Analysis

  • max time kernel
    114s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    16-08-2024 17:53

General

  • Target

    965c9b04307de522482b70a7b0b79b70N.exe

  • Size

    117KB

  • MD5

    965c9b04307de522482b70a7b0b79b70

  • SHA1

    861e28d528681e564220286efa9d2f6fe5e3304a

  • SHA256

    ee4a94267c84c59513a4ce4055af99a021c9a6d18c543cb6cfcd1d6252fc069b

  • SHA512

    b1ca8d391f5065086d029122e8cb1c236760ef9d64bf9c014627fcee3224816e010de4bdfaa138ab36c814b06acf21731266fee3b520d72bbaaeec2aac3c7312

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLM:P5eznsjsguGDFqGZ2rDLM

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\965c9b04307de522482b70a7b0b79b70N.exe
    "C:\Users\Admin\AppData\Local\Temp\965c9b04307de522482b70a7b0b79b70N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2120
    • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1372
      • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2988
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2760

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

    Filesize

    1KB

    MD5

    e7122c733f9e37bba0ca4c985ce11d6d

    SHA1

    d661aa5b31ff7ef2df9bc4095279058c36499af2

    SHA256

    acc9932453f5aa68f4b95986668f5584f99e55bbe02eefc0d0960dab376df81a

    SHA512

    84cddf68a46f455b4ebbb8c0c70607fe60796cfc5eabdace12d0684a1323af9681700acbdbdc37e63d7806d0220fce9cba5213bb35cee056f9d71646f98711b9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

    Filesize

    264B

    MD5

    667802768caabca196a37bb22a0104f6

    SHA1

    e24e5d3cd54255a3933c1d779c675299ca26e944

    SHA256

    953ccd26739877dc9d5e0d468d3d6b9bc6f229c10decf2207c34b3a4c9b3a821

    SHA512

    716547efba4b4542823f49636e731744f2269e4450815ea6434922f64c8d9a8879f2ac3e830313e2d9d282a39d6aee0c0bdb7cd465e577dff77b1fbc23a02bf6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c37f49fed2c3170c243abc12368f05b7

    SHA1

    f45e347aecd736ba5761833eeebb118b894f97c1

    SHA256

    bdfcd70343cb67144167f9aeff1f3b903ba76999f56b45b4d1947f64cfe66a2a

    SHA512

    a48a4c0cbd4511fb8a579aa6acf08b3c2c98aec225a070d53b32e68393c6875ad6f2888ffe7b2d403351cef4d0c53c461140b99c6406040be8a1eeff31e19a42

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    90ebc876e3ba50611988941b059220b0

    SHA1

    7c9d98552b087cb39ebe6fcf0ffebf8ef2878bf8

    SHA256

    3bdfd4c7f7e45544b244767a143f863d622d3ff83cf427fd5797da24f4e3a3bb

    SHA512

    f85495964a2b9b2541010d8462725988f876ca3a69b18f1fecf0665d9ce63c3e410da479644ab84bb559f73a973251379556d5bcafe74e0d4807552ad2332f44

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    2a9db3a99e0b06566c710576979aa83f

    SHA1

    0a76bb4434d2eab6b6b370d4a1c3f63998eca3c9

    SHA256

    17d1dae8fd0e7834f00f6cd52333e23fcda6df5735ffbd737fdf7a38396feb6a

    SHA512

    32139d6a066c316b2b4deff144f88f694897b6a1d7f876cfe360e27b985bf41bdd5c77b75a478f04d8961fed0ef6fe60514baeefc6206c02abb8d7f9127e5f14

  • C:\Users\Admin\AppData\Local\Temp\CabAD42.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarAD54.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

    Filesize

    117KB

    MD5

    99f4513e5474f149506ad629a14f5023

    SHA1

    be88ec6a0c342d567a70b06a8d402e6668c5c42c

    SHA256

    383ea89afc6e03498748b237879730efe64fa1d36f3276b4ecf7e2e1e695e7c7

    SHA512

    31d47e9611be892e8e8b0fb64970ade46d5e7c08cf3fa8c7c010a9f55acd9f190f19241c3e9cc36bc80f508343d113b92424a44b8d95d2e2a66f850c06e4673f

  • memory/2120-176-0x0000000074AC0000-0x000000007506B000-memory.dmp

    Filesize

    5.7MB

  • memory/2120-166-0x0000000074AC0000-0x000000007506B000-memory.dmp

    Filesize

    5.7MB

  • memory/2120-0-0x0000000074AC1000-0x0000000074AC2000-memory.dmp

    Filesize

    4KB

  • memory/2120-1-0x0000000074AC0000-0x000000007506B000-memory.dmp

    Filesize

    5.7MB

  • memory/2988-345-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2988-344-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2988-342-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB