Malware Analysis Report

2024-10-23 20:44

Sample ID 240902-esrdqs1ell
Target 4fb70c06fdefcc1595dc603fea1da470N.exe
SHA256 1fd77b4983a23ba908746e571a7343687356382104476872892fad0bb21bf1c6
Tags njrat neuf discovery evasion persistence privilege_escalation trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 1fd77b4983a23ba908746e571a7343687356382104476872892fad0bb21bf1c6

Threat Level: Known bad

The file 4fb70c06fdefcc1595dc603fea1da470N.exe was found to be: Known bad.

Malicious Activity Summary

njrat neuf discovery evasion persistence privilege_escalation trojan

njRAT/Bladabindi

Modifies Windows Firewall

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-09-02 04:12

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-09-02 04:12
Reported 2024-09-02 04:14
Platform win7-20240708-en
Max time kernel 114s
Max time network 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4fb70c06fdefcc1595dc603fea1da470N.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" | C:\Users\Admin\AppData\Local\Temp\4fb70c06fdefcc1595dc603fea1da470N.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4fb70c06fdefcc1595dc603fea1da470N.exe" | C:\Users\Admin\AppData\Local\Temp\4fb70c06fdefcc1595dc603fea1da470N.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 332 set thread context of 2728 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4fb70c06fdefcc1595dc603fea1da470N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
(the preceding pair of rows, Token: 33 followed by Token: SeIncBasePriorityPrivilege, is repeated 12 times in the original report)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2308 wrote to memory of 332 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb70c06fdefcc1595dc603fea1da470N.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (4 identical rows)
PID 332 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (9 identical rows)
PID 2728 wrote to memory of 2116 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Windows\SysWOW64\netsh.exe (4 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\4fb70c06fdefcc1595dc603fea1da470N.exe

"C:\Users\Admin\AppData\Local\Temp\4fb70c06fdefcc1595dc603fea1da470N.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | crl.microsoft.com | udp
GB | 2.18.190.80:80 | crl.microsoft.com | tcp
US | 8.8.8.8:53 | www.microsoft.com | udp
GB | 95.100.245.144:80 | www.microsoft.com | tcp
US | 8.8.8.8:53 | doddyfire.linkpc.net | udp
CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp (5 identical rows)

Files

memory/2308-0-0x0000000074321000-0x0000000074322000-memory.dmp

memory/2308-1-0x0000000074320000-0x00000000748CB000-memory.dmp

memory/2308-2-0x0000000074320000-0x00000000748CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab953F.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar9562.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 79d4bd970262b09177e3584cb38b4fb6
SHA1 7f0c9e6c3d06495e8d057251b1dece7f917c3aa5
SHA256 3b812cdbea7947883680e1873f7b91d3e2d90727b8c3427aed122235184be0da
SHA512 937e058240bd3e13ee90e54a91572a9e6bb525d88196339947955391b1e6803eefc2d2df12dfdcc0a776a96fa12cc725affdf6351868584e5e5025abb1bf42ab

memory/2308-170-0x0000000074320000-0x00000000748CB000-memory.dmp

\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5 66fc9ff3bdbbd4b7047ed652b4574747
SHA1 0aea1df092780c4d5aedb570b0b50137dffd5e54
SHA256 ae8f869b7a18cd82c27393ee42339ceaefa430143c6508837ad49ee2d7233c34
SHA512 e630c1a07fce856c6c81237c2a2be1222576905555dd5ab4b087659893bb0bab9645b7f1c72f875f7dd76c50d0a242605fb45a2b31097c8d183e4ba34b2ffb8a

memory/2308-180-0x0000000074320000-0x00000000748CB000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a534c6d3fee1fa53b7c127eaab61c7ef
SHA1 9a20e04443b7c9fdd5051230a7ac013554d421e3
SHA256 e70f87d47910f3baf1d504f22b91a7c465e66a09349babaa435ae5868aee7b1d
SHA512 e1b59b7ef22c838de41c4f89f7ea55f4ffae01f5e5860f7c1cdbb2e0bd4a6f910f1458bc93836c9ad11fce04757d8580ba2c6315ff76ef1444398a3ea0a7d22b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956

MD5 ead7f60aa2916b8ca7d630311b2200a0
SHA1 b7a1c1dffd9713e8288e1fafa1c6e4500eb396ec
SHA256 8c396d31fe947c84769a09427d37ee0f48689d9a34cb66b048088132696b85c6
SHA512 75b7c089441e3a3f3235cced4024a740331144ac74f059205720ed5d9d3ea99f8c6efb5ace942e0f475d3afb898aaa161a2111515bb4a800bdaae5b0f45ac00d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

MD5 e7122c733f9e37bba0ca4c985ce11d6d
SHA1 d661aa5b31ff7ef2df9bc4095279058c36499af2
SHA256 acc9932453f5aa68f4b95986668f5584f99e55bbe02eefc0d0960dab376df81a
SHA512 84cddf68a46f455b4ebbb8c0c70607fe60796cfc5eabdace12d0684a1323af9681700acbdbdc37e63d7806d0220fce9cba5213bb35cee056f9d71646f98711b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

