Analysis
-
max time kernel
114s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20/01/2025, 04:23
Static task
static1
Behavioral task
behavioral1
Sample
8cef03b0ba383d5e40062d57f03579936c8d1e0b42c6f480f4b93bcedb284398N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
8cef03b0ba383d5e40062d57f03579936c8d1e0b42c6f480f4b93bcedb284398N.exe
Resource
win10v2004-20241007-en
General
-
Target
8cef03b0ba383d5e40062d57f03579936c8d1e0b42c6f480f4b93bcedb284398N.exe
-
Size
118KB
-
MD5
f770720a1144d0e0c46c0530b601d860
-
SHA1
384435b2abcf711571b656c5e500eb6f82616f96
-
SHA256
8cef03b0ba383d5e40062d57f03579936c8d1e0b42c6f480f4b93bcedb284398
-
SHA512
20ffd3eed997998dffd24f3dbc6dd569d29bdd1fc3a2fc266ad3d52b17164e7af5b59b954641a81f4d09a97a0632076f0bf84a8d23e202b726037e8a9d8c074b
-
SSDEEP
1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLf3:P5eznsjsguGDFqGZ2rDLf3
Malware Config
Extracted
njrat
0.7d
neuf
doddyfire.linkpc.net:10000
e1a87040f2026369a233f9ae76301b7b
-
reg_key
e1a87040f2026369a233f9ae76301b7b
-
splitter
|'|'|
Signatures
-
Njrat family
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2592 netsh.exe -
Executes dropped EXE 2 IoCs
pid Process 2284 chargeable.exe 2724 chargeable.exe -
Loads dropped DLL 2 IoCs
pid Process 2132 8cef03b0ba383d5e40062d57f03579936c8d1e0b42c6f480f4b93bcedb284398N.exe 2132 8cef03b0ba383d5e40062d57f03579936c8d1e0b42c6f480f4b93bcedb284398N.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe" 8cef03b0ba383d5e40062d57f03579936c8d1e0b42c6f480f4b93bcedb284398N.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cef03b0ba383d5e40062d57f03579936c8d1e0b42c6f480f4b93bcedb284398N.exe" 8cef03b0ba383d5e40062d57f03579936c8d1e0b42c6f480f4b93bcedb284398N.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2284 set thread context of 2724 2284 chargeable.exe 32 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8cef03b0ba383d5e40062d57f03579936c8d1e0b42c6f480f4b93bcedb284398N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chargeable.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chargeable.exe -
Suspicious use of AdjustPrivilegeToken 25 IoCs
description pid Process Token: SeDebugPrivilege 2724 chargeable.exe Token: 33 2724 chargeable.exe Token: SeIncBasePriorityPrivilege 2724 chargeable.exe Token: 33 2724 chargeable.exe Token: SeIncBasePriorityPrivilege 2724 chargeable.exe Token: 33 2724 chargeable.exe Token: SeIncBasePriorityPrivilege 2724 chargeable.exe Token: 33 2724 chargeable.exe Token: SeIncBasePriorityPrivilege 2724 chargeable.exe Token: 33 2724 chargeable.exe Token: SeIncBasePriorityPrivilege 2724 chargeable.exe Token: 33 2724 chargeable.exe Token: SeIncBasePriorityPrivilege 2724 chargeable.exe Token: 33 2724 chargeable.exe Token: SeIncBasePriorityPrivilege 2724 chargeable.exe Token: 33 2724 chargeable.exe Token: SeIncBasePriorityPrivilege 2724 chargeable.exe Token: 33 2724 chargeable.exe Token: SeIncBasePriorityPrivilege 2724 chargeable.exe Token: 33 2724 chargeable.exe Token: SeIncBasePriorityPrivilege 2724 chargeable.exe Token: 33 2724 chargeable.exe Token: SeIncBasePriorityPrivilege 2724 chargeable.exe Token: 33 2724 chargeable.exe Token: SeIncBasePriorityPrivilege 2724 chargeable.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 2132 wrote to memory of 2284 2132 8cef03b0ba383d5e40062d57f03579936c8d1e0b42c6f480f4b93bcedb284398N.exe 31 PID 2132 wrote to memory of 2284 2132 8cef03b0ba383d5e40062d57f03579936c8d1e0b42c6f480f4b93bcedb284398N.exe 31 PID 2132 wrote to memory of 2284 2132 8cef03b0ba383d5e40062d57f03579936c8d1e0b42c6f480f4b93bcedb284398N.exe 31 PID 2132 wrote to memory of 2284 2132 8cef03b0ba383d5e40062d57f03579936c8d1e0b42c6f480f4b93bcedb284398N.exe 31 PID 2284 wrote to memory of 2724 2284 chargeable.exe 32 PID 2284 wrote to