Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    22-12-2024 21:22

General

  • Target

    368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe

  • Size

    119KB

  • MD5

    97f7e589999872e0847d256b24acc848

  • SHA1

    23463d7f8075dff1047f776f80c989f1f435df42

  • SHA256

    368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd

  • SHA512

    fcb53a14a43cb9be8b8d8fd46faf6fed074c57106aef0c590efdc1edba5e20a84a63045eb8c612d1e440f7ca6a6fac7f4cd84010bba8ed4ce9a11384ba821185

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLVg+:P5eznsjsguGDFqGZ2rDLT

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Signatures

  • Njrat family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe
    "C:\Users\Admin\AppData\Local\Temp\368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1584
    • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3064
      • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2756
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2876

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956

    Filesize

    1KB

    MD5

    3e3aed1c0ba46c98a8ef6b3bec083998

    SHA1

    8df2ba67925f2c9580ead34fc567acd35c55b416

    SHA256

    3fab079f84b987b1a1e305228bd9d2c7dc9a4033b62d3715073c009391fc949f

    SHA512

    f0afb50c3ca2843e0dde736e5ce6d327ad2b70ae3e04c46c658878208dbd242059efc414f8eff22e9e6034a4a4948b34bdd612c5156c3d9a7fcbd38238066b29

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c54b6ea143b6e025f2069d881da47b2e

    SHA1

    9a732e5dfc4db5ff930617bae7962d1c9f5abb4b

    SHA256

    d6142977da917277c52024aa0d1ad424604e406d2350f5060070ec6800808112

    SHA512

    d81237f7c98ab931bbf81e15ff833bd57048241ee374869ebd13655ba1e616d0fe4fb552996a8eddc7e43e6ef8d33b5d6c900d313697a57089fefa1f76f91699

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    5b3fbb44b243c72f9f5e20ed69a9c821

    SHA1

    58bee5ad1af4126468d2a266b2e8c77eabd9a873

    SHA256

    682ed5876a1aab05c7b26d2ae7f64baa8cd0d8baedb706f21c551788794d3a2e

    SHA512

    b690d3fafc1a8caa1dc6578ac06bcee32a7e051a2024c6de8eb53dec9072d7b4255dc714fadc21f7af6e7686ad8e57412781e2cae3305f251fcc9b686bf4958c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    3c2df53c268ef60e6ae00b832ae7df81

    SHA1

    c7260e1872787a18ba1111241a94aae6abe53deb

    SHA256

    705d83e0eabd5c9e6a630585b4d57b4a19ccacbbc42ca5fcf1e23765938357bf

    SHA512

    5cbae1a6dd8690528f0673b961ed880f986526fb198484edebab49358bb5666e727aacf28dd40a090a017e462de4a650b9a8c8bc2170cdcb90bff67602f95491

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956

    Filesize

    252B

    MD5

    62ec42839c9210e074a37956d76ea3fb

    SHA1

    f3e1c410a4a076065cf94f7faf885cad0ccb5baa

    SHA256

    ca4222a439a8e4f06a853c0270249d567d153707be60b416ba20172ef946e5bd

    SHA512

    7ede324d581db4e477e776ecf6e6c97866c0c7e880e1f85d91e2cb93d2d2a10aa31a88d78d8b5a7290e7a9d4a947c3d2c610860efed5705491931a1524625311

  • C:\Users\Admin\AppData\Local\Temp\CabB212.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarB215.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

    Filesize

    119KB

    MD5

    e70d85eb725cddb20af75f913ce81402

    SHA1

    31a777c8d84c35cbbe876cfbc8f188f8e19940cb

    SHA256

    62dfc98b2f75d1e2d56759d4d40dc8eb864dada625a655ef015d1dcc9c97e777

    SHA512

    210943750d59f8a0d7e1c1a7bc7513748bb696b11ae506820ba2f03c7ceeb81fd1aba7f51a6fe9adc069643a4a773add34cda67433a03b4ccaf7844f900f22b4

  • memory/1584-177-0x00000000743A0000-0x000000007494B000-memory.dmp

    Filesize

    5.7MB

  • memory/1584-167-0x00000000743A0000-0x000000007494B000-memory.dmp

    Filesize

    5.7MB

  • memory/1584-0-0x00000000743A1000-0x00000000743A2000-memory.dmp

    Filesize

    4KB

  • memory/1584-1-0x00000000743A0000-0x000000007494B000-memory.dmp

    Filesize

    5.7MB

  • memory/1584-2-0x00000000743A0000-0x000000007494B000-memory.dmp

    Filesize

    5.7MB

  • memory/2756-346-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2756-345-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2756-343-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB