Analysis
- max time kernel: 119s
- max time network: 111s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 13-08-2024 13:55
Static task: static1
Behavioral task: behavioral1
- Sample: 7abd36fd92bf444bcb8472ea1826d8e0N.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 7abd36fd92bf444bcb8472ea1826d8e0N.exe
- Resource: win10v2004-20240802-en
General
- Target: 7abd36fd92bf444bcb8472ea1826d8e0N.exe
- Size: 115KB
- MD5: 7abd36fd92bf444bcb8472ea1826d8e0
- SHA1: 88a481771faf9222dac2cf0527df77924718e50e
- SHA256: caad0b85aaaf8044a8a4482cae5b1908295f68378a8c5cad31dad01024cabe82
- SHA512: d43ad84cede27c5b7ff33befea5c655331d82ffdccf98659af7021d5334238a186f9214c9795a927daf4dcda75c6d9cbc440300047ee550ac7d816159c3ec684
- SSDEEP: 1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDL10:P5eznsjsguGDFqGZ2rDL10
Malware Config
Extracted
njrat
0.7d
neuf
doddyfire.linkpc.net:10000
e1a87040f2026369a233f9ae76301b7b
- reg_key: e1a87040f2026369a233f9ae76301b7b
- splitter: |'|'|
Signatures
Modifies Windows Firewall (2 TTPs, 1 IoCs)
Processes (pid, process):
- 2684 netsh.exe
Executes dropped EXE (2 IoCs)
Processes (pid, process):
- 2020 chargeable.exe
- 2336 chargeable.exe
Loads dropped DLL (2 IoCs)
Processes (pid, process):
- 2432 7abd36fd92bf444bcb8472ea1826d8e0N.exe
- 2432 7abd36fd92bf444bcb8472ea1826d8e0N.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" | 7abd36fd92bf444bcb8472ea1826d8e0N.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7abd36fd92bf444bcb8472ea1826d8e0N.exe" | 7abd36fd92bf444bcb8472ea1826d8e0N.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes (description | pid | process | target process):
- PID 2020 set thread context of 2336 | 2020 | chargeable.exe | chargeable.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL (1 TTPs, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes (description | ioc | process):
- Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
- Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
- Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
Processes (description | ioc | process):
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7abd36fd92bf444bcb8472ea1826d8e0N.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chargeable.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chargeable.exe
Suspicious use of AdjustPrivilegeToken (23 IoCs)
Processes (description | pid | process):
- Token: SeDebugPrivilege | 2336 | chargeable.exe
- Token: 33 | 2336 | chargeable.exe
- Token: SeIncBasePriorityPrivilege | 2336 | chargeable.exe
(the "Token: 33" / "Token: SeIncBasePriorityPrivilege" pair for PID 2336 chargeable.exe is repeated 11 times in total)
Suspicious use of WriteProcessMemory (17 IoCs)
Processes (description | pid | process | target process):
- PID 2432 wrote to memory of 2020 | 2432 | 7abd36fd92bf444bcb8472ea1826d8e0N.exe | chargeable.exe (4 entries)
- PID 2020 wrote to memory of 2336 | 2020 | chargeable.exe | chargeable.exe (9 entries)
- PID 2336 wrote to memory of 2684 | 2336 | chargeable.exe | netsh.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\7abd36fd92bf444bcb8472ea1826d8e0N.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7abd36fd92bf444bcb8472ea1826d8e0N.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2432
  - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2020
    - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (level 3)
      Command line: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2336
      - C:\Windows\SysWOW64\netsh.exe (level 4)
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery
        PID: 2684
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Defense Evasion
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (1)
Downloads
- Filesize: 1KB
  MD5: e7122c733f9e37bba0ca4c985ce11d6d
  SHA1: d661aa5b31ff7ef2df9bc4095279058c36499af2
  SHA256: acc9932453f5aa68f4b95986668f5584f99e55bbe02eefc0d0960dab376df81a
  SHA512: 84cddf68a46f455b4ebbb8c0c70607fe60796cfc5eabdace12d0684a1323af9681700acbdbdc37e63d7806d0220fce9cba5213bb35cee056f9d71646f98711b9
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE
  Filesize: 264B
  MD5: d8a95a524cddeb735200ff1374fcc691
  SHA1: d564691c7ac50d0a01460c905b25111f0ae812e8
  SHA256: ef33c58bfdb7234f16e6aaf3e63c9070b5af90a2d15345d34f613685175e1eeb
  SHA512: 3da980788c9aa91017ffd3124a4330ff7d5a8e21536d21b45f49ad9ef7f710946a5eb0a52c5f445814122da0f18622ff10f5f41f941ca555a70bddba541949a2
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: e3a4cb88da3629ecb9daa0ae6c138b4a
  SHA1: 906e7a88e6a44c88bb54a268fc5e32d4fc235e17
  SHA256: 56f6659481cfa7d2467c3ae0d040dae6674c7f1b1c019b04ca1828615752fa45
  SHA512: a10581a452e0a33d62c9e38487786a3862c190428cf4780ae74b161da08a346209edd2e3de30ed6845b77575af4349239f4c1a1d03a02a1073d7c9bf48a541a3
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: b0a1fb477db924ff1fcb09272c1eacb1
  SHA1: 0aac9bb8257f6b56fcff0d6db2592d606e825075
  SHA256: e48e8d2680c24332ad3234dc60e94771780ef0ce7b56f9877bb058ca1497e4a4
  SHA512: 9899321e6caaa6ff5256d424b31bf68b89c62cd8c43f409592cff6d615a8f0c02d85a5e2d9fd0fb396e8a98b93b687e2226187e39f61762ca01bd9e706789322
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 7342474e214bee3c16b97f18cad07110
  SHA1: 9effb233fdc8b4f895c9eccdb6870059f64fb82e
  SHA256: 41e0b14e20c2f7401870c3e641c779d09d716178a128f1a7d3b86a49032e9b38
  SHA512: 5c9af6b4880d2cfae36495e56a309d3ce41d5c56be5c661518a0e2468c5c854f8345db8d4a6b581d88f97d592248a72303a917a6a0f783b84ca68533acc47cec
- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
- Filesize: 116KB
  MD5: 825c82824bd0a4b2c5b7aa565a9402e9
  SHA1: c0899e787fda60c1ae795e02c99f1d22e832c56f
  SHA256: 9b3f9d48cbe4b3d46651c0129d48e185cc64982856ad3b0174631bfc89e6c665
  SHA512: 14519b3aca0d068c97cdabe95f65d8438b79b674a52dd4cea97004fd7fa4a984b1c22f9c05eb822ddefe959d9902a4f0130daa674c0a42c980aa7067850e8312