Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    09-08-2024 01:42

General

  • Target

    bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6.exe

  • Size

    117KB

  • MD5

    768717b099b487b74d2008800bc506c1

  • SHA1

    3e1fb225aef46734c07cf3c7ae5d027a78ac118f

  • SHA256

    bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6

  • SHA512

    e7554cca931bf5218215fe490c65452837c0fe7c0f2e4f837c3139b2797200f54c102d3041c844dc88dfe6b3a1f247cb4f874b6e6b3c9dad64f9a0f5be491b07

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLZ/61:P5eznsjsguGDFqGZ2rDLZ/Q

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6.exe
    "C:\Users\Admin\AppData\Local\Temp\bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2884
    • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3032
      • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2768
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2724

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

    Filesize

    1KB

    MD5

    e7122c733f9e37bba0ca4c985ce11d6d

    SHA1

    d661aa5b31ff7ef2df9bc4095279058c36499af2

    SHA256

    acc9932453f5aa68f4b95986668f5584f99e55bbe02eefc0d0960dab376df81a

    SHA512

    84cddf68a46f455b4ebbb8c0c70607fe60796cfc5eabdace12d0684a1323af9681700acbdbdc37e63d7806d0220fce9cba5213bb35cee056f9d71646f98711b9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

    Filesize

    264B

    MD5

    bf41c2e1fcc783e466a4281c43fc8434

    SHA1

    183be19f7ba92c8c3110db466eae219fc9a5f21f

    SHA256

    9b8ae790e48e07b7e7cc057359fc2b1e986105f2982b0f6fd70b4ab6a7965360

    SHA512

    813c9e04748c58f53b0a3582f8a0f871f10dbc52c5ecbf7f7712edf704dadf04da606e1a5dbe91beb018a6097806f56f0938bb95b5eeae8742654ed1781148b5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    f0f3a475247ddd71ed0a7bc0e1201b81

    SHA1

    971e427fd81a5d2e67872438260be00ad6d056f2

    SHA256

    7c5e64cf423fb72980ed375557e203a2c51ee1d00df011116a77740289cab8fb

    SHA512

    e667691e79fe58a073423ec1b286d4b796374a08f50a98776cc63f790434d79e9208998dc95fc53f85ad57cbe6df98cd48061f460cd8dc791b1abe70313df80c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    227ca95934f7dac8420218718a1cff6a

    SHA1

    a722abf84a5e341fe7698ba134f64f3d6a3e4c2f

    SHA256

    c1f1ffccf32d03015e8e479e02064b99db2cfa5dd19f590961ed4063168114c6

    SHA512

    30a5057bd92c38530bbe7292685e22b8a45ed6ec53f19fd85d50eec08c696444b98e3005f860ed4ca0912ba55f33d45ca45900735f38eb720e269da33ee10015

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b99af8fec18d368e4bb3640423633682

    SHA1

    11344fec88001070489b23894ba82379356551b4

    SHA256

    3b86549db31e8d100d7ee3b0f376266ca9a6d5de2b59cd7937b77ffb82d5d6a0

    SHA512

    7c623c3c838e09db438993daf4fa08369bc59191ef98f8d572bec59b6a24646743a4accad2184be010d5fa22d56b5d9819a97024366bbe17f8ae1296014dd061

  • C:\Users\Admin\AppData\Local\Temp\Cab66D0.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar66E3.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • \Users\Admin\AppData\Roaming\confuse\chargeable.exe

    Filesize

    118KB

    MD5

    2bb618b33b17fe35fecaa2896415988b

    SHA1

    d8db8afa43f44f71a06c0861ff1ae812929c3fbc

    SHA256

    bbbd0d390e6267559360fd3eff00f0d404f68890e8037c895f5b375f08e2678e

    SHA512

    2724b2ee69f2f4836dede8f906cd69ab09e0104a1af4b56263151e55ebe503d2d237d6245a673b060d87dabfe50566c733d195f06ab3d6c01655b0055bb05edd

  • memory/2768-345-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2768-347-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2768-348-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2884-0-0x0000000074D61000-0x0000000074D62000-memory.dmp

    Filesize

    4KB

  • memory/2884-179-0x0000000074D60000-0x000000007530B000-memory.dmp

    Filesize

    5.7MB

  • memory/2884-1-0x0000000074D60000-0x000000007530B000-memory.dmp

    Filesize

    5.7MB