Analysis
max time kernel: 114s
max time network: 118s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 03-09-2024 12:08
Static task: static1
Behavioral task: behavioral1
  Sample: 72293ccf33ff9da279c5460e9f7f7b20N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 72293ccf33ff9da279c5460e9f7f7b20N.exe
  Resource: win10v2004-20240802-en
General
Target: 72293ccf33ff9da279c5460e9f7f7b20N.exe
Size: 116KB
MD5: 72293ccf33ff9da279c5460e9f7f7b20
SHA1: 7130e75bd5c85da908f9219cd0d04346d572a1d0
SHA256: c1f607f590390883c97ab34350edc9a3afe00fc3ef14ad8b3ce3d651e836b2fa
SHA512: b6679e1aef0962db3884e739f699258eb60914b6acf33aef4a693dcb812cc5a3a1664aa0028e91fc6f7c77869d47860b7213066f59947f25502856bfa50f75c7
SSDEEP: 1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLVr:P5eznsjsguGDFqGZ2rDL9
Malware Config
Extracted:
  family: njrat
  version: 0.7d
  botnet: neuf
  c2: doddyfire.linkpc.net:10000
  mutex: e1a87040f2026369a233f9ae76301b7b
  reg_key: e1a87040f2026369a233f9ae76301b7b
  splitter: |'|'|
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes:
    netsh.exe (PID 2572)

Executes dropped EXE (2 IoCs)
  Processes:
    chargeable.exe (PID 2240)
    chargeable.exe (PID 2804)

Loads dropped DLL (2 IoCs)
  Processes:
    72293ccf33ff9da279c5460e9f7f7b20N.exe (PID 3044)
    72293ccf33ff9da279c5460e9f7f7b20N.exe (PID 3044)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Process 72293ccf33ff9da279c5460e9f7f7b20N.exe:
    Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"
    Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\72293ccf33ff9da279c5460e9f7f7b20N.exe"

Suspicious use of SetThreadContext (1 IoC)
  Process chargeable.exe:
    PID 2240 (chargeable.exe) set thread context of PID 2804 (chargeable.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Process netsh.exe:
    Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh
    Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh
    Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  chargeable.exe
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  chargeable.exe
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  netsh.exe
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  72293ccf33ff9da279c5460e9f7f7b20N.exe
Suspicious use of AdjustPrivilegeToken (25 IoCs)
  Process chargeable.exe (PID 2804):
    Token: SeDebugPrivilege
    Token: 33 and Token: SeIncBasePriorityPrivilege, alternating, 12 times each (24 entries)

Suspicious use of WriteProcessMemory (17 IoCs)
  Processes 72293ccf33ff9da279c5460e9f7f7b20N.exe, chargeable.exe, chargeable.exe:
    PID 3044 (72293ccf33ff9da279c5460e9f7f7b20N.exe) wrote to memory of PID 2240 (chargeable.exe)  x4
    PID 2240 (chargeable.exe) wrote to memory of PID 2804 (chargeable.exe)  x9
    PID 2804 (chargeable.exe) wrote to memory of PID 2572 (netsh.exe)  x4
Processes

1. C:\Users\Admin\AppData\Local\Temp\72293ccf33ff9da279c5460e9f7f7b20N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\72293ccf33ff9da279c5460e9f7f7b20N.exe"
   PID: 3044
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      Command line: "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
      PID: 2240
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
         Command line: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
         PID: 2804
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\netsh.exe
            Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
            PID: 2572
            - Modifies Windows Firewall
            - Event Triggered Execution: Netsh Helper DLL
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)

Defense Evasion
  Impair Defenses (1)
    Disable or Modify System Firewall (1)
  Modify Registry (1)
Downloads