memory of 2724 2284 chargeable.exe 32 PID 2284 wrote to memory of 2724 2284 chargeable.exe 32 PID 2284 wrote to memory of 2724 2284 chargeable.exe 32 PID 2284 wrote to memory of 2724 2284 chargeable.exe 32 PID 2284 wrote to memory of 2724 2284 chargeable.exe 32 PID 2284 wrote to memory of 2724 2284 chargeable.exe 32 PID 2284 wrote to memory of 2724 2284 chargeable.exe 32 PID 2284 wrote to memory of 2724 2284 chargeable.exe 32 PID 2724 wrote to memory of 2592 2724 chargeable.exe 33 PID 2724 wrote to memory of 2592 2724 chargeable.exe 33 PID 2724 wrote to memory of 2592 2724 chargeable.exe 33 PID 2724 wrote to memory of 2592 2724 chargeable.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\8cef03b0ba383d5e40062d57f03579936c8d1e0b42c6f480f4b93bcedb284398N.exe"C:\Users\Admin\AppData\Local\Temp\8cef03b0ba383d5e40062d57f03579936c8d1e0b42c6f480f4b93bcedb284398N.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exeC:\Users\Admin\AppData\Roaming\confuse\chargeable.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2592
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5fa84e4bcc92aa5db735ab50711040cde
SHA1084f1cb4c47fdd3be1c833f58359ec8e16f61eb4
SHA2566d7205e794fde4219a62d9692ecddf612663a5cf20399e79be87b851fca4ca33
SHA512261a327ed1dffd4166e215d17bfd867df5b77017ba72c879fb2675cfb8eef48b374f6de41da0e51ba7adb9c0165bb2c831840603e873f6429963afd0cb93007f
-
Filesize
1KB
MD51ea27366e034eb9447a33ce639c01489
SHA1d12ed3e7e60c65ce90f0a58b9b9e47292caed923
SHA256788d210ef206a4d11b6b506bf52124ee03fca4e8a9389fad43772202a7e29452
SHA512e06f7443f0f7ca5db4411aa0718102c08068e95ec305b6b53c0b42a941a877de39f95c7e7514e69316b41a7ac19eaa6ccddc581fe475bdb842ec920691726e49
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE
Filesize264B
MD5b84cee7c3a3256d791797776caf883fa
SHA1e4b5c563a6ff4cd4a658137157ffe80f3baae6fe
SHA256951995329b669ee7e7427dcd6922a2a993aacebf8afdee6b5a2f72379254efd4
SHA512132f34d5e7ae771e235fd24e8dd08a2a61c4af8d2d9772a5575a3b4f85287718ff1cc79acf22f29954699dc8eeda2c64602cb9a9d5684962d1e7a99f856d8b83
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD55615d2b8b45e0d21c39125a646249e22
SHA1234e2ecd80c4e2ea5401ef39481c39fcd09a7b58
SHA256afeecb937c0b4cc0f15de1f870b561a9fc5f3041cafdd08a6357267a2198130d
SHA51274369133fe5dc2b79c901a49c201bbae7f2ca0628b112d3be82333a2c2f1bc22453ad8d0ea4056d72bc63347778729b0ed887887019373e67e1392eafa490a99
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD57a3cbfc863157e6ff9e11a729cbce354
SHA1857057d789842ee989590ca0da1279fff6a0ba74
SHA2566605999f0081a694a3e6de4a740adf633fa94ec4ed4632e01db44fb8df4f9d08
SHA512d2c3a4687af4145ed24a643f90166f383f1b5f3400fa2f63a90f285ddcdcdb118681ebd2898260f1a6289d3bda7c3cfef1e1d80b13828517dfe9d845cbd48f10
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5948c2c51c39522f2daade69e93f304c6
SHA18d821118926abbefa33d770c9246df97b15ea9a4
SHA256f66f1fc62f3afd1ea69646aa0d793e6c39a423665491cdaaa8e5c5296d99c68d
SHA512b84bccc00c23b86642ceb68710528eae1f0b74778a2ee9a110b233fbe372e76d3f12350fec04b14c9f9fb573e94b1b141f774425fefdd2924eb7e5d39d734973
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956
Filesize252B
MD519b458c28f1f6fa35bd8e09fdb8696f6
SHA1ed753e75b1fc36bcf21dbf0fc2b41316b3bfef68
SHA256c2060c86ec9f44412b81255919c6597d5346d854c6a2442590cc747a327e4e42
SHA5121b91c79b5eea3546681c251b13a9b9fda2c1c8d35f956192724decd35c992929bd9beb27e70ac5caec2f27f1282ed934b6c2c4ca590ff673d5af87b828a2a701
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
118KB
MD5718eb810e5ec7ee1a53bf193330a1691
SHA1f02a2dd0a6bcf7f7db8763a1be2a29b73ee68e10
SHA256a6048097136d7a51123c01c3c25f4a74f8a437cf811e0e5bbf59c7db06749f07
SHA512ffd8757c221b5702930772f9637305d7045ecab3dfb1d84f65ae49ecae8cd24ac37b9c370f71df5b7af2132c80b750efcaf9208992828fd75bd255b659b10a8d