Analysis
-
max time kernel
146s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
21/09/2024, 22:59
General
-
Target
1a23a54df41d0cf4cfb9a6879f7cab61b1ecb0fae46dfb8a2f64361c6ae5846a.exe
-
Size
114KB
-
MD5
0233a24559d6825bdb7f0ec045758cae
-
SHA1
b0161acb0a9bdfa28075e23b7d38ba0758fe99bc
-
SHA256
1a23a54df41d0cf4cfb9a6879f7cab61b1ecb0fae46dfb8a2f64361c6ae5846a
-
SHA512
51e6f62ac49df9f941cdbb1fab1232336b0409c592900e1bb871d3be6d0a808d3690c1f6fbdc15dbaf0ab110664bf92457ec98e863434bd120505473a8fa380f
-
SSDEEP
1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMM:P5eznsjsguGDFqGZ2rM
Malware Config
Extracted
njrat
0.7d
neuf
doddyfire.linkpc.net:10000
e1a87040f2026369a233f9ae76301b7b
-
reg_key
e1a87040f2026369a233f9ae76301b7b
-
splitter
|'|'|
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 33 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1a23a54df41d0cf4cfb9a6879f7cab61b1ecb0fae46dfb8a2f64361c6ae5846a.exe"C:\Users\Admin\AppData\Local\Temp\1a23a54df41d0cf4cfb9a6879f7cab61b1ecb0fae46dfb8a2f64361c6ae5846a.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exeC:\Users\Admin\AppData\Roaming\confuse\chargeable.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5a118f669ec2e3878d733548e80c0df0a
SHA1a5fcdb8ff5a553d2b4dc36dd06ab0d840b39f7c9
SHA256f542d4e2fdc6713a5816dba1dd9c9ae741461ff03489a0d2b579ecd795763ad3
SHA512223681adfe2bb3829b31fb664c46f5e88763f39dc4121105490aefdfddb4f1232a4e9e8f84109f2fd1d8860031903b99e8f56c426d8ff4a56c00fb93beaa560e
-
Filesize
342B
MD575b7b1137abf0ac30b1d1c4998a5d960
SHA18494ca19bee7bdd7bcfd2444495000e5191fc95a
SHA25651e2b57f958db88405101b279e10e34c1151f3b756b42d7960d9db2ec01495d6
SHA512febb8c79459e8ea91f61b6cfe115a99ec06e6bd2f989d5ecb2946245d73976f94b0eed5b163995d3d21569464908eda411213e35f52cb1e53213a1135cb35cdf
-
Filesize
342B
MD5eaf8681892d3419608a7fdf559ffc55b
SHA1bed95f1583e6c562f0742840ec24eb85c642ee66
SHA256cc2d0bfd46ea3bb94bec99a689496298e42e3ec4402052dba5eb7757dd19c331
SHA512ebfe1a8031089d20580d4ccad3924b3fda009167016daacaa0d2d73d3de274dfbce53b4513f8f1cf62263e2fe9bfee12e5f60ce2c4460507c445a9ade01b24c9
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
114KB
MD533c1332af9123c61ca260fb14714a376
SHA1860f04f752eeb1451ca1db15207dbfd7b7a21d96
SHA2568a41947a3fb5a732c7dbb7733188b80c04281bc994f50a199488b872b11d5020
SHA512076e539bee16602963321ffea2183609f1f9c2a178837e23c3b8c2436777f4f019f1338892588db38bf9edc8df3f99cb4f1eb631bac706e92430c7569fab485b
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB