Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    06-08-2024 22:16

General

  • Target

    7D9BDFD79D19C3747B6C8A901A87A6CB.exe

  • Size

    118KB

  • MD5

    7d9bdfd79d19c3747b6c8a901a87a6cb

  • SHA1

    bc1172b55a0444a917ee38da653258366d21b6a0

  • SHA256

    3d7efcd6d8aea2ac2b5ef051dc9933ab37400132b9f54d5ac042748b92e43c4b

  • SHA512

    e8c14a6643776b9111f90e2a73f182970327cc562d1602dd78724be0b037136766b775161fd09bacc6692040d2e1da1fe3d286a01f078dff5f8c1c9f4a73a4c9

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDL14FOA:P5eznsjsguGDFqGZ2rDL14FOA

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7D9BDFD79D19C3747B6C8A901A87A6CB.exe
    "C:\Users\Admin\AppData\Local\Temp\7D9BDFD79D19C3747B6C8A901A87A6CB.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:316
      • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2968
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:1808

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

    Filesize

    1KB

    MD5

    e7122c733f9e37bba0ca4c985ce11d6d

    SHA1

    d661aa5b31ff7ef2df9bc4095279058c36499af2

    SHA256

    acc9932453f5aa68f4b95986668f5584f99e55bbe02eefc0d0960dab376df81a

    SHA512

    84cddf68a46f455b4ebbb8c0c70607fe60796cfc5eabdace12d0684a1323af9681700acbdbdc37e63d7806d0220fce9cba5213bb35cee056f9d71646f98711b9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

    Filesize

    264B

    MD5

    2f696323add467d2c10718b95ae4e531

    SHA1

    69b8216b575d10f1380cf0adc3e5fbe6994242c7

    SHA256

    db31fe1c7c715c982d79976a37fe2756d430bea13ef19d3796d7ecddc00f0a37

    SHA512

    00afca0cfb7de10268709a5697ccda8ef01197d6964e8cff2749cb5f05b1b930cb9f5f9c157ba6a1694dc12a38e1e5bf988df6ab5a2fddf0910d5b9ae02e9bbc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    7fd0d70371556dd887f23f70763ac411

    SHA1

    c4d904290552aa788e779cf4fd7eea40afab7055

    SHA256

    a24c9c89405e195f73caf144b42e75c5f68f75c46cb7b79965e88f1a4f1fe9a7

    SHA512

    2ec0c8cfd52c6013a1067ac4c66df5e68cf6aefd62c9c9ae3ac9442d10e22bad3531f694ed220986f7e819989049460b93d5604c00f42a3817fc24155b031f3e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    0501e710c4404e7d1a3d42405487f7cb

    SHA1

    6e89a88f42452d698fce6241c216ad0fa3f035c5

    SHA256

    04cd50f1d14e0c3fd6b2b8d23bdc8b20339bea8075e50e2f9d328ab4f022acfb

    SHA512

    0c798dbdb1c21e6a2533d50596e559487f17f0c55e89a486ad77bed3cefa287e8ff9f656c8177c6280d81f8fc3bd97e529ebc1575aaaf0d5cf14deea240716d5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    716946366a3bf4880a28b3ca7c595dde

    SHA1

    42773be08256dad49bfa5e42cc8388b8b932122f

    SHA256

    e1096b270d1e351fcb575285c920a0849ed561da609f072456f5afb2c8297308

    SHA512

    89fd8b7af84cbe034a11e802c643ebc95dbd383f1082ea74a9544bdc55ce6b1c1a9be38bf9f525ac784f44989203ba59d26a22553b8b9d622d6757a2cb8a84b3

  • C:\Users\Admin\AppData\Local\Temp\Cab9494.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar94B6.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • \Users\Admin\AppData\Roaming\confuse\chargeable.exe

    Filesize

    118KB

    MD5

    f14400359eb5854e15480c558222a488

    SHA1

    5289f96bc3a6020904b434e1f6688a1190c75c32

    SHA256

    348c63507fd3bf1b8472d413973e3f63132ad6aa322516025967c16665d7bae9

    SHA512

    6b2ac85135364627039f556b16e58981f5ff29ad73a77148720adfd3a056c455510b9a760ec209c00a1874987edd0c698c3162e35fb93e494859206500a52acc

  • memory/1708-176-0x0000000074320000-0x00000000748CB000-memory.dmp

    Filesize

    5.7MB

  • memory/1708-0-0x0000000074321000-0x0000000074322000-memory.dmp

    Filesize

    4KB

  • memory/1708-9-0x0000000074320000-0x00000000748CB000-memory.dmp

    Filesize

    5.7MB

  • memory/1708-2-0x0000000074320000-0x00000000748CB000-memory.dmp

    Filesize

    5.7MB

  • memory/2968-342-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2968-344-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2968-345-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB