Analysis
- max time kernel: 115s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 17-08-2024 01:34
Static task: static1
Behavioral task: behavioral1
- Sample: f6529f32ceeeda3431eb57c098fa70c0N.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: f6529f32ceeeda3431eb57c098fa70c0N.exe
- Resource: win10v2004-20240802-en
General
- Target: f6529f32ceeeda3431eb57c098fa70c0N.exe
- Size: 115KB
- MD5: f6529f32ceeeda3431eb57c098fa70c0
- SHA1: 3f14ea80f746ca730f7a971561e328a49f6cd6b9
- SHA256: 75cc2a11099a21161d15e32f68924608c4f0164baa122793c576fa3eacfce461
- SHA512: d2fb8c09905d0a6c639a4b4d34c46cf9a2bdedd148b97072cbbf342abb37e1ae7c74041dda85390550d0d08c8b89f33bb2d0fa493f285a16e513a3d42c047cce
- SSDEEP: 1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMiat6U1:P5eznsjsguGDFqGZ2ri8
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: neuf
- C2: doddyfire.linkpc.net:10000
- Mutex: e1a87040f2026369a233f9ae76301b7b
- Attributes:
  - reg_key: e1a87040f2026369a233f9ae76301b7b
  - splitter: |'|'|
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes: netsh.exe (PID 2836)
- Executes dropped EXE (3 IoCs)
  Processes: chargeable.exe (PID 2892), chargeable.exe (PID 2428), chargeable.exe (PID 2944)
- Loads dropped DLL (2 IoCs)
  Processes: f6529f32ceeeda3431eb57c098fa70c0N.exe (PID 1528), 2 entries
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process f6529f32ceeeda3431eb57c098fa70c0N.exe:
  - Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"
  - Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f6529f32ceeeda3431eb57c098fa70c0N.exe"
- Suspicious use of SetThreadContext (2 IoCs)
  - PID 2892 (chargeable.exe) set thread context of PID 2428 (chargeable.exe)
  - PID 2892 (chargeable.exe) set thread context of PID 2944 (chargeable.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Process netsh.exe:
  - Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh
  - Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh
  - Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: chargeable.exe, netsh.exe, f6529f32ceeeda3431eb57c098fa70c0N.exe, chargeable.exe
- Suspicious use of AdjustPrivilegeToken (25 IoCs)
  Process chargeable.exe (PID 2428): Token: SeDebugPrivilege (1 entry), then Token: 33 and Token: SeIncBasePriorityPrivilege alternating (12 entries each), 25 entries in total
- Suspicious use of WriteProcessMemory (26 IoCs)
  - PID 1528 (f6529f32ceeeda3431eb57c098fa70c0N.exe) wrote to memory of PID 2892 (chargeable.exe): 4 entries
  - PID 2892 (chargeable.exe) wrote to memory of PID 2944 (chargeable.exe): 9 entries
  - PID 2892 (chargeable.exe) wrote to memory of PID 2428 (chargeable.exe): 9 entries
  - PID 2428 (chargeable.exe) wrote to memory of PID 2836 (netsh.exe): 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\f6529f32ceeeda3431eb57c098fa70c0N.exe (PID 1528)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f6529f32ceeeda3431eb57c098fa70c0N.exe"
  Signatures: Loads dropped DLL; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (PID 2892)
    Command line: "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (PID 2944)
      Command line: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      Signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (PID 2428)
      Command line: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\netsh.exe (PID 2836)
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
        Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Defense Evasion
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (1)
Downloads