Filesize: 1KB
MD5: e7122c733f9e37bba0ca4c985ce11d6d
SHA1: d661aa5b31ff7ef2df9bc4095279058c36499af2
SHA256: acc9932453f5aa68f4b95986668f5584f99e55bbe02eefc0d0960dab376df81a
SHA512: 84cddf68a46f455b4ebbb8c0c70607fe60796cfc5eabdace12d0684a1323af9681700acbdbdc37e63d7806d0220fce9cba5213bb35cee056f9d71646f98711b9

Filesize: 1KB
MD5: 732cfeb76b91c4d13978a00b8c666ed7
SHA1: 0c57f76436701f4d51397d1d4e86337dd9ab1964
SHA256: 9fab9fc0a1da813e6ddb93904c1fcfa6546cfbe70747ff8468ddd14d2552dbd2
SHA512: 2b8618e823355a4fa646d51a753f67d34bd7b14367d46fa187f2294af7c2794c6cdee664ea570862757a5f1c99dfcb67a7d4ddf8389d07dd8d696fe55aa538bd
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE
Filesize: 264B
MD5: 5b11e68349de29d4b0f309d73ae1aa83
SHA1: f16dc50d4e1a77cc845ecad640d119e53f05f0db
SHA256: 8a71a8113ecbb3a4b275dd8849021f314207a3c31b620618472b08a2d11a0bf5
SHA512: c2e54dbecd6381cdd7a321924d05c1f3e4162f390479191b4349ee69781acd2dfbdbd1089c9e4accdad37f9cb0e89adf841044b2bd3f92ad4410ed541f4b0160

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 1ecc2a566b7a83e93dd00ab989b1723d
SHA1: e6978a906bda2a338ca22f7ecc7d70859c443582
SHA256: ec69b85f2643e52a3c024cd1ce5affc3f9fa9870411b658f92343f0d36e59dfa
SHA512: 32ad01ea94f02b88cd90eac1446f62ba82927a3b5fe28533ef0d8a97f11c57579412130b3a877489898f866192a56bea302d56047078721b478c06232eb5c99d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 2ad35ae062f1eff59e55269ed96a1e1a
SHA1: 12567a563518bedde48fabdaf3f22630f9971d3a
SHA256: 8f10b36a56d748be291b0e03738a2732ba66aebf6375b18711db5a538c1a02aa
SHA512: 739fab5324272fe761c7d0b0e80ce05f184318846d335a577a88d5f353d7d4353375f949c6691a2b207420cdb8f1cbb0bb1140b6154dc3d3bb757f3f9d554b52

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: c3a430f1456d2fefd66aad21487f4523
SHA1: 572ad91c1765e124645ac7dbe4f7d34629f99558
SHA256: b3027d5452635c476edd5afe49613d6f604d1d80d324324486f99e55ed9ab812
SHA512: d7eb764656e9a3405b1890674bff91ae339985b058eadee1cf2c3831621347cef65d11bb3a2c5b061493bd7f5515c2fb0edb42a2a6a7da8427fb4ed5f2bc56d3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956
Filesize: 252B
MD5: 0dd0e2d46927afc9083d3e140fee6215
SHA1: 3e02f8e0cc84eb708861d50f618959758168325b
SHA256: 9d5250dd59ce9043ee902e8926fb9fc2a2633f7d4ae40dfe0e881561479de3b4
SHA512: 6b129e94ef035224a0b66823a02f122caef0137932b6a5424ada6ce75acfa14a6d25db278c15137175d598b6c175841d9d6a68c6433586997758fee904623c4f

Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Filesize: 116KB
MD5: 89b6322cf27850734cb31065861f327c
SHA1: 3701383af7606baa6650c3a1fb36c7bdc23bea4c
SHA256: d48def03a60c8464185e73220a8198b4a3f562517ca6e8f3331c15b439cc1eda
SHA512: 15494c8057e056f3948f0df84c911d0d83abd13a21e1175f81d80cb3aded943958784a582b710eb1fce325d7d3075a46ea472e445559ad9aab3db26890ac1dbe