Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-08-2024 10:06

General

  • Target

    178bd89f9113e4ca4f35458e9c779116.exe

  • Size

    117KB

  • MD5

    178bd89f9113e4ca4f35458e9c779116

  • SHA1

    f2b45ce58f29f18964a031578ddff51ab52033d2

  • SHA256

    bf2de56ca9ce6fc0b83d911ea86356d3338823d33630556de10878aeb3de0430

  • SHA512

    20b05ab4e9239f1d8fbdb309863913f0e0d47682b28da78a34341edce3bcf6c16f738682a47946eaf8a23851eba39941704bd7d0ed2ff3f5fd40dab6ead540df

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLZR:P5eznsjsguGDFqGZ2rDLH

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\178bd89f9113e4ca4f35458e9c779116.exe
    "C:\Users\Admin\AppData\Local\Temp\178bd89f9113e4ca4f35458e9c779116.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2628
    • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2160
      • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2748
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2972

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

    Filesize

    1KB

    MD5

    e7122c733f9e37bba0ca4c985ce11d6d

    SHA1

    d661aa5b31ff7ef2df9bc4095279058c36499af2

    SHA256

    acc9932453f5aa68f4b95986668f5584f99e55bbe02eefc0d0960dab376df81a

    SHA512

    84cddf68a46f455b4ebbb8c0c70607fe60796cfc5eabdace12d0684a1323af9681700acbdbdc37e63d7806d0220fce9cba5213bb35cee056f9d71646f98711b9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

    Filesize

    264B

    MD5

    bc06b9f863d0f052d3b1ba9b0ca150ca

    SHA1

    a8d702229e3b52145eec97c844a8a7bd91d34ace

    SHA256

    4e81f699a44155d1ff65fad375889de7cd3cde28e2dd2654e094b00b69df8b1f

    SHA512

    e6a03c357d2850e8a5b2a482f67d1e1d66192ff5e4b1c1184de9abf230c47b6f47d489be429cdfb300bf3950fd8cfc2938a542d2c33e78740116c9f9fe36735f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    1cf58dac02f173f3b68fba5e54572fbc

    SHA1

    4f1f18d519b916dcd32aa1aa3a4b9abbff10e6f6

    SHA256

    2a83eb4fc0050b22ecb830188d96876e03a37c775103146272b062f114781d6a

    SHA512

    5b021d2a780445c4c787e9985dfae0db7baab69b170186941640e5d3ad2f20f18b6baebac42995438f03232ee65f78972c6563a4841e1420fe182f0a03b6590c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    d4db0ab61d8ee2ba96aa0fc59c5eddd2

    SHA1

    34586dbe6c90a4ffd670b7a40a9550305d0ab661

    SHA256

    c4f0a6b459eb97ae73fbd5784141bd696364a4a127199bec33f776f2a2a694af

    SHA512

    3e0780f202992d2904aa32a47a68e3892f14a100451400d30e1d8c98f4918eaa73bc6f1b43b195df809ba1222cf280ca6c7f0d3d96cb2b1f41a367addb6ed584

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    d89973469a029e4a025a8cd132be1f67

    SHA1

    79a9bdf071f22e4bf27415b522e4bfdc7efd7aaa

    SHA256

    a95f084f6107c6051b004b587df8f6f11f7b00d546696f6867acde6653c0b11d

    SHA512

    5061c94f8f1e9b32116f6e94c0a081b800a2dd0b5d475a5c97f5c5342785feb7bea710b9ef70ae61b6caa1e94e05c623b0c6a462fe6b0f581cb885e4c69c947a

  • C:\Users\Admin\AppData\Local\Temp\CabDC2E.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarDC60.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

    Filesize

    117KB

    MD5

    eeff4123459c01d0ece1bbb2f87bdd9f

    SHA1

    54df20b41bbd1073d59eadee7969ef6867087026

    SHA256

    25749b7f80a2ea01415cf0ba49d9855f3fe6f8d7fab4530eb84b58581c07ab49

    SHA512

    d7e9db947caca6805cb6571dfae694acfd8afd5624a540e39a6d91d2be334f3ec73610977fe607a10ffec5b40c37c462ac6e9538f1962b9f0a1ee2b313acbea1

  • memory/2628-167-0x0000000074EF0000-0x000000007549B000-memory.dmp

    Filesize

    5.7MB

  • memory/2628-178-0x0000000074EF0000-0x000000007549B000-memory.dmp

    Filesize

    5.7MB

  • memory/2628-165-0x0000000074EF0000-0x000000007549B000-memory.dmp

    Filesize

    5.7MB

  • memory/2628-0-0x0000000074EF1000-0x0000000074EF2000-memory.dmp

    Filesize

    4KB

  • memory/2628-9-0x0000000074EF0000-0x000000007549B000-memory.dmp

    Filesize

    5.7MB

  • memory/2628-1-0x0000000074EF0000-0x000000007549B000-memory.dmp

    Filesize

    5.7MB

  • memory/2748-347-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2748-346-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2748-344-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB