Analysis

  • max time kernel
    115s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    17-08-2024 01:34

General

  • Target

    f6529f32ceeeda3431eb57c098fa70c0N.exe

  • Size

    115KB

  • MD5

    f6529f32ceeeda3431eb57c098fa70c0

  • SHA1

    3f14ea80f746ca730f7a971561e328a49f6cd6b9

  • SHA256

    75cc2a11099a21161d15e32f68924608c4f0164baa122793c576fa3eacfce461

  • SHA512

    d2fb8c09905d0a6c639a4b4d34c46cf9a2bdedd148b97072cbbf342abb37e1ae7c74041dda85390550d0d08c8b89f33bb2d0fa493f285a16e513a3d42c047cce

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMiat6U1:P5eznsjsguGDFqGZ2ri8

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f6529f32ceeeda3431eb57c098fa70c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f6529f32ceeeda3431eb57c098fa70c0N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1528
    • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2892
      • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        3⤵
        • Executes dropped EXE
        PID:2944
      • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2428
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2836

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

    Filesize

    1KB

    MD5

    e7122c733f9e37bba0ca4c985ce11d6d

    SHA1

    d661aa5b31ff7ef2df9bc4095279058c36499af2

    SHA256

    acc9932453f5aa68f4b95986668f5584f99e55bbe02eefc0d0960dab376df81a

    SHA512

    84cddf68a46f455b4ebbb8c0c70607fe60796cfc5eabdace12d0684a1323af9681700acbdbdc37e63d7806d0220fce9cba5213bb35cee056f9d71646f98711b9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

    Filesize

    264B

    MD5

    76610af55777b27351209d0b2e938e40

    SHA1

    486b77fd2b7ee98e543dcdc3e241aaa72a8ab621

    SHA256

    3b01f912e1608a9e290080f5b90d3d2a106f2c294f75abade08cffb04be2a284

    SHA512

    ec2b11dc29b37d6f1646d95857db19e5cefaf5276f1a583ae46644b4a767ede6f70b963fe481a9410530c9b1d73241bb67071401bec1c4485c3b4dfafb807333

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    525bbb6018337d69610d25086d270462

    SHA1

    a599f688d6bac9cb8b5d9e60f5615eca4fc3d0f8

    SHA256

    1387df534b807ffda2db171bcd707bd6fde5341665d2ea0cca2ab1b8c9173904

    SHA512

    86a97bfc131872c14bc858ddb44abf8c0bfd66c85d2656bdad38348bc3658165b19dc28478adb931e2999bd91ab71ca364b2022faf2e3e74720de61342c14084

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    cd8c138cff5309afe31137f0a8c5bb75

    SHA1

    a4f5d465d4a587ecf8acdc9b39e79d923444025e

    SHA256

    5d862a5971b866507d6e684beb43ce9f057203af102f2d9ec9e631924cf1fb71

    SHA512

    dcd544d32bb6806515c77de9179534f8b644442194efac73f53374a3e918eab9d7d5f3b8a998339fdacb717419357e43945c9c48bad500b5154c812b705a875e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    7b31a1b964f30994137129b650bb2f7d

    SHA1

    b77baa4778fa8bfc69c084fc1a587842bd3f97f6

    SHA256

    34b6f8006669d39f7c7cdfd1c566f61ec2e5b7405591d012132494c67c10db1b

    SHA512

    21e49865245cd88c179ba3026a330602278ad2b375f184d6aab99b609374122ad3b3445a92de784e0ec73735d3f5b57bee85ba2d6e391abc376f1f5dc048b3c7

  • C:\Users\Admin\AppData\Local\Temp\CabA5A4.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarA5E5.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • \Users\Admin\AppData\Roaming\confuse\chargeable.exe

    Filesize

    115KB

    MD5

    58d185a3bbaf5b8efe37f81290d12dc6

    SHA1

    26d0efe7c4b01a824c4f6fd9e90be1e08a3abef7

    SHA256

    2e9d7c96fb93cd33b37e7d54a38b7664257fb9c352ea1b47f5f2fd6d3d3fb79a

    SHA512

    e89c47f0e533e40548fc0130c5ec3b3ab48d3e15e49b3cc06fc8f48966a67fc28eb9c4a7044ed49ff9fffff1cc16b3bb6b7044ed227f984dfee4df8837603ebe

  • memory/1528-176-0x0000000074470000-0x0000000074A1B000-memory.dmp

    Filesize

    5.7MB

  • memory/1528-166-0x0000000074470000-0x0000000074A1B000-memory.dmp

    Filesize

    5.7MB

  • memory/1528-0-0x0000000074471000-0x0000000074472000-memory.dmp

    Filesize

    4KB

  • memory/1528-1-0x0000000074470000-0x0000000074A1B000-memory.dmp

    Filesize

    5.7MB

  • memory/2428-347-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2428-346-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2428-342-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB