Analysis
- max time kernel: 146s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 12-09-2024 23:00
Static task: static1
Behavioral task: behavioral1
- Sample: 5d796e64edce8de662dbdabfb69eb2d8d59f7d373020ff7738038864b845af8f.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 5d796e64edce8de662dbdabfb69eb2d8d59f7d373020ff7738038864b845af8f.exe
- Resource: win10v2004-20240802-en
General
- Target: 5d796e64edce8de662dbdabfb69eb2d8d59f7d373020ff7738038864b845af8f.exe
- Size: 119KB
- MD5: 211f65bd2009c34cec2e694e9f979756
- SHA1: 4864904ee16e056c02e3cedb066f5184c461b4f9
- SHA256: 5d796e64edce8de662dbdabfb69eb2d8d59f7d373020ff7738038864b845af8f
- SHA512: a5b4af955c21bef5a0f63274d433f12d92516cd0f482d7294dc4883bb27e5d91012f0874ce01e1bcc33f5cdb45b6cbcbf6b33d27b6d09a3f73287a4d18a186b9
- SSDEEP: 1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDL14FOB:P5eznsjsguGDFqGZ2rDL14FOB
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: neuf
- C2: doddyfire.linkpc.net:10000
- Mutex: e1a87040f2026369a233f9ae76301b7b
- reg_key: e1a87040f2026369a233f9ae76301b7b
- splitter: |'|'|
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes:
    pid  | process
    2920 | netsh.exe
- Executes dropped EXE (2 IoCs)
  Processes:
    pid  | process
    2632 | chargeable.exe
    2148 | chargeable.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid  | process
    2948 | 5d796e64edce8de662dbdabfb69eb2d8d59f7d373020ff7738038864b845af8f.exe
    2948 | 5d796e64edce8de662dbdabfb69eb2d8d59f7d373020ff7738038864b845af8f.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5d796e64edce8de662dbdabfb69eb2d8d59f7d373020ff7738038864b845af8f.exe" | 5d796e64edce8de662dbdabfb69eb2d8d59f7d373020ff7738038864b845af8f.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" | 5d796e64edce8de662dbdabfb69eb2d8d59f7d373020ff7738038864b845af8f.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description | pid | process | target process
    PID 2632 set thread context of 2148 | 2632 | chargeable.exe | chargeable.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
    Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
    Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5d796e64edce8de662dbdabfb69eb2d8d59f7d373020ff7738038864b845af8f.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chargeable.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chargeable.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 2148 | chargeable.exe
    Token: 33 | 2148 | chargeable.exe
    Token: SeIncBasePriorityPrivilege | 2148 | chargeable.exe
    Token: 33 | 2148 | chargeable.exe
    Token: SeIncBasePriorityPrivilege | 2148 | chargeable.exe
    Token: 33 | 2148 | chargeable.exe
    Token: SeIncBasePriorityPrivilege | 2148 | chargeable.exe
    Token: 33 | 2148 | chargeable.exe
    Token: SeIncBasePriorityPrivilege | 2148 | chargeable.exe
    Token: 33 | 2148 | chargeable.exe
    Token: SeIncBasePriorityPrivilege | 2148 | chargeable.exe
    Token: 33 | 2148 | chargeable.exe
    Token: SeIncBasePriorityPrivilege | 2148 | chargeable.exe
    Token: 33 | 2148 | chargeable.exe
    Token: SeIncBasePriorityPrivilege | 2148 | chargeable.exe
    Token: 33 | 2148 | chargeable.exe
    Token: SeIncBasePriorityPrivilege | 2148 | chargeable.exe
    Token: 33 | 2148 | chargeable.exe
    Token: SeIncBasePriorityPrivilege | 2148 | chargeable.exe
    Token: 33 | 2148 | chargeable.exe
    Token: SeIncBasePriorityPrivilege | 2148 | chargeable.exe
    Token: 33 | 2148 | chargeable.exe
    Token: SeIncBasePriorityPrivilege | 2148 | chargeable.exe
    Token: 33 | 2148 | chargeable.exe
    Token: SeIncBasePriorityPrivilege | 2148 | chargeable.exe
    Token: 33 | 2148 | chargeable.exe
    Token: SeIncBasePriorityPrivilege | 2148 | chargeable.exe
    Token: 33 | 2148 | chargeable.exe
    Token: SeIncBasePriorityPrivilege | 2148 | chargeable.exe
    Token: 33 | 2148 | chargeable.exe
    Token: SeIncBasePriorityPrivilege | 2148 | chargeable.exe
    Token: 33 | 2148 | chargeable.exe
    Token: SeIncBasePriorityPrivilege | 2148 | chargeable.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
    description | pid | process | target process
    PID 2948 wrote to memory of 2632 | 2948 | 5d796e64edce8de662dbdabfb69eb2d8d59f7d373020ff7738038864b845af8f.exe | chargeable.exe
    PID 2948 wrote to memory of 2632 | 2948 | 5d796e64edce8de662dbdabfb69eb2d8d59f7d373020ff7738038864b845af8f.exe | chargeable.exe
    PID 2948 wrote to memory of 2632 | 2948 | 5d796e64edce8de662dbdabfb69eb2d8d59f7d373020ff7738038864b845af8f.exe | chargeable.exe
    PID 2948 wrote to memory of 2632 | 2948 | 5d796e64edce8de662dbdabfb69eb2d8d59f7d373020ff7738038864b845af8f.exe | chargeable.exe
    PID 2632 wrote to memory of 2148 | 2632 | chargeable.exe | chargeable.exe
    PID 2632 wrote to memory of 2148 | 2632 | chargeable.exe | chargeable.exe
    PID 2632 wrote to memory of 2148 | 2632 | chargeable.exe | chargeable.exe
    PID 2632 wrote to memory of 2148 | 2632 | chargeable.exe | chargeable.exe
    PID 2632 wrote to memory of 2148 | 2632 | chargeable.exe | chargeable.exe
    PID 2632 wrote to memory of 2148 | 2632 | chargeable.exe | chargeable.exe
    PID 2632 wrote to memory of 2148 | 2632 | chargeable.exe | chargeable.exe
    PID 2632 wrote to memory of 2148 | 2632 | chargeable.exe | chargeable.exe
    PID 2632 wrote to memory of 2148 | 2632 | chargeable.exe | chargeable.exe
    PID 2148 wrote to memory of 2920 | 2148 | chargeable.exe | netsh.exe
    PID 2148 wrote to memory of 2920 | 2148 | chargeable.exe | netsh.exe
    PID 2148 wrote to memory of 2920 | 2148 | chargeable.exe | netsh.exe
    PID 2148 wrote to memory of 2920 | 2148 | chargeable.exe | netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5d796e64edce8de662dbdabfb69eb2d8d59f7d373020ff7738038864b845af8f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5d796e64edce8de662dbdabfb69eb2d8d59f7d373020ff7738038864b845af8f.exe"
  PID: 2948
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    Command line: "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
    PID: 2632
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      Command line: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      PID: 2148
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
        PID: 2920
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Defense Evasion
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (1)
Downloads