Analysis

  • max time kernel
    121s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    23-08-2024 18:16

General

  • Target

    d8a83c4911a1a3ad2912ae7d5d192350N.exe

  • Size

    115KB

  • MD5

    d8a83c4911a1a3ad2912ae7d5d192350

  • SHA1

    748e7d8b45a5f0997b75a1c523602e884773700c

  • SHA256

    b46d00f45d89113b5ef42c11f5b788a9f0d5f3067cf91db08a264c7729c2413f

  • SHA512

    62826f0188b82e6a11f210ad977854fc7f8a823e7a0139aaa4bb630cca938fcbb3d2028e4e3caa7cbe034fdb1a9930cf512c277557e3dca388a55948a53c0d26

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMdeQzb:P5eznsjsguGDFqGZ2rxb

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d8a83c4911a1a3ad2912ae7d5d192350N.exe
    "C:\Users\Admin\AppData\Local\Temp\d8a83c4911a1a3ad2912ae7d5d192350N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2336
    • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2688
      • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2296
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2728

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

    Filesize

    1KB

    MD5

    e7122c733f9e37bba0ca4c985ce11d6d

    SHA1

    d661aa5b31ff7ef2df9bc4095279058c36499af2

    SHA256

    acc9932453f5aa68f4b95986668f5584f99e55bbe02eefc0d0960dab376df81a

    SHA512

    84cddf68a46f455b4ebbb8c0c70607fe60796cfc5eabdace12d0684a1323af9681700acbdbdc37e63d7806d0220fce9cba5213bb35cee056f9d71646f98711b9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

    Filesize

    264B

    MD5

    d807a1f08c8023a2e2deffb48e534c67

    SHA1

    478827945331fb37b02f8ab2fb681684b7612157

    SHA256

    3000e548a00f54e2ee791bafe261de63a1fa0f5d64af6be1c57674493984b2fb

    SHA512

    8f5aa810de49e5bc1ccfaa24c15be9ada2bac38944dcd08131916b5ae9999e16563029f0c7e1ea9414d25d2d1596c173e2198fba6c634f0f732b8abd4a2cc9a1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    f8f7ca7673287139f349475fbf16b9bc

    SHA1

    8f6c63e119f8aa1100c5f362246de0a8c93f14cb

    SHA256

    2874e5dbd739624795186cea7c7ffdc04587faeaec5ac76d7741b70d4b504a85

    SHA512

    9383510bdd512ca7f2b3dccdad69f51936cbad01d2764bc6d47ffd87607a1c29c495dd045003d048ceea3ee9e2a675b5ad4f1c4b971379f1099dec24c9b25ae8

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    66dffec49d359bcc10c4cf413ccc1d95

    SHA1

    978a96dfd9038446b7365c9b8dfd19cab8c92d3d

    SHA256

    235a0aca97dc17a719222ffb892c89881a733abcf979a1d3c6ae6b315d1303d6

    SHA512

    ad7bc2f2289c43bbc901b9871ea02a9c4e11864c12f0b879a576393ba0f0e9e7b75eaa8487ab9b018ed24dd5c1a62dd8c8024d0284c732dfd994d13ec32828f5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    7b0a5e90dd8b7a99c4222288e1005f3b

    SHA1

    4088896ef15c90b868f098c7beaf33caa876e74f

    SHA256

    cbb7c51b13295bead3297fc16e3770a0a276b5d608270a330148c9f1907c7a17

    SHA512

    620fb0461fa757de51b182ac84ba75cad3b1612b5950dc4c0449176ad1c90ea65da26fe76879310630d6c4d5232a472ee5b033e720a33f3d31f75bb6e975f4ae

  • C:\Users\Admin\AppData\Local\Temp\CabA6EB.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarA70E.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

    Filesize

    116KB

    MD5

    2720fae283490aca86acb0570c7fae1c

    SHA1

    aacd8afb4b0e0430d81ab253596efd05e2f23b26

    SHA256

    6a67ddd282f16e4136679ad0ba2bafdd314338e831fffa6f91a264dced86de9c

    SHA512

    50f5828754ddc5a64fad949efd99af9729b551bc09cde7f6c0a0e851b68ad3bdd12d63c1b073031b384280037609c940ea54d354519cdb47086eab706343a3a7

  • memory/2296-346-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2296-349-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2296-348-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2336-180-0x0000000074D50000-0x00000000752FB000-memory.dmp

    Filesize

    5.7MB

  • memory/2336-170-0x0000000074D50000-0x00000000752FB000-memory.dmp

    Filesize

    5.7MB

  • memory/2336-0-0x0000000074D51000-0x0000000074D52000-memory.dmp

    Filesize

    4KB

  • memory/2336-1-0x0000000074D50000-0x00000000752FB000-memory.dmp

    Filesize

    5.7MB