Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
23-12-2024 17:28
Static task
static1
Behavioral task
behavioral1
Sample
matrix.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
matrix.exe
Resource
win10v2004-20241007-en
General
-
Target
matrix.exe
-
Size
7.1MB
-
MD5
11b902db9f1d4dec6a2c416492a3a038
-
SHA1
1443ee1ca3d14d2bde269c63d33d76a958674daa
-
SHA256
a816679c8a1f078c6ed23ed1cdbd5afe58c4561c0a532d54e82f473fbb9af19e
-
SHA512
aee89808a6ee779b02514dbf30adfe5dea09cf4aeccfe9dab04b9f5162c3896f7f3a9ff29f0fa7abe132156b354f4465445c16b515faf2079b5ab11225da853a
-
SSDEEP
98304:4f7DWu05E8BLHISMHtdTeMCL52PAeZ1cxhZgiIPMpbUteXfb4RbkRZciV6SpAJDz:ioEeB5mhZ1sbpTX0RbwRpAJDv/
Malware Config
Extracted
xworm
5.0
fat-pads.gl.at.ply.gg:35059
9AxQwGpimVT3I78A
-
Install_directory
%AppData%
-
install_file
USB.exe
Extracted
njrat
<- NjRAT 0.7d Horror Edition ->
Victim
fat-pads.gl.at.ply.gg:35059
e564aa028dc627deeaa119b78ed54d5e
-
reg_key
e564aa028dc627deeaa119b78ed54d5e
-
splitter
Y262SUCZ4UJJ
Signatures
-
Detect Xworm Payload 4 IoCs
resource yara_rule
behavioral1/files/0x000b000000016cab-35.dat family_xworm
behavioral1/memory/2936-42-0x0000000000010000-0x0000000000020000-memory.dmp family_xworm
behavioral1/memory/1612-125-0x0000000000040000-0x0000000000050000-memory.dmp family_xworm
behavioral1/memory/2332-128-0x0000000000800000-0x0000000000810000-memory.dmp family_xworm
-
Njrat family
-
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process
940 powershell.exe
608 powershell.exe
588 powershell.exe
1532 powershell.exe
-
Drops startup file 4 IoCs
description ioc Process
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\boost.lnk XClient.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\boost.lnk XClient.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e564aa028dc627deeaa119b78ed54d5e.exe dllhost.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e564aa028dc627deeaa119b78ed54d5e.exe dllhost.exe
-
Executes dropped EXE 9 IoCs
pid Process
2184 Built.exe
2936 XClient.exe
2816 Built.exe
3032 Payload.exe
2944 BootstrapperV1.23.exe
1212 Process not Found
912 dllhost.exe
1612 boost
2332 boost
-
Loads dropped DLL 12 IoCs
pid Process
2116 matrix.exe
2184 Built.exe
2816 Built.exe
2116 matrix.exe
2920 Process not Found
1212 Process not Found
1260 WerFault.exe
1260 WerFault.exe
1260 WerFault.exe
1260 WerFault.exe
3032 Payload.exe
1260 WerFault.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\boost = "C:\\Users\\Admin\\AppData\\Roaming\\boost" XClient.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\e564aa028dc627deeaa119b78ed54d5e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dllhost.exe\" .." dllhost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\e564aa028dc627deeaa119b78ed54d5e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dllhost.exe\" .." dllhost.exe
-
resource yara_rule
behavioral1/files/0x00050000000195b1-40.dat upx
behavioral1/memory/2816-45-0x000007FEF65E0000-0x000007FEF6BC8000-memory.dmp upx
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Payload.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dllhost.exe
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid Process
1552 ipconfig.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
1208 schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process
940 powershell.exe
608 powershell.exe
588 powershell.exe
1532 powershell.exe
