Overview

overview

10

Static

static

3

515b7bd886...c7.exe

windows7-x64

10

515b7bd886...c7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    16-06-2024 01:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe

  • Size

    15.8MB

  • MD5

    f192b4e9cf07850041e19ea07cd984e3

  • SHA1

    061a917e9691648e00a7f91ff82ae1c0e8da248b

  • SHA256

    515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7

  • SHA512

    19b9c0c214534d23e134fb29b6b1091ecb8c83f64df1e28219748a61d96bbef31141bb0e8237a5a96ac8bed6c233da6194c719f2c1470155d0a8ad3c194a2f5a

  • SSDEEP

    393216:bZ81TpBxAxlcciQ2RRkaZECMV8ElgSgq4nZ:bpB2jk3Vvlh6

Score
10/10
njratvjw0rmxwormhackedevasionexecutionpersistencerattrojanworm

Malware Config

Extracted

Family

xworm

C2

192.168.1.8:7000

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClienamrt.exe

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

192.168.1.8:7788

Mutex

66d1b8410b347e24d21ce9ad910a4de7

Attributes
  • reg_key

    66d1b8410b347e24d21ce9ad910a4de7

  • splitter

    |'|'|

Signatures

  • Detect Xworm Payload 2 IoCs
  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Detects Windows executables referencing non-Windows User-Agents 4 IoCs
  • Detects executables (downlaoders) containing URLs to raw contents of a paste 2 IoCs
  • Detects executables using Telegram Chat Bot 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Drops startup file 6 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops autorun.inf file 1 TTPs 5 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe
    "C:\Users\Admin\AppData\Local\Temp\515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2412
    • C:\Users\Admin\AppData\Roaming\Outputbinded.exe
      "C:\Users\Admin\AppData\Roaming\Outputbinded.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1724
      • C:\Users\Admin\AppData\Roaming\XClientamor.exe
        "C:\Users\Admin\AppData\Roaming\XClientamor.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2608
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClientamor.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1656
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClientamor.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1924
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClienamrt.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:716
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClienamrt.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:868
    • C:\Users\Admin\AppData\Roaming\Xworm V5.6.exe
      "C:\Users\Admin\AppData\Roaming\Xworm V5.6.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2996
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2996 -s 728
        3⤵
          PID:2152
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\amr.js"
        2⤵
          PID:2652
        • C:\Users\Admin\AppData\Roaming\Server.exe
          "C:\Users\Admin\AppData\Roaming\Server.exe"
          2⤵
          • Drops startup file
          • Executes dropped EXE
          • Drops autorun.inf file
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2368
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Server.exe" "Server.exe" ENABLE
            3⤵
            • Modifies Windows Firewall
            PID:1340
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\myronworm.vbs"
          2⤵
          • Drops startup file
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2512
          • C:\Windows\System32\wscript.exe
            "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\myronworm.vbs"
            3⤵
            • Drops startup file
            • Adds Run key to start application
            PID:2784

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Replication Through Removable Media

      1
      T1091

      Execution

      Command and Scripting Interpreter

      2
      T1059

      JavaScript

      1
      T1059.007

      PowerShell

      1
      T1059.001

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Defense Evasion

      Impair Defenses

      1
      T1562

      Disable or Modify System Firewall

      1
      T1562.004

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Replication Through Removable Media

      1
      T1091

      Collection

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        fa4a28d3103bac83663d2ea324587833

        SHA1

        64374b14403a97f9154fd727a27baf124a6fcfb4

        SHA256

        04b93fdb2b8db661472bbdcf340c7ee5c78e7939b75d8339ced85aa82a3bf3b4

        SHA512

        76ddcaf314b5473366ed07d5bd79c205c605580e15b4948d49fdbbd46d2a831012316b8022a1abafddf3577c831446c4fae11ab2b086f17df16fbc88ecce306d

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Outputbinded.exe
        Filesize

