Analysis

Max time kernel: 146s
Max time network: 147s
Platform: windows7_x64
Resource: win7-20240729-en
Resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
Submitted: 07-08-2024 21:15

Static task: static1
Behavioral task: behavioral1
  Sample: 449d48054397979cf6c9c19e089dcb5eb8196426987e0fa4da2c59f8c9b98dc4.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 449d48054397979cf6c9c19e089dcb5eb8196426987e0fa4da2c59f8c9b98dc4.exe
  Resource: win10v2004-20240802-en
General

Target: 449d48054397979cf6c9c19e089dcb5eb8196426987e0fa4da2c59f8c9b98dc4.exe
Size: 116KB
MD5: d9df789ef3b86057d0aa6e3bda146af3
SHA1: 7314a62d95cda84d53fedd9eccf3d2d39c11beca
SHA256: 449d48054397979cf6c9c19e089dcb5eb8196426987e0fa4da2c59f8c9b98dc4
SHA512: ff9d843a3998d207c08b0655f8ea41bdb7b4c31e102b5558491d862ad828fc14e368cbb05762c4e83e7fb6d815ff57f6dd3349acf62556ffc45e9ef02f926629
SSDEEP: 1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMdeHk:P5eznsjsguGDFqGZ2rN
Malware Config

Extracted
Family: njrat
Version: 0.7d
Botnet: neuf
C2: doddyfire.linkpc.net:10000
Mutex: e1a87040f2026369a233f9ae76301b7b
Attributes:
  reg_key: e1a87040f2026369a233f9ae76301b7b
  splitter: |'|'|
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes:
  netsh.exe (PID 2936)

Executes dropped EXE (2 IoCs)
Processes:
  chargeable.exe (PID 2356)
  chargeable.exe (PID 2820)

Loads dropped DLL (2 IoCs)
Processes:
  449d48054397979cf6c9c19e089dcb5eb8196426987e0fa4da2c59f8c9b98dc4.exe (PID 2296), 2 events

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  449d48054397979cf6c9c19e089dcb5eb8196426987e0fa4da2c59f8c9b98dc4.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"
  449d48054397979cf6c9c19e089dcb5eb8196426987e0fa4da2c59f8c9b98dc4.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\449d48054397979cf6c9c19e089dcb5eb8196426987e0fa4da2c59f8c9b98dc4.exe"

Suspicious use of SetThreadContext (1 IoC)
Processes:
  chargeable.exe (PID 2356) set thread context of chargeable.exe (PID 2820)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
  netsh.exe: Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh
  netsh.exe: Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh
  netsh.exe: Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  449d48054397979cf6c9c19e089dcb5eb8196426987e0fa4da2c59f8c9b98dc4.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  chargeable.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  chargeable.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  netsh.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

Suspicious use of AdjustPrivilegeToken (33 IoCs)
Processes:
  chargeable.exe (PID 2820): Token: SeDebugPrivilege, 1 event
  chargeable.exe (PID 2820): Token: 33, 16 events
  chargeable.exe (PID 2820): Token: SeIncBasePriorityPrivilege, 16 events

Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
  PID 2296 (449d48054397979cf6c9c19e089dcb5eb8196426987e0fa4da2c59f8c9b98dc4.exe) wrote to memory of PID 2356 (chargeable.exe), 4 events
  PID 2356 (chargeable.exe) wrote to memory of PID 2820 (chargeable.exe), 9 events
  PID 2820 (chargeable.exe) wrote to memory of PID 2936 (netsh.exe), 4 events
Processes

1. C:\Users\Admin\AppData\Local\Temp\449d48054397979cf6c9c19e089dcb5eb8196426987e0fa4da2c59f8c9b98dc4.exe (PID 2296)
   Command line: "C:\Users\Admin\AppData\Local\Temp\449d48054397979cf6c9c19e089dcb5eb8196426987e0fa4da2c59f8c9b98dc4.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (PID 2356)
      Command line: "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (PID 2820)
         Command line: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\netsh.exe (PID 2936)
            Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
            - Modifies Windows Firewall
            - Event Triggered Execution: Netsh Helper DLL
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)

Defense Evasion
  Impair Defenses (1)
    Disable or Modify System Firewall (1)
  Modify Registry (1)
Downloads