Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
11-08-2024 04:15
Static task
static1
Behavioral task
behavioral1
Sample
f45517c9e224d5ded7c3440f1247c20f464fdc1e2391ba371ac2a2a940eb286f.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
f45517c9e224d5ded7c3440f1247c20f464fdc1e2391ba371ac2a2a940eb286f.exe
Resource
win10v2004-20240802-en
General
-
Target
f45517c9e224d5ded7c3440f1247c20f464fdc1e2391ba371ac2a2a940eb286f.exe
-
Size
116KB
-
MD5
2aa632496e8fcc2d350f40fc2c783454
-
SHA1
ce2b94d7a3a8f1f10b294bf614d05636d38b65ea
-
SHA256
f45517c9e224d5ded7c3440f1247c20f464fdc1e2391ba371ac2a2a940eb286f
-
SHA512
c30dd0d9463d619036961b8338eb13d9d9b5b5f7b5ebacb90a72bd1e3e32b6b064024c8a018d16b6dcad9d9cb687e1e6f610a96a3b826d650d7fae1868e31b5a
-
SSDEEP
1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLi:P5eznsjsguGDFqGZ2rDLi
Malware Config
Extracted
njrat
0.7d
neuf
doddyfire.linkpc.net:10000
e1a87040f2026369a233f9ae76301b7b
-
reg_key
e1a87040f2026369a233f9ae76301b7b
-
splitter
|'|'|
Signatures
-
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
netsh.exepid process 2868 netsh.exe -
Executes dropped EXE 2 IoCs
Processes:
chargeable.exechargeable.exepid process 1900 chargeable.exe 2848 chargeable.exe -
Loads dropped DLL 2 IoCs
Processes:
f45517c9e224d5ded7c3440f1247c20f464fdc1e2391ba371ac2a2a940eb286f.exepid process 2544 f45517c9e224d5ded7c3440f1247c20f464fdc1e2391ba371ac2a2a940eb286f.exe 2544 f45517c9e224d5ded7c3440f1247c20f464fdc1e2391ba371ac2a2a940eb286f.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
f45517c9e224d5ded7c3440f1247c20f464fdc1e2391ba371ac2a2a940eb286f.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" f45517c9e224d5ded7c3440f1247c20f464fdc1e2391ba371ac2a2a940eb286f.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f45517c9e224d5ded7c3440f1247c20f464fdc1e2391ba371ac2a2a940eb286f.exe" f45517c9e224d5ded7c3440f1247c20f464fdc1e2391ba371ac2a2a940eb286f.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
chargeable.exedescription pid process target process PID 1900 set thread context of 2848 1900 chargeable.exe chargeable.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
netsh.exedescription ioc process Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
f45517c9e224d5ded7c3440f1247c20f464fdc1e2391ba371ac2a2a940eb286f.exechargeable.exechargeable.exenetsh.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f45517c9e224d5ded7c3440f1247c20f464fdc1e2391ba371ac2a2a940eb286f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chargeable.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chargeable.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
Suspicious use of AdjustPrivilegeToken 31 IoCs
Processes:
chargeable.exedescription pid process Token: SeDebugPrivilege 2848 chargeable.exe Token: 33 2848 chargeable.exe Token: SeIncBasePriorityPrivilege 2848 chargeable.exe Token: 33 2848 chargeable.exe Token: SeIncBasePriorityPrivilege 2848 chargeable.exe Token: 33 2848 chargeable.exe Token: SeIncBasePriorityPrivilege 2848 chargeable.exe Token: 33 2848 chargeable.exe Token: SeIncBasePriorityPrivilege 2848 chargeable.exe Token: 33 2848 chargeable.exe Token: SeIncBasePriorityPrivilege 2848 chargeable.exe Token: 33 2848 chargeable.exe Token: SeIncBasePriorityPrivilege 2848 chargeable.exe Token: 33 2848 chargeable.exe Token: SeIncBasePriorityPrivilege 2848 chargeable.exe Token: 33 2848 chargeable.exe Token: SeIncBasePriorityPrivilege 2848 chargeable.exe Token: 33 2848 chargeable.exe Token: SeIncBasePriorityPrivilege 2848 chargeable.exe Token: 33 2848 chargeable.exe Token: SeIncBasePriorityPrivilege 2848 chargeable.exe Token: 33 2848 chargeable.exe Token: SeIncBasePriorityPrivilege 2848 chargeable.exe Token: 33 2848 chargeable.exe Token: SeIncBasePriorityPrivilege 2848 chargeable.exe Token: 33 2848 chargeable.exe Token: SeIncBasePriorityPrivilege 2848 chargeable.exe Token: 33 2848 chargeable.exe Token: SeIncBasePriorityPrivilege 2848 chargeable.exe Token: 33 2848 chargeable.exe Token: SeIncBasePriorityPrivilege 2848 chargeable.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
