Analysis

  • max time kernel
    119s
  • max time network
    111s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    13-08-2024 13:55

General

  • Target

    7abd36fd92bf444bcb8472ea1826d8e0N.exe

  • Size

    115KB

  • MD5

    7abd36fd92bf444bcb8472ea1826d8e0

  • SHA1

    88a481771faf9222dac2cf0527df77924718e50e

  • SHA256

    caad0b85aaaf8044a8a4482cae5b1908295f68378a8c5cad31dad01024cabe82

  • SHA512

    d43ad84cede27c5b7ff33befea5c655331d82ffdccf98659af7021d5334238a186f9214c9795a927daf4dcda75c6d9cbc440300047ee550ac7d816159c3ec684

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDL10:P5eznsjsguGDFqGZ2rDL10

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7abd36fd92bf444bcb8472ea1826d8e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\7abd36fd92bf444bcb8472ea1826d8e0N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2020
      • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2336
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2684

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

    Filesize

    1KB

    MD5

    e7122c733f9e37bba0ca4c985ce11d6d

    SHA1

    d661aa5b31ff7ef2df9bc4095279058c36499af2

    SHA256

    acc9932453f5aa68f4b95986668f5584f99e55bbe02eefc0d0960dab376df81a

    SHA512

    84cddf68a46f455b4ebbb8c0c70607fe60796cfc5eabdace12d0684a1323af9681700acbdbdc37e63d7806d0220fce9cba5213bb35cee056f9d71646f98711b9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

    Filesize

    264B

    MD5

    d8a95a524cddeb735200ff1374fcc691

    SHA1

    d564691c7ac50d0a01460c905b25111f0ae812e8

    SHA256

    ef33c58bfdb7234f16e6aaf3e63c9070b5af90a2d15345d34f613685175e1eeb

    SHA512

    3da980788c9aa91017ffd3124a4330ff7d5a8e21536d21b45f49ad9ef7f710946a5eb0a52c5f445814122da0f18622ff10f5f41f941ca555a70bddba541949a2

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    e3a4cb88da3629ecb9daa0ae6c138b4a

    SHA1

    906e7a88e6a44c88bb54a268fc5e32d4fc235e17

    SHA256

    56f6659481cfa7d2467c3ae0d040dae6674c7f1b1c019b04ca1828615752fa45

    SHA512

    a10581a452e0a33d62c9e38487786a3862c190428cf4780ae74b161da08a346209edd2e3de30ed6845b77575af4349239f4c1a1d03a02a1073d7c9bf48a541a3

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b0a1fb477db924ff1fcb09272c1eacb1

    SHA1

    0aac9bb8257f6b56fcff0d6db2592d606e825075

    SHA256

    e48e8d2680c24332ad3234dc60e94771780ef0ce7b56f9877bb058ca1497e4a4

    SHA512

    9899321e6caaa6ff5256d424b31bf68b89c62cd8c43f409592cff6d615a8f0c02d85a5e2d9fd0fb396e8a98b93b687e2226187e39f61762ca01bd9e706789322

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    7342474e214bee3c16b97f18cad07110

    SHA1

    9effb233fdc8b4f895c9eccdb6870059f64fb82e

    SHA256

    41e0b14e20c2f7401870c3e641c779d09d716178a128f1a7d3b86a49032e9b38

    SHA512

    5c9af6b4880d2cfae36495e56a309d3ce41d5c56be5c661518a0e2468c5c854f8345db8d4a6b581d88f97d592248a72303a917a6a0f783b84ca68533acc47cec

  • C:\Users\Admin\AppData\Local\Temp\CabF375.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarF3A7.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • \Users\Admin\AppData\Roaming\confuse\chargeable.exe

    Filesize

    116KB

    MD5

    825c82824bd0a4b2c5b7aa565a9402e9

    SHA1

    c0899e787fda60c1ae795e02c99f1d22e832c56f

    SHA256

    9b3f9d48cbe4b3d46651c0129d48e185cc64982856ad3b0174631bfc89e6c665

    SHA512

    14519b3aca0d068c97cdabe95f65d8438b79b674a52dd4cea97004fd7fa4a984b1c22f9c05eb822ddefe959d9902a4f0130daa674c0a42c980aa7067850e8312

  • memory/2336-346-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2336-349-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2336-348-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2432-182-0x0000000073D80000-0x000000007432B000-memory.dmp

    Filesize

    5.7MB

  • memory/2432-0-0x0000000073D81000-0x0000000073D82000-memory.dmp

    Filesize

    4KB

  • memory/2432-2-0x0000000073D80000-0x000000007432B000-memory.dmp

    Filesize

    5.7MB

  • memory/2432-1-0x0000000073D80000-0x000000007432B000-memory.dmp

    Filesize

    5.7MB