Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    27-08-2024 01:42

General

  • Target

    9e0b5ae604b274c00f2231c776ab7865076448048387ff3c13a62bbba0db012a.exe

  • Size

    118KB

  • MD5

    68c2b8a2c0252b10215845ab69c94df6

  • SHA1

    47b33d0e70ec5d16ba1d0ac1b3c662da13654e4d

  • SHA256

    9e0b5ae604b274c00f2231c776ab7865076448048387ff3c13a62bbba0db012a

  • SHA512

    590033719461003eef38927686604e03638f0a3998ba2ab54ea83003d1244dbec0b02b923aeab9c05ce7969063aa6778c2b6d96f2527869e8235c9840babaec9

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDL2rKIf:P5eznsjsguGDFqGZ2rDL2OIf

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9e0b5ae604b274c00f2231c776ab7865076448048387ff3c13a62bbba0db012a.exe
    "C:\Users\Admin\AppData\Local\Temp\9e0b5ae604b274c00f2231c776ab7865076448048387ff3c13a62bbba0db012a.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2640
    • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1336
      • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        3⤵
        • Executes dropped EXE
        PID:2784
      • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        3⤵
        • Executes dropped EXE
        PID:2648
      • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1796
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2664

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

    Filesize

    1KB

    MD5

    e7122c733f9e37bba0ca4c985ce11d6d

    SHA1

    d661aa5b31ff7ef2df9bc4095279058c36499af2

    SHA256

    acc9932453f5aa68f4b95986668f5584f99e55bbe02eefc0d0960dab376df81a

    SHA512

    84cddf68a46f455b4ebbb8c0c70607fe60796cfc5eabdace12d0684a1323af9681700acbdbdc37e63d7806d0220fce9cba5213bb35cee056f9d71646f98711b9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

    Filesize

    264B

    MD5

    bf528852b5586405f2eff5016078e01a

    SHA1

    b58edbc3eb4082dd2f211e4a153980a78c3067b1

    SHA256

    bca51beaf2d2218c4cdd3e263fb90e1a1d237cbcf1cd13e009652979683879cc

    SHA512

    589e4cac675b4699f2cb9ae27e961636abbc41f332b4e9146ffd0745a388e2a58055660885f3366374a2dd212ebf175e28aa8f9a7accbae5b6eb80a405c9b146

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    51325046c45c71efff969536d96b412d

    SHA1

    57187553ec2be4424dffc5b61e13e79fd95a5ee7

    SHA256

    5611373acedd50858c76293b947324b7e3bd1bf85e4bd34ff9be3aee45e62fd5

    SHA512

    f9e0bd1394be9e946dc147b13d0c96a8896f6bb66f16f083ed3daf8c9dbc03934a5326697f9e8bff94652717bdb882505b5867141ae0f51e0b9f93a657237cce

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    6151f144c487c8e09f8dc5db78862338

    SHA1

    f362f4093f71d2437b4631593c1b91172589d9e6

    SHA256

    deb50d6ba8c66acd1fe3f77de9cc5a58c6b09ce50940cdd19c6a20526acc66fb

    SHA512

    76086bd18e126d47cff5ca2ec4d8f94fa5b4516371a2d4ba3d2c1be573a7a5cdf94ea850e4aaedc7f8e0208f10d4ec374ea0cf9d50c523d5f3d5e335bcdb4b8f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    d611353e8e8bf701f335845ee848abb8

    SHA1

    57c22a7e2f123f48b6518c1f8d28297e475cf1f6

    SHA256

    aa719bb06d5ae3dd76072a8dea1dcb869ebbd54f1261d672b498906f7aea087f

    SHA512

    e336dd559fbd4a46b559b557a000cf160f575c75b8fcbda78f21a7a7c1b4e72b3644b9c99fc4058142c8a662bfc0227d66107438a989807e842426e378f091e6

  • C:\Users\Admin\AppData\Local\Temp\CabE13D.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarE14F.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • \Users\Admin\AppData\Roaming\confuse\chargeable.exe

    Filesize

    118KB

    MD5

    37df31c280373c7922204b3ee721ae46

    SHA1

    279695193e19f773b27f79be135cb963136a38d0

    SHA256

    6c6cd0b00746e49406208dd47968f4390b48037dbb7225758dc3aac93432ba2a

    SHA512

    d44a19f9dda0a8b476ca7b47e77eeee1c437146b87b27c011377413eabd42d30990727ade5ab42ba16ffd1610dc64e8aa81193a5203bf962e5fbcd90862d9025

  • memory/1796-342-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/1796-349-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/1796-348-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2640-176-0x0000000074D00000-0x00000000752AB000-memory.dmp

    Filesize

    5.7MB

  • memory/2640-166-0x0000000074D00000-0x00000000752AB000-memory.dmp

    Filesize

    5.7MB

  • memory/2640-0-0x0000000074D01000-0x0000000074D02000-memory.dmp

    Filesize

    4KB

  • memory/2640-1-0x0000000074D00000-0x00000000752AB000-memory.dmp

    Filesize

    5.7MB