f45517c9e224d5ded7c3440f1247c20f464fdc1e2391ba371ac2a2a940eb286f.exechargeable.exechargeable.exedescription pid process target process PID 2544 wrote to memory of 1900 2544 f45517c9e224d5ded7c3440f1247c20f464fdc1e2391ba371ac2a2a940eb286f.exe chargeable.exe PID 2544 wrote to memory of 1900 2544 f45517c9e224d5ded7c3440f1247c20f464fdc1e2391ba371ac2a2a940eb286f.exe chargeable.exe PID 2544 wrote to memory of 1900 2544 f45517c9e224d5ded7c3440f1247c20f464fdc1e2391ba371ac2a2a940eb286f.exe chargeable.exe PID 2544 wrote to memory of 1900 2544 f45517c9e224d5ded7c3440f1247c20f464fdc1e2391ba371ac2a2a940eb286f.exe chargeable.exe PID 1900 wrote to memory of 2848 1900 chargeable.exe chargeable.exe PID 1900 wrote to memory of 2848 1900 chargeable.exe chargeable.exe PID 1900 wrote to memory of 2848 1900 chargeable.exe chargeable.exe PID 1900 wrote to memory of 2848 1900 chargeable.exe chargeable.exe PID 1900 wrote to memory of 2848 1900 chargeable.exe chargeable.exe PID 1900 wrote to memory of 2848 1900 chargeable.exe chargeable.exe PID 1900 wrote to memory of 2848 1900 chargeable.exe chargeable.exe PID 1900 wrote to memory of 2848 1900 chargeable.exe chargeable.exe PID 1900 wrote to memory of 2848 1900 chargeable.exe chargeable.exe PID 2848 wrote to memory of 2868 2848 chargeable.exe netsh.exe PID 2848 wrote to memory of 2868 2848 chargeable.exe netsh.exe PID 2848 wrote to memory of 2868 2848 chargeable.exe netsh.exe PID 2848 wrote to memory of 2868 2848 chargeable.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f45517c9e224d5ded7c3440f1247c20f464fdc1e2391ba371ac2a2a940eb286f.exe"C:\Users\Admin\AppData\Local\Temp\f45517c9e224d5ded7c3440f1247c20f464fdc1e2391ba371ac2a2a940eb286f.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exeC:\Users\Admin\AppData\Roaming\confuse\chargeable.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2868
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5e7122c733f9e37bba0ca4c985ce11d6d
SHA1d661aa5b31ff7ef2df9bc4095279058c36499af2
SHA256acc9932453f5aa68f4b95986668f5584f99e55bbe02eefc0d0960dab376df81a
SHA51284cddf68a46f455b4ebbb8c0c70607fe60796cfc5eabdace12d0684a1323af9681700acbdbdc37e63d7806d0220fce9cba5213bb35cee056f9d71646f98711b9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE
Filesize264B
MD5e3b8761cbe1998551ddfa21a436d6a99
SHA13a2418507f1a15732508831b547df30024f3e7e2
SHA256ce65f150262f8f56e4ca43b2d05f08ab5cf09c53c714b9faead040f29701f993
SHA51226a39ba65a71b84725e0d32c4d315d2c93cf7c603ca603fa003892e73c558eefdece304cdb99a4d9dd870cbeef939a7fc8d556963b3caa2b3cb3c2c8e45fa387
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5309413ef959fcca4bb4655e203f8e08f
SHA1166d21f6cc245d98238634eb567659106aa9dbec
SHA256ff0d231929a4213c45592186dc95501a76f3537338ff7006d8679bc7edb82228
SHA512483207418feb8d3c90f5bda040f4bd6b8e6f9fc8bd1baaf10daa848b6082d23b0b42bcdb29a627457fed65d5d0284bcbec6ba92809eee3f599e5f98bc66e5afd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD565c76f341db8d72285c2db67ae1ba477
SHA1ffdaaf9c376e1f5e43bd9b60a9bd66424c922792
SHA256fda5918e2c35e01cf8c9bd2f4deb846889dc299db11840fd23349b32f1b61bcf
SHA5123c351e33c50be71f9fe285adf0e29fab497b0996ae0daac931112aa8b4bb643ad36b3661f82e50fdc3c62ccf6ecd197a82f8acc1a9d06c4b941d329d043539db
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD522fb496296fa13051d01fa60f71ea6c1
SHA12c9e5283d448a933c7a792ab45edf88013a89d1e
SHA256b4d2d763d0c263b3ab168d153d8e95a4e214b1df25986b458397548bbd37ef63
SHA512fee555646598e668e24ae58d128fc093a4c760cd07b95ac8c01d03b6cace6231df5ecd5259884419407c169bc1f422f743b2721dd17b27728855e8b02216ac5d
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
116KB
MD5acccbb84ce61eb7572ea5b8aaa2debfb
SHA1872716df423ca8bb5492c1a1ba5baa635fd24f5f
SHA256be0963a7f7b95e46cbd2f3920a7dafb0bc48db3ff3f3fb2e3f104e300045f673
SHA512d58aaa31881479b4a44661e93d26b8b72d66b5cc39e4f3eef8045da07d806f3654ced92f65d72649d68a5494b48ab68a08dbd1328bd644c0456683b08e1b41d8