MD5 a8d341f1aec3466646a56ab849e032dc
SHA1 8274b65b87bd91059166c64403bc2c22c142c03a
SHA256 e0c42de6423c42ba4f98178062b4f0985c99cc23df7436088eb8eec1694bf629
SHA512 0d29b8c43d733f8983687499b725155e3fde84a27384be239265a4bcd46615cc5bb1b8a5650ae152e0c158298847bd78f8953095bf577ecc38f2732d095779b6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956

MD5 732cfeb76b91c4d13978a00b8c666ed7
SHA1 0c57f76436701f4d51397d1d4e86337dd9ab1964
SHA256 9fab9fc0a1da813e6ddb93904c1fcfa6546cfbe70747ff8468ddd14d2552dbd2
SHA512 2b8618e823355a4fa646d51a753f67d34bd7b14367d46fa187f2294af7c2794c6cdee664ea570862757a5f1c99dfcb67a7d4ddf8389d07dd8d696fe55aa538bd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8a5bd0f864a5932811deb5f2eb906a0b
SHA1 1a9a88ca493b1393feaf4246f469518e3d142c3e
SHA256 4999cbbd723ed1c8ab85f2384532409b6fcae48411de87862a188db46757b6a5
SHA512 99cc2f95fda6f907517245d8ee07f9f0e3ee8be2122cd0ffdb31adba140b0bebb251af27b652bc95f79e87512c73ecd6aa1295af0433ed412938a1efd09f3cbc

memory/2728-348-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2728-351-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2728-350-0x0000000000400000-0x000000000040C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-09-02 04:12
Reported 2024-09-02 04:14
Platform win10v2004-20240802-en
Max time kernel 115s
Max time network 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4fb70c06fdefcc1595dc603fea1da470N.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4fb70c06fdefcc1595dc603fea1da470N.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" | C:\Users\Admin\AppData\Local\Temp\4fb70c06fdefcc1595dc603fea1da470N.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4fb70c06fdefcc1595dc603fea1da470N.exe" | C:\Users\Admin\AppData\Local\Temp\4fb70c06fdefcc1595dc603fea1da470N.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2152 set thread context of 2156 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4fb70c06fdefcc1595dc603fea1da470N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | N/A
(the preceding pair of rows, Token: 33 followed by Token: SeIncBasePriorityPrivilege, is repeated 12 times in the original report)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 936 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\4fb70c06fdefcc1595dc603fea1da470N.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (3 identical rows)
PID 2152 wrote to memory of 2156 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (8 identical rows)
PID 2156 wrote to memory of 3132 | N/A | C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe | C:\Windows\SysWOW64\netsh.exe (3 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\4fb70c06fdefcc1595dc603fea1da470N.exe

"C:\Users\Admin\AppData\Local\Temp\4fb70c06fdefcc1595dc603fea1da470N.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | doddyfire.linkpc.net | udp
CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp
CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
CN | 171.213.139.100:10000 | doddyfire.linkpc.net | tcp

Files

memory/936-0-0x0000000075482000-0x0000000075483000-memory.dmp

memory/936-1-0x0000000075480000-0x0000000075A31000-memory.dmp

memory/936-2-0x0000000075480000-0x0000000075A31000-memory.dmp

memory/936-6-0x0000000075482000-0x0000000075483000-memory.dmp

memory/936-7-0x0000000075480000-0x0000000075A31000-memory.dmp

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5 c69b11f1d7fa215ac43e9d1551ce3e65
SHA1 5a071035914b2ae081a6b359b4d07fbf5f4a2055
SHA256 e05ecbdc9ac7024c3e9c3ee37a9a9eb8b8f27b02736910c4b7ccb6d4f1795049
SHA512 97d9b93fdbde6db006cbcdcaeafb7fca2d9bc77472e4a851ff66616f93df11449ab7faab42ceb4a302254a31ebab11e8e12f5cd9ad26140562372e70ca54955c

memory/936-20-0x0000000075480000-0x0000000075A31000-memory.dmp

memory/2152-21-0x0000000075480000-0x0000000075A31000-memory.dmp

memory/2152-22-0x0000000075480000-0x0000000075A31000-memory.dmp

memory/936-19-0x0000000075480000-0x0000000075A31000-memory.dmp

memory/2152-23-0x0000000075480000-0x0000000075A31000-memory.dmp

memory/2156-24-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log

MD5 0a9b4592cd49c3c21f6767c2dabda92f
SHA1 f534297527ae5ccc0ecb2221ddeb8e58daeb8b74
SHA256 c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd
SHA512 6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307

memory/2156-29-0x0000000075480000-0x0000000075A31000-memory.dmp

memory/2152-28-0x0000000075480000-0x0000000075A31000-memory.dmp

memory/2156-30-0x0000000075480000-0x0000000075A31000-memory.dmp

memory/2156-31-0x0000000075480000-0x0000000075A31000-memory.dmp