Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    07-08-2024 21:15

General

  • Target

    449d48054397979cf6c9c19e089dcb5eb8196426987e0fa4da2c59f8c9b98dc4.exe

  • Size

    116KB

  • MD5

    d9df789ef3b86057d0aa6e3bda146af3

  • SHA1

    7314a62d95cda84d53fedd9eccf3d2d39c11beca

  • SHA256

    449d48054397979cf6c9c19e089dcb5eb8196426987e0fa4da2c59f8c9b98dc4

  • SHA512

    ff9d843a3998d207c08b0655f8ea41bdb7b4c31e102b5558491d862ad828fc14e368cbb05762c4e83e7fb6d815ff57f6dd3349acf62556ffc45e9ef02f926629

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMdeHk:P5eznsjsguGDFqGZ2rN

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\449d48054397979cf6c9c19e089dcb5eb8196426987e0fa4da2c59f8c9b98dc4.exe
    "C:\Users\Admin\AppData\Local\Temp\449d48054397979cf6c9c19e089dcb5eb8196426987e0fa4da2c59f8c9b98dc4.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2356
      • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2820
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2936

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    8efb23a3a922a5c5ae8aed7c95747d16

    SHA1

    fd362f0dd9139284b7c7724edb168df90cbd339e

    SHA256

    775e0f179399485dbd69aa7ccf7cf9a0aa579b3ca8722b42549b0a51b4bbd412

    SHA512

    aaecfc03f6caa5046a6b9dd74551bc83c127dc4040a0b2cf97231beec384680bb8120652ee6884f4d9bd10bc35431f8948cea6ed364f54df69ce26a14e60eafd

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c1cbf8e0390990118f6cd9cde8ac59a5

    SHA1

    46685d63f103fbe25c1e4d36414ca27456d6de16

    SHA256

    0797cc306cbbc09d961ec40fa6cd327e71e4492d63fcb1c083071bf4f2dd0842

    SHA512

    7bc72339b288252270eed747f0b360050b123d86f1bacf8b9f55b200821d96ddff641b2c1bd1a572de1bbe1dfb464efa5bd3c53e7dc382e4860307d15003aade

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    2bd8915a9883dcd224e3f48c7713739b

    SHA1

    91e0b3c299a7a0416b561517dcadec129da12565

    SHA256

    cb81e5d048867ec0b51f4ec55de5d2c5c668f71f3e1a547bff34e0c19f452070

    SHA512

    6df57a4a702118ce28112d8ffce8cad07666618c8a56304968a88a6b0913d97e676000391412645ef56e68dc0752fd368e926647f245c5ef61b0e1a5adb908e5

  • C:\Users\Admin\AppData\Local\Temp\CabAAB3.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarAAC5.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • \Users\Admin\AppData\Roaming\confuse\chargeable.exe

    Filesize

    116KB

    MD5

    a51cd3c8d08fc6c719992b0975fc2cf1

    SHA1

    594a4c5e855d9a3272492052cba8223aa4af9a4d

    SHA256

    4aa4adf12ca3cb39ab1bd5a4ecb3de8cab8373ce11b9397c6a45f96d7fc9f047

    SHA512

    58daa802ecd79ac1d04abb5f62b934765aed185879097712de00a0207e9cf14477ed015cb26375788d6127496a865f0d363b434227f6ff7fe9712cbd9cfe46f5

  • memory/2296-0-0x0000000074931000-0x0000000074932000-memory.dmp

    Filesize

    4KB

  • memory/2296-177-0x0000000074930000-0x0000000074EDB000-memory.dmp

    Filesize

    5.7MB

  • memory/2296-2-0x0000000074930000-0x0000000074EDB000-memory.dmp

    Filesize

    5.7MB

  • memory/2296-1-0x0000000074930000-0x0000000074EDB000-memory.dmp

    Filesize

    5.7MB

  • memory/2820-341-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2820-343-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2820-344-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB