Malware Analysis Report

2024-10-19 08:03

Sample ID 240809-b4sjdsyanb
Target bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6
SHA256 bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6
Tags
njrat neuf discovery evasion persistence privilege_escalation trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6

Threat Level: Known bad

The file bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6 was found to be: Known bad.

Malicious Activity Summary

njrat neuf discovery evasion persistence privilege_escalation trojan

njRAT/Bladabindi

Modifies Windows Firewall

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-09 01:42

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-09 01:42

Reported

2024-08-09 01:44

Platform

win7-20240708-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" C:\Users\Admin\AppData\Local\Temp\bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6.exe" C:\Users\Admin\AppData\Local\Temp\bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3032 set thread context of 2768 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2884 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2884 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2884 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2884 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 3032 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 3032 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 3032 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 3032 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 3032 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 3032 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 3032 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 3032 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 3032 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2768 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 2768 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 2768 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 2768 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6.exe

"C:\Users\Admin\AppData\Local\Temp\bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.18.190.80:80 crl.microsoft.com tcp
US 8.8.8.8:53 doddyfire.linkpc.net udp
MA 196.217.66.97:10000 doddyfire.linkpc.net tcp
MA 196.217.66.97:10000 doddyfire.linkpc.net tcp
MA 196.217.66.97:10000 doddyfire.linkpc.net tcp
MA 196.217.66.97:10000 doddyfire.linkpc.net tcp
MA 196.217.66.97:10000 doddyfire.linkpc.net tcp
MA 196.217.66.97:10000 doddyfire.linkpc.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab66D0.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar66E3.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f0f3a475247ddd71ed0a7bc0e1201b81
SHA1 971e427fd81a5d2e67872438260be00ad6d056f2
SHA256 7c5e64cf423fb72980ed375557e203a2c51ee1d00df011116a77740289cab8fb
SHA512 e667691e79fe58a073423ec1b286d4b796374a08f50a98776cc63f790434d79e9208998dc95fc53f85ad57cbe6df98cd48061f460cd8dc791b1abe70313df80c

\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5 2bb618b33b17fe35fecaa2896415988b
SHA1 d8db8afa43f44f71a06c0861ff1ae812929c3fbc
SHA256 bbbd0d390e6267559360fd3eff00f0d404f68890e8037c895f5b375f08e2678e
SHA512 2724b2ee69f2f4836dede8f906cd69ab09e0104a1af4b56263151e55ebe503d2d237d6245a673b060d87dabfe50566c733d195f06ab3d6c01655b0055bb05edd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 227ca95934f7dac8420218718a1cff6a
SHA1 a722abf84a5e341fe7698ba134f64f3d6a3e4c2f
SHA256 c1f1ffccf32d03015e8e479e02064b99db2cfa5dd19f590961ed4063168114c6
SHA512 30a5057bd92c38530bbe7292685e22b8a45ed6ec53f19fd85d50eec08c696444b98e3005f860ed4ca0912ba55f33d45ca45900735f38eb720e269da33ee10015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

MD5 e7122c733f9e37bba0ca4c985ce11d6d
SHA1 d661aa5b31ff7ef2df9bc4095279058c36499af2
SHA256 acc9932453f5aa68f4b95986668f5584f99e55bbe02eefc0d0960dab376df81a
SHA512 84cddf68a46f455b4ebbb8c0c70607fe60796cfc5eabdace12d0684a1323af9681700acbdbdc37e63d7806d0220fce9cba5213bb35cee056f9d71646f98711b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

MD5 bf41c2e1fcc783e466a4281c43fc8434
SHA1 183be19f7ba92c8c3110db466eae219fc9a5f21f
SHA256 9b8ae790e48e07b7e7cc057359fc2b1e986105f2982b0f6fd70b4ab6a7965360
SHA512 813c9e04748c58f53b0a3582f8a0f871f10dbc52c5ecbf7f7712edf704dadf04da606e1a5dbe91beb018a6097806f56f0938bb95b5eeae8742654ed1781148b5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b99af8fec18d368e4bb3640423633682
SHA1 11344fec88001070489b23894ba82379356551b4
SHA256 3b86549db31e8d100d7ee3b0f376266ca9a6d5de2b59cd7937b77ffb82d5d6a0
SHA512 7c623c3c838e09db438993daf4fa08369bc59191ef98f8d572bec59b6a24646743a4accad2184be010d5fa22d56b5d9819a97024366bbe17f8ae1296014dd061

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-09 01:42

Reported

2024-08-09 01:44

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" C:\Users\Admin\AppData\Local\Temp\bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6.exe" C:\Users\Admin\AppData\Local\Temp\bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 408 set thread context of 1920 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2720 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2720 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2720 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 408 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 408 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 408 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 408 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 408 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 408 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 408 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 408 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1920 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 1920 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 1920 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6.exe

"C:\Users\Admin\AppData\Local\Temp\bb83795052eaa51be80400ae78af06f3d236b6e10e5abf6e26e26397e1573be6.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 doddyfire.linkpc.net udp
MA 196.217.66.97:10000 doddyfire.linkpc.net tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
MA 196.217.66.97:10000 doddyfire.linkpc.net tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
MA 196.217.66.97:10000 doddyfire.linkpc.net tcp
MA 196.217.66.97:10000 doddyfire.linkpc.net tcp
MA 196.217.66.97:10000 doddyfire.linkpc.net tcp
MA 196.217.66.97:10000 doddyfire.linkpc.net tcp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5 7200339855f1b9e9e2079789285c0362
SHA1 2d15a634babf33884c09ca4d7c2821c6ee7dc1f4
SHA256 b4911e4e5ad30f3fe44f742a26c47212ab07a156497dafa0b90a3249efc61525
SHA512 e04ad716c73200cf8fc7b33137b85f3bb878ca83deb68e0c7d6f5b1fd409e623c46d467bc45117549bdfcb46ecab80aa82bc47b4a48b42357caecde6d8a0baef

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log

MD5 0a9b4592cd49c3c21f6767c2dabda92f
SHA1 f534297527ae5ccc0ecb2221ddeb8e58daeb8b74
SHA256 c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd
SHA512 6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307