        686KB

        MD5

        5d692aa620cbca52d380150edcf51377

        SHA1

        bfaaf5ea9910324e3d9f3d95c5a8ca4d94924d86

        SHA256

        65302dc08b26b59a91943d82c7c5b79a017164bd7623576cbefcb9851098bf3c

        SHA512

        0c3e90f6e169a9876f4095774d6fec1b76bc0e23c00b254610ed58f4238bcd0547c7f8974d171587783659752c415267cb4d2499f1a6ac18ed7760f78103bc67

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Server.exe
        Filesize

        242KB

        MD5

        2355cb5fc18f1e7a0cffa302d1bfebff

        SHA1

        3703ec0c5299c2861d05f92b3cf16191b982d38a

        SHA256

        d4550f31de4c62eb2012f9bb984a00ab0e8d865098322dcd4d5db94b7107b986

        SHA512

        256700d2605dc4bbdac8b72470b2e24992da10572b564a478553bd7d5bea5e91f488ae46fe5d42320a558d6d9c3b43134c54998c40a4c690e29e5dd73bae3cab

        Download Submit

      • C:\Users\Admin\AppData\Roaming\XClientamor.exe
        Filesize

        260KB

        MD5

        9b839a50e55b18129f81629c61f912f7

        SHA1

        71e1feea8c12bd8b2501bf065d56fef8eae0517c

        SHA256

        92a21332ad995d61804e80d50abd6571a6faf3932ad574ff23939e84362485ae

        SHA512

        abcb038106c8c771c39a66f1f79885619a0a031a567d2a84acfb848545c8cd12dc1e64baa14f1151229de2abaf68fc023f6455cb47d6b29ec90832d0f2de9971

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Xworm V5.6.exe
        Filesize

        14.9MB

        MD5

        56ccb739926a725e78a7acf9af52c4bb

        SHA1

        5b01b90137871c3c8f0d04f510c4d56b23932cbc

        SHA256

        90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

        SHA512

        2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

        Download Submit

      • C:\Users\Admin\AppData\Roaming\amr.js
        Filesize

        3KB

        MD5

        e58364ddc8daeac92739f0b2c7547f9c

        SHA1

        ae2aa6f9cb8f4627d83c6158571689d596294cfe

        SHA256

        d03047394e431fbc6d68c74d2ac5348801ff1c4d7d3e12b1e3d873474c3cdf30

        SHA512

        d3e710f1c70883d5576ecdfec705c8edc671c533ebd353048c02d3bc8d9499a18d62c1cee8532d9c9ce325ca4966e53b40322e428cc0b20070971b974f8a673b

        Download Submit

      • C:\Users\Admin\AppData\Roaming\myronworm.vbs
        Filesize

        9KB

        MD5

        120aaed75e85209923d8fd9f5718d3d5

        SHA1

        ea7d8bdceeb399c221743089cb0484863775e31d

        SHA256

        30c959f6c7c85698d06513048ca92f5615260fb877bb17be0baa24b164575409

        SHA512

        deed7f6cc041e2df572ee921f6ee31f332ccfc248e365a9f586ac1fb5a9864e68b7917632544f5fb33b48289d1607017d95cac281d0908671f5469fe84b235a8

        Download Submit

      • memory/1656-47-0x000000001B650000-0x000000001B932000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/1656-48-0x00000000021D0000-0x00000000021D8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1724-7-0x0000000000D40000-0x0000000000DF0000-memory.dmp

        Filesize

        704KB

        Download

      • memory/1724-22-0x0000000000D10000-0x0000000000D20000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1724-42-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1924-54-0x000000001B690000-0x000000001B972000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/1924-55-0x0000000002350000-0x0000000002358000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2412-0-0x000007FEF59E3000-0x000007FEF59E4000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2412-1-0x0000000000260000-0x000000000123E000-memory.dmp

        Filesize

        15.9MB

        Download

      • memory/2608-14-0x0000000000280000-0x00000000002C6000-memory.dmp

        Filesize

        280KB

        Download

      • memory/2996-41-0x00000000000E0000-0x0000000000FC8000-memory.dmp

        Filesize

        14.9MB

        Download