)
    "C:\Users\Admin\AppData\Local\Temp\1539fb2e349c9689fb60b8fa051afd514fd502125732c6f1db2f3ee547aa84c4.exe"

  C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (PID 2128, dropped executable)
      "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (PID 2548, second instance started by 2128, which wrote to it and set its thread context)
        C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

      C:\Windows\SysWOW64\netsh.exe (PID 2608)
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
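The three host-side behaviours above (a firewall exception for a program under a user-writable path, Run values pointing into AppData, and a parent writing into and re-pointing a same-image child) are the checks a responder would run on a suspect host. The following is an added example, not part of the sandbox report and not njRAT code: it replays the behavioral1 observations as constructed Sysmon-style events and runs the three rules over them. The event field names, the rule names and the two benign look-alike events are the editor's assumptions.

```python
"""Host triage rules for the behaviour in this report (added example).

Constructed Sysmon-style events mirror the behavioral1 run; the schema
(type/image/cmdline/key/value/src_pid/dst_pid) is an assumption, not the
sandbox's own format.
"""
import re
from collections import defaultdict

# Anything under a user's AppData is writable without admin rights.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.IGNORECASE)
# Quoted token (optionally prefixed by key=) or bare token of a command line.
TOKEN = re.compile(r'(?:\S*?=)?"([^"]*)"|(\S+)')
DRIVE_PATH = re.compile(r"^[a-z]:\\", re.IGNORECASE)


def _path_tokens(cmdline):
    """Yield command-line tokens that look like Windows file paths."""
    for quoted, bare in TOKEN.findall(cmdline):
        tok = (quoted or bare).split("=", 1)[-1]  # program="C:\..." -> C:\...
        if DRIVE_PATH.match(tok):
            yield tok


def rule_firewall_exception(ev):
    """netsh whitelisting a program that lives in a user-writable path (T1562.004)."""
    if ev["type"] != "process_create" or not ev["image"].lower().endswith("\\netsh.exe"):
        return None
    low = ev["cmdline"].lower()
    if "firewall" not in low or ("allowedprogram" not in low and "add rule" not in low):
        return None
    hits = [p for p in _path_tokens(ev["cmdline"]) if USER_WRITABLE.match(p)]
    return ("firewall_exception_user_path", hits[0]) if hits else None


def rule_run_key(ev):
    """HKCU Run value pointing into AppData (T1547.001)."""
    if ev["type"] != "registry_set" or not RUN_KEY.search(ev["key"]):
        return None
    target = ev["value"].strip('"')
    if not USER_WRITABLE.match(target):
        return None
    return ("run_key_user_path", ev["key"].rsplit("\\", 1)[-1] + " -> " + target)


def rule_self_hollowing(events):
    """Parent writes into, then sets the thread context of, a same-image child (T1055.012)."""
    writes = defaultdict(int)
    for ev in events:
        if ev["type"] == "remote_write":
            writes[(ev["src_pid"], ev["dst_pid"])] += 1
    findings = []
    for ev in events:
        if ev["type"] != "set_thread_context":
            continue
        pair = (ev["src_pid"], ev["dst_pid"])
        if ev["src_image"].lower() == ev["dst_image"].lower() and writes[pair]:
            findings.append(("self_hollowing",
                             f"{pair[0]} -> {pair[1]} ({writes[pair]} writes into {ev['dst_image']})"))
    return findings


def triage(events):
    """Run every rule; returns a list of (rule_name, detail) tuples."""
    findings = []
    for ev in events:
        for rule in (rule_firewall_exception, rule_run_key):
            f = rule(ev)
            if f:
                findings.append(f)
    findings.extend(rule_self_hollowing(events))
    return findings


# Constructed events: PIDs, paths and the netsh command line come from the
# behavioral1 run; the OneDrive Run value and the advfirewall rule for
# C:\Program Files are benign look-alikes that must not fire.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\1539fb2e349c9689fb60b8fa051afd514fd502125732c6f1db2f3ee547aa84c4.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
HKCU_RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": HKCU_RUN + r"\confuse", "value": PAYLOAD},
    {"type": "registry_set", "key": HKCU_RUN + r"\SysMain", "value": DROPPER},
    {"type": "registry_set", "key": HKCU_RUN + r"\OneDrive", "value": r"C:\Program Files\OneDrive\OneDrive.exe"},
    *[{"type": "remote_write", "src_pid": 2128, "dst_pid": 2548, "src_image": PAYLOAD, "dst_image": PAYLOAD}] * 9,
    {"type": "set_thread_context", "src_pid": 2128, "dst_pid": 2548, "src_image": PAYLOAD, "dst_image": PAYLOAD},
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": f'netsh firewall add allowedprogram "{PAYLOAD}" "chargeable.exe" ENABLE'},
    {"type": "process_create", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="Backup" dir=in action=allow program="C:\Program Files\Backup\agent.exe"'},
]

if __name__ == "__main__":
    for name, detail in triage(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

The firewall rule also accepts the newer `netsh advfirewall firewall add rule ... program=` form so it keeps working on hosts where the legacy `netsh firewall` context is gone; the benign advfirewall event shows that an exception for a program under C:\Program Files does not fire.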

Network

Country Destination Domain Proto
US 8.8.8.8:53 crl.microsoft.com udp
BE 2.17.107.81:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
SE 23.34.233.128:80 www.microsoft.com tcp
US 8.8.8.8:53 doddyfire.linkpc.net udp
MA 41.249.109.189:10000 doddyfire.linkpc.net tcp
The crl.microsoft.com and www.microsoft.com traffic is Windows certificate-revocation checking triggered when the binary is verified (it matches the CryptnetUrlCache files listed under Files) and is not attacker infrastructure. doddyfire.linkpc.net (linkpc.net is a dynamic-DNS provider) resolving to 41.249.109.189 followed by a TCP connection on port 10000 is the only non-Microsoft destination and the candidate C2.
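Separating the vendor noise from the candidate C2, and spotting the difference between this run (resolve, then connect) and the Win10 run (resolve repeatedly, never connect), is what a network analyst would automate. The following is an added example, not part of the sandbox report: it takes constructed Zeek-style dns and conn records modelled on the Network tables of both runs (the DNS answers are inferred from the TCP destinations; the sandbox does not list them) and applies three checks. The dynamic-DNS watchlist and the vendor-noise list are the editor's assumptions.

```python
"""Network triage for the report's Network tables (added example).

Records are constructed from the two runs; field names (ts/query/answers,
ts/dst/port/proto) follow Zeek's dns.log and conn.log loosely and are an
assumption.
"""
from collections import Counter

# Analyst-supplied watchlists (assumptions): zones commonly used for RAT C2,
# and vendor zones whose traffic is CRL/update noise rather than C2.
DYNDNS_ZONES = ("linkpc.net", "ddns.net", "duckdns.org", "no-ip.org")
VENDOR_NOISE = ("microsoft.com", "windowsupdate.com")
WEB_PORTS = {80, 443}


def zone_of(name, zones):
    """Return the watchlist zone that `name` falls under, or None."""
    name = name.rstrip(".").lower()
    return next((z for z in zones if name == z or name.endswith("." + z)), None)


def triage_network(dns, conns):
    """Return (finding, detail) tuples for dynamic-DNS lookups, C2-like
    connections and repeated lookups that never led to a connection."""
    findings = []
    answer_to_name = {}
    lookups = Counter()
    for rec in dns:
        q = rec["query"].rstrip(".").lower()
        if q.endswith(".in-addr.arpa") or zone_of(q, VENDOR_NOISE):
            continue                      # reverse lookups and vendor CRL checks
        lookups[q] += 1
        for ip in rec.get("answers", []):
            answer_to_name[ip] = q
        if zone_of(q, DYNDNS_ZONES) and lookups[q] == 1:
            findings.append(("dyndns_lookup", q))
    connected = set()
    for c in conns:
        name = answer_to_name.get(c["dst"])
        if name is None:
            continue                      # destination not tied to a watched lookup
        connected.add(name)
        if c["proto"] == "tcp" and c["port"] not in WEB_PORTS and zone_of(name, DYNDNS_ZONES):
            findings.append(("c2_candidate", f"{name} -> {c['dst']}:{c['port']}"))
    for name, n in lookups.items():
        if n >= 3 and name not in connected:
            findings.append(("unanswered_beacon", f"{name} resolved {n}x, no connection"))
    return findings


# Constructed records mirroring the Win7 (behavioral1) and Win10 (behavioral2) tables.
WIN7_DNS = [
    {"ts": 0.0, "query": "crl.microsoft.com", "answers": ["2.17.107.81"]},
    {"ts": 0.1, "query": "www.microsoft.com", "answers": ["23.34.233.128"]},
    {"ts": 1.0, "query": "doddyfire.linkpc.net", "answers": ["41.249.109.189"]},
]
WIN7_CONNS = [
    {"ts": 0.2, "dst": "2.17.107.81", "port": 80, "proto": "tcp"},
    {"ts": 0.3, "dst": "23.34.233.128", "port": 80, "proto": "tcp"},
    {"ts": 1.2, "dst": "41.249.109.189", "port": 10000, "proto": "tcp"},
]
WIN10_DNS = [{"ts": 0.0, "query": "8.8.8.8.in-addr.arpa", "answers": []}] + [
    {"ts": float(i), "query": "doddyfire.linkpc.net", "answers": []} for i in range(1, 11)
]
WIN10_CONNS = []

if __name__ == "__main__":
    for run, dns, conns in (("win7", WIN7_DNS, WIN7_CONNS), ("win10", WIN10_DNS, WIN10_CONNS)):
        for name, detail in triage_network(dns, conns):
            print(f"{run}: [{name}] {detail}")
```

Port-based matching alone would miss a RAT configured for 443, which is why the connection check is keyed on the resolved name's zone and the beacon check on repetition rather than on the port.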

Files

memory/1976-0-0x0000000074151000-0x0000000074152000-memory.dmp

memory/1976-1-0x0000000074150000-0x00000000746FB000-memory.dmp

memory/1976-2-0x0000000074150000-0x00000000746FB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab1D7.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar1F9.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar53E.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ab45ad4167bf4547e14aaf333dfdcdb0
SHA1 c7b902e557d41334082e0e873fe084b769e3349d
SHA256 dcf678effbc4b1bc5e750c32233aef303884fd3ecbf819145f25837bfb298529
SHA512 33da96beced2c149a91eb511d9552acaa3f59a40941723ba13735cad30c5c17c93d7dd9062ea2b63181244963251b742ee88f58d9d733c4fec444d3157d8c48e

\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5 9571fada99f9c8e821fc9b97b40b0142
SHA1 88193a38e0f16921c5fa6c0dd534f6cd189352d8
SHA256 9cb254697e3b775af3ba79cd863797f04667b3474f40b8f57fe70fd08b46eaf3
SHA512 7a40cbb5d8979050a237ee52c56531503ce3c9f06759a652f6949bc16fd19dbd0d2031e59d8e01b2778c37f73df16c72c9112f1b0bf8d765b3248916d898892b

memory/1976-197-0x0000000074150000-0x00000000746FB000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b18cc8ed8bfe363eefccca802ae463f5
SHA1 386036da3a5182a698c9af4146e19b851dddc603
SHA256 d04968a37e640655213fdc2842e52369955960879e6be1faf23edb3f8a467e59
SHA512 e10d40b607d0b086acd0495396bed4d08ab8ac887ec7b109e72b59f1bb2a7c2e7b263563072b4b030fb2c35cb1a32b0675c20cc08e76ca30f9244fdc4fa75bf1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956

MD5 fc1193c6345ac35188aa3de0f824ceb7
SHA1 8fb5606f5380ac6ace7bb4e7c71b6750362e8c5f
SHA256 bdfb8faff4c0c0a15c642890a5544bd32f930f55ca199470dbd4736a32d6e200
SHA512 480a3ad52cf215db3cede6ad93293f8f031c2cb7a190c6f4cbcd0f3eb06f5c81c7f13d304a495945192e759ab5403245acef7be0149b8615ce2b194927f3dec4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956

MD5 cd70cb42c4447485a7b44f2fdbe3f07c
SHA1 9577868121c119894ef8b3afdcd0acbd5d1e568e
SHA256 1600773658aee74591d578f2dc27f69cf46a805b819d19cd1b19c45f5c293609
SHA512 33a2d7c53e0bfe3f7555185b1d6cbbc7b14903fb63e3d52698ce0ef5340d646dbddfa9b169fb0b4c9b84e4819dd215399f09a1bacca344a1174954a0d57f96df

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

MD5 cba2426f2aafe31899569ace05e89796
SHA1 3bfb16faefd762b18f033cb2de6ceb77db9d2390
SHA256 a465febe8a024e3cdb548a3731b2ea60c7b2919e941a24b9a42890b2b039b85a
SHA512 395cce81a7966f02c49129586815b833c8acfe6efbb8795e56548f32819270c654074622b7fa880121ce7fbd29725af6f69f89b8c7e02c64d1bbffbfe0620c68

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

MD5 eeb1e7be247ffe4f19ca5f60761dc134
SHA1 a7b04355236a5b6ecbb971e04ddca0541bb524ab
SHA256 d986536acb19d499a3a3b0b678af4c57c38e5bb0d6cd26a8e175dc0e75ab1389
SHA512 2c95d741faa03af0d7f6abfbbceaa18bd615d01a82720dfe8fc46a06a1d3f3d0ea4127de1cbd672640fc5be9c97fa64450479a49e9cdffb3cbfc2f407e964ca2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bd27df347ddfe5b9b8b3d40e66cc9862
SHA1 964decb180cc070d7ce976b00dd7d941e5995593
SHA256 a2849808563915bc5ef8520a0670226360604139f27a01b67738c47b7b44423a
SHA512 2e5ffa29ab6a3dca0ca232bd1ed4815c9de2a7d9554ec56670d29ce14f289fe6fcd850c75894c5ac30393d19a9167aa15c4fa84d16059ee31b9b8f73d527b3f5

memory/2548-368-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2548-369-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2548-366-0x0000000000400000-0x000000000040C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 19:02

Reported

2024-06-19 19:04

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1539fb2e349c9689fb60b8fa051afd514fd502125732c6f1db2f3ee547aa84c4.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1539fb2e349c9689fb60b8fa051afd514fd502125732c6f1db2f3ee547aa84c4.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" C:\Users\Admin\AppData\Local\Temp\1539fb2e349c9689fb60b8fa051afd514fd502125732c6f1db2f3ee547aa84c4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1539fb2e349c9689fb60b8fa051afd514fd502125732c6f1db2f3ee547aa84c4.exe" C:\Users\Admin\AppData\Local\Temp\1539fb2e349c9689fb60b8fa051afd514fd502125732c6f1db2f3ee547aa84c4.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3008 set thread context of 2092 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Caveat: as in the Win7 run, these are reads of the helper-registration key by netsh.exe itself, performed by every netsh invocation to load its standard helpers. No write to the key and no dropped helper DLL is recorded, so the tags reflect the sandbox's generic mapping of this key access rather than an observed helper-DLL registration.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
(The last two rows alternate 16 times in the report, the same pattern as the Win7 run. Privilege LUID 33 is SeIncreaseWorkingSetPrivilege; SeDebugPrivilege is the row that matters for triage.)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2436 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\1539fb2e349c9689fb60b8fa051afd514fd502125732c6f1db2f3ee547aa84c4.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (row repeated 3 times in the report)
PID 3008 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (row repeated 8 times in the report)
PID 2092 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe (row repeated 3 times in the report)
Chain: the dropper (2436) starts chargeable.exe (3008); 3008 starts a second chargeable.exe (2092), writes into it eight times and sets its thread context (SetThreadContext row above), the same process-hollowing pattern as on Win7; the hollowed instance 2092 then starts netsh.exe (5044).

Processes

(process tree; PIDs taken from the WriteProcessMemory and SetThreadContext rows above)

C:\Users\Admin\AppData\Local\Temp\1539fb2e349c9689fb60b8fa051afd514fd502125732c6f1db2f3ee547aa84c4.exe (PID 2436)
    "C:\Users\Admin\AppData\Local\Temp\1539fb2e349c9689fb60b8fa051afd514fd502125732c6f1db2f3ee547aa84c4.exe"

  C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (PID 3008, dropped executable)
      "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (PID 2092, second instance started by 3008, which wrote to it and set its thread context)
        C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

      C:\Windows\SysWOW64\netsh.exe (PID 5044)
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 doddyfire.linkpc.net udp (row repeated 10 times in the report)
This run shows DNS only: ten lookups of doddyfire.linkpc.net and no TCP connection to a resolved address, unlike the Win7 run, which connected to 41.249.109.189:10000. The in-addr.arpa row is a reverse lookup of the DNS server itself and is background noise.

Files

memory/2436-0-0x0000000074992000-0x0000000074993000-memory.dmp

memory/2436-1-0x0000000074990000-0x0000000074F41000-memory.dmp

memory/2436-2-0x0000000074990000-0x0000000074F41000-memory.dmp

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5 0902f11a9e3d3ca98e1edb018193ac07
SHA1 0cdf8acd6ea7b48c5cd6aaee148024b12dbdfa04
SHA256 10d703623d5c73321737bd1b5f074cf6c5d6b867851594f181a7c424edc0c7b8
SHA512 13846e37918c2860c01406ee1bc5fd8f5aa3bebdaa4c850733f10218e4863af390219dbccff9227e447014c1d23e4d8878f9b0c73a822966b2569e98e27bb246

memory/2436-18-0x0000000074990000-0x0000000074F41000-memory.dmp

memory/3008-17-0x0000000074990000-0x0000000074F41000-memory.dmp

memory/3008-19-0x0000000074990000-0x0000000074F41000-memory.dmp

memory/2092-20-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log

MD5 0a9b4592cd49c3c21f6767c2dabda92f
SHA1 f534297527ae5ccc0ecb2221ddeb8e58daeb8b74
SHA256 c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd
SHA512 6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307

memory/2092-24-0x0000000074990000-0x0000000074F41000-memory.dmp

memory/3008-25-0x0000000074990000-0x0000000074F41000-memory.dmp

memory/2092-26-0x0000000074990000-0x0000000074F41000-memory.dmp

memory/2092-27-0x0000000074990000-0x0000000074F41000-memory.dmp
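The Files sections of both runs mix one attacker-written file with artefacts Windows produces on its own while verifying the binary's signature (CryptnetUrlCache content and metadata, the Cab*.tmp and Tar*.tmp CRL downloads in %TEMP%) and, on Win10, the CLR usage log that any .NET 2.0 process leaves behind. The dropped chargeable.exe also has a different SHA256 in each run (9cb254... on Win7, 10d703... on Win10), so a hash of the dropped file is a weak indicator and the path plus the Run values are the reliable ones. The following is an added example, not part of the sandbox report: a parser for the report's own Files layout (a path line followed by hash lines, memory/<pid>-... lines for dumps) that strips the noise and compares the surviving hashes across runs. The excerpt is copied from the two Files sections above and shortened; the noise patterns are the editor's assumption about what is safe to ignore.

```python
"""De-noise the Files sections of this report into an IOC list (added example).

Understands the report's own layout: a path line, then MD5/SHA1/SHA256/SHA512
lines; memory/<pid>-... lines are dumps and carry no hashes.
"""
import re

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$", re.IGNORECASE)
# Artefacts of Windows signature/CRL checking and of the .NET runtime, not of the
# sample (assumption: safe to drop from the IOC list).
NOISE = (
    re.compile(r"\\CryptnetUrlCache\\", re.IGNORECASE),
    re.compile(r"\\(Cab|Tar)[0-9A-F]+\.tmp$", re.IGNORECASE),
    re.compile(r"\\CLR_v[0-9.]+_\d+\\UsageLogs\\", re.IGNORECASE),
)


def parse_files_section(text):
    """Return [{'path': ..., 'MD5': ..., 'SHA256': ...}, ...] for hashed files."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and cur is not None:
            cur[m.group(1).upper()] = m.group(2).lower()
        elif line.startswith("memory/"):
            cur = None                      # memory dump: no hashes follow
        elif "\\" in line:
            cur = {"path": line}
            entries.append(cur)
    return [e for e in entries if "SHA256" in e]


def is_noise(path):
    return any(p.search(path) for p in NOISE)


def normalize(path):
    """Drop the drive letter (the Win7 run records the payload without one) and case."""
    return re.sub(r"^[a-z]:", "", path, flags=re.IGNORECASE).lower()


def iocs(sections):
    """sections: {run_name: files_text} -> {normalized_path: {run_name: sha256}}."""
    out = {}
    for run, text in sections.items():
        for e in parse_files_section(text):
            if not is_noise(e["path"]):
                out.setdefault(normalize(e["path"]), {})[run] = e["SHA256"]
    return out


def verdict(table):
    """Per path: whether the hash is a usable IOC or only the path is."""
    return {p: ("hash stable across runs: " + next(iter(set(h.values()))))
            if len(set(h.values())) == 1 else
            "hash differs across runs; pin on path and Run key instead"
            for p, h in table.items()}


# Constructed excerpt: copied from the two Files sections of this report, shortened.
REPORT_FILES = {
    "behavioral1": r"""
memory/1976-0-0x0000000074151000-0x0000000074152000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab1D7.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5 9571fada99f9c8e821fc9b97b40b0142
SHA256 9cb254697e3b775af3ba79cd863797f04667b3474f40b8f57fe70fd08b46eaf3

memory/2548-368-0x0000000000400000-0x000000000040C000-memory.dmp
""",
    "behavioral2": r"""
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5 0902f11a9e3d3ca98e1edb018193ac07
SHA256 10d703623d5c73321737bd1b5f074cf6c5d6b867851594f181a7c424edc0c7b8

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log

MD5 0a9b4592cd49c3c21f6767c2dabda92f
SHA256 c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd
""",
}

if __name__ == "__main__":
    table = iocs(REPORT_FILES)
    for path, note in verdict(table).items():
        print(path, "->", note)
```

On the report's data the only surviving entry is chargeable.exe, and its verdict is "hash differs across runs", which is the cue to ship the path and the two Run value names rather than the file hash.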