Malware Analysis Report

2024-10-23 20:44

Sample ID 240913-3je64sverj
Target 251d47ff1386c6273c43601cd4a1f4a0N
SHA256 eced7b063a64a23060ba6d6830d96dfa21e671a0c25a40820cc271cba7a55c1d
Tags
njrat neuf discovery evasion persistence privilege_escalation trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

eced7b063a64a23060ba6d6830d96dfa21e671a0c25a40820cc271cba7a55c1d

Threat Level: Known bad

The file 251d47ff1386c6273c43601cd4a1f4a0N was found to be: Known bad.

Malicious Activity Summary

njrat neuf discovery evasion persistence privilege_escalation trojan

njRAT/Bladabindi

Modifies Windows Firewall

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-13 23:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-13 23:32

Reported

2024-09-13 23:34

Platform

win7-20240903-en

Max time kernel

114s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\251d47ff1386c6273c43601cd4a1f4a0N.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" C:\Users\Admin\AppData\Local\Temp\251d47ff1386c6273c43601cd4a1f4a0N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\251d47ff1386c6273c43601cd4a1f4a0N.exe" C:\Users\Admin\AppData\Local\Temp\251d47ff1386c6273c43601cd4a1f4a0N.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\251d47ff1386c6273c43601cd4a1f4a0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2332 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\251d47ff1386c6273c43601cd4a1f4a0N.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2332 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\251d47ff1386c6273c43601cd4a1f4a0N.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2332 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\251d47ff1386c6273c43601cd4a1f4a0N.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2332 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\251d47ff1386c6273c43601cd4a1f4a0N.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1672 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1672 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1672 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1672 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1672 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1672 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1672 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1672 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1672 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1672 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1672 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1672 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1672 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1672 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1672 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1672 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1672 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1672 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1672 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1672 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1672 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1672 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1672 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1672 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1672 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1672 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1672 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1672 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1672 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1672 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1672 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1672 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1672 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1672 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1672 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 1672 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2748 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 2748 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 2748 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 2748 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\251d47ff1386c6273c43601cd4a1f4a0N.exe

"C:\Users\Admin\AppData\Local\Temp\251d47ff1386c6273c43601cd4a1f4a0N.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 doddyfire.linkpc.net udp
CN 171.213.139.100:10000 doddyfire.linkpc.net tcp
CN 171.213.139.100:10000 doddyfire.linkpc.net tcp
CN 171.213.139.100:10000 doddyfire.linkpc.net tcp
CN 171.213.139.100:10000 doddyfire.linkpc.net tcp
CN 171.213.139.100:10000 doddyfire.linkpc.net tcp

Files

memory/2332-0-0x0000000074EE1000-0x0000000074EE2000-memory.dmp

memory/2332-1-0x0000000074EE0000-0x000000007548B000-memory.dmp

memory/2332-2-0x0000000074EE0000-0x000000007548B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabCEB6.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarCEC9.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 54bdac96703979aed1b2d82a9573e8cc
SHA1 1bf9ba834e8de884d2c2e1eb0c9ed6fb0556d0be
SHA256 dac9e468918a117a14c56c602df84788d5a707db2dfb62caae47d1c8408453e9
SHA512 01aad1048f523642e3d5c3f6c3b328afb50bba1c9659bf7b306e16890d461d4b8866f83f18a47219992799a31f6f867a3ac77325e512c04de16ddf7ee6a16372

memory/2332-164-0x0000000074EE0000-0x000000007548B000-memory.dmp

\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5 57e8844ca0c93923661be90da16b3ce2
SHA1 9c5fe4556890237c53daa3a72605a160d41e252e
SHA256 2a123d96b37a13b7ece16485c7c56220bf292b72ce2698b5e52a181910cf282a
SHA512 19e2a560a61f8b80912858bd0a610960ee796003c2734bfcd3d17b4776b16cc5e1646363862f9ee6cb2fe28760356a6ecd17fda68caac71cc0d9e767a370fce1

memory/2332-174-0x0000000074EE0000-0x000000007548B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eee873ecc2a46369de9b0e130fc35a18
SHA1 fe91b7643bbc258ea6acf526546b46865e8573e8
SHA256 a39891a05fb99398159fcdbb9820ea6e97f126b1adf99ca13c687b501f2af2ba
SHA512 c89eb06ff7581de96fb53fda8b82da449f2a866399e02a7223d574907ac8b1084396ba2d00c891fad1203c49eb8ec09b22be8c36defed111d6145628b6e66045

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ff48e7a8bf8934f540032697266682fa
SHA1 2f59ca8caa84b6f3f8fe95a33525d28b5ef9cbd8
SHA256 91498704c61f911b8b7153ef6a680f33e97c513dbea70ebc4be18ec214210676
SHA512 407e788a01796addb2114539059dab68e683f0f8675989c673af8c84ad463f86d3fbe25e52212e271ab0b73f2d7145fd3dd16a110b7e5ade56a67963da197b7c

memory/2748-341-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2748-340-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2748-338-0x0000000000400000-0x000000000040C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-13 23:32

Reported

2024-09-13 23:34

Platform

win10v2004-20240802-en

Max time kernel

115s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\251d47ff1386c6273c43601cd4a1f4a0N.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\251d47ff1386c6273c43601cd4a1f4a0N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\251d47ff1386c6273c43601cd4a1f4a0N.exe" C:\Users\Admin\AppData\Local\Temp\251d47ff1386c6273c43601cd4a1f4a0N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" C:\Users\Admin\AppData\Local\Temp\251d47ff1386c6273c43601cd4a1f4a0N.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4752 set thread context of 3756 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\251d47ff1386c6273c43601cd4a1f4a0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2564 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\251d47ff1386c6273c43601cd4a1f4a0N.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2564 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\251d47ff1386c6273c43601cd4a1f4a0N.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 2564 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\251d47ff1386c6273c43601cd4a1f4a0N.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4752 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4752 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4752 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4752 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4752 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4752 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4752 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 4752 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
PID 3756 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 3756 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe
PID 3756 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\251d47ff1386c6273c43601cd4a1f4a0N.exe

"C:\Users\Admin\AppData\Local\Temp\251d47ff1386c6273c43601cd4a1f4a0N.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 doddyfire.linkpc.net udp
CN 171.213.139.100:10000 doddyfire.linkpc.net tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
CN 171.213.139.100:10000 doddyfire.linkpc.net tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
CN 171.213.139.100:10000 doddyfire.linkpc.net tcp
CN 171.213.139.100:10000 doddyfire.linkpc.net tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
CN 171.213.139.100:10000 doddyfire.linkpc.net tcp

Files

memory/2564-0-0x0000000074B92000-0x0000000074B93000-memory.dmp

memory/2564-1-0x0000000074B90000-0x0000000075141000-memory.dmp

memory/2564-2-0x0000000074B90000-0x0000000075141000-memory.dmp

memory/2564-6-0x0000000074B92000-0x0000000074B93000-memory.dmp

memory/2564-7-0x0000000074B90000-0x0000000075141000-memory.dmp

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

MD5 c22a79dab92fc2e0f7c4efc377ac49ea
SHA1 32658953379006260c58089adde764e253402206
SHA256 db88fafe35c1e7505f1d5afd22b08168edc7352977cde7a5c0d1cfd0a46d5c47
SHA512 f11380a723143b819245410b44716a29946d0038882d46714002eb8632f461d5454534a60297b7f23160d56d928f801ebcd14e109e486d78a622af8daf5e6ecb

memory/2564-19-0x0000000074B90000-0x0000000075141000-memory.dmp

memory/4752-21-0x0000000074B90000-0x0000000075141000-memory.dmp

memory/2564-20-0x0000000074B90000-0x0000000075141000-memory.dmp

memory/4752-22-0x0000000074B90000-0x0000000075141000-memory.dmp

memory/3756-23-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log

MD5 0a9b4592cd49c3c21f6767c2dabda92f
SHA1 f534297527ae5ccc0ecb2221ddeb8e58daeb8b74
SHA256 c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd
SHA512 6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307

memory/3756-27-0x0000000074B90000-0x0000000075141000-memory.dmp

memory/3756-29-0x0000000074B90000-0x0000000075141000-memory.dmp

memory/4752-28-0x0000000074B90000-0x0000000075141000-memory.dmp

memory/3756-30-0x0000000074B90000-0x0000000075141000-memory.dmp

memory/3756-31-0x0000000074B90000-0x0000000075141000-memory.dmp