Analysis
max time kernel: 147s
max time network: 150s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 27-08-2024 01:42
Static task: static1
Behavioral task: behavioral1
  Sample: 9e0b5ae604b274c00f2231c776ab7865076448048387ff3c13a62bbba0db012a.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 9e0b5ae604b274c00f2231c776ab7865076448048387ff3c13a62bbba0db012a.exe
  Resource: win10v2004-20240802-en
General
Target: 9e0b5ae604b274c00f2231c776ab7865076448048387ff3c13a62bbba0db012a.exe
Size: 118KB
MD5: 68c2b8a2c0252b10215845ab69c94df6
SHA1: 47b33d0e70ec5d16ba1d0ac1b3c662da13654e4d
SHA256: 9e0b5ae604b274c00f2231c776ab7865076448048387ff3c13a62bbba0db012a
SHA512: 590033719461003eef38927686604e03638f0a3998ba2ab54ea83003d1244dbec0b02b923aeab9c05ce7969063aa6778c2b6d96f2527869e8235c9840babaec9
SSDEEP: 1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDL2rKIf:P5eznsjsguGDFqGZ2rDL2OIf
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: neuf
C2: doddyfire.linkpc.net:10000
Mutex: e1a87040f2026369a233f9ae76301b7b
reg_key: e1a87040f2026369a233f9ae76301b7b
splitter: |'|'|
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes:
  pid   process
  2664  netsh.exe

Executes dropped EXE (4 IoCs)
Processes:
  pid   process
  1336  chargeable.exe
  1796  chargeable.exe
  2648  chargeable.exe
  2784  chargeable.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  2640  9e0b5ae604b274c00f2231c776ab7865076448048387ff3c13a62bbba0db012a.exe
  2640  9e0b5ae604b274c00f2231c776ab7865076448048387ff3c13a62bbba0db012a.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" | 9e0b5ae604b274c00f2231c776ab7865076448048387ff3c13a62bbba0db012a.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9e0b5ae604b274c00f2231c776ab7865076448048387ff3c13a62bbba0db012a.exe" | 9e0b5ae604b274c00f2231c776ab7865076448048387ff3c13a62bbba0db012a.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes:
  description | pid | process | target process
  PID 1336 set thread context of 1796 | 1336 | chargeable.exe | chargeable.exe
  PID 1336 set thread context of 2648 | 1336 | chargeable.exe | chargeable.exe
  PID 1336 set thread context of 2784 | 1336 | chargeable.exe | chargeable.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
  Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9e0b5ae604b274c00f2231c776ab7865076448048387ff3c13a62bbba0db012a.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chargeable.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chargeable.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Suspicious use of AdjustPrivilegeToken (33 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1796 | chargeable.exe
  Token: 33 | 1796 | chargeable.exe
  Token: SeIncBasePriorityPrivilege | 1796 | chargeable.exe
  Token: 33 | 1796 | chargeable.exe
  Token: SeIncBasePriorityPrivilege | 1796 | chargeable.exe
  Token: 33 | 1796 | chargeable.exe
  Token: SeIncBasePriorityPrivilege | 1796 | chargeable.exe
  Token: 33 | 1796 | chargeable.exe
  Token: SeIncBasePriorityPrivilege | 1796 | chargeable.exe
  Token: 33 | 1796 | chargeable.exe
  Token: SeIncBasePriorityPrivilege | 1796 | chargeable.exe
  Token: 33 | 1796 | chargeable.exe
  Token: SeIncBasePriorityPrivilege | 1796 | chargeable.exe
  Token: 33 | 1796 | chargeable.exe
  Token: SeIncBasePriorityPrivilege | 1796 | chargeable.exe
  Token: 33 | 1796 | chargeable.exe
  Token: SeIncBasePriorityPrivilege | 1796 | chargeable.exe
  Token: 33 | 1796 | chargeable.exe
  Token: SeIncBasePriorityPrivilege | 1796 | chargeable.exe
  Token: 33 | 1796 | chargeable.exe
  Token: SeIncBasePriorityPrivilege | 1796 | chargeable.exe
  Token: 33 | 1796 | chargeable.exe
  Token: SeIncBasePriorityPrivilege | 1796 | chargeable.exe
  Token: 33 | 1796 | chargeable.exe
  Token: SeIncBasePriorityPrivilege | 1796 | chargeable.exe
  Token: 33 | 1796 | chargeable.exe
  Token: SeIncBasePriorityPrivilege | 1796 | chargeable.exe
  Token: 33 | 1796 | chargeable.exe
  Token: SeIncBasePriorityPrivilege | 1796 | chargeable.exe
  Token: 33 | 1796 | chargeable.exe
  Token: SeIncBasePriorityPrivilege | 1796 | chargeable.exe
  Token: 33 | 1796 | chargeable.exe
  Token: SeIncBasePriorityPrivilege | 1796 | chargeable.exe

Suspicious use of WriteProcessMemory (35 IoCs)
Processes:
  description | pid | process | target process
  PID 2640 wrote to memory of 1336 | 2640 | 9e0b5ae604b274c00f2231c776ab7865076448048387ff3c13a62bbba0db012a.exe | chargeable.exe
  PID 2640 wrote to memory of 1336 | 2640 | 9e0b5ae604b274c00f2231c776ab7865076448048387ff3c13a62bbba0db012a.exe | chargeable.exe
  PID 2640 wrote to memory of 1336 | 2640 | 9e0b5ae604b274c00f2231c776ab7865076448048387ff3c13a62bbba0db012a.exe | chargeable.exe
  PID 2640 wrote to memory of 1336 | 2640 | 9e0b5ae604b274c00f2231c776ab7865076448048387ff3c13a62bbba0db012a.exe | chargeable.exe
  PID 1336 wrote to memory of 2784 | 1336 | chargeable.exe | chargeable.exe
  PID 1336 wrote to memory of 2784 | 1336 | chargeable.exe | chargeable.exe
  PID 1336 wrote to memory of 2784 | 1336 | chargeable.exe | chargeable.exe
  PID 1336 wrote to memory of 2784 | 1336 | chargeable.exe | chargeable.exe
  PID 1336 wrote to memory of 2648 | 1336 | chargeable.exe | chargeable.exe
  PID 1336 wrote to memory of 2648 | 1336 | chargeable.exe | chargeable.exe
  PID 1336 wrote to memory of 2648 | 1336 | chargeable.exe | chargeable.exe
  PID 1336 wrote to memory of 2648 | 1336 | chargeable.exe | chargeable.exe
  PID 1336 wrote to memory of 1796 | 1336 | chargeable.exe | chargeable.exe
  PID 1336 wrote to memory of 1796 | 1336 | chargeable.exe | chargeable.exe
  PID 1336 wrote to memory of 1796 | 1336 | chargeable.exe | chargeable.exe
  PID 1336 wrote to memory of 1796 | 1336 | chargeable.exe | chargeable.exe
  PID 1336 wrote to memory of 1796 | 1336 | chargeable.exe | chargeable.exe
  PID 1336 wrote to memory of 1796 | 1336 | chargeable.exe | chargeable.exe
  PID 1336 wrote to memory of 1796 | 1336 | chargeable.exe | chargeable.exe
  PID 1336 wrote to memory of 1796 | 1336 | chargeable.exe | chargeable.exe
  PID 1336 wrote to memory of 1796 | 1336 | chargeable.exe | chargeable.exe
  PID 1336 wrote to memory of 2648 | 1336 | chargeable.exe | chargeable.exe
  PID 1336 wrote to memory of 2648 | 1336 | chargeable.exe | chargeable.exe
  PID 1336 wrote to memory of 2648 | 1336 | chargeable.exe | chargeable.exe
  PID 1336 wrote to memory of 2648 | 1336 | chargeable.exe | chargeable.exe
  PID 1336 wrote to memory of 2648 | 1336 | chargeable.exe | chargeable.exe
  PID 1336 wrote to memory of 2784 | 1336 | chargeable.exe | chargeable.exe
  PID 1336 wrote to memory of 2784 | 1336 | chargeable.exe | chargeable.exe
  PID 1336 wrote to memory of 2784 | 1336 | chargeable.exe | chargeable.exe
  PID 1336 wrote to memory of 2784 | 1336 | chargeable.exe | chargeable.exe
  PID 1336 wrote to memory of 2784 | 1336 | chargeable.exe | chargeable.exe
  PID 1796 wrote to memory of 2664 | 1796 | chargeable.exe | netsh.exe
  PID 1796 wrote to memory of 2664 | 1796 | chargeable.exe | netsh.exe
  PID 1796 wrote to memory of 2664 | 1796 | chargeable.exe | netsh.exe
  PID 1796 wrote to memory of 2664 | 1796 | chargeable.exe | netsh.exe
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\9e0b5ae604b274c00f2231c776ab7865076448048387ff3c13a62bbba0db012a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9e0b5ae604b274c00f2231c776ab7865076448048387ff3c13a62bbba0db012a.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2640
  [depth 2] C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    Command line: "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1336
    [depth 3] C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      Command line: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      - Executes dropped EXE
      PID: 2784
    [depth 3] C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      Command line: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      - Executes dropped EXE
      PID: 2648
    [depth 3] C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      Command line: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1796
      [depth 4] C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery
        PID: 2664
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Defense Evasion
  Impair Defenses (1)
    Disable or Modify System Firewall (1)
  Modify Registry (1)
Downloads