2936 XClient.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeDebugPrivilege 2936 XClient.exe
Token: SeIncreaseQuotaPrivilege 2132 WMIC.exe
Token: SeSecurityPrivilege 2132 WMIC.exe
Token: SeTakeOwnershipPrivilege 2132 WMIC.exe
Token: SeLoadDriverPrivilege 2132 WMIC.exe
Token: SeSystemProfilePrivilege 2132 WMIC.exe
Token: SeSystemtimePrivilege 2132 WMIC.exe
Token: SeProfSingleProcessPrivilege 2132 WMIC.exe
Token: SeIncBasePriorityPrivilege 2132 WMIC.exe
Token: SeCreatePagefilePrivilege 2132 WMIC.exe
Token: SeBackupPrivilege 2132 WMIC.exe
Token: SeRestorePrivilege 2132 WMIC.exe
Token: SeShutdownPrivilege 2132 WMIC.exe
Token: SeDebugPrivilege 2132 WMIC.exe
Token: SeSystemEnvironmentPrivilege 2132 WMIC.exe
Token: SeRemoteShutdownPrivilege 2132 WMIC.exe
Token: SeUndockPrivilege 2132 WMIC.exe
Token: SeManageVolumePrivilege 2132 WMIC.exe
Token: 33 2132 WMIC.exe
Token: 34 2132 WMIC.exe
Token: 35 2132 WMIC.exe
Token: SeDebugPrivilege 940 powershell.exe
Token: SeIncreaseQuotaPrivilege 2132 WMIC.exe
Token: SeSecurityPrivilege 2132 WMIC.exe
Token: SeTakeOwnershipPrivilege 2132 WMIC.exe
Token: SeLoadDriverPrivilege 2132 WMIC.exe
Token: SeSystemProfilePrivilege 2132 WMIC.exe
Token: SeSystemtimePrivilege 2132 WMIC.exe
Token: SeProfSingleProcessPrivilege 2132 WMIC.exe
Token: SeIncBasePriorityPrivilege 2132 WMIC.exe
Token: SeCreatePagefilePrivilege 2132 WMIC.exe
Token: SeBackupPrivilege 2132 WMIC.exe
Token: SeRestorePrivilege 2132 WMIC.exe
Token: SeShutdownPrivilege 2132 WMIC.exe
Token: SeDebugPrivilege 2132 WMIC.exe
Token: SeSystemEnvironmentPrivilege 2132 WMIC.exe
Token: SeRemoteShutdownPrivilege 2132 WMIC.exe
Token: SeUndockPrivilege 2132 WMIC.exe
Token: SeManageVolumePrivilege 2132 WMIC.exe
Token: 33 2132 WMIC.exe
Token: 34 2132 WMIC.exe
Token: 35 2132 WMIC.exe
Token: SeDebugPrivilege 2944 BootstrapperV1.23.exe
Token: SeDebugPrivilege 608 powershell.exe
Token: SeDebugPrivilege 588 powershell.exe
Token: SeDebugPrivilege 1532 powershell.exe
Token: SeDebugPrivilege 2936 XClient.exe
Token: SeDebugPrivilege 912 dllhost.exe
Token: 33 912 dllhost.exe
Token: SeIncBasePriorityPrivilege 912 dllhost.exe
Token: SeDebugPrivilege 1612 boost
Token: 33 912 dllhost.exe
Token: SeIncBasePriorityPrivilege 912 dllhost.exe
Token: 33 912 dllhost.exe
Token: SeIncBasePriorityPrivilege 912 dllhost.exe
Token: 33 912 dllhost.exe
Token: SeIncBasePriorityPrivilege 912 dllhost.exe
Token: 33 912 dllhost.exe
Token: SeIncBasePriorityPrivilege 912 dllhost.exe
Token: 33 912 dllhost.exe
Token: SeIncBasePriorityPrivilege 912 dllhost.exe
Token: 33 912 dllhost.exe
Token: SeIncBasePriorityPrivilege 912 dllhost.exe
Token: 33 912 dllhost.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process
2936 XClient.exe
-
Suspicious use of WriteProcessMemory 56 IoCs
description pid Process procid_target
PID 2116 wrote to memory of 2184 2116 matrix.exe 30
PID 2116 wrote to memory of 2184 2116 matrix.exe 30
PID 2116 wrote to memory of 2184 2116 matrix.exe 30
PID 2116 wrote to memory of 2936 2116 matrix.exe 31
PID 2116 wrote to memory of 2936 2116 matrix.exe 31
PID 2116 wrote to memory of 2936 2116 matrix.exe 31
PID 2184 wrote to memory of 2816 2184 Built.exe 32
PID 2184 wrote to memory of 2816 2184 Built.exe 32
PID 2184 wrote to memory of 2816 2184 Built.exe 32
PID 2116 wrote to memory of 3032 2116 matrix.exe 33
PID 2116 wrote to memory of 3032 2116 matrix.exe 33
PID 2116 wrote to memory of 3032 2116 matrix.exe 33
