Analysis
- max time kernel: 146s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 06-08-2024 22:16
Static task: static1
Behavioral task: behavioral1
  Sample: 7D9BDFD79D19C3747B6C8A901A87A6CB.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 7D9BDFD79D19C3747B6C8A901A87A6CB.exe
  Resource: win10v2004-20240802-en
General
- Target: 7D9BDFD79D19C3747B6C8A901A87A6CB.exe
- Size: 118KB
- MD5: 7d9bdfd79d19c3747b6c8a901a87a6cb
- SHA1: bc1172b55a0444a917ee38da653258366d21b6a0
- SHA256: 3d7efcd6d8aea2ac2b5ef051dc9933ab37400132b9f54d5ac042748b92e43c4b
- SHA512: e8c14a6643776b9111f90e2a73f182970327cc562d1602dd78724be0b037136766b775161fd09bacc6692040d2e1da1fe3d286a01f078dff5f8c1c9f4a73a4c9
- SSDEEP: 1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDL14FOA:P5eznsjsguGDFqGZ2rDL14FOA
Malware Config
Extracted: njrat
- 0.7d
- neuf
- doddyfire.linkpc.net:10000
- e1a87040f2026369a233f9ae76301b7b
- reg_key: e1a87040f2026369a233f9ae76301b7b
- splitter: |'|'|
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes: netsh.exe
    pid 1808  netsh.exe
- Executes dropped EXE (2 IoCs)
  Processes: chargeable.exe, chargeable.exe
    pid 316   chargeable.exe
    pid 2968  chargeable.exe
- Loads dropped DLL (2 IoCs)
  Processes: 7D9BDFD79D19C3747B6C8A901A87A6CB.exe
    pid 1708  7D9BDFD79D19C3747B6C8A901A87A6CB.exe
    pid 1708  7D9BDFD79D19C3747B6C8A901A87A6CB.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 7D9BDFD79D19C3747B6C8A901A87A6CB.exe
    Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"  (process: 7D9BDFD79D19C3747B6C8A901A87A6CB.exe)
    Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7D9BDFD79D19C3747B6C8A901A87A6CB.exe"  (process: 7D9BDFD79D19C3747B6C8A901A87A6CB.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: chargeable.exe
    PID 316 set thread context of 2968  (process: 316 chargeable.exe, target: chargeable.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Processes: netsh.exe
    Key opened            \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh  (netsh.exe)
    Key queried           \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh  (netsh.exe)
    Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh  (netsh.exe)
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: 7D9BDFD79D19C3747B6C8A901A87A6CB.exe, chargeable.exe, chargeable.exe, netsh.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (7D9BDFD79D19C3747B6C8A901A87A6CB.exe)
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (chargeable.exe)
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (chargeable.exe)
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (netsh.exe)
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes: chargeable.exe
    Token: SeDebugPrivilege             pid 2968  chargeable.exe  (1 time)
    Token: 33                           pid 2968  chargeable.exe  (16 times, alternating with the next entry)
    Token: SeIncBasePriorityPrivilege   pid 2968  chargeable.exe  (16 times)
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: 7D9BDFD79D19C3747B6C8A901A87A6CB.exe, chargeable.exe, chargeable.exe
    PID 1708 wrote to memory of 316    (1708 7D9BDFD79D19C3747B6C8A901A87A6CB.exe -> chargeable.exe)  (4 times)
    PID 316  wrote to memory of 2968   (316 chargeable.exe -> chargeable.exe)  (9 times)
    PID 2968 wrote to memory of 1808   (2968 chargeable.exe -> netsh.exe)  (4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\7D9BDFD79D19C3747B6C8A901A87A6CB.exe  (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7D9BDFD79D19C3747B6C8A901A87A6CB.exe"
  PID: 1708
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe  (level 2)
    Command line: "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
    PID: 316
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe  (level 3)
      Command line: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      PID: 2968
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\netsh.exe  (level 4)
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
        PID: 1808
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1): Windows Service (1)
  - Event Triggered Execution (1): Netsh Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1): Windows Service (1)
  - Event Triggered Execution (1): Netsh Helper DLL (1)
- Defense Evasion
  - Impair Defenses (1): Disable or Modify System Firewall (1)
  - Modify Registry (1)
Downloads