Malware Analysis Report

2024-10-19 08:03

Sample ID 240806-cnvt9azgpd
Target 0a6db9793f1f6d7221219891c5dc3a10.bin
SHA256 cfca7dd90f42a2c647d366e15ee7c0eac06bd6c115145cd2948b63c50630fe3c
Tags
njrat neuf discovery evasion persistence privilege_escalation trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cfca7dd90f42a2c647d366e15ee7c0eac06bd6c115145cd2948b63c50630fe3c

Threat Level: Known bad

The file 0a6db9793f1f6d7221219891c5dc3a10.bin was found to be: Known bad.

Malicious Activity Summary

njrat neuf discovery evasion persistence privilege_escalation trojan

njRAT/Bladabindi

Modifies Windows Firewall

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Event Triggered Execution: Netsh Helper DLL

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-06 02:13

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 02:13

Reported

2024-08-06 02:16

Platform

win7-20240708-en

Max time kernel

146s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a6db9793f1f6d7221219891c5dc3a10.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" C:\Users\Admin\AppData\Local\Temp\0a6db9793f1f6d7221219891c5dc3a10.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0a6db9793f1f6d7221219891c5dc3a10.exe" C:\Users\Admin\AppData\Local\Temp\0a6db9793f1f6d7221219891c5dc3a10.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1284 set thread context of 2876 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0a6db9793f1f6d7221219891c5dc3a10.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2392 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\0a6db9793f1f6d7221219891c5dc3a10.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2392 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\0a6db9793f1f6d7221219891c5dc3a10.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2392 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\0a6db9793f1f6d7221219891c5dc3a10.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2392 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\0a6db9793f1f6d7221219891c5dc3a10.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1284 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1284 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1284 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1284 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1284 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1284 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1284 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1284 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1284 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2876 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 2876 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 2876 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 2876 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0a6db9793f1f6d7221219891c5dc3a10.exe

"C:\Users\Admin\AppData\Local\Temp\0a6db9793f1f6d7221219891c5dc3a10.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 crl.microsoft.com udp
GB 92.123.143.234:80 crl.microsoft.com tcp
US 8.8.8.8:53 doddyfire.linkpc.net udp
DE 188.46.206.74:10000 doddyfire.linkpc.net tcp
DE 188.46.206.74:10000 doddyfire.linkpc.net tcp
DE 188.46.206.74:10000 doddyfire.linkpc.net tcp
DE 188.46.206.74:10000 doddyfire.linkpc.net tcp
DE 188.46.206.74:10000 doddyfire.linkpc.net tcp
DE 188.46.206.74:10000 doddyfire.linkpc.net tcp

Files

memory/2392-0-0x00000000742D1000-0x00000000742D2000-memory.dmp

memory/2392-1-0x00000000742D0000-0x000000007487B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabB740.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarB762.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 302a682e0bd822ac90171db2504056c7
SHA1 83d2dd78dd2e1b2608852aff37d9287aa4ecd125
SHA256 45ea34a4ee23a779016e94721fcd5996e05a405351f2848b8b924d0dfef0ce5c
SHA512 d2c81dcbbfca02b9cab286d5d5ba7ffd11bbd29f441ad2b5cb7e62b3ce2d21f727da3274a1c02fe2d6d6761d32a8c57d8549f2e587bfcfc7b0ff302abe69c671

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5 6785dc8bc52796d0e21c65b269777ac3
SHA1 c6533cb4e975a34dbcd5559f0ba5d88a9028f5cf
SHA256 d2500aa691213d77e0edbc41d4c9cef53120cf6a52788058563abd826b15aebf
SHA512 636aae1e299f60500f4284d120b2f45bd6c71defaadc5f1db8ace32296c8f0119c5ac286a61561d90754b258b575c2e5a9fe71a9e6f66e903a494ceb5f52ff8f

memory/2392-175-0x00000000742D0000-0x000000007487B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ec116bba9f1725d9b39fb9227e7c6382
SHA1 81f4f5b97a4eb9b1a9ff925f21439cb8a1a94420
SHA256 0646ecaa59820a1b226018c9b36e3a56a01566191a063d6d479ff11a5ac82a6c
SHA512 5d5a064145b11abe94aff9a7b2e3f98c2fd9f24c7974d6eb1dd1fff2d941d87cc6080e86629762cc03722edc07cc7d8892f615925f7cf02da938c5d9c18039c3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

MD5 e7122c733f9e37bba0ca4c985ce11d6d
SHA1 d661aa5b31ff7ef2df9bc4095279058c36499af2
SHA256 acc9932453f5aa68f4b95986668f5584f99e55bbe02eefc0d0960dab376df81a
SHA512 84cddf68a46f455b4ebbb8c0c70607fe60796cfc5eabdace12d0684a1323af9681700acbdbdc37e63d7806d0220fce9cba5213bb35cee056f9d71646f98711b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

