Analysis
-
max time kernel: 114s
max time network: 121s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 16-08-2024 17:53
Static task: static1
Behavioral task: behavioral1
  Sample: 965c9b04307de522482b70a7b0b79b70N.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 965c9b04307de522482b70a7b0b79b70N.exe
  Resource: win10v2004-20240802-en
General
-
Target: 965c9b04307de522482b70a7b0b79b70N.exe
Size: 117KB
MD5: 965c9b04307de522482b70a7b0b79b70
SHA1: 861e28d528681e564220286efa9d2f6fe5e3304a
SHA256: ee4a94267c84c59513a4ce4055af99a021c9a6d18c543cb6cfcd1d6252fc069b
SHA512: b1ca8d391f5065086d029122e8cb1c236760ef9d64bf9c014627fcee3224816e010de4bdfaa138ab36c814b06acf21731266fee3b520d72bbaaeec2aac3c7312
SSDEEP: 1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLM:P5eznsjsguGDFqGZ2rDLM
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: neuf
C2: doddyfire.linkpc.net:10000
Mutex: e1a87040f2026369a233f9ae76301b7b
-
reg_key: e1a87040f2026369a233f9ae76301b7b
-
splitter: |'|'|
The C2 is a linkpc.net dynamic-DNS hostname on a non-standard port, so hunt and block on the hostname rather than on whatever IP it resolved to at analysis time. The mutex value is reused as the reg_key marker, and the splitter is the field delimiter njRAT uses in its C2 messages.
Signatures
-
Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes: netsh.exe
- PID 2760 netsh.exe
Executes dropped EXE (2 IoCs)
Processes: chargeable.exe, chargeable.exe
- PID 1372 chargeable.exe
- PID 2988 chargeable.exe
Loads dropped DLL (2 IoCs)
Processes: 965c9b04307de522482b70a7b0b79b70N.exe
- PID 2120 965c9b04307de522482b70a7b0b79b70N.exe
- PID 2120 965c9b04307de522482b70a7b0b79b70N.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 965c9b04307de522482b70a7b0b79b70N.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" (965c9b04307de522482b70a7b0b79b70N.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\965c9b04307de522482b70a7b0b79b70N.exe" (965c9b04307de522482b70a7b0b79b70N.exe)
Both values are written under the user hive (no elevation required) and point into user-writable AppData paths. The second borrows the name of the legitimate SysMain (Superfetch) service, so the value name alone is not a safe allow-list criterion; the data path is what to key on.
Suspicious use of SetThreadContext (1 IoC)
Processes: chargeable.exe
- PID 1372 set thread context of 2988 (chargeable.exe -> chargeable.exe)
Combined with the nine WriteProcessMemory calls from 1372 into 2988 listed below, this is the RunPE/process-hollowing pattern: the first chargeable.exe instance starts a second copy of itself, overwrites the child's memory and then redirects its thread, so the code that actually runs in PID 2988 is not the on-disk chargeable.exe. A memory dump of 2988, not the dropped file, is the artefact to analyse.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. On start-up it reads HKLM\SOFTWARE\Microsoft\NetSh to find the helper DLLs it should load, which is exactly what the three IoCs below are (open, query, enumerate). No value is written to that key anywhere in this report, so the signature is a side effect of the firewall command being run, not evidence that a helper DLL was registered for persistence.
Processes: netsh.exe
- Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh (netsh.exe)
- Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh (netsh.exe)
- Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh (netsh.exe)
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Even the Windows-supplied netsh.exe child performs the same read, so this indicator carries little weight on its own.
Processes: 965c9b04307de522482b70a7b0b79b70N.exe, chargeable.exe, chargeable.exe, netsh.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (965c9b04307de522482b70a7b0b79b70N.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (chargeable.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (chargeable.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (netsh.exe)
Suspicious use of AdjustPrivilegeToken (25 IoCs)
Processes: chargeable.exe (PID 2988)
- Token: SeDebugPrivilege (1 time)
- Token: 33 (12 times)
- Token: SeIncBasePriorityPrivilege (12 times)
The 33 and SeIncBasePriorityPrivilege entries alternate, i.e. one adjustment is repeated twelve times; if the number is the privilege LUID, 33 is SeIncreaseWorkingSetPrivilege. SeDebugPrivilege is the one worth alerting on, since it is what a process needs to open and write into processes it does not own.
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: 965c9b04307de522482b70a7b0b79b70N.exe, chargeable.exe, chargeable.exe
- PID 2120 wrote to memory of 1372 (965c9b04307de522482b70a7b0b79b70N.exe -> chargeable.exe), 4 times
- PID 1372 wrote to memory of 2988 (chargeable.exe -> chargeable.exe), 9 times
- PID 2988 wrote to memory of 2760 (chargeable.exe -> netsh.exe), 4 times
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\965c9b04307de522482b70a7b0b79b70N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\965c9b04307de522482b70a7b0b79b70N.exe"
  PID: 2120
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    Command line: "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
    PID: 1372
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      Command line: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      PID: 2988
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      [depth 4] C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
        PID: 2760
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery
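The three behaviours that carry the weight in this report are the Run keys pointing into AppData, the netsh firewall allowedprogram command, and a process spawning a copy of itself before writing to it and resetting its thread. The script below is an added example, not part of the sandbox report or of the sample: it runs those three checks over constructed Sysmon-style event records that mirror the process tree above (PIDs, paths and command lines are taken from the report; the event dictionary layout, the dropper's explorer.exe parent, and the rule and function names are assumptions for illustration). The self-spawn check only produces a candidate; in a real pipeline it should be corroborated with the WriteProcessMemory/SetThreadContext telemetry the report shows.

```python
import re
from dataclasses import dataclass

# Constructed events in a Sysmon-like shape. PIDs, image paths, command
# lines and Run-key data come from the report; the dictionary layout and the
# explorer.exe parent of the dropper are assumed for this example.
SID = "S-1-5-21-1385883288-3042840365-2734249351-1000"
RUN = r"\Software\Microsoft\Windows\CurrentVersion\Run"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\965c9b04307de522482b70a7b0b79b70N.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
NETSH = r"C:\Windows\SysWOW64\netsh.exe"

SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "pid": 2120, "image": DROPPER,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": f'"{DROPPER}"'},
    {"event": "RegistrySetValue", "pid": 2120, "image": DROPPER,
     "target": "HKU\\" + SID + RUN + r"\confuse", "details": PAYLOAD},
    {"event": "RegistrySetValue", "pid": 2120, "image": DROPPER,
     "target": "HKU\\" + SID + RUN + r"\SysMain", "details": DROPPER},
    {"event": "ProcessCreate", "pid": 1372, "image": PAYLOAD,
     "parent_image": DROPPER, "cmdline": f'"{PAYLOAD}"'},
    {"event": "ProcessCreate", "pid": 2988, "image": PAYLOAD,
     "parent_image": PAYLOAD, "cmdline": PAYLOAD},
    {"event": "ProcessCreate", "pid": 2760, "image": NETSH, "parent_image": PAYLOAD,
     "cmdline": f'netsh firewall add allowedprogram "{PAYLOAD}" "chargeable.exe" ENABLE'},
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.IGNORECASE)
USER_DIR_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# Legacy "netsh firewall add allowedprogram [program=]<path> <name> ENABLE".
NETSH_ALLOW_RE = re.compile(
    r'firewall\s+add\s+allowedprogram\s+(?:program=)?(?P<path>"[^"]*"|\S+)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str       # hypothetical rule name
    technique: str  # ATT&CK technique id
    pid: int
    detail: str


def check_run_key(ev):
    """T1547.001: a Run value whose data points into a user-writable AppData path."""
    if ev["event"] != "RegistrySetValue":
        return None
    m = RUN_KEY_RE.search(ev["target"])
    if not m or not USER_DIR_RE.search(ev["details"]):
        return None
    return Finding("run_key_to_appdata", "T1547.001", ev["pid"], f"{m['name']} -> {ev['details']}")


def check_netsh_allow(ev):
    """T1562.004: netsh.exe punching a firewall hole; returns the allowed program path."""
    if ev["event"] != "ProcessCreate" or not ev["image"].lower().endswith("\\netsh.exe"):
        return None
    m = NETSH_ALLOW_RE.search(ev["cmdline"])
    if not m:
        return None
    return Finding("netsh_firewall_allowedprogram", "T1562.004", ev["pid"], m["path"].strip('"'))


def check_self_spawn(ev):
    """T1055.012 candidate: a user-profile binary spawning an identical copy of itself,
    the shape the report's SetThreadContext/WriteProcessMemory IoCs exhibit."""
    if ev["event"] != "ProcessCreate" or ev["image"].lower() != ev["parent_image"].lower():
        return None
    if not USER_DIR_RE.search(ev["image"]):
        return None
    return Finding("self_spawn_hollowing_candidate", "T1055.012", ev["pid"], ev["image"])


CHECKS = (check_run_key, check_netsh_allow, check_self_spawn)


def detect(events):
    """Run every check over every event; findings come back in event order."""
    findings = []
    for ev in events:
        for check in CHECKS:
            f = check(ev)
            if f is not None:
                findings.append(f)
    return findings


def techniques(events):
    """Map ATT&CK technique id -> sorted list of PIDs, for a quick triage summary."""
    out = {}
    for f in detect(events):
        out.setdefault(f.technique, set()).add(f.pid)
    return {t: sorted(pids) for t, pids in out.items()}


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.technique}] pid={f.pid} {f.rule}: {f.detail}")
```

On the constructed events the dropper (2120) is flagged twice for the Run keys, the second chargeable.exe (2988) as a hollowing candidate because its parent image is its own image, and netsh (2760) for the allowedprogram rule with the payload path extracted; the first chargeable.exe (1372) is not flagged because its parent is the dropper, which is the distinction that keeps ordinary parent/child launches quiet.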
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
  Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
  Event Triggered Execution (1): Netsh Helper DLL (1)
Defense Evasion
  Impair Defenses (1): Disable or Modify System Firewall (1)
  Modify Registry (1)
Downloads
-
Filesize: 1KB
MD5: e7122c733f9e37bba0ca4c985ce11d6d
SHA1: d661aa5b31ff7ef2df9bc4095279058c36499af2
SHA256: acc9932453f5aa68f4b95986668f5584f99e55bbe02eefc0d0960dab376df81a
SHA512: 84cddf68a46f455b4ebbb8c0c70607fe60796cfc5eabdace12d0684a1323af9681700acbdbdc37e63d7806d0220fce9cba5213bb35cee056f9d71646f98711b9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE
Filesize: 264B
MD5: 667802768caabca196a37bb22a0104f6
SHA1: e24e5d3cd54255a3933c1d779c675299ca26e944
SHA256: 953ccd26739877dc9d5e0d468d3d6b9bc6f229c10decf2207c34b3a4c9b3a821
SHA512: 716547efba4b4542823f49636e731744f2269e4450815ea6434922f64c8d9a8879f2ac3e830313e2d9d282a39d6aee0c0bdb7cd465e577dff77b1fbc23a02bf6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: c37f49fed2c3170c243abc12368f05b7
SHA1: f45e347aecd736ba5761833eeebb118b894f97c1
SHA256: bdfcd70343cb67144167f9aeff1f3b903ba76999f56b45b4d1947f64cfe66a2a
SHA512: a48a4c0cbd4511fb8a579aa6acf08b3c2c98aec225a070d53b32e68393c6875ad6f2888ffe7b2d403351cef4d0c53c461140b99c6406040be8a1eeff31e19a42
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 90ebc876e3ba50611988941b059220b0
SHA1: 7c9d98552b087cb39ebe6fcf0ffebf8ef2878bf8
SHA256: 3bdfd4c7f7e45544b244767a143f863d622d3ff83cf427fd5797da24f4e3a3bb
SHA512: f85495964a2b9b2541010d8462725988f876ca3a69b18f1fecf0665d9ce63c3e410da479644ab84bb559f73a973251379556d5bcafe74e0d4807552ad2332f44
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 2a9db3a99e0b06566c710576979aa83f
SHA1: 0a76bb4434d2eab6b6b370d4a1c3f63998eca3c9
SHA256: 17d1dae8fd0e7834f00f6cd52333e23fcda6df5735ffbd737fdf7a38396feb6a
SHA512: 32139d6a066c316b2b4deff144f88f694897b6a1d7f876cfe360e27b985bf41bdd5c77b75a478f04d8961fed0ef6fe60514baeefc6206c02abb8d7f9127e5f14
-
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize: 117KB
MD5: 99f4513e5474f149506ad629a14f5023
SHA1: be88ec6a0c342d567a70b06a8d402e6668c5c42c
SHA256: 383ea89afc6e03498748b237879730efe64fa1d36f3276b4ecf7e2e1e695e7c7
SHA512: 31d47e9611be892e8e8b0fb64970ade46d5e7c08cf3fa8c7c010a9f55acd9f190f19241c3e9cc36bc80f508343d113b92424a44b8d95d2e2a66f850c06e4673f