Analysis
-
max time kernel
147s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system -
submitted
22-12-2024 21:25
Static task
static1
Behavioral task
behavioral1
Sample
368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe
Resource
win10v2004-20241007-en
General
-
Target
368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe
-
Size
119KB
-
MD5
97f7e589999872e0847d256b24acc848
-
SHA1
23463d7f8075dff1047f776f80c989f1f435df42
-
SHA256
368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd
-
SHA512
fcb53a14a43cb9be8b8d8fd46faf6fed074c57106aef0c590efdc1edba5e20a84a63045eb8c612d1e440f7ca6a6fac7f4cd84010bba8ed4ce9a11384ba821185
-
SSDEEP
1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLVg+:P5eznsjsguGDFqGZ2rDLT
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet (campaign name): neuf
C2: doddyfire.linkpc.net:10000
Mutex: e1a87040f2026369a233f9ae76301b7b
-
reg_key: e1a87040f2026369a233f9ae76301b7b (same value as the mutex)
-
splitter: |'|'| (field separator used in the C2 protocol)
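The splitter above is the field separator of njRAT's C2 protocol, so it is the first thing an analyst needs when decoding a capture. The following decoder is an added example, not code from the report or from njRAT itself. What it relies on is njRAT 0.7d's wire framing (an ASCII decimal body length, a NUL byte, then the body, with fields joined by the configured splitter); the beacon field order in the sample and the sample bytes themselves are constructed for illustration, since the report records only a DNS resolution of doddyfire.linkpc.net and no C2 session.

```python
import base64
import binascii

SPLITTER = "|'|'|"                      # from the extracted config (njrat 0.7d)
C2 = ("doddyfire.linkpc.net", 10000)    # from the extracted config


def build_frame(cmd: str, *args: str, splitter: str = SPLITTER) -> bytes:
    """Encode one frame: ASCII decimal body length, NUL, body."""
    body = splitter.join((cmd, *args)).encode("utf-8")
    return str(len(body)).encode("ascii") + b"\x00" + body


def parse_frames(stream: bytes, splitter: str = SPLITTER):
    """Split a raw TCP byte stream into njRAT frames.

    njRAT 0.7d framing: ASCII decimal body length, a NUL byte, then exactly
    that many body bytes; fields inside the body are joined with the
    configured splitter. Returns (frames, leftover) so a caller reading from
    a socket can carry a partial frame over to the next read.
    """
    frames = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break                                  # no complete length prefix yet
        prefix = stream[pos:nul]
        if not prefix.isdigit():
            raise ValueError(f"bad length prefix at offset {pos}: {prefix!r}")
        start = nul + 1
        end = start + int(prefix)
        if end > len(stream):
            break                                  # body not fully received yet
        fields = stream[start:end].decode("utf-8", errors="replace").split(splitter)
        frames.append({"cmd": fields[0], "args": fields[1:]})
        pos = end
    return frames, stream[pos:]


def try_b64(field: str):
    """njRAT base64-encodes some fields (e.g. the victim id); decode if it fits."""
    try:
        return base64.b64decode(field, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def beacon_victim_id(frame):
    """For an 'll' beacon, return the decoded victim id (assumed to be args[0])."""
    if frame["cmd"] != "ll" or not frame["args"]:
        return None
    return try_b64(frame["args"][0])


# Constructed sample stream (not captured traffic): one beacon, one 'inf'
# request, and a trailing partial frame to exercise the leftover handling.
SAMPLE_STREAM = (
    build_frame("ll", base64.b64encode(b"HacKed_ABCD1234").decode("ascii"),
                "WIN7-PC", "Admin", "24-12-22", "", "Win 7 Ultimate SP1 x64",
                "No", "0.7d", "..", "RXhwbG9yZXI=")
    + build_frame("inf")
    + b"12\x00P|'|'|"
)

if __name__ == "__main__":
    frames, leftover = parse_frames(SAMPLE_STREAM)
    for f in frames:
        print(f["cmd"], f["args"], beacon_victim_id(f))
    print("leftover:", leftover)
```

Because the splitter is configurable per build, a decoder keyed on the value pulled from this sample will not necessarily work on another njRAT build; pass the splitter extracted from each sample's config. The length prefix is searched only at frame boundaries, so NUL bytes inside a body (for example screenshot data) do not confuse the parser.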
Signatures
-
Njrat family
-
Modifies Windows Firewall 2 TTPs 1 IoCs
PID 2576 netsh.exe -
Executes dropped EXE 2 IoCs
PID 1940 chargeable.exe; PID 2752 chargeable.exe -
Loads dropped DLL 2 IoCs
PID 2312 368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe (two loads) -
Adds Run key to start application 2 TTPs 2 IoCs
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" by 368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe" by 368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe
(Both values are HKCU Run entries, so persistence needs no elevation; the value name SysMain matches the service name of Windows Superfetch, and the data points at a user-writable path, which is the detection hook.) -
Suspicious use of SetThreadContext 1 IoCs
PID 1940 chargeable.exe set thread context of PID 2752 chargeable.exe (target procid 31). Together with the nine WriteProcessMemory calls from 1940 into 2752 listed below, this is the parent writing a payload into a freshly spawned copy of its own image and redirecting its thread, i.e. a hollowing-style injection. -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. The IoCs below are netsh.exe reading its own helper-DLL registration key; every netsh invocation does this at start-up, so on its own this shows only that netsh ran (here, to add the firewall exception), not that the sample registered a helper DLL. Registration would appear as a write to this key, and none is recorded.
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh by netsh.exe
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh by netsh.exe
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh by netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host. Note that all four processes, including netsh.exe, open the same NLS key, which is what runtime locale initialisation does; this is weak evidence of deliberate geolocation by the sample.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by chargeable.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by chargeable.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by netsh.exe -
Suspicious use of AdjustPrivilegeToken 33 IoCs
PID 2752 chargeable.exe: Token: SeDebugPrivilege (1 IoC), followed by sixteen alternating pairs of Token: 33 and Token: SeIncBasePriorityPrivilege (32 IoCs). Privilege LUID 33 is SeIncreaseWorkingSetPrivilege; the repeated pair is consistent with the injected process adjusting its own priority class and working set in a loop. The SeDebugPrivilege enable is the one worth alerting on: it is what a user-mode RAT needs to open other processes. -
Suspicious use of WriteProcessMemory 17 IoCs
PID 2312 368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe wrote to memory of PID 1940 chargeable.exe (target procid 30): 4 writes
PID 1940 chargeable.exe wrote to memory of PID 2752 chargeable.exe (target procid 31): 9 writes
PID 2752 chargeable.exe wrote to memory of PID 2576 netsh.exe (target procid 32): 4 writes -
Processes
-
C:\Users\Admin\AppData\Local\Temp\368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe (depth 1, PID 2312)
  command line: "C:\Users\Admin\AppData\Local\Temp\368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (depth 2, PID 1940)
    command line: "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe (depth 3, PID 2752)
      command line: C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\netsh.exe (depth 4, PID 2576)
        command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery
-
-
-
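The process tree above is the whole kill chain in four processes: dropper writes two Run values, launches the dropped copy, that copy spawns itself and injects into the child, and the injected child uses the legacy `netsh firewall` syntax to whitelist its own path. The following detection logic is an added example, not part of the report or of any vendor product. It runs three rules over a constructed event list that mirrors the tree, the registry writes and the SetThreadContext call recorded above; the event schema (a Sysmon-like normalisation with `process`, `reg_set` and `set_thread_context` records) and the rule names are assumptions made for the example.

```python
import re

# Constructed events mirroring the report's process tree and registry writes.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

EVENTS = [
    {"type": "process", "pid": 2312, "ppid": 1000, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"type": "reg_set", "pid": 2312, "key": RUN + r"\confuse", "data": PAYLOAD},
    {"type": "reg_set", "pid": 2312, "key": RUN + r"\SysMain", "data": DROPPER},
    {"type": "process", "pid": 1940, "ppid": 2312, "image": PAYLOAD, "cmdline": f'"{PAYLOAD}"'},
    {"type": "process", "pid": 2752, "ppid": 1940, "image": PAYLOAD, "cmdline": PAYLOAD},
    {"type": "set_thread_context", "pid": 1940, "target_pid": 2752},
    {"type": "process", "pid": 2576, "ppid": 2752, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": f'netsh firewall add allowedprogram "{PAYLOAD}" "chargeable.exe" ENABLE'},
]

# Anything under a user's AppData (Roaming, Local, Local\Temp) is writable without elevation.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.IGNORECASE)
# Legacy XP/Vista-era syntax (still accepted on Win7, used by this sample) and the advfirewall form.
LEGACY_ALLOW = re.compile(r'add\s+allowedprogram\s+(?:program=)?(?:"([^"]+)"|(\S+))', re.IGNORECASE)
ADV_ALLOW = re.compile(r'advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def firewall_program_path(cmdline: str):
    """Return the program path a netsh command line whitelists, or None."""
    for rx in (LEGACY_ALLOW, ADV_ALLOW):
        m = rx.search(cmdline)
        if m:
            return m.group(1) or m.group(2)
    return None


def run_rules(events):
    """Apply three rules and return a list of findings (rule, pid, detail)."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "reg_set" and RUN_KEY.search(e["key"]) and USER_WRITABLE.match(e["data"]):
            name = e["key"].rsplit("\\", 1)[1]
            findings.append({"rule": "run_key_points_to_user_dir", "pid": e["pid"],
                             "detail": f"{name} -> {e['data']}"})
        elif e["type"] == "process" and e["image"].lower().endswith("\\netsh.exe"):
            path = firewall_program_path(e["cmdline"])
            if path and USER_WRITABLE.match(path):
                findings.append({"rule": "firewall_exception_for_user_dir_binary",
                                 "pid": e["pid"], "detail": path})
        elif e["type"] == "set_thread_context":
            src, dst = procs.get(e["pid"]), procs.get(e["target_pid"])
            # Parent redirecting a thread in a child running the same image: hollowing pattern.
            if src and dst and dst["ppid"] == src["pid"] and src["image"].lower() == dst["image"].lower():
                findings.append({"rule": "same_image_set_thread_context", "pid": e["pid"],
                                 "detail": f"{src['pid']} -> {dst['pid']} ({dst['image']})"})
    return findings


if __name__ == "__main__":
    for f in run_rules(EVENTS):
        print(f"[{f['rule']}] pid={f['pid']} {f['detail']}")
```

The three rules are deliberately independent of the file hashes, which change per build: a Run value pointing into AppData, a firewall exception for an AppData binary, and a SetThreadContext from a parent into a same-image child each catch the next njRAT sample as well as this one. The two registry hits alone would already have flagged this run before the C2 domain resolved.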
Network
-
The two HTTP requests below are certificate revocation list fetches made by Windows CryptoAPI inside the sample process (User-Agent Microsoft-CryptoAPI/6.1) while it validates Authenticode signatures; they are OS background traffic, not malware C2. The sample-specific activity is the DNS resolution of the configured C2 host doddyfire.linkpc.net to 181.52.175.2. No HTTP to the C2 is recorded, which is expected: njRAT speaks its own TCP protocol on the configured port (10000 here), and the page does not itemise any traffic to 181.52.175.2.
DNS  Remote address: 8.8.8.8:53
  Request: crl.microsoft.com IN A
  Response: crl.microsoft.com IN CNAME crl.www.ms.akadns.net; crl.www.ms.akadns.net IN CNAME a1363.dscg.akamai.net; a1363.dscg.akamai.net IN A 2.19.252.143; a1363.dscg.akamai.net IN A 2.19.252.157
-
HTTP  GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl by 368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe
  Remote address: 2.19.252.143:80
  Request: GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 01 May 2024 09:28:59 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
  Response: HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-MD5: +oTkvMkqpdtzWrUHEQQM3g==
Last-Modified: Thu, 12 Dec 2024 00:06:56 GMT
ETag: 0x8DD1A40E476D877
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 346168ca-101e-0054-5d36-4c18bd000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Sun, 22 Dec 2024 21:26:01 GMT
Connection: keep-alive
-
DNS  Remote address: 8.8.8.8:53
  Request: www.microsoft.com IN A
  Response: www.microsoft.com IN CNAME www.microsoft.com-c-3.edgekey.net; www.microsoft.com-c-3.edgekey.net IN CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net; www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net IN CNAME e13678.dscb.akamaiedge.net; e13678.dscb.akamaiedge.net IN A 184.25.193.234
-
HTTP  GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl by 368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe
  Remote address: 184.25.193.234:80
  Request: GET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 03 Jun 2024 21:25:24 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.microsoft.com
  Response: HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-MD5: PjrtHAukbJio72s77Ag5mA==
Last-Modified: Thu, 31 Oct 2024 23:26:09 GMT
ETag: 0x8DCFA0366D6C4CA
x-ms-request-id: ca00f663-501e-0037-2bf2-2b8546000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
Date: Sun, 22 Dec 2024 21:26:01 GMT
Connection: keep-alive
TLS_version: UNKNOWN
ms-cv: CASMicrosoftCV6de02c33.0
ms-cv-esi: CASMicrosoftCV6de02c33.0
X-RTag: RT
-
DNS  Remote address: 8.8.8.8:53
  Request: doddyfire.linkpc.net IN A
  Response: doddyfire.linkpc.net IN A 181.52.175.2
-
Flow summary (remote address, protocol, host, process, bytes sent / received, packets sent / received)
2.19.252.143:80  http  http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl  368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe  445 B / 1.7 kB  5 / 4
  HTTP Request: GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
  HTTP Response: 200 -
184.25.193.234:80  http  http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl  368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe  439 B / 1.7 kB  5 / 4
  HTTP Request: GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
  HTTP Response: 200 -
Six further flows of 152 B / 3 packets each (remote address, protocol and process not preserved on the page) -
8.8.8.8:53  dns  crl.microsoft.com  368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe  63 B / 162 B  1 / 1
  DNS Request: crl.microsoft.com
  DNS Response: 2.19.252.143, 2.19.252.157 -
8.8.8.8:53  dns  www.microsoft.com  368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe  63 B / 230 B  1 / 1
  DNS Request: www.microsoft.com
  DNS Response: 184.25.193.234 -
(remote address and process not preserved on the page)  dns  doddyfire.linkpc.net  66 B / 82 B  1 / 1
  DNS Request: doddyfire.linkpc.net
  DNS Response: 181.52.175.2
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
Persistence
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, T1547.001 (1)
  Create or Modify System Process: Windows Service, T1543.003 (1)
  Event Triggered Execution: Netsh Helper DLL, T1546.007 (1)
Privilege Escalation
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, T1547.001 (1)
  Create or Modify System Process: Windows Service, T1543.003 (1)
  Event Triggered Execution: Netsh Helper DLL, T1546.007 (1)
Defense Evasion
  Impair Defenses: Disable or Modify System Firewall, T1562.004 (1)
  Modify Registry, T1112 (1)
The matrix reflects the sandbox's signature-to-technique mapping rather than confirmed behaviour: no signature above names a Windows service, and the Netsh Helper DLL entry comes from netsh.exe reading its own helper key. The Run-key persistence, the firewall exception and the registry writes are the techniques the evidence on this page actually supports.
Downloads
-
(path not recorded on the page)
Filesize: 1KB
MD5: fa84e4bcc92aa5db735ab50711040cde (equals the Content-MD5 header of the MicRooCerAut2011_2011_03_22.crl response above, so this is that CRL)
SHA1: 084f1cb4c47fdd3be1c833f58359ec8e16f61eb4
SHA256: 6d7205e794fde4219a62d9692ecddf612663a5cf20399e79be87b851fca4ca33
SHA512: 261a327ed1dffd4166e215d17bfd867df5b77017ba72c879fb2675cfb8eef48b374f6de41da0e51ba7adb9c0165bb2c831840603e873f6429963afd0cb93007f
-
(path not recorded on the page)
Filesize: 1KB
MD5: 3e3aed1c0ba46c98a8ef6b3bec083998 (equals the Content-MD5 header of the MicCodSigPCA2011_2011-07-08.crl response above, so this is that CRL)
SHA1: 8df2ba67925f2c9580ead34fc567acd35c55b416
SHA256: 3fab079f84b987b1a1e305228bd9d2c7dc9a4033b62d3715073c009391fc949f
SHA512: f0afb50c3ca2843e0dde736e5ce6d327ad2b70ae3e04c46c658878208dbd242059efc414f8eff22e9e6034a4a4948b34bdd612c5156c3d9a7fcbd38238066b29
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE
Filesize: 264B
MD5: a7fbd11e745b97dbbb48161f696e39dd
SHA1: 410593ec85ab8bc1e470b2519707938412e211ed
SHA256: fde70fb8d1e24c168189646f504d21d988a48685317dedb7e4fa6968340e4443
SHA512: 23453b34d195ddb54d98edf888081661ac7f71d22657abdd3011f140ed3d3f9a32a903cc2bd587dd98330584fb7b74facf5eb553ebb8b37639effe39fcb7e496
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (first of three versions written to this path)
Filesize: 342B
MD5: e4eeb0757c8401bfb93a8983bce45eef
SHA1: b7dd84b99d378769bb964b33800d171f7bf3f02c
SHA256: e89ae9583ae222a3c45a77f2f87e3566111476cf42a4a4059f1f1fcd0077404d
SHA512: 158c732e9b7b538b1c06cbb8afaedb4b519825b91ce608f8fc982362b39cd17610062ff0dbe3fa2ac541c34405cc9ffdb0237529484e721abcfe8b9c48f18721
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (second version)
Filesize: 342B
MD5: 34db185b1cfc16f965fd4b01a589487b
SHA1: 4f83ce8b371449ca0479c2ef67314a30f899d5e3
SHA256: 2bff777dec9b81045c27034713b4f014fe1681ab3c9fa7658462e32f81f9b353
SHA512: d1b326fca8e057d7b74e9a2c78817a1b5a2adcad14f42a20fa7d74b947a1f1086d03177f18f704e3177df83ef265e9e1aacbe80f89b820706d01b71dcc135c8d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (third version)
Filesize: 342B
MD5: 2f511a33add3618038b08ff9e98d6ef2
SHA1: db7a8c29b0497eed2bc4c8b8a83998e991b38dd9
SHA256: 32accaf02a67fdd93094282bb380b45e5def83ebe4f5bc000f9e028837f4e004
SHA512: 481c2523ebe97ee46ba71ad2b31a80101ab9be4f5a16def7c4882efe7c704c5fcbed852eaac135a4e33d966b0e028236afbee72dc871f29403ef646ced015562
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956
Filesize: 252B
MD5: f679a43e3b11554013c3576ad920ea7c
SHA1: fe608ffe22a20aa0bb2e888ba98f4182288ca1e9
SHA256: e8e89434b211147cfaf26a93eb732ab74aafc4aabb8a23c0b96b60da2153d117
SHA512: 2e8acafe8ab6b4c4b83953fa4747f0421f47cb1fa22363af26de3fe76df39be49421be3843727c9672c62b433e56c8a61161d7513450dca5f6fca6b986a17d48
-
(path not recorded on the page)
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
(path not recorded on the page)
Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
(path not recorded on the page)
Filesize: 119KB
MD5: 5662d52590ceb2b4f8b079a103b7b8da
SHA1: 83252151f4619d069443d7601e5be488f04531f9
SHA256: 54655972e31238e1ea49c9f8f9cb93868a3c79b4f46687987868a1716301010a
SHA512: c5586838314136add5bb3dbf802fc3fb5a6f1e270f5882295ee30a229877ddf3283c22105e18c0f0614aa0ec98b533749f2b02a81914de1e86bee47c5da59a62
The CryptnetUrlCache entries are CryptoAPI's own cache of the CRL fetches and are not sample-specific IoCs. The last three unnamed files are the ones worth hashing against chargeable.exe and any dropped DLL; the page does not record which path each of them was written to, so that mapping has to come from the sandbox's raw file events.