Analysis

- max time kernel: 147s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 09-08-2024 01:42

Static task: static1

Behavioral task: behavioral1
- Sample: bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6.exe
- Resource: win7-20240708-en

Behavioral task: behavioral2
- Sample: bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6.exe
- Resource: win10v2004-20240802-en
General

- Target: bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6.exe
- Size: 117KB
- MD5: 768717b099b487b74d2008800bc506c1
- SHA1: 3e1fb225aef46734c07cf3c7ae5d027a78ac118f
- SHA256: bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6
- SHA512: e7554cca931bf5218215fe490c65452837c0fe7c0f2e4f837c3139b2797200f54c102d3041c844dc88dfe6b3a1f247cb4f874b6e6b3c9dad64f9a0f5be491b07
- SSDEEP: 1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLZ/61:P5eznsjsguGDFqGZ2rDLZ/Q
Malware Config

Extracted: njrat
- Version: 0.7d
- Campaign (botnet ID): neuf
- C2: doddyfire.linkpc.net:10000
- Identifier (unlabeled in the report; same value as reg_key): e1a87040f2026369a233f9ae76301b7b
- reg_key: e1a87040f2026369a233f9ae76301b7b
- splitter: |'|'|

linkpc.net is a dynamic DNS service, so the address behind doddyfire.linkpc.net can change at any time; detection and blocking should key on the hostname and port rather than on whatever IP resolved during this run.
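The splitter above is the field delimiter of njRAT's C2 protocol. The following Python is an added example, not part of this report and not the malware's code, that parses frames in the format public njRAT write-ups describe: a decimal ASCII length, a NUL byte, then the splitter-joined fields. That this build uses exactly that framing is an assumption of the example, as are the command names "ll" and "P" and the constructed sample stream; confirm against a real capture before relying on it.

```python
"""Parser for njRAT-style C2 frames (added example, constructed data).

Assumed wire format (from public njRAT analyses, not from this report):
    <decimal length><0x00><field0>|'|'|<field1>|'|'|...
where field0 is the command and the splitter comes from the extracted config.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SPLITTER = b"|'|'|"                      # from the extracted config above
C2 = ("doddyfire.linkpc.net", 10000)     # from the extracted config above


@dataclass
class Frame:
    command: str
    fields: List[bytes]


def parse_frame(buf: bytes) -> Tuple[Optional[Frame], bytes]:
    """Parse one frame from the front of buf and return (frame, remainder).

    Returns (None, buf) when buf does not yet contain a complete frame, so a
    caller reading a TCP stream can keep appending bytes: TCP does not
    preserve message boundaries, and frames arrive split or coalesced.
    """
    nul = buf.find(b"\x00")
    if nul == -1:
        return None, buf
    length_bytes = buf[:nul]
    if not length_bytes.isdigit():
        raise ValueError("length prefix is not decimal ASCII: %r" % length_bytes)
    length = int(length_bytes)
    body_start = nul + 1
    if len(buf) < body_start + length:
        return None, buf                 # partial frame: wait for more data
    body = buf[body_start:body_start + length]
    # Split on the whole splitter token, never on a bare '|': a field such as
    # a window title may legitimately contain '|' and a one-character split
    # would shift every following field.
    parts = body.split(SPLITTER)
    frame = Frame(parts[0].decode("ascii", "replace"), parts[1:])
    return frame, buf[body_start + length:]


def parse_stream(data: bytes) -> List[Frame]:
    """Parse every complete frame in data; a trailing partial frame is ignored."""
    frames: List[Frame] = []
    while data:
        frame, data = parse_frame(data)
        if frame is None:
            break
        frames.append(frame)
    return frames


def build_frame(command: str, *fields: bytes) -> bytes:
    """Encode a frame the same way, useful for emulating the C2 in a lab."""
    body = SPLITTER.join([command.encode("ascii")] + list(fields))
    return str(len(body)).encode("ascii") + b"\x00" + body


# Constructed sample stream: a beacon-style frame whose hostname field
# contains a bare '|', a ping frame with no fields, and a partial frame whose
# declared 12 bytes have not all arrived yet.
SAMPLE_STREAM = (
    build_frame("ll", b"victim-id", b"HOST|Admin", b"0.7d")
    + build_frame("P")
    + b"12\x00inf"
)

if __name__ == "__main__":
    for f in parse_stream(SAMPLE_STREAM):
        print(f.command, f.fields)
```

The length prefix is what makes this tractable as a network signature: a decimal run, a NUL and the splitter within the declared body is a tighter match than the splitter alone, which can appear in unrelated text.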
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes:
- netsh.exe (PID 2724)

Executes dropped EXE (2 IoCs)
Processes:
- chargeable.exe (PID 3032)
- chargeable.exe (PID 2768)

Loads dropped DLL (2 IoCs)
Processes:
- bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6.exe (PID 2884), two loads

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"
- bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6.exe"
Both values are written to the current user's hive (HKCU\...\Run) and point into user-writable profile directories, so neither needs elevation. The first re-launches the dropped copy from %APPDATA%\confuse at each logon, the second re-launches the original dropper from %TEMP%; the value name SysMain mimics a legitimate Windows service name.

Suspicious use of SetThreadContext (1 IoC)
Processes:
- chargeable.exe (PID 3032) set thread context of chargeable.exe (PID 2768)
Together with the WriteProcessMemory events below (PID 3032 writing nine times into PID 2768, a second instance of its own image), this is the pattern of a process starting a copy of itself, overwriting the copy's memory and redirecting its thread. The injected instance (PID 2768) is the one that afterwards adjusts privileges and spawns netsh, so it is where the unpacked payload runs.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
- netsh.exe: Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh
- netsh.exe: Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh
- netsh.exe: Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh
netsh.exe enumerates this key on every start to load its registered helper DLLs. All three IoCs are reads and no value is set, so they are a side effect of the firewall command rather than evidence that the sample registered a helper DLL for persistence.

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- chargeable.exe (PID 3032): Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- chargeable.exe (PID 2768): Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- netsh.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
This key is read during locale initialisation by many benign programs (netsh.exe itself triggers it here), so on its own it is low-signal.

Suspicious use of AdjustPrivilegeToken (33 IoCs)
Processes:
- chargeable.exe (PID 2768): Token: SeDebugPrivilege once, followed by 16 repetitions of the pair Token: 33 / Token: SeIncBasePriorityPrivilege
"33" is the raw privilege LUID that the report did not resolve to a name; it corresponds to SeIncreaseWorkingSetPrivilege. SeDebugPrivilege is the privilege a RAT needs to open and inject into other processes; the repeated SeIncBasePriorityPrivilege requests are what a process needs to raise its own priority class.

Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
- PID 2884 (bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6.exe) wrote to memory of PID 3032 (chargeable.exe): 4 events
- PID 3032 (chargeable.exe) wrote to memory of PID 2768 (chargeable.exe): 9 events
- PID 2768 (chargeable.exe) wrote to memory of PID 2724 (netsh.exe): 4 events
A handful of writes from a parent into a child it has just created is part of normal process start-up (the parent populates the child's process parameters), so the 2884->3032 and 2768->2724 writes are only suspicious in context. The nine writes from 3032 into 2768, combined with the SetThreadContext call above, are the injection.
Processes

1. C:\Users\Admin\AppData\Local\Temp\bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6.exe (PID 2884)
   Command line: "C:\Users\Admin\AppData\Local\Temp\bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (PID 3032), child of PID 2884
      Command line: "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (PID 2768), child of PID 3032
         Command line: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\netsh.exe (PID 2724), child of PID 2768
            Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
            - Modifies Windows Firewall
            - Event Triggered Execution: Netsh Helper DLL
            - System Location Discovery: System Language Discovery

The netsh call uses the legacy "netsh firewall" context, deprecated since Windows Vista but still accepted on Windows 7, to add an inbound exception named "chargeable.exe" for the implant. netsh.exe runs from SysWOW64 because its caller is a 32-bit process (the same reason the registry reads above go through Wow6432Node). The "Modifies Windows Firewall" signature fires on the command line alone; the exception is only actually created if the process holds administrative rights.
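Taken together, the IoCs above describe a dropper that writes two Run values pointing into user-writable paths, a second chargeable.exe that is written to and has its thread context set by a copy of itself, and a netsh call that whitelists the implant. The Python below is an added example, not from this report or from the sandbox vendor, that runs those three checks over constructed event records mirroring the listed IoCs. The record field names (type, pid, image, key, value, cmdline, target_pid, target_image) are this example's own assumptions, not the sandbox's export schema, and the firewall check also covers the current "netsh advfirewall firewall add rule ... program=" syntax, which this sample does not use.

```python
"""Behavioural triage over sandbox-style events (added example, constructed data)."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Directories a standard user can write to: anything under the profile's AppData.
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
_TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')

DROPPER = "bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6.exe"
SID = "S-1-5-21-1506706701-1246725540-2219210854-1000"

# Constructed records mirroring the report's IoCs (field names are assumed).
EVENTS: List[Dict] = [
    {"type": "reg_set", "pid": 2884, "image": DROPPER,
     "key": r"\REGISTRY\USER\%s\Software\Microsoft\Windows\CurrentVersion\Run\confuse" % SID,
     "value": r"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"},
    {"type": "reg_set", "pid": 2884, "image": DROPPER,
     "key": r"\REGISTRY\USER\%s\Software\Microsoft\Windows\CurrentVersion\Run\SysMain" % SID,
     "value": r"C:\Users\Admin\AppData\Local\Temp" + "\\" + DROPPER},
    {"type": "write_memory", "pid": 2884, "image": DROPPER,
     "target_pid": 3032, "target_image": "chargeable.exe"},
    {"type": "write_memory", "pid": 3032, "image": "chargeable.exe",
     "target_pid": 2768, "target_image": "chargeable.exe"},
    {"type": "set_thread_context", "pid": 3032, "image": "chargeable.exe",
     "target_pid": 2768, "target_image": "chargeable.exe"},
    {"type": "write_memory", "pid": 2768, "image": "chargeable.exe",
     "target_pid": 2724, "target_image": "netsh.exe"},
    {"type": "process_start", "pid": 2724, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE'},
]


def win_tokens(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace while honouring double quotes
    (sufficient for netsh and Run values; not a full CommandLineToArgvW)."""
    return [t.replace('"', "") for t in _TOKEN.findall(cmdline)]


def check_run_keys(events: List[Dict]) -> List[str]:
    """Run values whose executable lives in a user-writable profile path."""
    hits = []
    for e in events:
        if e["type"] != "reg_set" or not RUN_KEY.search(e["key"]):
            continue
        name = e["key"].rsplit("\\", 1)[-1]
        toks = win_tokens(e["value"])          # a Run value may carry arguments
        path = toks[0] if toks else ""
        if USER_WRITABLE.match(path):
            hits.append("pid %d: Run value %s -> %s (user-writable)" % (e["pid"], name, path))
    return hits


def check_netsh_allow(events: List[Dict]) -> List[str]:
    """netsh firewall allow rules for a program in a user-writable path.
    Handles the legacy 'firewall add allowedprogram <path>' form used here
    and the current 'advfirewall firewall add rule ... program=<path>' form."""
    hits = []
    for e in events:
        if e["type"] != "process_start" or not e["image"].lower().endswith("netsh.exe"):
            continue
        toks = win_tokens(e["cmdline"])
        low = [t.lower() for t in toks]
        program = None
        if low[1:4] == ["firewall", "add", "allowedprogram"] and len(toks) > 4:
            program = toks[4]
            if program.lower().startswith("program="):
                program = program[len("program="):]
        elif low[1:5] == ["advfirewall", "firewall", "add", "rule"]:
            for t in toks[5:]:
                if t.lower().startswith("program="):
                    program = t[len("program="):]
        if program and USER_WRITABLE.match(program):
            hits.append("pid %d: netsh allows %s through the firewall (user-writable)" % (e["pid"], program))
    return hits


def check_self_injection(events: List[Dict]) -> List[str]:
    """A process that both writes memory and sets thread context in one target.
    Writes alone are normal parent/child start-up noise; the combination is not."""
    touched: Dict[Tuple[int, str, int, str], Set[str]] = defaultdict(set)
    for e in events:
        if e["type"] in ("write_memory", "set_thread_context"):
            touched[(e["pid"], e["image"], e["target_pid"], e["target_image"])].add(e["type"])
    hits = []
    for (pid, image, tpid, timage), kinds in touched.items():
        if {"write_memory", "set_thread_context"} <= kinds:
            same = " (same image: self-injection)" if image.lower() == timage.lower() else ""
            hits.append("pid %d %s wrote memory and set thread context in pid %d %s%s"
                        % (pid, image, tpid, timage, same))
    return hits


def triage(events: List[Dict]) -> Dict[str, List[str]]:
    return {"run_keys": check_run_keys(events),
            "firewall": check_netsh_allow(events),
            "injection": check_self_injection(events)}


if __name__ == "__main__":
    for section, hits in triage(EVENTS).items():
        print(section)
        for h in hits:
            print("   ", h)
```

Against the constructed records this reports both Run values, the netsh exception and the 3032 -> 2768 injection, while the 2884 -> 3032 and 2768 -> 2724 writes stay silent because no SetThreadContext accompanies them.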
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (T1547): Registry Run Keys / Startup Folder (T1547.001), 1
- Create or Modify System Process (T1543): Windows Service (T1543.003), 1
- Event Triggered Execution (T1546): Netsh Helper DLL (T1546.007), 1

Privilege Escalation
- Boot or Logon Autostart Execution (T1547): Registry Run Keys / Startup Folder (T1547.001), 1
- Create or Modify System Process (T1543): Windows Service (T1543.003), 1
- Event Triggered Execution (T1546): Netsh Helper DLL (T1546.007), 1

Defense Evasion
- Impair Defenses (T1562): Disable or Modify System Firewall (T1562.004), 1
- Modify Registry (T1112), 1
Downloads

The CryptnetUrlCache\MetaData entries are written by CryptoAPI (cryptnet.dll) when Windows fetches certificate, CRL or OCSP data over HTTP, for example during Authenticode or certificate-chain checks; they are operating-system artifacts, not files written by the sample itself.

- Path not recorded
  Filesize: 1KB
  MD5: e7122c733f9e37bba0ca4c985ce11d6d
  SHA1: d661aa5b31ff7ef2df9bc4095279058c36499af2
  SHA256: acc9932453f5aa68f4b95986668f5584f99e55bbe02eefc0d0960dab376df81a
  SHA512: 84cddf68a46f455b4ebbb8c0c70607fe60796cfc5eabdace12d0684a1323af9681700acbdbdc37e63d7806d0220fce9cba5213bb35cee056f9d71646f98711b9

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE
  Filesize: 264B
  MD5: bf41c2e1fcc783e466a4281c43fc8434
  SHA1: 183be19f7ba92c8c3110db466eae219fc9a5f21f
  SHA256: 9b8ae790e48e07b7e7cc057359fc2b1e986105f2982b0f6fd70b4ab6a7965360
  SHA512: 813c9e04748c58f53b0a3582f8a0f871f10dbc52c5ecbf7f7712edf704dadf04da606e1a5dbe91beb018a6097806f56f0938bb95b5eeae8742654ed1781148b5

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: f0f3a475247ddd71ed0a7bc0e1201b81
  SHA1: 971e427fd81a5d2e67872438260be00ad6d056f2
  SHA256: 7c5e64cf423fb72980ed375557e203a2c51ee1d00df011116a77740289cab8fb
  SHA512: e667691e79fe58a073423ec1b286d4b796374a08f50a98776cc63f790434d79e9208998dc95fc53f85ad57cbe6df98cd48061f460cd8dc791b1abe70313df80c

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (later version of the same file)
  Filesize: 342B
  MD5: 227ca95934f7dac8420218718a1cff6a
  SHA1: a722abf84a5e341fe7698ba134f64f3d6a3e4c2f
  SHA256: c1f1ffccf32d03015e8e479e02064b99db2cfa5dd19f590961ed4063168114c6
  SHA512: 30a5057bd92c38530bbe7292685e22b8a45ed6ec53f19fd85d50eec08c696444b98e3005f860ed4ca0912ba55f33d45ca45900735f38eb720e269da33ee10015

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (later version of the same file)
  Filesize: 342B
  MD5: b99af8fec18d368e4bb3640423633682
  SHA1: 11344fec88001070489b23894ba82379356551b4
  SHA256: 3b86549db31e8d100d7ee3b0f376266ca9a6d5de2b59cd7937b77ffb82d5d6a0
  SHA512: 7c623c3c838e09db438993daf4fa08369bc59191ef98f8d572bec59b6a24646743a4accad2184be010d5fa22d56b5d9819a97024366bbe17f8ae1296014dd061

- Path not recorded
  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

- Path not recorded
  Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

- Path not recorded
  Filesize: 118KB
  MD5: 2bb618b33b17fe35fecaa2896415988b
  SHA1: d8db8afa43f44f71a06c0861ff1ae812929c3fbc
  SHA256: bbbd0d390e6267559360fd3eff00f0d404f68890e8037c895f5b375f08e2678e
  SHA512: 2724b2ee69f2f4836dede8f906cd69ab09e0104a1af4b56263151e55ebe503d2d237d6245a673b060d87dabfe50566c733d195f06ab3d6c01655b0055bb05edd