Analysis

max time kernel: 121s
max time network: 45s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 23-08-2024 18:16

Static task: static1

Behavioral task: behavioral1
Sample: d8a83c4911a1a3ad2912ae7d5d192350N.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: d8a83c4911a1a3ad2912ae7d5d192350N.exe
Resource: win10v2004-20240802-en
General

Target: d8a83c4911a1a3ad2912ae7d5d192350N.exe
Size: 115KB
MD5: d8a83c4911a1a3ad2912ae7d5d192350
SHA1: 748e7d8b45a5f0997b75a1c523602e884773700c
SHA256: b46d00f45d89113b5ef42c11f5b788a9f0d5f3067cf91db08a264c7729c2413f
SHA512: 62826f0188b82e6a11f210ad977854fc7f8a823e7a0139aaa4bb630cca938fcbb3d2028e4e3caa7cbe034fdb1a9930cf512c277557e3dca388a55948a53c0d26
SSDEEP: 1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMdeQzb:P5eznsjsguGDFqGZ2rxb
Malware Config

Extracted
Family: njrat
Version: 0.7d
Botnet: neuf
C2: doddyfire.linkpc.net:10000
Mutex: e1a87040f2026369a233f9ae76301b7b
Attributes:
  reg_key: e1a87040f2026369a233f9ae76301b7b
  splitter: |'|'|
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes:
- pid 2728: netsh.exe

Executes dropped EXE (2 IoCs)
Processes:
- pid 2688: chargeable.exe
- pid 2296: chargeable.exe

Loads dropped DLL (2 IoCs)
Processes:
- pid 2336: d8a83c4911a1a3ad2912ae7d5d192350N.exe
- pid 2336: d8a83c4911a1a3ad2912ae7d5d192350N.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" (process: d8a83c4911a1a3ad2912ae7d5d192350N.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d8a83c4911a1a3ad2912ae7d5d192350N.exe" (process: d8a83c4911a1a3ad2912ae7d5d192350N.exe)

Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 2688 set thread context of 2296 (process: chargeable.exe, target process: chargeable.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh (process: netsh.exe)
- Key queried: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh (process: netsh.exe)
- Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh (process: netsh.exe)
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: d8a83c4911a1a3ad2912ae7d5d192350N.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: chargeable.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: chargeable.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: netsh.exe)
Suspicious use of AdjustPrivilegeToken (25 IoCs)
Processes (all by pid 2296, chargeable.exe):
- Token: SeDebugPrivilege (1 occurrence)
- Token: 33 (12 occurrences; privilege LUID 33 is SeIncreaseWorkingSetPrivilege)
- Token: SeIncBasePriorityPrivilege (12 occurrences)
The last two entries alternate in the original event sequence: each "Token: 33" is followed by a "Token: SeIncBasePriorityPrivilege".

Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
- PID 2336 (d8a83c4911a1a3ad2912ae7d5d192350N.exe) wrote to memory of 2688 (chargeable.exe): 4 occurrences
- PID 2688 (chargeable.exe) wrote to memory of 2296 (chargeable.exe): 9 occurrences
- PID 2296 (chargeable.exe) wrote to memory of 2728 (netsh.exe): 4 occurrences
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\d8a83c4911a1a3ad2912ae7d5d192350N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d8a83c4911a1a3ad2912ae7d5d192350N.exe"
  PID: 2336
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    Command line: "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
    PID: 2688
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      Command line: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      PID: 2296
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
        PID: 2728
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)

Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (1)
Downloads