PID 2116 wrote to memory of 3032 2116 matrix.exe 33
PID 2116 wrote to memory of 2944 2116 matrix.exe 34
PID 2116 wrote to memory of 2944 2116 matrix.exe 34
PID 2116 wrote to memory of 2944 2116 matrix.exe 34
PID 2944 wrote to memory of 2484 2944 BootstrapperV1.23.exe 36
PID 2944 wrote to memory of 2484 2944 BootstrapperV1.23.exe 36
PID 2944 wrote to memory of 2484 2944 BootstrapperV1.23.exe 36
PID 2484 wrote to memory of 1552 2484 cmd.exe 38
PID 2484 wrote to memory of 1552 2484 cmd.exe 38
PID 2484 wrote to memory of 1552 2484 cmd.exe 38
PID 2936 wrote to memory of 940 2936 XClient.exe 39
PID 2936 wrote to memory of 940 2936 XClient.exe 39
PID 2936 wrote to memory of 940 2936 XClient.exe 39
PID 2944 wrote to memory of 3056 2944 BootstrapperV1.23.exe 41
PID 2944 wrote to memory of 3056 2944 BootstrapperV1.23.exe 41
PID 2944 wrote to memory of 3056 2944 BootstrapperV1.23.exe 41
PID 3056 wrote to memory of 2132 3056 cmd.exe 43
PID 3056 wrote to memory of 2132 3056 cmd.exe 43
PID 3056 wrote to memory of 2132 3056 cmd.exe 43
PID 2936 wrote to memory of 608 2936 XClient.exe 45
PID 2936 wrote to memory of 608 2936 XClient.exe 45
PID 2936 wrote to memory of 608 2936 XClient.exe 45
PID 2936 wrote to memory of 588 2936 XClient.exe 47
PID 2936 wrote to memory of 588 2936 XClient.exe 47
PID 2936 wrote to memory of 588 2936 XClient.exe 47
PID 2936 wrote to memory of 1532 2936 XClient.exe 49
PID 2936 wrote to memory of 1532 2936 XClient.exe 49
PID 2936 wrote to memory of 1532 2936 XClient.exe 49
PID 2944 wrote to memory of 1260 2944 BootstrapperV1.23.exe 51
PID 2944 wrote to memory of 1260 2944 BootstrapperV1.23.exe 51
PID 2944 wrote to memory of 1260 2944 BootstrapperV1.23.exe 51
PID 3032 wrote to memory of 912 3032 Payload.exe 52
PID 3032 wrote to memory of 912 3032 Payload.exe 52
PID 3032 wrote to memory of 912 3032 Payload.exe 52
PID 3032 wrote to memory of 912 3032 Payload.exe 52
PID 2936 wrote to memory of 1208 2936 XClient.exe 53
PID 2936 wrote to memory of 1208 2936 XClient.exe 53
PID 2936 wrote to memory of 1208 2936 XClient.exe 53
PID 1752 wrote to memory of 1612 1752 taskeng.exe 56
PID 1752 wrote to memory of 1612 1752 taskeng.exe 56
PID 1752 wrote to memory of 1612 1752 taskeng.exe 56
PID 1752 wrote to memory of 2332 1752 taskeng.exe 57
PID 1752 wrote to memory of 2332 1752 taskeng.exe 57
PID 1752 wrote to memory of 2332 1752 taskeng.exe 57
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\matrix.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\matrix.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2116
  [depth 2] C:\Users\Admin\AppData\Local\Temp\Built.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2184
    [depth 3] C:\Users\Admin\AppData\Local\Temp\Built.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Built.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 2816
  [depth 2] C:\Users\Admin\AppData\Local\Temp\XClient.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2936
    [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 940
    [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 608
    [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\boost'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 588
    [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'boost'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1532
    [depth 3] C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "boost" /tr "C:\Users\Admin\AppData\Roaming\boost"
