Analysis
- max time kernel: 146s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 11-08-2024 04:06
Static task: static1
Behavioral task: behavioral1
- Sample: f23016865d720ea3fbdd46458e56aae004fc847c61d39fc22136f48151dcae55.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: f23016865d720ea3fbdd46458e56aae004fc847c61d39fc22136f48151dcae55.exe
- Resource: win10v2004-20240802-en
General
- Target: f23016865d720ea3fbdd46458e56aae004fc847c61d39fc22136f48151dcae55.exe
- Size: 115KB
- MD5: 6b54aad21a79faadc1668f334debf2ff
- SHA1: a154459963ba5cd6f0e820648c9c9afaae88c208
- SHA256: f23016865d720ea3fbdd46458e56aae004fc847c61d39fc22136f48151dcae55
- SHA512: 4001393097bad0b269f7616a0e73f7ff383a23ff43ae9bec33c7665f0fdf3934ce9b10239146a914fe4dd76cc82b3573481ddc8f03648ff0cf1e30ce2e4e0d06
- SSDEEP: 1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLVG:P5eznsjsguGDFqGZ2rDLk
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: neuf
- C2: doddyfire.linkpc.net:10000
- Mutex: e1a87040f2026369a233f9ae76301b7b
- reg_key: e1a87040f2026369a233f9ae76301b7b
- splitter: |'|'|
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes:
  - netsh.exe (PID 2764)
- Executes dropped EXE (2 IoCs)
  Processes:
  - chargeable.exe (PID 812)
  - chargeable.exe (PID 2916)
- Loads dropped DLL (2 IoCs)
  Processes:
  - f23016865d720ea3fbdd46458e56aae004fc847c61d39fc22136f48151dcae55.exe (PID 2636), 2 entries
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, IoC, process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" (f23016865d720ea3fbdd46458e56aae004fc847c61d39fc22136f48151dcae55.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f23016865d720ea3fbdd46458e56aae004fc847c61d39fc22136f48151dcae55.exe" (f23016865d720ea3fbdd46458e56aae004fc847c61d39fc22136f48151dcae55.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, PID, process, target process):
  - PID 812 (chargeable.exe) set thread context of PID 2916 (chargeable.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Processes (description, IoC, process):
  - Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh (netsh.exe)
  - Key opened: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh (netsh.exe)
  - Key queried: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh (netsh.exe)
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description, IoC, process):
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (f23016865d720ea3fbdd46458e56aae004fc847c61d39fc22136f48151dcae55.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (chargeable.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (chargeable.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (netsh.exe)
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes (description, PID, process):
  - chargeable.exe (PID 2916): Token: SeDebugPrivilege (1 entry), followed by Token: 33 and Token: SeIncBasePriorityPrivilege alternating (16 entries each)
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (description, PID, process, target process):
  - PID 2636 (f23016865d720ea3fbdd46458e56aae004fc847c61d39fc22136f48151dcae55.exe) wrote to memory of PID 812 (chargeable.exe), 4 entries
  - PID 812 (chargeable.exe) wrote to memory of PID 2916 (chargeable.exe), 9 entries
  - PID 2916 (chargeable.exe) wrote to memory of PID 2764 (netsh.exe), 4 entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\f23016865d720ea3fbdd46458e56aae004fc847c61d39fc22136f48151dcae55.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f23016865d720ea3fbdd46458e56aae004fc847c61d39fc22136f48151dcae55.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2636
   2. C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      Command line: "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 812
      3. C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
         Command line: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         PID: 2916
         4. C:\Windows\SysWOW64\netsh.exe
            Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
            - Modifies Windows Firewall
            - Event Triggered Execution: Netsh Helper DLL
            - System Location Discovery: System Language Discovery
            PID: 2764
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Defense Evasion
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (1)
Downloads