Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-12-2024 17:28

General

  • Target

    matrix.exe

  • Size

    7.1MB

  • MD5

    11b902db9f1d4dec6a2c416492a3a038

  • SHA1

    1443ee1ca3d14d2bde269c63d33d76a958674daa

  • SHA256

    a816679c8a1f078c6ed23ed1cdbd5afe58c4561c0a532d54e82f473fbb9af19e

  • SHA512

    aee89808a6ee779b02514dbf30adfe5dea09cf4aeccfe9dab04b9f5162c3896f7f3a9ff29f0fa7abe132156b354f4465445c16b515faf2079b5ab11225da853a

  • SSDEEP

    98304:4f7DWu05E8BLHISMHtdTeMCL52PAeZ1cxhZgiIPMpbUteXfb4RbkRZciV6SpAJDz:ioEeB5mhZ1sbpTX0RbwRpAJDv/

Malware Config

Extracted

Family

xworm

Version

5.0

C2

fat-pads.gl.at.ply.gg:35059

Mutex

9AxQwGpimVT3I78A

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Extracted

Family

njrat

Version

<- NjRAT 0.7d Horror Edition ->

Botnet

Victim

C2

fat-pads.gl.at.ply.gg:35059

Mutex

e564aa028dc627deeaa119b78ed54d5e

Attributes
  • reg_key

    e564aa028dc627deeaa119b78ed54d5e

  • splitter

    Y262SUCZ4UJJ

Signatures

  • Detect Xworm Payload 4 IoCs
  • Njrat family
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops startup file 4 IoCs
  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 12 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Gathers network information 2 TTPs 1 IoCs

    Uses a command-line utility to view the network configuration.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\matrix.exe
    "C:\Users\Admin\AppData\Local\Temp\matrix.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Users\Admin\AppData\Local\Temp\Built.exe
      "C:\Users\Admin\AppData\Local\Temp\Built.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2184
      • C:\Users\Admin\AppData\Local\Temp\Built.exe
        "C:\Users\Admin\AppData\Local\Temp\Built.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2816
    • C:\Users\Admin\AppData\Local\Temp\XClient.exe
      "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2936
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:940
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:608
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\boost'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:588
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'boost'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1532
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "boost" /tr "C:\Users\Admin\AppData\Roaming\boost"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1208
    • C:\Users\Admin\AppData\Local\Temp\Payload.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3032
      • C:\Users\Admin\AppData\Local\Temp\dllhost.exe
        "C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:912
    • C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
      "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2944
      • C:\Windows\system32\cmd.exe
        "cmd" /c ipconfig /all
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2484
        • C:\Windows\system32\ipconfig.exe
          ipconfig /all
          4⤵
          • Gathers network information
          PID:1552
      • C:\Windows\system32\cmd.exe
        "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3056
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2132
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2944 -s 1152
        3⤵
        • Loads dropped DLL
        PID:1260
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {47FFD669-77E2-4861-8BC9-8C55037E00FC} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Users\Admin\AppData\Roaming\boost
      C:\Users\Admin\AppData\Roaming\boost
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1612
    • C:\Users\Admin\AppData\Roaming\boost
      C:\Users\Admin\AppData\Roaming\boost
      2⤵
      • Executes dropped EXE
      PID:2332

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe

    Filesize

    800KB

    MD5

    02c70d9d6696950c198db93b7f6a835e

    SHA1

    30231a467a49cc37768eea0f55f4bea1cbfb48e2

    SHA256

    8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3

    SHA512

    431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb

  • C:\Users\Admin\AppData\Local\Temp\Payload.exe

    Filesize

    55KB

    MD5

    49550e5c3979b41adc5f160884ea1438

    SHA1

    7dcbbbd74bff8e991e0c517bfb2e4552553e7d8d

    SHA256

    2206884a8a62ba3b46c973f1131f807282eab756da08f7903b60954081ed9406

    SHA512

    d7082b81c74c8b41b163140f4273df30a5b12d7b7671d061ca7d77b73de64cec2845fb4eb78fc937e7692148541da67ec7a4eb2f09b4cf495fbcf9a740736d25

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe

    Filesize

    40KB

    MD5

    0bdc464106c1752b5016f399287e8e09

    SHA1

    8683d5b9902e7317f292e594c0d6c73f61a5b2fc

    SHA256

    e315e0c86b7692bb30acb552bb9a1217b2b5fd8efc4d39f91de83531717c9e00

    SHA512

    8291b18b4f3e6f4ab9bb31c402aa96f4b1d1702e1c2c52858d8e675a9e04542a17ef9bde3e809922bfb2dad99e662326735caa5f79b134abf96f11bd03d3c151

  • C:\Users\Admin\AppData\Local\Temp\_MEI21842\python311.dll

    Filesize

    1.6MB

    MD5

    bb46b85029b543b70276ad8e4c238799

    SHA1

    123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

    SHA256

    72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

    SHA512

    5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    6f489488a6a0fd53516d954644bb7cc3

    SHA1

    26cdc6110e4d7f2b3b2afd67d517d3115b53fcf8

    SHA256

    ea2153ce267052ede47c8c7d6cbe5e9c920ffdc99e80d8c51b1dbca43f936fb2

    SHA512

    59f8be4f7398e950bf6ef15e2d91d96dd54e87a642491f622dee37628ff68e0cd0173a58f36c3ecac8abc29499d1081bb7bd5ebde4909ac24287e1011e89a531

  • \Users\Admin\AppData\Local\Temp\Built.exe

    Filesize

    6.9MB

    MD5

    ba5e8293e3f5df06609957574ebda500

    SHA1

    04b5fb00ae26fcd5804e5b8829f90a58d7bb6c98

    SHA256

    bdc7f8370f86a4e26e64289f4ec98b47280a583acdb00878b08cb06b8d6c7f72

    SHA512

    a6ba9cb1063aeec75edda47f671bd69766f1922ce76519a92439a2d7c47b443e4ef94b77394c0352386166beed47a63e3c33f77eb52f7f7bc428b3788f864d44

  • memory/608-71-0x000000001B230000-0x000000001B512000-memory.dmp

    Filesize

    2.9MB

  • memory/608-72-0x0000000002220000-0x0000000002228000-memory.dmp

    Filesize

    32KB

  • memory/940-64-0x000000001B320000-0x000000001B602000-memory.dmp

    Filesize

    2.9MB

  • memory/940-65-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

    Filesize

    32KB

  • memory/1612-125-0x0000000000040000-0x0000000000050000-memory.dmp

    Filesize

    64KB

  • memory/2116-58-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

    Filesize

    9.9MB

  • memory/2116-5-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

    Filesize

    9.9MB

  • memory/2116-0-0x000007FEF5A63000-0x000007FEF5A64000-memory.dmp

    Filesize

    4KB

  • memory/2116-1-0x0000000001030000-0x0000000001752000-memory.dmp

    Filesize

    7.1MB

  • memory/2332-128-0x0000000000800000-0x0000000000810000-memory.dmp

    Filesize

    64KB

  • memory/2816-45-0x000007FEF65E0000-0x000007FEF6BC8000-memory.dmp

    Filesize

    5.9MB

  • memory/2936-42-0x0000000000010000-0x0000000000020000-memory.dmp

    Filesize

    64KB

  • memory/2944-57-0x0000000000010000-0x00000000000DE000-memory.dmp

    Filesize

    824KB