Analysis
- max time kernel: 143s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 15-08-2024 01:30

Static task: static1

Behavioral task: behavioral1
- Sample: 9b2117cb443b102c2898569636bf88b12c57e995c21e0fac08552b63843693d8.exe
- Resource: win7-20240705-en

Behavioral task: behavioral2
- Sample: 9b2117cb443b102c2898569636bf88b12c57e995c21e0fac08552b63843693d8.exe
- Resource: win10v2004-20240802-en
General
- Target: 9b2117cb443b102c2898569636bf88b12c57e995c21e0fac08552b63843693d8.exe
- Size: 116KB
- MD5: 54a24ca4e86b1e12d170b500b188d2b4
- SHA1: 9a12377ca1121a36636e81c37ac4d47b2b7e3f0d
- SHA256: 9b2117cb443b102c2898569636bf88b12c57e995c21e0fac08552b63843693d8
- SHA512: b56a04e965ae54b686ed9bcd1b3a9541e5d4a000b2ecf5ea92ad5d29fd548278eb2253973b61ce6f7aa7cb4a5164e955bf4f15b37745a25aadc0dedfac5ffa8e
- SSDEEP: 1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMdeae:P5eznsjsguGDFqGZ2rG
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: neuf
- C2: doddyfire.linkpc.net:10000
- Mutex: e1a87040f2026369a233f9ae76301b7b
- Attributes:
  - reg_key: e1a87040f2026369a233f9ae76301b7b
  - splitter: |'|'|
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes:
- netsh.exe (PID 2744)

Executes dropped EXE (2 IoCs)
Processes:
- chargeable.exe (PID 2936)
- chargeable.exe (PID 2704)

Loads dropped DLL (2 IoCs)
Processes:
- 9b2117cb443b102c2898569636bf88b12c57e995c21e0fac08552b63843693d8.exe (PID 1996), two DLL loads recorded

Adds Run key to start application (2 TTPs, 2 IoCs)
Process: 9b2117cb443b102c2898569636bf88b12c57e995c21e0fac08552b63843693d8.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"
- Set value (str): \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9b2117cb443b102c2898569636bf88b12c57e995c21e0fac08552b63843693d8.exe"

Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 2936 (chargeable.exe) set thread context of PID 2704 (chargeable.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Process: netsh.exe
- Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh
- Key queried: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 9b2117cb443b102c2898569636bf88b12c57e995c21e0fac08552b63843693d8.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by chargeable.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by chargeable.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by netsh.exe

Suspicious use of AdjustPrivilegeToken (29 IoCs)
Process: chargeable.exe (PID 2704)
- Token: SeDebugPrivilege
- Token: 33 followed by Token: SeIncBasePriorityPrivilege, the pair repeated 14 times

Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
- PID 1996 (9b2117cb443b102c2898569636bf88b12c57e995c21e0fac08552b63843693d8.exe) wrote to memory of PID 2936 (chargeable.exe), 4 times
- PID 2936 (chargeable.exe) wrote to memory of PID 2704 (chargeable.exe), 9 times
- PID 2704 (chargeable.exe) wrote to memory of PID 2744 (netsh.exe), 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\9b2117cb443b102c2898569636bf88b12c57e995c21e0fac08552b63843693d8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9b2117cb443b102c2898569636bf88b12c57e995c21e0fac08552b63843693d8.exe"
  PID: 1996
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    Command line: "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
    PID: 2936
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      Command line: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      PID: 2704
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
        PID: 2744
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)

Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (1)
Downloads