Analysis

max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 17-12-2024 19:19
Static task: static1

Behavioral task: behavioral1
  Sample: 05f9bdd6bed8951266a839e8639e61a977813940f3888c168125d21c2bb3b513N.exe
  Resource: win7-20241023-en

Behavioral task: behavioral2
  Sample: 05f9bdd6bed8951266a839e8639e61a977813940f3888c168125d21c2bb3b513N.exe
  Resource: win10v2004-20241007-en
General

Target: 05f9bdd6bed8951266a839e8639e61a977813940f3888c168125d21c2bb3b513N.exe
Size: 114KB
MD5: cf41482e3fbc22f0ec0125d4a2e63830
SHA1: 300d07cbcec7dca6aefda39ce7334992479d9b9a
SHA256: 05f9bdd6bed8951266a839e8639e61a977813940f3888c168125d21c2bb3b513
SHA512: cd7ea1e913b4b6957ad5bf0d7c85a9dd06d935eb377397904bd110ea3d56d015a750507bafc48bafad624f805b0c6f51a4960a67a3418ebbd1e199995b46e77a
SSDEEP: 1536:orp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4xtKegoxmOBh73vry:w5eznsjsguGDFqGx8egoxmO3rvm
Malware Config

Extracted
Family: njrat
Version: 0.7d
neuf
C2: doddyfire.linkpc.net:10000
e1a87040f2026369a233f9ae76301b7b
reg_key: e1a87040f2026369a233f9ae76301b7b
splitter: |'|'|
Signatures

Njrat family

Modifies Windows Firewall (2 TTPs, 1 IoCs)
  pid | Process
  2324 | netsh.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  2376 | chargeable.exe
  2932 | chargeable.exe

Loads dropped DLL (2 IoCs)
  pid | Process
  2624 | 05f9bdd6bed8951266a839e8639e61a977813940f3888c168125d21c2bb3b513N.exe
  2624 | 05f9bdd6bed8951266a839e8639e61a977813940f3888c168125d21c2bb3b513N.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" | 05f9bdd6bed8951266a839e8639e61a977813940f3888c168125d21c2bb3b513N.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\05f9bdd6bed8951266a839e8639e61a977813940f3888c168125d21c2bb3b513N.exe" | 05f9bdd6bed8951266a839e8639e61a977813940f3888c168125d21c2bb3b513N.exe

Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 2376 set thread context of 2932 | 2376 | chargeable.exe | 32

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTPs, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
  Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 05f9bdd6bed8951266a839e8639e61a977813940f3888c168125d21c2bb3b513N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chargeable.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chargeable.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Suspicious use of AdjustPrivilegeToken (25 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2932 | chargeable.exe
  Token: 33 | 2932 | chargeable.exe
  Token: SeIncBasePriorityPrivilege | 2932 | chargeable.exe
  Token: 33 | 2932 | chargeable.exe
  Token: SeIncBasePriorityPrivilege | 2932 | chargeable.exe
  Token: 33 | 2932 | chargeable.exe
  Token: SeIncBasePriorityPrivilege | 2932 | chargeable.exe
  Token: 33 | 2932 | chargeable.exe
  Token: SeIncBasePriorityPrivilege | 2932 | chargeable.exe
  Token: 33 | 2932 | chargeable.exe
  Token: SeIncBasePriorityPrivilege | 2932 | chargeable.exe
  Token: 33 | 2932 | chargeable.exe
  Token: SeIncBasePriorityPrivilege | 2932 | chargeable.exe
  Token: 33 | 2932 | chargeable.exe
  Token: SeIncBasePriorityPrivilege | 2932 | chargeable.exe
  Token: 33 | 2932 | chargeable.exe
  Token: SeIncBasePriorityPrivilege | 2932 | chargeable.exe
  Token: 33 | 2932 | chargeable.exe
  Token: SeIncBasePriorityPrivilege | 2932 | chargeable.exe
  Token: 33 | 2932 | chargeable.exe
  Token: SeIncBasePriorityPrivilege | 2932 | chargeable.exe
  Token: 33 | 2932 | chargeable.exe
  Token: SeIncBasePriorityPrivilege | 2932 | chargeable.exe
  Token: 33 | 2932 | chargeable.exe
  Token: SeIncBasePriorityPrivilege | 2932 | chargeable.exe

Suspicious use of WriteProcessMemory (17 IoCs)
  description | pid | Process | procid_target
  PID 2624 wrote to memory of 2376 | 2624 | 05f9bdd6bed8951266a839e8639e61a977813940f3888c168125d21c2bb3b513N.exe | 30
  PID 2624 wrote to memory of 2376 | 2624 | 05f9bdd6bed8951266a839e8639e61a977813940f3888c168125d21c2bb3b513N.exe | 30
  PID 2624 wrote to memory of 2376 | 2624 | 05f9bdd6bed8951266a839e8639e61a977813940f3888c168125d21c2bb3b513N.exe | 30
  PID 2624 wrote to memory of 2376 | 2624 | 05f9bdd6bed8951266a839e8639e61a977813940f3888c168125d21c2bb3b513N.exe | 30
  PID 2376 wrote to memory of 2932 | 2376 | chargeable.exe | 32
  PID 2376 wrote to memory of 2932 | 2376 | chargeable.exe | 32
  PID 2376 wrote to memory of 2932 | 2376 | chargeable.exe | 32
  PID 2376 wrote to memory of 2932 | 2376 | chargeable.exe | 32
  PID 2376 wrote to memory of 2932 | 2376 | chargeable.exe | 32
  PID 2376 wrote to memory of 2932 | 2376 | chargeable.exe | 32
  PID 2376 wrote to memory of 2932 | 2376 | chargeable.exe | 32
  PID 2376 wrote to memory of 2932 | 2376 | chargeable.exe | 32
  PID 2376 wrote to memory of 2932 | 2376 | chargeable.exe | 32
  PID 2932 wrote to memory of 2324 | 2932 | chargeable.exe | 33
  PID 2932 wrote to memory of 2324 | 2932 | chargeable.exe | 33
  PID 2932 wrote to memory of 2324 | 2932 | chargeable.exe | 33
  PID 2932 wrote to memory of 2324 | 2932 | chargeable.exe | 33
Processes

C:\Users\Admin\AppData\Local\Temp\05f9bdd6bed8951266a839e8639e61a977813940f3888c168125d21c2bb3b513N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\05f9bdd6bed8951266a839e8639e61a977813940f3888c168125d21c2bb3b513N.exe"
  PID: 2624
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    Command line: "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
    PID: 2376
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      Command line: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      PID: 2932
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
        PID: 2324
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery
Network

MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)

Defense Evasion
  Impair Defenses (1)
    Disable or Modify System Firewall (1)
  Modify Registry (1)
Downloads

Filesize: 114KB
MD5: e3fdd911da4b3c99a051ab93c3c6afa1
SHA1: b46228e89c5221dcccccd045e09ce569c77ee098
SHA256: 5bf9cfe566b761eaaae828255c33f52c2c500965e458c0702df1663a38eed743
SHA512: 7de1b9cb8f159065c3b4ed69c2b540a50f7d7230fc330e2f72bfec684060834e6e18923c7c5b54eaa182f685d51d0a10e798a2f9cdcd1f99d86fba74cb9c4f39