Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
18-08-2024 10:06
Static task
static1
Behavioral task
behavioral1
Sample
178bd89f9113e4ca4f35458e9c779116.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
178bd89f9113e4ca4f35458e9c779116.exe
Resource
win10v2004-20240802-en
General
-
Target
178bd89f9113e4ca4f35458e9c779116.exe
-
Size
117KB
-
MD5
178bd89f9113e4ca4f35458e9c779116
-
SHA1
f2b45ce58f29f18964a031578ddff51ab52033d2
-
SHA256
bf2de56ca9ce6fc0b83d911ea86356d3338823d33630556de10878aeb3de0430
-
SHA512
20b05ab4e9239f1d8fbdb309863913f0e0d47682b28da78a34341edce3bcf6c16f738682a47946eaf8a23851eba39941704bd7d0ed2ff3f5fd40dab6ead540df
-
SSDEEP
1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLZR:P5eznsjsguGDFqGZ2rDLH
Malware Config
Extracted
njrat
0.7d
neuf
doddyfire.linkpc.net:10000
e1a87040f2026369a233f9ae76301b7b
-
reg_key
e1a87040f2026369a233f9ae76301b7b
-
splitter
|'|'|
Signatures
-
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
netsh.exepid process 2972 netsh.exe -
Executes dropped EXE 2 IoCs
Processes:
chargeable.exechargeable.exepid process 2160 chargeable.exe 2748 chargeable.exe -
Loads dropped DLL 2 IoCs
Processes:
178bd89f9113e4ca4f35458e9c779116.exepid process 2628 178bd89f9113e4ca4f35458e9c779116.exe 2628 178bd89f9113e4ca4f35458e9c779116.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
178bd89f9113e4ca4f35458e9c779116.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" 178bd89f9113e4ca4f35458e9c779116.exe Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\178bd89f9113e4ca4f35458e9c779116.exe" 178bd89f9113e4ca4f35458e9c779116.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
chargeable.exedescription pid process target process PID 2160 set thread context of 2748 2160 chargeable.exe chargeable.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
netsh.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
chargeable.exechargeable.exenetsh.exe178bd89f9113e4ca4f35458e9c779116.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chargeable.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chargeable.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 178bd89f9113e4ca4f35458e9c779116.exe -
Suspicious use of AdjustPrivilegeToken 33 IoCs
Processes:
chargeable.exedescription pid process Token: SeDebugPrivilege 2748 chargeable.exe Token: 33 2748 chargeable.exe Token: SeIncBasePriorityPrivilege 2748 chargeable.exe Token: 33 2748 chargeable.exe Token: SeIncBasePriorityPrivilege 2748 chargeable.exe Token: 33 2748 chargeable.exe Token: SeIncBasePriorityPrivilege 2748 chargeable.exe Token: 33 2748 chargeable.exe Token: SeIncBasePriorityPrivilege 2748 chargeable.exe Token: 33 2748 chargeable.exe Token: SeIncBasePriorityPrivilege 2748 chargeable.exe Token: 33 2748 chargeable.exe Token: SeIncBasePriorityPrivilege 2748 chargeable.exe Token: 33 2748 chargeable.exe Token: SeIncBasePriorityPrivilege 2748 chargeable.exe Token: 33 2748 chargeable.exe Token: SeIncBasePriorityPrivilege 2748 chargeable.exe Token: 33 2748 chargeable.exe Token: SeIncBasePriorityPrivilege 2748 chargeable.exe Token: 33 2748 chargeable.exe Token: SeIncBasePriorityPrivilege 2748 chargeable.exe Token: 33 2748 chargeable.exe Token: SeIncBasePriorityPrivilege 2748 chargeable.exe Token: 33 2748 chargeable.exe Token: SeIncBasePriorityPrivilege 2748 chargeable.exe Token: 33 2748 chargeable.exe Token: SeIncBasePriorityPrivilege 2748 chargeable.exe Token: 33 2748 chargeable.exe Token: SeIncBasePriorityPrivilege 2748 chargeable.exe Token: 33 2748 chargeable.exe Token: SeIncBasePriorityPrivilege 2748 chargeable.exe Token: 33 2748 chargeable.exe Token: SeIncBasePriorityPrivilege 2748 chargeable.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
178bd89f9113e4ca4f35458e9c779116.exechargeable.exechargeable.exedescription pid process target process PID 2628 wrote to memory of 2160 2628 178bd89f9113e4ca4f35458e9c779116.exe chargeable.exe PID 2628 wrote to memory of 2160 2628 178bd89f9113e4ca4f35458e9c779116.exe chargeable.exe PID 2628 wrote to memory of 2160 2628 178bd89f9113e4ca4f35458e9c779116.exe chargeable.exe PID 2628 wrote to memory of 2160 2628 178bd89f9113e4ca4f35458e9c779116.exe chargeable.exe PID 2160 wrote to memory of 2748 2160 chargeable.exe chargeable.exe PID 2160 wrote to memory of 2748 2160 chargeable.exe chargeable.exe PID 2160 wrote to memory of 2748 2160 chargeable.exe chargeable.exe PID 2160 wrote to memory of 2748 2160 chargeable.exe chargeable.exe PID 2160 wrote to memory of 2748 2160 chargeable.exe chargeable.exe PID 2160 wrote to memory of 2748 2160 chargeable.exe chargeable.exe PID 2160 wrote to memory of 2748 2160 chargeable.exe chargeable.exe PID 2160 wrote to memory of 2748 2160 chargeable.exe chargeable.exe PID 2160 wrote to memory of 2748 2160 chargeable.exe chargeable.exe PID 2748 wrote to memory of 2972 2748 chargeable.exe netsh.exe PID 2748 wrote to memory of 2972 2748 chargeable.exe netsh.exe PID 2748 wrote to memory of 2972 2748 chargeable.exe netsh.exe PID 2748 wrote to memory of 2972 2748 chargeable.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\178bd89f9113e4ca4f35458e9c779116.exe"C:\Users\Admin\AppData\Local\Temp\178bd89f9113e4ca4f35458e9c779116.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exeC:\Users\Admin\AppData\Roaming\confuse\chargeable.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2972
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5e7122c733f9e37bba0ca4c985ce11d6d
SHA1d661aa5b31ff7ef2df9bc4095279058c36499af2
SHA256acc9932453f5aa68f4b95986668f5584f99e55bbe02eefc0d0960dab376df81a
SHA51284cddf68a46f455b4ebbb8c0c70607fe60796cfc5eabdace12d0684a1323af9681700acbdbdc37e63d7806d0220fce9cba5213bb35cee056f9d71646f98711b9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE
Filesize264B
MD5bc06b9f863d0f052d3b1ba9b0ca150ca
SHA1a8d702229e3b52145eec97c844a8a7bd91d34ace
SHA2564e81f699a44155d1ff65fad375889de7cd3cde28e2dd2654e094b00b69df8b1f
SHA512e6a03c357d2850e8a5b2a482f67d1e1d66192ff5e4b1c1184de9abf230c47b6f47d489be429cdfb300bf3950fd8cfc2938a542d2c33e78740116c9f9fe36735f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD51cf58dac02f173f3b68fba5e54572fbc
SHA14f1f18d519b916dcd32aa1aa3a4b9abbff10e6f6
SHA2562a83eb4fc0050b22ecb830188d96876e03a37c775103146272b062f114781d6a
SHA5125b021d2a780445c4c787e9985dfae0db7baab69b170186941640e5d3ad2f20f18b6baebac42995438f03232ee65f78972c6563a4841e1420fe182f0a03b6590c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5d4db0ab61d8ee2ba96aa0fc59c5eddd2
SHA134586dbe6c90a4ffd670b7a40a9550305d0ab661
SHA256c4f0a6b459eb97ae73fbd5784141bd696364a4a127199bec33f776f2a2a694af
SHA5123e0780f202992d2904aa32a47a68e3892f14a100451400d30e1d8c98f4918eaa73bc6f1b43b195df809ba1222cf280ca6c7f0d3d96cb2b1f41a367addb6ed584
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5d89973469a029e4a025a8cd132be1f67
SHA179a9bdf071f22e4bf27415b522e4bfdc7efd7aaa
SHA256a95f084f6107c6051b004b587df8f6f11f7b00d546696f6867acde6653c0b11d
SHA5125061c94f8f1e9b32116f6e94c0a081b800a2dd0b5d475a5c97f5c5342785feb7bea710b9ef70ae61b6caa1e94e05c623b0c6a462fe6b0f581cb885e4c69c947a
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
117KB
MD5eeff4123459c01d0ece1bbb2f87bdd9f
SHA154df20b41bbd1073d59eadee7969ef6867087026
SHA25625749b7f80a2ea01415cf0ba49d9855f3fe6f8d7fab4530eb84b58581c07ab49
SHA512d7e9db947caca6805cb6571dfae694acfd8afd5624a540e39a6d91d2be334f3ec73610977fe607a10ffec5b40c37c462ac6e9538f1962b9f0a1ee2b313acbea1