Analysis

  • max time kernel
    143s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    15-08-2024 01:30

General

  • Target

    9b2117cb443b102c2898569636bf88b12c57e995c21e0fac08552b63843693d8.exe

  • Size

    116KB

  • MD5

    54a24ca4e86b1e12d170b500b188d2b4

  • SHA1

    9a12377ca1121a36636e81c37ac4d47b2b7e3f0d

  • SHA256

    9b2117cb443b102c2898569636bf88b12c57e995c21e0fac08552b63843693d8

  • SHA512

    b56a04e965ae54b686ed9bcd1b3a9541e5d4a000b2ecf5ea92ad5d29fd548278eb2253973b61ce6f7aa7cb4a5164e955bf4f15b37745a25aadc0dedfac5ffa8e

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMdeae:P5eznsjsguGDFqGZ2rG

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9b2117cb443b102c2898569636bf88b12c57e995c21e0fac08552b63843693d8.exe
    "C:\Users\Admin\AppData\Local\Temp\9b2117cb443b102c2898569636bf88b12c57e995c21e0fac08552b63843693d8.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2936
      • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2704
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2744

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

    Filesize

    1KB

    MD5

    e7122c733f9e37bba0ca4c985ce11d6d

    SHA1

    d661aa5b31ff7ef2df9bc4095279058c36499af2

    SHA256

    acc9932453f5aa68f4b95986668f5584f99e55bbe02eefc0d0960dab376df81a

    SHA512

    84cddf68a46f455b4ebbb8c0c70607fe60796cfc5eabdace12d0684a1323af9681700acbdbdc37e63d7806d0220fce9cba5213bb35cee056f9d71646f98711b9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

    Filesize

    264B

    MD5

    a604ea1ec00fa9e2bca3a0d08ba01f51

    SHA1

    24538f128c85d8a1101b6366fb354ef95ab35728

    SHA256

    3c161ef5d086ae7c0665d10afc77e281c7f6a874fd48ab6fb49f98cd54fbdba4

    SHA512

    93e49357b233b27a49d9b4d72cbfe2871ca52c537c2ccff8703823a9ff32ad849bd15805744b0901b5fcf506f74fc59435591b30fe04d02bd7efe4b503c74822

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    18247dcae3cda658d8d063a7d139c033

    SHA1

    57fe3e11cde4e5fcf7fa44f0b9392a45b7423b36

    SHA256

    8a06a6462131468619467c76c370aff3844efd6455b4ef8c5ac246c426e392bf

    SHA512

    4e5ad31d96eac381584917446bd162d245d8993d7854c6bba6a41fd0cbe768ced4acc55b412d51cd4013d543afaca8c09904bf8ffec4d712751acabaa5c2388f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    1f7ad5ded7de90610e1351ddec3c9b6d

    SHA1

    259600fc70640da427226750096d95e3c3e27ddc

    SHA256

    54ff911bd1bf1e0c53270c41f740808f136cd9dcf65c65e132834b2a18ce7811

    SHA512

    9c0b933498757fb7225a226bb711cf3a5928b31725a71de7f7e17ef54567b63464ce745c7c531bf1a4e2250c843b53361fe5d9a6c2cc9871b4c4876eca54b804

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    e79d3557b6e6be89ee99a4c7663aaf8c

    SHA1

    8730f831b3c820b0ac24f3dc8e328b763ae5c89c

    SHA256

    aeaf0c2ec79b8d2828464acadc9ffd62d20469b58013e16f9a749be5c760dea2

    SHA512

    1ba7202885d9a5b60c52a488f963cf041f2cb594e176d4005cfab002f34f0187601e4eb2cca2da047909aec47fe5d726aa35e1dce1d5994a10e6e850a0d393d1

  • C:\Users\Admin\AppData\Local\Temp\CabC5FF.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarC612.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • \Users\Admin\AppData\Roaming\confuse\chargeable.exe

    Filesize

    116KB

    MD5

    93cc9e4da1b4dcee7a580b1ed74850e5

    SHA1

    c0a406ef0a9fcf2d7183d8b0f26a5651d08803e9

    SHA256

    f9bb5b6d1a3eafa316fc203bf61456b80098d0f5599749cf49fec296c64b84d6

    SHA512

    6294c70e3982357fa6e1f66032bbfb904ab03f671c4411053d3bbae8ee908e38b2d9ae3f87f82a908dff43e97c90b0d539fd55f9db967adbd72d95ccf3d0f1ff

  • memory/1996-177-0x00000000745F0000-0x0000000074B9B000-memory.dmp

    Filesize

    5.7MB

  • memory/1996-0-0x00000000745F1000-0x00000000745F2000-memory.dmp

    Filesize

    4KB

  • memory/1996-1-0x00000000745F0000-0x0000000074B9B000-memory.dmp

    Filesize

    5.7MB

  • memory/2704-341-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2704-344-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2704-343-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB