Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
23-08-2024 21:29
Static task
static1
Behavioral task
behavioral1
Sample
62578782ed0143f5a85bbcbbdb5d09e23965f6e4635f3f407d3f1a78588fe8b0.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
62578782ed0143f5a85bbcbbdb5d09e23965f6e4635f3f407d3f1a78588fe8b0.exe
Resource
win10v2004-20240802-en
General
-
Target
62578782ed0143f5a85bbcbbdb5d09e23965f6e4635f3f407d3f1a78588fe8b0.exe
-
Size
115KB
-
MD5
0fd1d7365b2b05de06efb168426cc01b
-
SHA1
dcaea9116bf266bdc3d57b9f8705033791ddb349
-
SHA256
62578782ed0143f5a85bbcbbdb5d09e23965f6e4635f3f407d3f1a78588fe8b0
-
SHA512
1c02de96a5c28fb7b9ea481188da457583e6c9b2dc31daefca6182e94f7268921627af78eb5efb95b2b478d294f90511fa62447ee056b9ed2646138b4d94d201
-
SSDEEP
1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMdes:P5eznsjsguGDFqGZ2r9
Malware Config
Extracted
njrat
0.7d
neuf
doddyfire.linkpc.net:10000
e1a87040f2026369a233f9ae76301b7b
-
reg_key
e1a87040f2026369a233f9ae76301b7b
-
splitter
|'|'|
Signatures
-
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
netsh.exepid process 3436 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
62578782ed0143f5a85bbcbbdb5d09e23965f6e4635f3f407d3f1a78588fe8b0.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation 62578782ed0143f5a85bbcbbdb5d09e23965f6e4635f3f407d3f1a78588fe8b0.exe -
Executes dropped EXE 2 IoCs
Processes:
chargeable.exechargeable.exepid process 4008 chargeable.exe 2172 chargeable.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
62578782ed0143f5a85bbcbbdb5d09e23965f6e4635f3f407d3f1a78588fe8b0.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" 62578782ed0143f5a85bbcbbdb5d09e23965f6e4635f3f407d3f1a78588fe8b0.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\62578782ed0143f5a85bbcbbdb5d09e23965f6e4635f3f407d3f1a78588fe8b0.exe" 62578782ed0143f5a85bbcbbdb5d09e23965f6e4635f3f407d3f1a78588fe8b0.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
chargeable.exedescription pid process target process PID 4008 set thread context of 2172 4008 chargeable.exe chargeable.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
netsh.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
62578782ed0143f5a85bbcbbdb5d09e23965f6e4635f3f407d3f1a78588fe8b0.exechargeable.exechargeable.exenetsh.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62578782ed0143f5a85bbcbbdb5d09e23965f6e4635f3f407d3f1a78588fe8b0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chargeable.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chargeable.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
Suspicious use of AdjustPrivilegeToken 33 IoCs
Processes:
chargeable.exedescription pid process Token: SeDebugPrivilege 2172 chargeable.exe Token: 33 2172 chargeable.exe Token: SeIncBasePriorityPrivilege 2172 chargeable.exe Token: 33 2172 chargeable.exe Token: SeIncBasePriorityPrivilege 2172 chargeable.exe Token: 33 2172 chargeable.exe Token: SeIncBasePriorityPrivilege 2172 chargeable.exe Token: 33 2172 chargeable.exe Token: SeIncBasePriorityPrivilege 2172 chargeable.exe Token: 33 2172 chargeable.exe Token: SeIncBasePriorityPrivilege 2172 chargeable.exe Token: 33 2172 chargeable.exe Token: SeIncBasePriorityPrivilege 2172 chargeable.exe Token: 33 2172 chargeable.exe Token: SeIncBasePriorityPrivilege 2172 chargeable.exe Token: 33 2172 chargeable.exe Token: SeIncBasePriorityPrivilege 2172 chargeable.exe Token: 33 2172 chargeable.exe Token: SeIncBasePriorityPrivilege 2172 chargeable.exe Token: 33 2172 chargeable.exe Token: SeIncBasePriorityPrivilege 2172 chargeable.exe Token: 33 2172 chargeable.exe Token: SeIncBasePriorityPrivilege 2172 chargeable.exe Token: 33 2172 chargeable.exe Token: SeIncBasePriorityPrivilege 2172 chargeable.exe Token: 33 2172 chargeable.exe Token: SeIncBasePriorityPrivilege 2172 chargeable.exe Token: 33 2172 chargeable.exe Token: SeIncBasePriorityPrivilege 2172 chargeable.exe Token: 33 2172 chargeable.exe Token: SeIncBasePriorityPrivilege 2172 chargeable.exe Token: 33 2172 chargeable.exe Token: SeIncBasePriorityPrivilege 2172 chargeable.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
62578782ed0143f5a85bbcbbdb5d09e23965f6e4635f3f407d3f1a78588fe8b0.exechargeable.exechargeable.exedescription pid process target process PID 3308 wrote to memory of 4008 3308 62578782ed0143f5a85bbcbbdb5d09e23965f6e4635f3f407d3f1a78588fe8b0.exe chargeable.exe PID 3308 wrote to memory of 4008 3308 62578782ed0143f5a85bbcbbdb5d09e23965f6e4635f3f407d3f1a78588fe8b0.exe chargeable.exe PID 3308 wrote to memory of 4008 3308 62578782ed0143f5a85bbcbbdb5d09e23965f6e4635f3f407d3f1a78588fe8b0.exe chargeable.exe PID 4008 wrote to memory of 2172 4008 chargeable.exe chargeable.exe PID 4008 wrote to memory of 2172 4008 chargeable.exe chargeable.exe PID 4008 wrote to memory of 2172 4008 chargeable.exe chargeable.exe PID 4008 wrote to memory of 2172 4008 chargeable.exe chargeable.exe PID 4008 wrote to memory of 2172 4008 chargeable.exe chargeable.exe PID 4008 wrote to memory of 2172 4008 chargeable.exe chargeable.exe PID 4008 wrote to memory of 2172 4008 chargeable.exe chargeable.exe PID 4008 wrote to memory of 2172 4008 chargeable.exe chargeable.exe PID 2172 wrote to memory of 3436 2172 chargeable.exe netsh.exe PID 2172 wrote to memory of 3436 2172 chargeable.exe netsh.exe PID 2172 wrote to memory of 3436 2172 chargeable.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\62578782ed0143f5a85bbcbbdb5d09e23965f6e4635f3f407d3f1a78588fe8b0.exe"C:\Users\Admin\AppData\Local\Temp\62578782ed0143f5a85bbcbbdb5d09e23965f6e4635f3f407d3f1a78588fe8b0.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3308 -
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4008 -
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exeC:\Users\Admin\AppData\Roaming\confuse\chargeable.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3436
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4304,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=4140 /prefetch:81⤵PID:2888
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
400B
MD50a9b4592cd49c3c21f6767c2dabda92f
SHA1f534297527ae5ccc0ecb2221ddeb8e58daeb8b74
SHA256c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd
SHA5126b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307
-
Filesize
115KB
MD58340d915146d19c0d366ac05c5a01347
SHA1e8b87fafc912cfc6f445bb56ea90e5f0214b6188
SHA2565ee94c4e0203ec459c0bc87220b4f0db00e129ccc89796e40c564e60c7f472c4
SHA5121326395812870f923a785e8b31efe5ea5ba2d13182be7791ac0006d28ecd626ac90059a47309ae1ccfcf95ba7822fc966922a77796df590bd4e84e97965b1a0a