Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    16-08-2024 19:29

General

  • Target

    eb2639a63a2f15de26bcd921fcb27140N.exe

  • Size

    118KB

  • MD5

    eb2639a63a2f15de26bcd921fcb27140

  • SHA1

    3472a08c4361729ced3df8a78a416bf6bb1f1a38

  • SHA256

    3b453aa11bb950c800159371c084919acfab0c68affad8a913330d16cf11125b

  • SHA512

    56cd625891b4f83e9463510cafb7cfe95ae1bbf41a546e60cf5b0ae17994e8dfcf34c2df0ba1e40f7cc8785636c19c1a277cc4aa382e01f4d88609d1479295b9

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLX:P5eznsjsguGDFqGZ2rDLX

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb2639a63a2f15de26bcd921fcb27140N.exe
    "C:\Users\Admin\AppData\Local\Temp\eb2639a63a2f15de26bcd921fcb27140N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1660
      • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2868
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2500

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

    Filesize

    1KB

    MD5

    e7122c733f9e37bba0ca4c985ce11d6d

    SHA1

    d661aa5b31ff7ef2df9bc4095279058c36499af2

    SHA256

    acc9932453f5aa68f4b95986668f5584f99e55bbe02eefc0d0960dab376df81a

    SHA512

    84cddf68a46f455b4ebbb8c0c70607fe60796cfc5eabdace12d0684a1323af9681700acbdbdc37e63d7806d0220fce9cba5213bb35cee056f9d71646f98711b9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

    Filesize

    264B

    MD5

    dd608d09eaedac2b723ab97a230ba887

    SHA1

    5ecedb48a5ba8587b31fe02baaaabca798ea22df

    SHA256

    f539187fe46ef050796459deef3567091e37e4989206ad09ef8b11b5f4382c90

    SHA512

    dafc32a450dbd4e3dd4b3973da39a766612e01d93df4d55b8a236486214b9912ebcf051dafd3163c689dc401596cf85910c11b2ae4ea54c22d5a13ec6b51cfe0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    f03ff30866c1efee7995f1bedaa21007

    SHA1

    e2efa0d98c53c5926dd592afc1f85daabdc182d2

    SHA256

    8499be3ccda862ff58a497a3bfca9a78a431932fc44c3600c45d2adfebb92a06

    SHA512

    0ac85222d447c4420145f9eb7f85864af4644a6ed58a5fd99d95407c618f5ad292ccb6b545489744e70b4bd2cb3c007c921e6de10c1ec9adc2f2bfc23aa41fa5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    ed711462220d4327e812c6446fc1a5b4

    SHA1

    b24f23c7fb15c899cd1b0c9375e407b7ad3f54f5

    SHA256

    6cdf7d966540b6d1e84cc6149b6526a041c113509fa5ae734dd552b4d3802412

    SHA512

    dde245c411bec3ce44781fe4c6c724fd05ecf34836c60c852f36975ba8b5067107e86eb9a8c976aa1c923590f0c2ccfe3047823a7078626715b06b3020f09061

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    0e544db81f3b127be16551511f5223d6

    SHA1

    aa5283834f2f7efdb3a0e90a311e3ad8c1e03b92

    SHA256

    c09155d6279d06ea6275addbc0dedefc1c5b90fa3798827c4960bdccca6bfe2c

    SHA512

    4fd2f4f11d79e2f5799285fd727f60b375fc11e9e969565d8451dee9a19155709393779852dac4325e0a4c088daf486795a00e1f11f752bf707d53eb0a475800

  • C:\Users\Admin\AppData\Local\Temp\CabD5F7.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarD609.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • \Users\Admin\AppData\Roaming\confuse\chargeable.exe

    Filesize

    118KB

    MD5

    c5a133672785495f4dcd6ac274239530

    SHA1

    f092f551aab8e3c2d854aef1e1f4b3c65f646ba5

    SHA256

    5c54084977e2dc01556cdf18626129b757788fac0c36aa4ae1cb7e1b63b69c60

    SHA512

    3710adda08397b35370f43319aafbee45aab51288841c8f37f9349583cbbd2938beddd99516d2aee878762cefbcb113d720be670574965139a724c4c71f028ff

  • memory/2536-167-0x0000000074C20000-0x00000000751CB000-memory.dmp

    Filesize

    5.7MB

  • memory/2536-177-0x0000000074C20000-0x00000000751CB000-memory.dmp

    Filesize

    5.7MB

  • memory/2536-2-0x0000000074C20000-0x00000000751CB000-memory.dmp

    Filesize

    5.7MB

  • memory/2536-1-0x0000000074C20000-0x00000000751CB000-memory.dmp

    Filesize

    5.7MB

  • memory/2536-0-0x0000000074C21000-0x0000000074C22000-memory.dmp

    Filesize

    4KB

  • memory/2868-343-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2868-346-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2868-345-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB