Analysis
-
max time kernel
101s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64
arch:x86
image:win10v2004-20240802-en
locale:en-us
os:windows10-2004-x64
system -
submitted
13-08-2024 05:15
Static task
static1
Behavioral task
behavioral1
Sample
603029651e4069dd134008902983c360N.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
603029651e4069dd134008902983c360N.exe
Resource
win10v2004-20240802-en
General
-
Target
603029651e4069dd134008902983c360N.exe
-
Size
114KB
-
MD5
603029651e4069dd134008902983c360
-
SHA1
f3208df5baf88764b1398c576da36155708453cb
-
SHA256
aa6814fc37879b6a828fcd3d44eec380b4b1cf392902d2a29e74062f07f5e45b
-
SHA512
2d398cf820b380db9aadf91d023fed6aecb766eb95373475125f8b4148a88c687bc0191fd5b7812342eb28b78fc627cabc1ff0528fb092454a55c79c0870208c
-
SSDEEP
1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDJ:P5eznsjsguGDFqGZ2rDJ
Malware Config
Extracted
njrat
0.7d
neuf
doddyfire.linkpc.net:10000
e1a87040f2026369a233f9ae76301b7b
-
reg_key
e1a87040f2026369a233f9ae76301b7b
-
splitter
|'|'|
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Process: 603029651e4069dd134008902983c360N.exe
| description | ioc | process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | 603029651e4069dd134008902983c360N.exe |
-
Executes dropped EXE 2 IoCs
Processes:
Processes: chargeable.exe, chargeable.exe
| pid | process |
|---|---|
| 2520 | chargeable.exe |
| 1588 | chargeable.exe |
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Process: 603029651e4069dd134008902983c360N.exe
| description | ioc | process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" | 603029651e4069dd134008902983c360N.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\603029651e4069dd134008902983c360N.exe" | 603029651e4069dd134008902983c360N.exe |
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
Process: chargeable.exe
| description | pid | process | target process |
|---|---|---|---|
| PID 2520 set thread context of 1588 | 2520 | chargeable.exe | chargeable.exe |
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
Process: WerFault.exe
| pid | pid_target | process | target process |
|---|---|---|---|
| 3840 | 1588 | WerFault.exe | chargeable.exe |
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Processes: 603029651e4069dd134008902983c360N.exe, chargeable.exe
| description | ioc | process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 603029651e4069dd134008902983c360N.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chargeable.exe |
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
Processes: 603029651e4069dd134008902983c360N.exe, chargeable.exe
| description | pid | process | target process |
|---|---|---|---|
| PID 1780 wrote to memory of 2520 | 1780 | 603029651e4069dd134008902983c360N.exe | chargeable.exe |
| PID 1780 wrote to memory of 2520 | 1780 | 603029651e4069dd134008902983c360N.exe | chargeable.exe |
| PID 1780 wrote to memory of 2520 | 1780 | 603029651e4069dd134008902983c360N.exe | chargeable.exe |
| PID 2520 wrote to memory of 1588 | 2520 | chargeable.exe | chargeable.exe |
| PID 2520 wrote to memory of 1588 | 2520 | chargeable.exe | chargeable.exe |
| PID 2520 wrote to memory of 1588 | 2520 | chargeable.exe | chargeable.exe |
| PID 2520 wrote to memory of 1588 | 2520 | chargeable.exe | chargeable.exe |
| PID 2520 wrote to memory of 1588 | 2520 | chargeable.exe | chargeable.exe |
| PID 2520 wrote to memory of 1588 | 2520 | chargeable.exe | chargeable.exe |
| PID 2520 wrote to memory of 1588 | 2520 | chargeable.exe | chargeable.exe |
| PID 2520 wrote to memory of 1588 | 2520 | chargeable.exe | chargeable.exe |
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\603029651e4069dd134008902983c360N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\603029651e4069dd134008902983c360N.exe"
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1780 -
Depth 2: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
Command line: "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2520 -
Depth 3: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
Command line: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
- Executes dropped EXE
PID:1588 -
Depth 4: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 152
- Program crash
PID:3840
-
Depth 1: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1588 -ip 1588
PID:788
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
114KB
-
MD5
5f3b03ed9980db22ac726a54fd577bea
-
SHA1
6b6f0912997c14f46d58026c887d35761a842b72
-
SHA256
d1e5934f534ffe3bb8657ef9033216642f995a585f69f7b680c9fe453a7484f4
-
SHA512
cb2bbe4762a9aef83f018580a3284d1ffec9db488312f20d57a79d7a06e2f4d46864a97841b3e8b46d29d02da3e92c48c613f72f208e9cf45c2152fdd7bdd825