Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    07-08-2024 01:20

General

  • Target

    3d7efcd6d8aea2ac2b5ef051dc9933ab37400132b9f54d5ac042748b92e43c4b.exe

  • Size

    118KB

  • MD5

    7d9bdfd79d19c3747b6c8a901a87a6cb

  • SHA1

    bc1172b55a0444a917ee38da653258366d21b6a0

  • SHA256

    3d7efcd6d8aea2ac2b5ef051dc9933ab37400132b9f54d5ac042748b92e43c4b

  • SHA512

    e8c14a6643776b9111f90e2a73f182970327cc562d1602dd78724be0b037136766b775161fd09bacc6692040d2e1da1fe3d286a01f078dff5f8c1c9f4a73a4c9

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDL14FOA:P5eznsjsguGDFqGZ2rDL14FOA

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3d7efcd6d8aea2ac2b5ef051dc9933ab37400132b9f54d5ac042748b92e43c4b.exe
    "C:\Users\Admin\AppData\Local\Temp\3d7efcd6d8aea2ac2b5ef051dc9933ab37400132b9f54d5ac042748b92e43c4b.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:648
    • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2808
      • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2580
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2728

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

    Filesize

    1KB

    MD5

    e7122c733f9e37bba0ca4c985ce11d6d

    SHA1

    d661aa5b31ff7ef2df9bc4095279058c36499af2

    SHA256

    acc9932453f5aa68f4b95986668f5584f99e55bbe02eefc0d0960dab376df81a

    SHA512

    84cddf68a46f455b4ebbb8c0c70607fe60796cfc5eabdace12d0684a1323af9681700acbdbdc37e63d7806d0220fce9cba5213bb35cee056f9d71646f98711b9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

    Filesize

    264B

    MD5

    20fa3d1bacbc15929b131b4a2bd38cba

    SHA1

    16f0a13314a79920af88c19cb29bf8a14681858f

    SHA256

    983cb436fea342742b788cb7791ab95ace9b4c1dc5a3eebb7184040ce2794c19

    SHA512

    a5dc6394ba60a7776b649432f1d3ea632a7aa94977fed7d3f19e7e159efe6f66708b0fe29470375b328e6d4b9e3127bde760d4d44ba4e24bad3e2739051c6a02

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    a16a2e79222e34830266ffc4e1a159dc

    SHA1

    0c56ad939b67447f52e456a705c87650a4f2eb6f

    SHA256

    70ebae878b2bb4647c21afc0c6c40820347b5c1f3be8528303f97c7ebe59a1d6

    SHA512

    ec24fab0588194f9e8579171da6703d55c0f0c7f37f6b172b9255e749f167a694f0349e019e5787d4d33baaaf887d2559e69d20e0463be5650dfcb7bffa068d5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    cbed6c5c90f218162dfd4a14022fa57a

    SHA1

    54b9009269ed444edadd7b58d6dc05f9891453fd

    SHA256

    0cdd6f88d460c01e2db8a98da02a557f0a42f65901414425de05179095841200

    SHA512

    2b16cd3001ecfaaafddc625cdb0248024bc434b7f3bc8b67419b8457c6f12516ca8fa4cb51bafb2f96fea90f96f9ee2c943ccf9d79f0e17ec90b595942d51476

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    97a3896a619ba6a4b916ab67dd6317d6

    SHA1

    2c94a5534f07dd5835b743244064387abf82e384

    SHA256

    00dd59249fbe895fcbe4fe68048440351912a864390359f2165389ef4bf78c83

    SHA512

    3fd7e11a97ec0a6f7b46f1d7d09b516115570773e571b5e18678c6bb80772f808bc2fb9227b10746be1d64d385ab7fbf01104c84fce31ba1d430a265323c0df7

  • C:\Users\Admin\AppData\Local\Temp\CabA112.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarA1C0.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • \Users\Admin\AppData\Roaming\confuse\chargeable.exe

    Filesize

    118KB

    MD5

    e744a0e3713b8bd3dcbd71c814437235

    SHA1

    b5f243f4c6122af4e6d9b5987a819219ffedcd2c

    SHA256

    81d1c66af492b7a7ef2342501c5ed077cc9345eb1fc5c0f98b31beb357755665

    SHA512

    0df9e46dbfb539cfa456d8de8f178991cef382538e6c7d7e45e1a6eaa81e2ce53c25e47c7533245ed3ac3392364d189d8bcfb9214994a3a27a199f9985ad9da2

  • memory/648-176-0x0000000074F20000-0x00000000754CB000-memory.dmp

    Filesize

    5.7MB

  • memory/648-0-0x0000000074F21000-0x0000000074F22000-memory.dmp

    Filesize

    4KB

  • memory/648-9-0x0000000074F20000-0x00000000754CB000-memory.dmp

    Filesize

    5.7MB

  • memory/648-8-0x0000000074F20000-0x00000000754CB000-memory.dmp

    Filesize

    5.7MB

  • memory/2580-342-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2580-345-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2580-344-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB