Analysis

- max time kernel: 118s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 16-08-2024 19:29

Static task: static1

Behavioral task: behavioral1
- Sample: eb2639a63a2f15de26bcd921fcb27140N.exe
- Resource: win7-20240705-en

Behavioral task: behavioral2
- Sample: eb2639a63a2f15de26bcd921fcb27140N.exe
- Resource: win10v2004-20240802-en
General

- Target: eb2639a63a2f15de26bcd921fcb27140N.exe
- Size: 118KB
- MD5: eb2639a63a2f15de26bcd921fcb27140
- SHA1: 3472a08c4361729ced3df8a78a416bf6bb1f1a38
- SHA256: 3b453aa11bb950c800159371c084919acfab0c68affad8a913330d16cf11125b
- SHA512: 56cd625891b4f83e9463510cafb7cfe95ae1bbf41a546e60cf5b0ae17994e8dfcf34c2df0ba1e40f7cc8785636c19c1a277cc4aa382e01f4d88609d1479295b9
- SSDEEP: 1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLX:P5eznsjsguGDFqGZ2rDLX
Malware Config

Extracted:
- njrat
- 0.7d
- neuf
- doddyfire.linkpc.net:10000
- e1a87040f2026369a233f9ae76301b7b
- reg_key: e1a87040f2026369a233f9ae76301b7b
- splitter: |'|'|
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes (pid | process):
- 2500 | netsh.exe

Executes dropped EXE (2 IoCs)
Processes (pid | process):
- 1660 | chargeable.exe
- 2868 | chargeable.exe

Loads dropped DLL (2 IoCs)
Processes (pid | process):
- 2536 | eb2639a63a2f15de26bcd921fcb27140N.exe
- 2536 | eb2639a63a2f15de26bcd921fcb27140N.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" | eb2639a63a2f15de26bcd921fcb27140N.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eb2639a63a2f15de26bcd921fcb27140N.exe" | eb2639a63a2f15de26bcd921fcb27140N.exe

Suspicious use of SetThreadContext (1 IoC)
Processes (description | pid | process | target process):
- PID 1660 set thread context of 2868 | 1660 | chargeable.exe | chargeable.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes (description | ioc | process):
- Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
- Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
- Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description | ioc | process):
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eb2639a63a2f15de26bcd921fcb27140N.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chargeable.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chargeable.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe

Suspicious use of AdjustPrivilegeToken (25 IoCs)
Processes (description | pid | process):
- Token: SeDebugPrivilege | 2868 | chargeable.exe
- Token: 33 | 2868 | chargeable.exe
- Token: SeIncBasePriorityPrivilege | 2868 | chargeable.exe
- Token: 33 | 2868 | chargeable.exe
- Token: SeIncBasePriorityPrivilege | 2868 | chargeable.exe
- Token: 33 | 2868 | chargeable.exe
- Token: SeIncBasePriorityPrivilege | 2868 | chargeable.exe
- Token: 33 | 2868 | chargeable.exe
- Token: SeIncBasePriorityPrivilege | 2868 | chargeable.exe
- Token: 33 | 2868 | chargeable.exe
- Token: SeIncBasePriorityPrivilege | 2868 | chargeable.exe
- Token: 33 | 2868 | chargeable.exe
- Token: SeIncBasePriorityPrivilege | 2868 | chargeable.exe
- Token: 33 | 2868 | chargeable.exe
- Token: SeIncBasePriorityPrivilege | 2868 | chargeable.exe
- Token: 33 | 2868 | chargeable.exe
- Token: SeIncBasePriorityPrivilege | 2868 | chargeable.exe
- Token: 33 | 2868 | chargeable.exe
- Token: SeIncBasePriorityPrivilege | 2868 | chargeable.exe
- Token: 33 | 2868 | chargeable.exe
- Token: SeIncBasePriorityPrivilege | 2868 | chargeable.exe
- Token: 33 | 2868 | chargeable.exe
- Token: SeIncBasePriorityPrivilege | 2868 | chargeable.exe
- Token: 33 | 2868 | chargeable.exe
- Token: SeIncBasePriorityPrivilege | 2868 | chargeable.exe

Suspicious use of WriteProcessMemory (17 IoCs)
Processes (description | pid | process | target process):
- PID 2536 wrote to memory of 1660 | 2536 | eb2639a63a2f15de26bcd921fcb27140N.exe | chargeable.exe
- PID 2536 wrote to memory of 1660 | 2536 | eb2639a63a2f15de26bcd921fcb27140N.exe | chargeable.exe
- PID 2536 wrote to memory of 1660 | 2536 | eb2639a63a2f15de26bcd921fcb27140N.exe | chargeable.exe
- PID 2536 wrote to memory of 1660 | 2536 | eb2639a63a2f15de26bcd921fcb27140N.exe | chargeable.exe
- PID 1660 wrote to memory of 2868 | 1660 | chargeable.exe | chargeable.exe
- PID 1660 wrote to memory of 2868 | 1660 | chargeable.exe | chargeable.exe
- PID 1660 wrote to memory of 2868 | 1660 | chargeable.exe | chargeable.exe
- PID 1660 wrote to memory of 2868 | 1660 | chargeable.exe | chargeable.exe
- PID 1660 wrote to memory of 2868 | 1660 | chargeable.exe | chargeable.exe
- PID 1660 wrote to memory of 2868 | 1660 | chargeable.exe | chargeable.exe
- PID 1660 wrote to memory of 2868 | 1660 | chargeable.exe | chargeable.exe
- PID 1660 wrote to memory of 2868 | 1660 | chargeable.exe | chargeable.exe
- PID 1660 wrote to memory of 2868 | 1660 | chargeable.exe | chargeable.exe
- PID 2868 wrote to memory of 2500 | 2868 | chargeable.exe | netsh.exe
- PID 2868 wrote to memory of 2500 | 2868 | chargeable.exe | netsh.exe
- PID 2868 wrote to memory of 2500 | 2868 | chargeable.exe | netsh.exe
- PID 2868 wrote to memory of 2500 | 2868 | chargeable.exe | netsh.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\eb2639a63a2f15de26bcd921fcb27140N.exe (PID 2536)
  Command line: "C:\Users\Admin\AppData\Local\Temp\eb2639a63a2f15de26bcd921fcb27140N.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (PID 1660)
    Command line: "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (PID 2868)
      Command line: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\netsh.exe (PID 2500)
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)

Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (1)
Downloads

- Filesize: 1KB
  MD5: e7122c733f9e37bba0ca4c985ce11d6d
  SHA1: d661aa5b31ff7ef2df9bc4095279058c36499af2
  SHA256: acc9932453f5aa68f4b95986668f5584f99e55bbe02eefc0d0960dab376df81a
  SHA512: 84cddf68a46f455b4ebbb8c0c70607fe60796cfc5eabdace12d0684a1323af9681700acbdbdc37e63d7806d0220fce9cba5213bb35cee056f9d71646f98711b9

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE
  Filesize: 264B
  MD5: dd608d09eaedac2b723ab97a230ba887
  SHA1: 5ecedb48a5ba8587b31fe02baaaabca798ea22df
  SHA256: f539187fe46ef050796459deef3567091e37e4989206ad09ef8b11b5f4382c90
  SHA512: dafc32a450dbd4e3dd4b3973da39a766612e01d93df4d55b8a236486214b9912ebcf051dafd3163c689dc401596cf85910c11b2ae4ea54c22d5a13ec6b51cfe0

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: f03ff30866c1efee7995f1bedaa21007
  SHA1: e2efa0d98c53c5926dd592afc1f85daabdc182d2
  SHA256: 8499be3ccda862ff58a497a3bfca9a78a431932fc44c3600c45d2adfebb92a06
  SHA512: 0ac85222d447c4420145f9eb7f85864af4644a6ed58a5fd99d95407c618f5ad292ccb6b545489744e70b4bd2cb3c007c921e6de10c1ec9adc2f2bfc23aa41fa5

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: ed711462220d4327e812c6446fc1a5b4
  SHA1: b24f23c7fb15c899cd1b0c9375e407b7ad3f54f5
  SHA256: 6cdf7d966540b6d1e84cc6149b6526a041c113509fa5ae734dd552b4d3802412
  SHA512: dde245c411bec3ce44781fe4c6c724fd05ecf34836c60c852f36975ba8b5067107e86eb9a8c976aa1c923590f0c2ccfe3047823a7078626715b06b3020f09061

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 0e544db81f3b127be16551511f5223d6
  SHA1: aa5283834f2f7efdb3a0e90a311e3ad8c1e03b92
  SHA256: c09155d6279d06ea6275addbc0dedefc1c5b90fa3798827c4960bdccca6bfe2c
  SHA512: 4fd2f4f11d79e2f5799285fd727f60b375fc11e9e969565d8451dee9a19155709393779852dac4325e0a4c088daf486795a00e1f11f752bf707d53eb0a475800

- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

- Filesize: 118KB
  MD5: c5a133672785495f4dcd6ac274239530
  SHA1: f092f551aab8e3c2d854aef1e1f4b3c65f646ba5
  SHA256: 5c54084977e2dc01556cdf18626129b757788fac0c36aa4ae1cb7e1b63b69c60
  SHA512: 3710adda08397b35370f43319aafbee45aab51288841c8f37f9349583cbbd2938beddd99516d2aee878762cefbcb113d720be670574965139a724c4c71f028ff