MD5 547adc1efed39d1e0d60d9b71ce8e3b9
SHA1 9c29d492e2ffa284c4d353081b42d19369b077e7
SHA256 fee6d4ea67672d0068cb4bfbb6e92d133f769cb8a8c09035a2d6b3e2c4132bf0
SHA512 e1d1445b99a71a57792ebf3e5aa61618c2d7d6f12a0cfac4378cd51e8cac75e16a3cc43b8384508b1548d9f25b40675f04a64e992c7cf5c56e1c03d49e61c987

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 362c78463086a45ac92c6fa5cb4ed59d
SHA1 ea49d23c0cbd3b387971ffd829e80ca73bb55493
SHA256 257b11c2ae7ab1958ee587dfe96a6aeaa465efc3010d4d8f9b8c06d8f495d9da
SHA512 fa7c7e25be1ccb8013c18dcffedf102056bd880500e1e8de6d954ac8d64c449edd123ce5434f6a28eec5dfb442ada0b12f0751b64938e4c22c691bbcc13b4f12

memory/2876-341-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2876-344-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2876-343-0x0000000000400000-0x000000000040C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 02:13

Reported

2024-08-06 02:16

Platform

win10v2004-20240802-en

Max time kernel

146s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a6db9793f1f6d7221219891c5dc3a10.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0a6db9793f1f6d7221219891c5dc3a10.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" C:\Users\Admin\AppData\Local\Temp\0a6db9793f1f6d7221219891c5dc3a10.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0a6db9793f1f6d7221219891c5dc3a10.exe" C:\Users\Admin\AppData\Local\Temp\0a6db9793f1f6d7221219891c5dc3a10.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2364 set thread context of 3528 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0a6db9793f1f6d7221219891c5dc3a10.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2876 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\0a6db9793f1f6d7221219891c5dc3a10.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2876 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\0a6db9793f1f6d7221219891c5dc3a10.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2876 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\0a6db9793f1f6d7221219891c5dc3a10.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2364 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2364 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2364 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2364 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2364 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2364 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2364 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2364 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 3528 wrote to memory of 336 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 3528 wrote to memory of 336 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 3528 wrote to memory of 336 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0a6db9793f1f6d7221219891c5dc3a10.exe

"C:\Users\Admin\AppData\Local\Temp\0a6db9793f1f6d7221219891c5dc3a10.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 doddyfire.linkpc.net udp
DE 188.46.206.74:10000 doddyfire.linkpc.net tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 188.46.206.74:10000 doddyfire.linkpc.net tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
DE 188.46.206.74:10000 doddyfire.linkpc.net tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
DE 188.46.206.74:10000 doddyfire.linkpc.net tcp
DE 188.46.206.74:10000 doddyfire.linkpc.net tcp
DE 188.46.206.74:10000 doddyfire.linkpc.net tcp

Files

memory/2876-0-0x0000000075392000-0x0000000075393000-memory.dmp

memory/2876-1-0x0000000075390000-0x0000000075941000-memory.dmp

memory/2876-2-0x0000000075390000-0x0000000075941000-memory.dmp

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5 60ccfe1f35c69810cf10ff4c56b7553b
SHA1 3b78488761b6cdb3d11a6cec2001f41d71ad8d90
SHA256 24624d05e07b2c347a33a6a2b75f8cb10961aceb3ad16a3fc0bfa43a41c84027
SHA512 6dd4218223dfed96fbe24cc9add0e31d07dcf42ca038bc37f480da239f0901ca93d957064090da42fae38083fe0b49c8f62cc182ac741b7c809b0b22f3e1c94b

memory/2364-18-0x0000000075390000-0x0000000075941000-memory.dmp

memory/2876-17-0x0000000075390000-0x0000000075941000-memory.dmp

memory/2364-19-0x0000000075390000-0x0000000075941000-memory.dmp

memory/3528-20-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2364-24-0x0000000075390000-0x0000000075941000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log

MD5 af005173cce1850423f0f999693487cb
SHA1 950bf700178ab02d75b959cf92f1d493acba31ef
SHA256 38615066450a66b2950aa946bf8eea01f16e1f0dfc7c0748609e195c317c2a7a
SHA512 feb37c884eba52c5e74a3a9b1c604d42e6b25b98a1389ba9677361f756897d169824b9d7c214e150f6a1f07e7e63440baa07e6119aa08b919db0533a9fdb22bc

memory/3528-25-0x0000000075390000-0x0000000075941000-memory.dmp

memory/3528-26-0x0000000075390000-0x0000000075941000-memory.dmp

memory/3528-27-0x0000000075390000-0x0000000075941000-memory.dmp

memory/3528-28-0x0000000075390000-0x0000000075941000-memory.dmp