    - Scheduled Task/Job: Scheduled Task
    PID: 1208
  [depth 2] C:\Users\Admin\AppData\Local\Temp\Payload.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3032
    [depth 3] C:\Users\Admin\AppData\Local\Temp\dllhost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID: 912
  [depth 2] C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.23.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2944
    [depth 3] C:\Windows\system32\cmd.exe
    Command line: "cmd" /c ipconfig /all
    - Suspicious use of WriteProcessMemory
    PID: 2484
      [depth 4] C:\Windows\system32\ipconfig.exe
      Command line: ipconfig /all
      - Gathers network information
      PID: 1552
    [depth 3] C:\Windows\system32\cmd.exe
    Command line: "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
    - Suspicious use of WriteProcessMemory
    PID: 3056
      [depth 4] C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
      - Suspicious use of AdjustPrivilegeToken
      PID: 2132
    [depth 3] C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 2944 -s 1152
    - Loads dropped DLL
    PID: 1260
[depth 1] C:\Windows\system32\taskeng.exe
Command line: taskeng.exe {47FFD669-77E2-4861-8BC9-8C55037E00FC} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
- Suspicious use of WriteProcessMemory
PID: 1752
  [depth 2] C:\Users\Admin\AppData\Roaming\boost
  Command line: C:\Users\Admin\AppData\Roaming\boost
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 1612
  [depth 2] C:\Users\Admin\AppData\Roaming\boost
  Command line: C:\Users\Admin\AppData\Roaming\boost
  - Executes dropped EXE
  PID: 2332
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (2)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads
-
Filesize
800KB
MD5
02c70d9d6696950c198db93b7f6a835e
SHA1
30231a467a49cc37768eea0f55f4bea1cbfb48e2
SHA256
8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3
SHA512
431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb
-
Filesize
55KB
MD5
49550e5c3979b41adc5f160884ea1438
SHA1
7dcbbbd74bff8e991e0c517bfb2e4552553e7d8d
SHA256
2206884a8a62ba3b46c973f1131f807282eab756da08f7903b60954081ed9406
SHA512
d7082b81c74c8b41b163140f4273df30a5b12d7b7671d061ca7d77b73de64cec2845fb4eb78fc937e7692148541da67ec7a4eb2f09b4cf495fbcf9a740736d25
-
Filesize
40KB
MD5
0bdc464106c1752b5016f399287e8e09
SHA1
8683d5b9902e7317f292e594c0d6c73f61a5b2fc
SHA256
e315e0c86b7692bb30acb552bb9a1217b2b5fd8efc4d39f91de83531717c9e00
SHA512
8291b18b4f3e6f4ab9bb31c402aa96f4b1d1702e1c2c52858d8e675a9e04542a17ef9bde3e809922bfb2dad99e662326735caa5f79b134abf96f11bd03d3c151
-
Filesize
1.6MB
MD5
bb46b85029b543b70276ad8e4c238799
SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c
SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0
SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB
MD5
6f489488a6a0fd53516d954644bb7cc3
SHA1
26cdc6110e4d7f2b3b2afd67d517d3115b53fcf8
SHA256
ea2153ce267052ede47c8c7d6cbe5e9c920ffdc99e80d8c51b1dbca43f936fb2
SHA512
59f8be4f7398e950bf6ef15e2d91d96dd54e87a642491f622dee37628ff68e0cd0173a58f36c3ecac8abc29499d1081bb7bd5ebde4909ac24287e1011e89a531
-
Filesize
6.9MB
MD5
ba5e8293e3f5df06609957574ebda500
SHA1
04b5fb00ae26fcd5804e5b8829f90a58d7bb6c98
SHA256
bdc7f8370f86a4e26e64289f4ec98b47280a583acdb00878b08cb06b8d6c7f72
SHA512
a6ba9cb1063aeec75edda47f671bd69766f1922ce76519a92439a2d7c47b443e4ef94b77394c0352386166beed47a63e3c33f77eb52f7f7bc428b3788f864d44