Analysis
max time kernel: 147s
max time network: 148s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system
submitted: 22-12-2024 21:22
Static task: static1
Behavioral task: behavioral1
  Sample: 368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: 368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe
  Resource: win10v2004-20241007-en
General
Target: 368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe
Size: 119KB
MD5: 97f7e589999872e0847d256b24acc848
SHA1: 23463d7f8075dff1047f776f80c989f1f435df42
SHA256: 368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd
SHA512: fcb53a14a43cb9be8b8d8fd46faf6fed074c57106aef0c590efdc1edba5e20a84a63045eb8c612d1e440f7ca6a6fac7f4cd84010bba8ed4ce9a11384ba821185
SSDEEP: 1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLVg+:P5eznsjsguGDFqGZ2rDLT
Malware Config
Extracted
njrat
0.7d
neuf
doddyfire.linkpc.net:10000
e1a87040f2026369a233f9ae76301b7b
reg_key: e1a87040f2026369a233f9ae76301b7b
splitter: |'|'|
Signatures
Njrat family
Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid 2876  Process netsh.exe
Executes dropped EXE (2 IoCs)
  pid 3064  Process chargeable.exe
  pid 2756  Process chargeable.exe
Loads dropped DLL (2 IoCs)
  pid 1584  Process 368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe
  pid 1584  Process 368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"  Process 368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe"  Process 368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe
Suspicious use of SetThreadContext (1 IoC)
  PID 3064 set thread context of 2756  Process chargeable.exe  procid_target 32
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Key opened  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh  Process netsh.exe
  Key queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh  Process netsh.exe
  Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh  Process netsh.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process 368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process chargeable.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process chargeable.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Process netsh.exe
Suspicious use of AdjustPrivilegeToken (33 IoCs; identical rows consolidated with their counts)
  Token: SeDebugPrivilege  pid 2756  Process chargeable.exe  (1 time)
  Token: 33  pid 2756  Process chargeable.exe  (16 times)
  Token: SeIncBasePriorityPrivilege  pid 2756  Process chargeable.exe  (16 times)
Suspicious use of WriteProcessMemory (17 IoCs; identical rows consolidated with their counts)
  PID 1584 wrote to memory of 3064  Process 368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe  procid_target 31  (4 times)
  PID 3064 wrote to memory of 2756  Process chargeable.exe  procid_target 32  (9 times)
  PID 2756 wrote to memory of 2876  Process chargeable.exe  procid_target 33  (4 times)
Processes
C:\Users\Admin\AppData\Local\Temp\368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1584
  C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    Command line: "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3064
    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      Command line: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2756
      C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery
        PID: 2876
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
  Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
  Event Triggered Execution (1): Netsh Helper DLL (1)
Defense Evasion
  Impair Defenses (1): Disable or Modify System Firewall (1)
  Modify Registry (1)
Downloads
Filesize: 1KB
  MD5: 3e3aed1c0ba46c98a8ef6b3bec083998
  SHA1: 8df2ba67925f2c9580ead34fc567acd35c55b416
  SHA256: 3fab079f84b987b1a1e305228bd9d2c7dc9a4033b62d3715073c009391fc949f
  SHA512: f0afb50c3ca2843e0dde736e5ce6d327ad2b70ae3e04c46c658878208dbd242059efc414f8eff22e9e6034a4a4948b34bdd612c5156c3d9a7fcbd38238066b29
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: c54b6ea143b6e025f2069d881da47b2e
  SHA1: 9a732e5dfc4db5ff930617bae7962d1c9f5abb4b
  SHA256: d6142977da917277c52024aa0d1ad424604e406d2350f5060070ec6800808112
  SHA512: d81237f7c98ab931bbf81e15ff833bd57048241ee374869ebd13655ba1e616d0fe4fb552996a8eddc7e43e6ef8d33b5d6c900d313697a57089fefa1f76f91699
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 5b3fbb44b243c72f9f5e20ed69a9c821
  SHA1: 58bee5ad1af4126468d2a266b2e8c77eabd9a873
  SHA256: 682ed5876a1aab05c7b26d2ae7f64baa8cd0d8baedb706f21c551788794d3a2e
  SHA512: b690d3fafc1a8caa1dc6578ac06bcee32a7e051a2024c6de8eb53dec9072d7b4255dc714fadc21f7af6e7686ad8e57412781e2cae3305f251fcc9b686bf4958c
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 3c2df53c268ef60e6ae00b832ae7df81
  SHA1: c7260e1872787a18ba1111241a94aae6abe53deb
  SHA256: 705d83e0eabd5c9e6a630585b4d57b4a19ccacbbc42ca5fcf1e23765938357bf
  SHA512: 5cbae1a6dd8690528f0673b961ed880f986526fb198484edebab49358bb5666e727aacf28dd40a090a017e462de4a650b9a8c8bc2170cdcb90bff67602f95491
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956
  Filesize: 252B
  MD5: 62ec42839c9210e074a37956d76ea3fb
  SHA1: f3e1c410a4a076065cf94f7faf885cad0ccb5baa
  SHA256: ca4222a439a8e4f06a853c0270249d567d153707be60b416ba20172ef946e5bd
  SHA512: 7ede324d581db4e477e776ecf6e6c97866c0c7e880e1f85d91e2cb93d2d2a10aa31a88d78d8b5a7290e7a9d4a947c3d2c610860efed5705491931a1524625311
Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
Filesize: 119KB
  MD5: e70d85eb725cddb20af75f913ce81402
  SHA1: 31a777c8d84c35cbbe876cfbc8f188f8e19940cb
  SHA256: 62dfc98b2f75d1e2d56759d4d40dc8eb864dada625a655ef015d1dcc9c97e777
  SHA512: 210943750d59f8a0d7e1c1a7bc7513748bb696b11ae506820ba2f03c7ceeb81fd1aba7f51a6fe9adc069643a4a773add34cda67433a03b4ccaf7844f900f22b4