Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-08-2024 04:15

General

  • Target

    f45517c9e224d5ded7c3440f1247c20f464fdc1e2391ba371ac2a2a940eb286f.exe

  • Size

    116KB

  • MD5

    2aa632496e8fcc2d350f40fc2c783454

  • SHA1

    ce2b94d7a3a8f1f10b294bf614d05636d38b65ea

  • SHA256

    f45517c9e224d5ded7c3440f1247c20f464fdc1e2391ba371ac2a2a940eb286f

  • SHA512

    c30dd0d9463d619036961b8338eb13d9d9b5b5f7b5ebacb90a72bd1e3e32b6b064024c8a018d16b6dcad9d9cb687e1e6f610a96a3b826d650d7fae1868e31b5a

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLi:P5eznsjsguGDFqGZ2rDLi

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall (2 TTPs, 1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken (31 IoCs)
  • Suspicious use of WriteProcessMemory (17 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\f45517c9e224d5ded7c3440f1247c20f464fdc1e2391ba371ac2a2a940eb286f.exe
    "C:\Users\Admin\AppData\Local\Temp\f45517c9e224d5ded7c3440f1247c20f464fdc1e2391ba371ac2a2a940eb286f.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2544
    • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1900
      • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2848
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2868

Downloads

  • \Users\Admin\AppData\Roaming\confuse\chargeable.exe

    Filesize

    116KB

    MD5

    acccbb84ce61eb7572ea5b8aaa2debfb

    SHA1

    872716df423ca8bb5492c1a1ba5baa635fd24f5f

    SHA256

    be0963a7f7b95e46cbd2f3920a7dafb0bc48db3ff3f3fb2e3f104e300045f673

    SHA512

    d58aaa31881479b4a44661e93d26b8b72d66b5cc39e4f3eef8045da07d806f3654ced92f65d72649d68a5494b48ab68a08dbd1328bd644c0456683b08e1b41d8
