Analysis
max time kernel: 146s
max time network: 147s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 07-08-2024 01:20

Static task: static1

Behavioral task: behavioral1
Sample: 3d7efcd6d8aea2ac2b5ef051dc9933ab37400132b9f54d5ac042748b92e43c4b.exe
Resource: win7-20240705-en

Behavioral task: behavioral2
Sample: 3d7efcd6d8aea2ac2b5ef051dc9933ab37400132b9f54d5ac042748b92e43c4b.exe
Resource: win10v2004-20240802-en
General
Target: 3d7efcd6d8aea2ac2b5ef051dc9933ab37400132b9f54d5ac042748b92e43c4b.exe
Size: 118KB
MD5: 7d9bdfd79d19c3747b6c8a901a87a6cb
SHA1: bc1172b55a0444a917ee38da653258366d21b6a0
SHA256: 3d7efcd6d8aea2ac2b5ef051dc9933ab37400132b9f54d5ac042748b92e43c4b
SHA512: e8c14a6643776b9111f90e2a73f182970327cc562d1602dd78724be0b037136766b775161fd09bacc6692040d2e1da1fe3d286a01f078dff5f8c1c9f4a73a4c9
SSDEEP: 1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDL14FOA:P5eznsjsguGDFqGZ2rDL14FOA
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: neuf
C2: doddyfire.linkpc.net:10000
e1a87040f2026369a233f9ae76301b7b
reg_key: e1a87040f2026369a233f9ae76301b7b
splitter: |'|'|
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes:
- netsh.exe (PID 2728)

Executes dropped EXE (2 IoCs)
Processes:
- chargeable.exe (PID 2808)
- chargeable.exe (PID 2580)

Loads dropped DLL (2 IoCs)
Processes:
- 3d7efcd6d8aea2ac2b5ef051dc9933ab37400132b9f54d5ac042748b92e43c4b.exe (PID 648), 2 events

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- 3d7efcd6d8aea2ac2b5ef051dc9933ab37400132b9f54d5ac042748b92e43c4b.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"
- 3d7efcd6d8aea2ac2b5ef051dc9933ab37400132b9f54d5ac042748b92e43c4b.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3d7efcd6d8aea2ac2b5ef051dc9933ab37400132b9f54d5ac042748b92e43c4b.exe"

Suspicious use of SetThreadContext (1 IoC)
Processes:
- chargeable.exe (PID 2808) set thread context of chargeable.exe (PID 2580)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
- netsh.exe: Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh
- netsh.exe: Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh
- netsh.exe: Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
Processes:
- chargeable.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- netsh.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- 3d7efcd6d8aea2ac2b5ef051dc9933ab37400132b9f54d5ac042748b92e43c4b.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- chargeable.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

Suspicious use of AdjustPrivilegeToken (33 IoCs)
Processes:
- chargeable.exe (PID 2580): Token: SeDebugPrivilege
- chargeable.exe (PID 2580): Token: 33 and Token: SeIncBasePriorityPrivilege, alternating, 16 events each

Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
- 3d7efcd6d8aea2ac2b5ef051dc9933ab37400132b9f54d5ac042748b92e43c4b.exe (PID 648) wrote to memory of chargeable.exe (PID 2808), 4 events
- chargeable.exe (PID 2808) wrote to memory of chargeable.exe (PID 2580), 9 events
- chargeable.exe (PID 2580) wrote to memory of netsh.exe (PID 2728), 4 events
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\3d7efcd6d8aea2ac2b5ef051dc9933ab37400132b9f54d5ac042748b92e43c4b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3d7efcd6d8aea2ac2b5ef051dc9933ab37400132b9f54d5ac042748b92e43c4b.exe"
  PID: 648
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    Command line: "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
    PID: 2808
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      Command line: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      PID: 2580
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
        PID: 2728
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)

Defense Evasion
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (1)
Downloads

File (no path recorded)
Filesize: 1KB
MD5: e7122c733f9e37bba0ca4c985ce11d6d
SHA1: d661aa5b31ff7ef2df9bc4095279058c36499af2
SHA256: acc9932453f5aa68f4b95986668f5584f99e55bbe02eefc0d0960dab376df81a
SHA512: 84cddf68a46f455b4ebbb8c0c70607fe60796cfc5eabdace12d0684a1323af9681700acbdbdc37e63d7806d0220fce9cba5213bb35cee056f9d71646f98711b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE
Filesize: 264B
MD5: 20fa3d1bacbc15929b131b4a2bd38cba
SHA1: 16f0a13314a79920af88c19cb29bf8a14681858f
SHA256: 983cb436fea342742b788cb7791ab95ace9b4c1dc5a3eebb7184040ce2794c19
SHA512: a5dc6394ba60a7776b649432f1d3ea632a7aa94977fed7d3f19e7e159efe6f66708b0fe29470375b328e6d4b9e3127bde760d4d44ba4e24bad3e2739051c6a02

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: a16a2e79222e34830266ffc4e1a159dc
SHA1: 0c56ad939b67447f52e456a705c87650a4f2eb6f
SHA256: 70ebae878b2bb4647c21afc0c6c40820347b5c1f3be8528303f97c7ebe59a1d6
SHA512: ec24fab0588194f9e8579171da6703d55c0f0c7f37f6b172b9255e749f167a694f0349e019e5787d4d33baaaf887d2559e69d20e0463be5650dfcb7bffa068d5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: cbed6c5c90f218162dfd4a14022fa57a
SHA1: 54b9009269ed444edadd7b58d6dc05f9891453fd
SHA256: 0cdd6f88d460c01e2db8a98da02a557f0a42f65901414425de05179095841200
SHA512: 2b16cd3001ecfaaafddc625cdb0248024bc434b7f3bc8b67419b8457c6f12516ca8fa4cb51bafb2f96fea90f96f9ee2c943ccf9d79f0e17ec90b595942d51476

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 97a3896a619ba6a4b916ab67dd6317d6
SHA1: 2c94a5534f07dd5835b743244064387abf82e384
SHA256: 00dd59249fbe895fcbe4fe68048440351912a864390359f2165389ef4bf78c83
SHA512: 3fd7e11a97ec0a6f7b46f1d7d09b516115570773e571b5e18678c6bb80772f808bc2fb9227b10746be1d64d385ab7fbf01104c84fce31ba1d430a265323c0df7

File (no path recorded)
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

File (no path recorded)
Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

File (no path recorded)
Filesize: 118KB
MD5: e744a0e3713b8bd3dcbd71c814437235
SHA1: b5f243f4c6122af4e6d9b5987a819219ffedcd2c
SHA256: 81d1c66af492b7a7ef2342501c5ed077cc9345eb1fc5c0f98b31beb357755665
SHA512: 0df9e46dbfb539cfa456d8de8f178991cef382538e6c7d7e45e1a6eaa81e2ce53c25e47c7533245ed3ac3392364d189d8bcfb9214994a3a27a199f9985ad9da2