Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    11-08-2024 04:06

General

  • Target

    f23016865d720ea3fbdd46458e56aae004fc847c61d39fc22136f48151dcae55.exe

  • Size

    115KB

  • MD5

    6b54aad21a79faadc1668f334debf2ff

  • SHA1

    a154459963ba5cd6f0e820648c9c9afaae88c208

  • SHA256

    f23016865d720ea3fbdd46458e56aae004fc847c61d39fc22136f48151dcae55

  • SHA512

    4001393097bad0b269f7616a0e73f7ff383a23ff43ae9bec33c7665f0fdf3934ce9b10239146a914fe4dd76cc82b3573481ddc8f03648ff0cf1e30ce2e4e0d06

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLVG:P5eznsjsguGDFqGZ2rDLk

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f23016865d720ea3fbdd46458e56aae004fc847c61d39fc22136f48151dcae55.exe
    "C:\Users\Admin\AppData\Local\Temp\f23016865d720ea3fbdd46458e56aae004fc847c61d39fc22136f48151dcae55.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2636
    • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:812
      • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2916
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2764

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

    Filesize

    1KB

    MD5

    e7122c733f9e37bba0ca4c985ce11d6d

    SHA1

    d661aa5b31ff7ef2df9bc4095279058c36499af2

    SHA256

    acc9932453f5aa68f4b95986668f5584f99e55bbe02eefc0d0960dab376df81a

    SHA512

    84cddf68a46f455b4ebbb8c0c70607fe60796cfc5eabdace12d0684a1323af9681700acbdbdc37e63d7806d0220fce9cba5213bb35cee056f9d71646f98711b9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

    Filesize

    264B

    MD5

    18c190066b7c920950bddb5b53d7ec5a

    SHA1

    cfef8a450e79edc15c6948365c14be94fb794172

    SHA256

    7f69c0ad6cb908c24656bc9a429a14a2665e81a4529b1741041e4a20ac05c8f8

    SHA512

    c9175c53a930fa3d2141f82dae0a6377ec162888f4e0c8e5c7680cfd1e3c2b1e6a9d04bd1d03049eba68a9a715656846b5796d95b48908bdac9e183c81fb10af

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    79381e2b6d775b1f43ac079c83e8ae9b

    SHA1

    158c92483914f65137f377f3062a1aa95e0fc6b4

    SHA256

    d846140b4ccd9b63d0d7bb31d58ee8ce755e95fca10fd7ecedb63d8e79a528e2

    SHA512

    8f3f73522ff3d4195421cf40b35844423751073ad26583f51396f16d6707bb7a0608e0c56dfa42ed0781458b6665f90304ea7868f68cf54d51a74549e9d57b37

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    4bf80e2cd24b170852524677587dd35f

    SHA1

    e2e07486ce1b89cab76089b3f25c61cda77b97a5

    SHA256

    5798f3011801a75b3f08971d5d3106b1f14f8f02a12c97f8d1889c3fa2069656

    SHA512

    835b08f70341a13bd084c3b5d4cb42f20e2df308ba0d05c4d119cce1056c80c5665221bbe0835be44513c66bd29d558927585d5fccfd9aa800c14d6036fca14e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    2b88a9760721e01af46b68adbc4d7886

    SHA1

    b6b0442905096555dc12a0e03f20a10d406d1b08

    SHA256

    3139180be7f7afa98c7b6f819de0943e4af204adfacc5daa84eb135156cb72db

    SHA512

    f55a696aeb33d56b3e89d1a3a97e59921b873bc4f06e0369184fef9dc9f195a473d894eb42e36ad0e9aa0a978fb022b0cde193631e2c6718617f197d73e7f620

  • C:\Users\Admin\AppData\Local\Temp\Cab4443.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar4446.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

    Filesize

    115KB

    MD5

    2e3f23429c9a1b901520818b481aa015

    SHA1

    76d3e3c87be73944951feee9bc93a871c82df028

    SHA256

    687ba1a8579eb92fce619e61e19d354241a454c647ace5dce6017fc98821e79f

    SHA512

    83548c7f0e91fc88cd107ee45bc1a87748f095ba1d9482d404785bd327238bde6d7d4856280b84b8bac2d50e1974dca06e9ede94946627fb76f8038a46bc9be6

  • memory/2636-179-0x0000000074070000-0x000000007461B000-memory.dmp

    Filesize

    5.7MB

  • memory/2636-0-0x0000000074071000-0x0000000074072000-memory.dmp

    Filesize

    4KB

  • memory/2636-1-0x0000000074070000-0x000000007461B000-memory.dmp

    Filesize

    5.7MB

  • memory/2916-345-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2916-348-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2916-347-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB