Analysis
max time kernel: 114s
max time network: 118s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 02-09-2024 04:12
Static task: static1
Behavioral task: behavioral1
  Sample: 4fb70c06fdefcc1595dc603fea1da470N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 4fb70c06fdefcc1595dc603fea1da470N.exe
  Resource: win10v2004-20240802-en
General
Target: 4fb70c06fdefcc1595dc603fea1da470N.exe
Size: 116KB
MD5: 4fb70c06fdefcc1595dc603fea1da470
SHA1: 868e36d53792bf49b3ce8c7e4ec6aa146ab64001
SHA256: 1fd77b4983a23ba908746e571a7343687356382104476872892fad0bb21bf1c6
SHA512: f9d895b727cac4e57e8754782ebad9756f21f111b4b75e3806da4da3c13177e70c306e8491080b238535e04592826a48be24e0ced158497abd58c913f32bedf4
SSDEEP: 1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLZbL:P5eznsjsguGDFqGZ2rDLt
Malware Config
Extracted
Family: njrat
Version: 0.7d
Campaign: neuf
C2: doddyfire.linkpc.net:10000
e1a87040f2026369a233f9ae76301b7b (the same value is used as reg_key below)
reg_key: e1a87040f2026369a233f9ae76301b7b
splitter: |'|'|
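The splitter above is what the client uses to separate fields inside every message to doddyfire.linkpc.net:10000, and it is the easiest thing to key a network detection on. The following is an added example, not part of this report and not njRAT's own code, that frames and parses traffic the way the stock 0.7d client does: each message is the ASCII decimal length of the payload, a NUL byte, then the payload; the payload is fields joined with the splitter, the first field being the command keyword; the registration message ("ll") carries base64(campaign_hardwareid) as its first data field. Assumptions: the sample uses the stock client framing and field order (forks change both), and the registration message below is constructed, with a made-up hostname, hardware id and OS string.

```python
import base64

SPLITTER = "|'|'|"      # from the extracted config above
CAMPAIGN = "neuf"       # from the extracted config above


def frame(payload: bytes) -> bytes:
    """njRAT 0.7d transport framing: ASCII decimal length, NUL, payload.
    Assumption: stock-client framing; the length counts UTF-8 bytes, not characters."""
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def unframe(stream: bytes):
    """Split a captured TCP stream into complete payloads.
    Returns (payloads, leftover); leftover is empty or an incomplete trailing frame."""
    payloads = []
    while True:
        nul = stream.find(b"\x00")
        if nul <= 0 or not stream[:nul].isdigit():
            break                               # not njRAT framing, or nothing left
        length = int(stream[:nul])
        end = nul + 1 + length
        if len(stream) < end:
            break                               # wait for more data
        payloads.append(stream[nul + 1:end])
        stream = stream[end:]
    return payloads, stream


def parse_message(payload: bytes):
    """Split a payload on the configured splitter; the first field is the command keyword."""
    fields = payload.decode("utf-8", errors="replace").split(SPLITTER)
    return fields[0], fields[1:]


def decode_victim_id(field: str):
    """First data field of the registration message: base64('<campaign>_<hardware id>')."""
    campaign, _, hwid = base64.b64decode(field).decode("utf-8", errors="replace").partition("_")
    return campaign, hwid


def looks_like_njrat(stream: bytes) -> bool:
    """Cheap triage check for a stream: well-formed frames whose payloads carry the splitter.
    Assumption: the build keeps the stock one-byte 'P' keep-alive, which has no splitter."""
    payloads, _ = unframe(stream)
    return bool(payloads) and all(
        SPLITTER in p.decode("utf-8", "replace") or p == b"P" for p in payloads
    )


# Constructed registration payload in the stock 0.7d field layout (assumption: field order;
# hostname, user, date, OS string and hardware id are made up for this example).
SAMPLE_REGISTRATION = SPLITTER.join([
    "ll",
    base64.b64encode(f"{CAMPAIGN}_HWID-EXAMPLE".encode()).decode(),
    "WIN7-PC", "Admin", "24-08-30", "", "Win 7 SP1", "No", "0.7d", "..",
    "Untitled - Notepad", "False",
]).encode()


if __name__ == "__main__":
    capture = frame(SAMPLE_REGISTRATION) + frame(b"P") + b"12\x00partial"
    for payload in unframe(capture)[0]:
        cmd, fields = parse_message(payload)
        print(cmd, decode_victim_id(fields[0]) if cmd == "ll" else fields)
```

The framing check is deliberately strict (digits, then NUL, then exactly that many bytes) so that it does not fire on ordinary text protocols; the splitter check is what ties a stream to this configuration rather than to any length-prefixed protocol.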
Signatures
Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes:
  netsh.exe (PID 2116)
Executes dropped EXE (2 IoCs)
Processes:
  chargeable.exe (PID 332)
  chargeable.exe (PID 2728)
Loads dropped DLL (2 IoCs)
Processes:
  4fb70c06fdefcc1595dc603fea1da470N.exe (PID 2308), two loads recorded
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 4fb70c06fdefcc1595dc603fea1da470N.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"
  Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4fb70c06fdefcc1595dc603fea1da470N.exe"
Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 332 (chargeable.exe) set thread context of PID 2728 (chargeable.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes: netsh.exe
  Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh
  Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh
  Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh
  Note: all three IoCs are reads of the helper-DLL key by netsh.exe itself, which it performs on every start to load its helpers; no write to that key is recorded. This run shows netsh being invoked (see Modifies Windows Firewall), not a helper DLL being registered.
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 4fb70c06fdefcc1595dc603fea1da470N.exe, chargeable.exe, chargeable.exe, netsh.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, once by each of the four processes above
Suspicious use of AdjustPrivilegeToken (25 IoCs)
Processes: chargeable.exe (PID 2728)
  Token: SeDebugPrivilege
  Token: 33 and Token: SeIncBasePriorityPrivilege, alternating, 12 times each
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: 4fb70c06fdefcc1595dc603fea1da470N.exe, chargeable.exe, chargeable.exe
  PID 2308 (4fb70c06fdefcc1595dc603fea1da470N.exe) wrote to memory of PID 332 (chargeable.exe): 4 times
  PID 332 (chargeable.exe) wrote to memory of PID 2728 (chargeable.exe): 9 times
  PID 2728 (chargeable.exe) wrote to memory of PID 2116 (netsh.exe): 4 times
Processes
C:\Users\Admin\AppData\Local\Temp\4fb70c06fdefcc1595dc603fea1da470N.exe (PID 2308)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4fb70c06fdefcc1595dc603fea1da470N.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (PID 332)
    Command line: "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (PID 2728)
      Command line: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\netsh.exe (PID 2116)
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery
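The process tree above is the whole njRAT install routine in four steps: the dropper writes chargeable.exe and two Run values, the dropped copy starts a second instance of itself and uses SetThreadContext on it, and the hollowed instance adds a firewall exception for its own path with the legacy netsh syntax. The following is an added detection example, not part of this report and not a Triage export format, that runs three checks over a constructed event stream (PIDs, image paths, registry values and the netsh command line are copied from this report; the event shape, the explorer parent and the advfirewall rule form are my own additions): Run values pointing into a user-writable directory, netsh firewall exceptions for a program in such a directory, and a parent setting the thread context of a child that runs the same image.

```python
import re

# Values copied from the report above.
RUN = r"\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\4fb70c06fdefcc1595dc603fea1da470N.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
NETSH = r"C:\Windows\SysWOW64\netsh.exe"

# Constructed event stream modelled on the Signatures and Processes sections (the shape is my own).
EVENTS = [
    {"type": "process", "pid": 2308, "ppid": None, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"type": "regset", "pid": 2308, "key": RUN, "name": "confuse", "data": PAYLOAD},
    {"type": "regset", "pid": 2308, "key": RUN, "name": "SysMain", "data": DROPPER},
    {"type": "process", "pid": 332, "ppid": 2308, "image": PAYLOAD, "cmdline": f'"{PAYLOAD}"'},
    {"type": "process", "pid": 2728, "ppid": 332, "image": PAYLOAD, "cmdline": PAYLOAD},
    {"type": "setthreadcontext", "pid": 332, "target": 2728},
    {"type": "process", "pid": 2116, "ppid": 2728, "image": NETSH,
     "cmdline": f'netsh firewall add allowedprogram "{PAYLOAD}" "chargeable.exe" ENABLE'},
]

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$", re.I)
# Directories an unprivileged user can write to; persistence or firewall exceptions here are the signal.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Users\\Public\\|\\ProgramData\\", re.I)
# Legacy 'netsh firewall' syntax (as in this report) plus the newer 'netsh advfirewall' rule form.
NETSH_ALLOW = re.compile(r'netsh\s+firewall\s+add\s+allowedprogram\s+(?:"([^"]+)"|(\S+))', re.I)
NETSH_RULE = re.compile(r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=(?:"([^"]+)"|(\S+))', re.I)


def flag_run_keys(events):
    """Run/RunOnce values whose target lives in a user-writable directory."""
    return [(e["name"], e["data"]) for e in events
            if e["type"] == "regset" and RUN_KEY.search(e["key"]) and USER_WRITABLE.search(e["data"])]


def flag_firewall_exceptions(events):
    """netsh command lines that allow a program from a user-writable directory through the firewall."""
    hits = []
    for e in events:
        if e["type"] != "process":
            continue
        m = NETSH_ALLOW.search(e["cmdline"]) or NETSH_RULE.search(e["cmdline"])
        if m:
            path = m.group(1) or m.group(2)
            if USER_WRITABLE.search(path):
                hits.append((e["pid"], path))
    return hits


def flag_self_injection(events):
    """Parent sets the thread context of a child it spawned from its own image (hollowing pattern)."""
    image = {e["pid"]: e["image"].lower() for e in events if e["type"] == "process"}
    parent = {e["pid"]: e["ppid"] for e in events if e["type"] == "process"}
    return [(e["pid"], e["target"], image[e["target"]]) for e in events
            if e["type"] == "setthreadcontext"
            and parent.get(e["target"]) == e["pid"]
            and image.get(e["pid"]) == image.get(e["target"])]


def process_chain(events, pid):
    """Ancestry of a PID, root first, as image paths."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def triage(events):
    """Collect the three signals; the njRAT install routine produces all of them in one run."""
    findings = {
        "run_keys": flag_run_keys(events),
        "firewall_exceptions": flag_firewall_exceptions(events),
        "self_injection": flag_self_injection(events),
    }
    findings["suspicious"] = sum(bool(v) for v in findings.values()) >= 2
    return findings


if __name__ == "__main__":
    for name, value in triage(EVENTS).items():
        print(name, value)
    print("chain to netsh:", process_chain(EVENTS, 2116))
```

Each check alone is noisy (installers write Run values under AppData, and some legitimate software adds its own firewall exception); requiring two of the three in one process tree is what makes the verdict useful, and the chain reconstruction gives the responder the path from dropper to firewall change in one line.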
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Create or Modify System Process: Windows Service (1)
- Event Triggered Execution: Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Create or Modify System Process: Windows Service (1)
- Event Triggered Execution: Netsh Helper DLL (1)
Defense Evasion
- Impair Defenses: Disable or Modify System Firewall (1)
- Modify Registry (1)
Downloads
- Filesize: 1KB
  MD5: e7122c733f9e37bba0ca4c985ce11d6d
  SHA1: d661aa5b31ff7ef2df9bc4095279058c36499af2
  SHA256: acc9932453f5aa68f4b95986668f5584f99e55bbe02eefc0d0960dab376df81a
  SHA512: 84cddf68a46f455b4ebbb8c0c70607fe60796cfc5eabdace12d0684a1323af9681700acbdbdc37e63d7806d0220fce9cba5213bb35cee056f9d71646f98711b9
- Filesize: 1KB
  MD5: 732cfeb76b91c4d13978a00b8c666ed7
  SHA1: 0c57f76436701f4d51397d1d4e86337dd9ab1964
  SHA256: 9fab9fc0a1da813e6ddb93904c1fcfa6546cfbe70747ff8468ddd14d2552dbd2
  SHA512: 2b8618e823355a4fa646d51a753f67d34bd7b14367d46fa187f2294af7c2794c6cdee664ea570862757a5f1c99dfcb67a7d4ddf8389d07dd8d696fe55aa538bd
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE
  Filesize: 264B
  MD5: a8d341f1aec3466646a56ab849e032dc
  SHA1: 8274b65b87bd91059166c64403bc2c22c142c03a
  SHA256: e0c42de6423c42ba4f98178062b4f0985c99cc23df7436088eb8eec1694bf629
  SHA512: 0d29b8c43d733f8983687499b725155e3fde84a27384be239265a4bcd46615cc5bb1b8a5650ae152e0c158298847bd78f8953095bf577ecc38f2732d095779b6
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 79d4bd970262b09177e3584cb38b4fb6
  SHA1: 7f0c9e6c3d06495e8d057251b1dece7f917c3aa5
  SHA256: 3b812cdbea7947883680e1873f7b91d3e2d90727b8c3427aed122235184be0da
  SHA512: 937e058240bd3e13ee90e54a91572a9e6bb525d88196339947955391b1e6803eefc2d2df12dfdcc0a776a96fa12cc725affdf6351868584e5e5025abb1bf42ab
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: a534c6d3fee1fa53b7c127eaab61c7ef
  SHA1: 9a20e04443b7c9fdd5051230a7ac013554d421e3
  SHA256: e70f87d47910f3baf1d504f22b91a7c465e66a09349babaa435ae5868aee7b1d
  SHA512: e1b59b7ef22c838de41c4f89f7ea55f4ffae01f5e5860f7c1cdbb2e0bd4a6f910f1458bc93836c9ad11fce04757d8580ba2c6315ff76ef1444398a3ea0a7d22b
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 8a5bd0f864a5932811deb5f2eb906a0b
  SHA1: 1a9a88ca493b1393feaf4246f469518e3d142c3e
  SHA256: 4999cbbd723ed1c8ab85f2384532409b6fcae48411de87862a188db46757b6a5
  SHA512: 99cc2f95fda6f907517245d8ee07f9f0e3ee8be2122cd0ffdb31adba140b0bebb251af27b652bc95f79e87512c73ecd6aa1295af0433ed412938a1efd09f3cbc
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956
  Filesize: 252B
  MD5: ead7f60aa2916b8ca7d630311b2200a0
  SHA1: b7a1c1dffd9713e8288e1fafa1c6e4500eb396ec
  SHA256: 8c396d31fe947c84769a09427d37ee0f48689d9a34cb66b048088132696b85c6
  SHA512: 75b7c089441e3a3f3235cced4024a740331144ac74f059205720ed5d9d3ea99f8c6efb5ace942e0f475d3afb898aaa161a2111515bb4a800bdaae5b0f45ac00d
- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
- Filesize: 116KB
  MD5: 66fc9ff3bdbbd4b7047ed652b4574747
  SHA1: 0aea1df092780c4d5aedb570b0b50137dffd5e54
  SHA256: ae8f869b7a18cd82c27393ee42339ceaefa430143c6508837ad49ee2d7233c34
  SHA512: e630c1a07fce856c6c81237c2a2be1222576905555dd5ab4b087659893bb0bab9645b7f1c72f875f7dd76c50d0a242605fb45a2b31097c8d183e4ba34b2ffb8a