Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    16-08-2024 08:20

General

  • Target

    e92558ae38e7e4265d09e8c75eea1fe0N.exe

  • Size

    118KB

  • MD5

    e92558ae38e7e4265d09e8c75eea1fe0

  • SHA1

    5de2f64c6126771c1b1b1c7e2441e709bd008a97

  • SHA256

    3d90e73d4a2d7b46de5897b1db7fdbca33b49e713bd215743f76d582b547a230

  • SHA512

    2cd8e1cc4eee377b92cb0d8ab883a03355929fad404863c6e77276d0be4c8bdf232a4f7dc866e3c36ae38faca1f25ed141ddeb97c1ca08d5367bb71e31cd5bab

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDL14FgE:P5eznsjsguGDFqGZ2rDL14FgE

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e92558ae38e7e4265d09e8c75eea1fe0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e92558ae38e7e4265d09e8c75eea1fe0N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:584
      • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2836
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2852

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

    Filesize

    1KB

    MD5

    e7122c733f9e37bba0ca4c985ce11d6d

    SHA1

    d661aa5b31ff7ef2df9bc4095279058c36499af2

    SHA256

    acc9932453f5aa68f4b95986668f5584f99e55bbe02eefc0d0960dab376df81a

    SHA512

    84cddf68a46f455b4ebbb8c0c70607fe60796cfc5eabdace12d0684a1323af9681700acbdbdc37e63d7806d0220fce9cba5213bb35cee056f9d71646f98711b9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

    Filesize

    264B

    MD5

    a4f92a0e07557d584cd714ab1d72f2e3

    SHA1

    8e0c45f99682020be2ce2611c853fe94d2252ce1

    SHA256

    318d41bb139b51f015458c2a03943da7024b0514ce06bc1705e5fe0fe84e789a

    SHA512

    acb1c046b3abf99bf58527aa20250e21ce69d37129caa0977fe58395bf4f94c0c5c9771e26ad7d95cd6af65bef903f2ec6fe2ed541942cf046eadac133175de1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    f1cfda64e3b1f22e4f0cd53db7563361

    SHA1

    08f1ba3b43d78dbcb3b85fb328b30bd12520e7d2

    SHA256

    2555d257e434154e078b9291595d12bfa38807f44193542f1f29ae4122a9354e

    SHA512

    d3369ed236928ec08fffbd211eb750debe4bd59ab540a7541dfbf013878ce9190cda8a837b357976b5ebf831e22dd8282cfbce094dba426065863edb53295712

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    08284a63d53e4a72abec09d7ff597d98

    SHA1

    2f921548463ad2bafdeb48377eb9872442d77bab

    SHA256

    cfe0447028388e143fca537bda751122a5d2165dd90db0f64d9d8dac0f734eeb

    SHA512

    143770fbd15527026ca06b72194150582e9f564c135dc506480c18013380c7747e92bd8e8cdf237a761d9f8147beab5d64222896f3d43388cc19d424deae7b2f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    f5efa260caa0b86d7ab9ec789baf6d69

    SHA1

    81714cff8f4179e330ae32095ed9b8812f66f916

    SHA256

    5e399eb68259bc4334549aeeccb3003141a0918a537cdee33c5ab00199c7250e

    SHA512

    f6cd81bcb918c6a439c4a8b49f96059ab9686d9f95ca62f88b9297edfa1174cd81ae227ffc81e688c659a1e140fd8c9e3ead5cd8243c1abbeee6953935f4023e

  • C:\Users\Admin\AppData\Local\Temp\Cab8326.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar8339.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • \Users\Admin\AppData\Roaming\confuse\chargeable.exe

    Filesize

    118KB

    MD5

    0781d9d432f061579b908f4af17092ab

    SHA1

    0f98bdb0dc4e9448b66ab5f9e12dde15e3bd1a35

    SHA256

    b82d4e1d2d2d21bc7a38f54f746206c942dcfecb75cc6ad868cb3d96aabfe8da

    SHA512

    68735a32cca482bd53a5c36cf71fde7a8187732c3b8d8a3f5badeb60854fda18400a93da3ca67cdb9591e01cd43eee2724db989b509eed75d157c6c2f4a065e1

  • memory/2520-172-0x0000000074000000-0x00000000745AB000-memory.dmp

    Filesize

    5.7MB

  • memory/2520-190-0x0000000074000000-0x00000000745AB000-memory.dmp

    Filesize

    5.7MB

  • memory/2520-171-0x0000000074000000-0x00000000745AB000-memory.dmp

    Filesize

    5.7MB

  • memory/2520-0-0x0000000074001000-0x0000000074002000-memory.dmp

    Filesize

    4KB

  • memory/2520-2-0x0000000074000000-0x00000000745AB000-memory.dmp

    Filesize

    5.7MB

  • memory/2520-1-0x0000000074000000-0x00000000745AB000-memory.dmp

    Filesize

    5.7MB

  • memory/2836-348-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2836-351-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2836-350-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB