Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
submitted: 16-08-2024 08:20
Static task: static1
Behavioral task: behavioral1
  Sample: e92558ae38e7e4265d09e8c75eea1fe0N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: e92558ae38e7e4265d09e8c75eea1fe0N.exe
  Resource: win10v2004-20240802-en
General
Target: e92558ae38e7e4265d09e8c75eea1fe0N.exe
Size: 118KB
MD5: e92558ae38e7e4265d09e8c75eea1fe0
SHA1: 5de2f64c6126771c1b1b1c7e2441e709bd008a97
SHA256: 3d90e73d4a2d7b46de5897b1db7fdbca33b49e713bd215743f76d582b547a230
SHA512: 2cd8e1cc4eee377b92cb0d8ab883a03355929fad404863c6e77276d0be4c8bdf232a4f7dc866e3c36ae38faca1f25ed141ddeb97c1ca08d5367bb71e31cd5bab
SSDEEP: 1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDL14FgE:P5eznsjsguGDFqGZ2rDL14FgE
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: neuf
C2: doddyfire.linkpc.net:10000
Mutex: e1a87040f2026369a233f9ae76301b7b
reg_key: e1a87040f2026369a233f9ae76301b7b
splitter: |'|'|
Signatures
Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes:
  netsh.exe (PID 2852)

Executes dropped EXE (2 IoCs)
Processes:
  chargeable.exe (PID 584)
  chargeable.exe (PID 2836)

Loads dropped DLL (2 IoCs)
Processes:
  e92558ae38e7e4265d09e8c75eea1fe0N.exe (PID 2520)
  e92558ae38e7e4265d09e8c75eea1fe0N.exe (PID 2520)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  e92558ae38e7e4265d09e8c75eea1fe0N.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"
  e92558ae38e7e4265d09e8c75eea1fe0N.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e92558ae38e7e4265d09e8c75eea1fe0N.exe"

Suspicious use of SetThreadContext (1 IoC)
Processes:
  chargeable.exe (PID 584) set thread context of chargeable.exe (PID 2836)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
  netsh.exe: Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh
  netsh.exe: Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh
  netsh.exe: Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  e92558ae38e7e4265d09e8c75eea1fe0N.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  chargeable.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  chargeable.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  netsh.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious use of AdjustPrivilegeToken (25 IoCs)
Processes:
  chargeable.exe (PID 2836): Token: SeDebugPrivilege
  chargeable.exe (PID 2836): Token: 33
  chargeable.exe (PID 2836): Token: SeIncBasePriorityPrivilege
  chargeable.exe (PID 2836): Token: 33
  chargeable.exe (PID 2836): Token: SeIncBasePriorityPrivilege
  chargeable.exe (PID 2836): Token: 33
  chargeable.exe (PID 2836): Token: SeIncBasePriorityPrivilege
  chargeable.exe (PID 2836): Token: 33
  chargeable.exe (PID 2836): Token: SeIncBasePriorityPrivilege
  chargeable.exe (PID 2836): Token: 33
  chargeable.exe (PID 2836): Token: SeIncBasePriorityPrivilege
  chargeable.exe (PID 2836): Token: 33
  chargeable.exe (PID 2836): Token: SeIncBasePriorityPrivilege
  chargeable.exe (PID 2836): Token: 33
  chargeable.exe (PID 2836): Token: SeIncBasePriorityPrivilege
  chargeable.exe (PID 2836): Token: 33
  chargeable.exe (PID 2836): Token: SeIncBasePriorityPrivilege
  chargeable.exe (PID 2836): Token: 33
  chargeable.exe (PID 2836): Token: SeIncBasePriorityPrivilege
  chargeable.exe (PID 2836): Token: 33
  chargeable.exe (PID 2836): Token: SeIncBasePriorityPrivilege
  chargeable.exe (PID 2836): Token: 33
  chargeable.exe (PID 2836): Token: SeIncBasePriorityPrivilege
  chargeable.exe (PID 2836): Token: 33
  chargeable.exe (PID 2836): Token: SeIncBasePriorityPrivilege

Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
  PID 2520 e92558ae38e7e4265d09e8c75eea1fe0N.exe wrote to memory of PID 584 chargeable.exe
  PID 2520 e92558ae38e7e4265d09e8c75eea1fe0N.exe wrote to memory of PID 584 chargeable.exe
  PID 2520 e92558ae38e7e4265d09e8c75eea1fe0N.exe wrote to memory of PID 584 chargeable.exe
  PID 2520 e92558ae38e7e4265d09e8c75eea1fe0N.exe wrote to memory of PID 584 chargeable.exe
  PID 584 chargeable.exe wrote to memory of PID 2836 chargeable.exe
  PID 584 chargeable.exe wrote to memory of PID 2836 chargeable.exe
  PID 584 chargeable.exe wrote to memory of PID 2836 chargeable.exe
  PID 584 chargeable.exe wrote to memory of PID 2836 chargeable.exe
  PID 584 chargeable.exe wrote to memory of PID 2836 chargeable.exe
  PID 584 chargeable.exe wrote to memory of PID 2836 chargeable.exe
  PID 584 chargeable.exe wrote to memory of PID 2836 chargeable.exe
  PID 584 chargeable.exe wrote to memory of PID 2836 chargeable.exe
  PID 584 chargeable.exe wrote to memory of PID 2836 chargeable.exe
  PID 2836 chargeable.exe wrote to memory of PID 2852 netsh.exe
  PID 2836 chargeable.exe wrote to memory of PID 2852 netsh.exe
  PID 2836 chargeable.exe wrote to memory of PID 2852 netsh.exe
  PID 2836 chargeable.exe wrote to memory of PID 2852 netsh.exe
Processes
C:\Users\Admin\AppData\Local\Temp\e92558ae38e7e4265d09e8c75eea1fe0N.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e92558ae38e7e4265d09e8c75eea1fe0N.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2520
  C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 584
    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2836
      C:\Windows\SysWOW64\netsh.exe (depth 4)
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery
        PID: 2852
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Defense Evasion
  Impair Defenses (1)
    Disable or Modify System Firewall (1)
  Modify Registry (1)