Malware Analysis Report

2024-10-23 20:45

Sample ID 240825-zhcg2svhmk
Target 34cf30a3e81a9749ccdc0a7034ef529b45dc583d10eaa38cfdf0c7608ea78f7f
SHA256 34cf30a3e81a9749ccdc0a7034ef529b45dc583d10eaa38cfdf0c7608ea78f7f
Tags
njrat neuf discovery evasion persistence privilege_escalation trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

34cf30a3e81a9749ccdc0a7034ef529b45dc583d10eaa38cfdf0c7608ea78f7f

Threat Level: Known bad

The file 34cf30a3e81a9749ccdc0a7034ef529b45dc583d10eaa38cfdf0c7608ea78f7f was found to be: Known bad.

Malicious Activity Summary

njrat neuf discovery evasion persistence privilege_escalation trojan

njRAT/Bladabindi

Modifies Windows Firewall

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-25 20:42

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-25 20:42

Reported

2024-08-25 20:45

Platform

win7-20240708-en

Max time kernel

148s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\34cf30a3e81a9749ccdc0a7034ef529b45dc583d10eaa38cfdf0c7608ea78f7f.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" C:\Users\Admin\AppData\Local\Temp\34cf30a3e81a9749ccdc0a7034ef529b45dc583d10eaa38cfdf0c7608ea78f7f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\34cf30a3e81a9749ccdc0a7034ef529b45dc583d10eaa38cfdf0c7608ea78f7f.exe" C:\Users\Admin\AppData\Local\Temp\34cf30a3e81a9749ccdc0a7034ef529b45dc583d10eaa38cfdf0c7608ea78f7f.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2896 set thread context of 2828 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2896 set thread context of 2848 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\34cf30a3e81a9749ccdc0a7034ef529b45dc583d10eaa38cfdf0c7608ea78f7f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2412 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\34cf30a3e81a9749ccdc0a7034ef529b45dc583d10eaa38cfdf0c7608ea78f7f.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2412 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\34cf30a3e81a9749ccdc0a7034ef529b45dc583d10eaa38cfdf0c7608ea78f7f.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2412 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\34cf30a3e81a9749ccdc0a7034ef529b45dc583d10eaa38cfdf0c7608ea78f7f.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2412 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\34cf30a3e81a9749ccdc0a7034ef529b45dc583d10eaa38cfdf0c7608ea78f7f.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2896 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2896 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2896 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2896 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2896 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2896 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2896 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2896 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2896 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2896 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2896 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2896 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2896 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2896 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2896 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2896 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2896 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2896 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2828 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 2828 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 2828 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 2828 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\34cf30a3e81a9749ccdc0a7034ef529b45dc583d10eaa38cfdf0c7608ea78f7f.exe

"C:\Users\Admin\AppData\Local\Temp\34cf30a3e81a9749ccdc0a7034ef529b45dc583d10eaa38cfdf0c7608ea78f7f.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 crl.microsoft.com udp
GB 92.123.143.234:80 crl.microsoft.com tcp
US 8.8.8.8:53 doddyfire.linkpc.net udp

Files

memory/2412-0-0x0000000074611000-0x0000000074612000-memory.dmp

memory/2412-1-0x0000000074610000-0x0000000074BBB000-memory.dmp

memory/2412-2-0x0000000074610000-0x0000000074BBB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabD6D1.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarD703.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e4f8b16ed5de665939084f921ac6613d
SHA1 5a2245ee9d6278eeb347617bd5093f3d5a6562a3
SHA256 5f6a2a7aec6cba3dd6dfefbabfdc30b3d1169cfd8bbc697dc7ed47950c323c86
SHA512 cea34b25d8c2d67165a0981048e3644ea98a468b85ad2d722ffc3ef0061dfdbdf3fd9101f77748e0c0ad2e862f267e496fca16e62d2840bc5bd1c284ce11e277

\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5 ddd486076d04c0e8499067db105587bc
SHA1 4146eafa1a1c29306b204a0274b01cf14e9b60a6
SHA256 5425de0e1ae233b3eab150aacb89615d97100269689638c3ffdba003151e34f5
SHA512 96cc1166dbd733b5eef8fb4fdb2e80e153f6b416494340d8587f77bb573d3629eef2f0180941c0a651e454a2857ed44dc3eef6e0076a06e61acd0a8227fa6b3d

memory/2412-184-0x0000000074610000-0x0000000074BBB000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ba4fea07d0bcc8924ca2b7e22ce7156e
SHA1 c54c333bdbeddfccd38921cd5c08df91692b07d2
SHA256 4bcc60442264fa4e5386537c224a29ab4b41f7eadf3c57c9afd316847ee2a99d
SHA512 d5f4072f0b49a00aade31f72cb6cd3fa491c41f6356cf7b2e787bcc7b552a8c80fbdc44328e53d06252eb322ba4edf60eae725fd485518136b0a57c95ad13184

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

MD5 e7122c733f9e37bba0ca4c985ce11d6d
SHA1 d661aa5b31ff7ef2df9bc4095279058c36499af2
SHA256 acc9932453f5aa68f4b95986668f5584f99e55bbe02eefc0d0960dab376df81a
SHA512 84cddf68a46f455b4ebbb8c0c70607fe60796cfc5eabdace12d0684a1323af9681700acbdbdc37e63d7806d0220fce9cba5213bb35cee056f9d71646f98711b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

MD5 8f00d41659d58361ce7946de0e87167c
SHA1 e00ad730280b6dea4b3686ecaf7fcabf5abb2bc8
SHA256 5a12eb8c3194a63d04c0ba6566c1cfb1b558033f54234274075d2c3dd8cac2c9
SHA512 00f8a79e76da5ae7ecf569fe1b413561f62c785c3822f0c58206474df06091a8c76b2f869f23410e437a0acbae9cf82f5492e4214d03d3943365c7f91c7bde6a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4529ec48fcd3e121855e098be91b9148
SHA1 f8f395502cfc543ecd3940a22970877e1872d356
SHA256 1887e99a881f1c66900b21a46ba880de7c0ec3c062f0e6bff7bb59c5f207a7a0
SHA512 ffd247ab6751c25d22f0796a9ba44ec83f76d6793073fc88ae9b63147b0a8586c6cf5d80aba1203848d13925e19795b442afd6e7f746b0d8e5f41ffda9d1909b

memory/2828-342-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2828-347-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2828-346-0x0000000000400000-0x000000000040C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-25 20:42

Reported

2024-08-25 20:45

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\34cf30a3e81a9749ccdc0a7034ef529b45dc583d10eaa38cfdf0c7608ea78f7f.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\34cf30a3e81a9749ccdc0a7034ef529b45dc583d10eaa38cfdf0c7608ea78f7f.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" C:\Users\Admin\AppData\Local\Temp\34cf30a3e81a9749ccdc0a7034ef529b45dc583d10eaa38cfdf0c7608ea78f7f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\34cf30a3e81a9749ccdc0a7034ef529b45dc583d10eaa38cfdf0c7608ea78f7f.exe" C:\Users\Admin\AppData\Local\Temp\34cf30a3e81a9749ccdc0a7034ef529b45dc583d10eaa38cfdf0c7608ea78f7f.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4468 set thread context of 1092 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\34cf30a3e81a9749ccdc0a7034ef529b45dc583d10eaa38cfdf0c7608ea78f7f.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1748 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\34cf30a3e81a9749ccdc0a7034ef529b45dc583d10eaa38cfdf0c7608ea78f7f.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1748 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\34cf30a3e81a9749ccdc0a7034ef529b45dc583d10eaa38cfdf0c7608ea78f7f.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1748 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\34cf30a3e81a9749ccdc0a7034ef529b45dc583d10eaa38cfdf0c7608ea78f7f.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4468 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4468 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4468 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4468 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4468 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4468 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4468 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4468 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1092 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 1092 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 1092 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\34cf30a3e81a9749ccdc0a7034ef529b45dc583d10eaa38cfdf0c7608ea78f7f.exe

"C:\Users\Admin\AppData\Local\Temp\34cf30a3e81a9749ccdc0a7034ef529b45dc583d10eaa38cfdf0c7608ea78f7f.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 doddyfire.linkpc.net udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 doddyfire.linkpc.net udp

Files

memory/1748-0-0x00000000746F2000-0x00000000746F3000-memory.dmp

memory/1748-1-0x00000000746F0000-0x0000000074CA1000-memory.dmp

memory/1748-2-0x00000000746F0000-0x0000000074CA1000-memory.dmp

memory/1748-6-0x00000000746F2000-0x00000000746F3000-memory.dmp

memory/1748-7-0x00000000746F0000-0x0000000074CA1000-memory.dmp

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5 f057f7e410e6950ca646c4bcc67212c6
SHA1 a962d6f44f15154ae23623318d6527ff42a35a27
SHA256 401c92fd8e271e4af222e310e056fa009a9e278c84c9c271cc8ca8ffc0c1a81d
SHA512 936c43ccbea517d8c3cf4761dcf8e472b817de909aa0b8d23108422765203674220e0705a6cd0a84eaeda47e8a96ba310e1573bbab602e8e8bcd5732d89a8baa

memory/1748-19-0x00000000746F0000-0x0000000074CA1000-memory.dmp

memory/4468-20-0x00000000746F0000-0x0000000074CA1000-memory.dmp

memory/4468-21-0x00000000746F0000-0x0000000074CA1000-memory.dmp

memory/4468-22-0x00000000746F0000-0x0000000074CA1000-memory.dmp

memory/1092-23-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log

MD5 0a9b4592cd49c3c21f6767c2dabda92f
SHA1 f534297527ae5ccc0ecb2221ddeb8e58daeb8b74
SHA256 c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd
SHA512 6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307

memory/1092-27-0x00000000746F0000-0x0000000074CA1000-memory.dmp

memory/4468-28-0x00000000746F0000-0x0000000074CA1000-memory.dmp

memory/1092-29-0x00000000746F0000-0x0000000074CA1000-memory.dmp

memory/1092-30-0x00000000746F0000-0x0000000074CA1000-memory.dmp