Overview

overview

10

Static

static

3

Nw-Inst64.exe

windows7-x64

10

Nw-Inst64.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    25/03/2025, 10:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Nw-Inst64.exe

  • Size

    1.8MB

  • MD5

    3386e2abdfb0d9549bfba2cce6ca7689

  • SHA1

    ed6cb1b6d742f644ea2d1450c84a715d0b342d5c

  • SHA256

    6a4c87064969595078355dae42918fc19c3b71f422d6b5af9cee50a2af2d7b88

  • SHA512

    8f5af4ba0f985ef0b2ebb0a1518f07ad39feac4c355587fa4b1db093d8f763bff4484488a7692550fa458499af696dc2d09c54266a7a2ecfe1340de97eacf8de

  • SSDEEP

    49152:TRWp/PzUuHrGdkuxEiRMmWqf2/wzfUMrf5yfdoP+krDDjJOeZs:TEJPzXHrGdkuWJmWZ4CfdoPhXJOk

Score
10/10
dcratstormkittyxwormdiscoveryinfostealerratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

89.39.121.169:9000

Attributes
  • Install_directory

    %AppData%

  • install_file

    RunShell.exe

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Detect Xworm Payload 2 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 2 IoCs
  • Stormkitty family
    stormkitty
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 7 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nw-Inst64.exe
    "C:\Users\Admin\AppData\Local\Temp\Nw-Inst64.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2616
    • C:\Users\Admin\AppData\Local\Temp\XClient.exe
      "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1912
    • C:\Users\Admin\AppData\Local\Temp\Build.exe
      "C:\Users\Admin\AppData\Local\Temp\Build.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2376
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 1084
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:484
    • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
      "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1272
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\WinnetCommonSvc\EF1rb20B7Zp52f5Q8odTU.vbe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2872
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\WinnetCommonSvc\ckg6ORaGrHhdrhoaDEIfOHU33jMcFfgqQelkNCXcy5pLINkbo7vRcc.bat" "
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1776
          • C:\WinnetCommonSvc\fontWinnet.exe
            "C:\WinnetCommonSvc/fontWinnet.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2788
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JTvYqX5JSM.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2736
              • C:\Windows\system32\chcp.com
                chcp 65001
                7⤵
                  PID:1200
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  7⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:380
                • C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe
                  "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\System.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2212

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Build.exe
      Filesize

      250KB

      MD5

      b8f3934b55afbaa069717cd2e2eda6dd

      SHA1

      b33071c576f2637bd679002f01ca68e4df5112ec

      SHA256

      7cd58601d62de54c16bf279d2eb477a0e5b85f62cbe387268c1bec578db2a1e3

      SHA512

      2bab25ed6f190e56a96986400e5004956d44e3c9fe6e95e0b6540e503ad232ed3c08c85aaf3926a7bab3041fdbe64e363785c07fce9c011fc09abf2c39fde0c1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
      Filesize

      2.2MB

      MD5

      730239632db99d16b9f2656950408bcc

      SHA1

      ae877e836becf0b7727cf61c0277446c1c5ed381

      SHA256

      6dbcdb70833bb9ac5656887e6eae082ade4d197bcf6516c70e10ab196a23d292

      SHA512

      bd3b2973c54ee9754f19ef5eba73d9252de285c5d574611b01db0ea3f0c3c145686e319dc2a9f6b8aff94728eb1bfb8485a98152175cca5deed52b6318c16da5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\JTvYqX5JSM.bat
      Filesize

      187B

      MD5

      6995ff48b3be5483487932dfadd47b8c

      SHA1

      ff4239be264797723ce3f5ae9f13792d01bc72d7

      SHA256

      8dace7731db3884f5862332b6ec50a3bbab0ff150f527fb97f7aaf4a698658cd

      SHA512

      cfc53be1d82d7db0357b47e441ac325be3f50ea267d50b41fa4f000dd8f349acc73586882bc219951ed86dc7ec70f22e8ca6805e6e5a34a65229f9ba28ebe44d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\XClient.exe
      Filesize

      64KB

      MD5

      31d745f5009eeda2da51b2d05d9711c5

      SHA1

      26c27b236bed8cb2046acddcc1c7d7b642b7c610

      SHA256

      37330d19e9479d225bf3934cf1b7bb233adc6bf0c8c876f181b814759d7c0b0f

      SHA512

      8319478d1ef266243e26592edbef9acbb07eb6de059043981e7f824424501691d41eef4736f6fe05e7ffc718ed0133489d22bd850c7a6773f7f50bf34207da4b

      Download Submit

    • C:\WinnetCommonSvc\EF1rb20B7Zp52f5Q8odTU.vbe
      Filesize

      247B

      MD5

      8fbc46f9794e1b89929cd710e53f0459

      SHA1

      15453a386f1c94b5ea4cd0ec41aa3c79c5dd2f54

      SHA256

      aaa6ca00879bea0f370824f57a72071aea49ae438ad2abb3eb4c9faddbab3d86

      SHA512

      b9fe28c4b771eae1f2261e4e17ec9e6d6055e17a5a2a5a32f8ecc7aaba9cf73f14e89ffafcc3455ed57cfa48fdde6d393630f585349f8ce4d2302543f323dc9b

      Download Submit

    • C:\WinnetCommonSvc\ckg6ORaGrHhdrhoaDEIfOHU33jMcFfgqQelkNCXcy5pLINkbo7vRcc.bat
      Filesize

      89B

      MD5

      f2c017fa853e79d1fc9f0ef254fbd9b7

      SHA1

      911039790cbad8fd3d7ff7d5dd3ed0099adc4ed9

      SHA256

      8848856354f6c99d5821c08136a03c75597f43dbfe1f8475998db4b19e833b13

      SHA512

      ec1af3b307d7c7d30011ef7a9d0d1b7c53f15cdc7f028163fa40db3711e9d83271dc4a089160d9c9a6b4687ddd87b0cd6fd5bda2e375a080c8d0a6badc4885ca

      Download Submit

    • \WinnetCommonSvc\fontWinnet.exe
      Filesize

      1.9MB

      MD5

      a5696185d5f9c88887e304e46944a366

      SHA1

      dd3daef6d70edcfbff6e58a123a25e212534941f

      SHA256

      3672ce6a54d5f04368c85ca8d46b2f0d67b548d05703bb14cf3492dc21fff8da

      SHA512

      9dadc5dfec936039b09aeed6c49a58cbe1162a9939283efa27d8660ea8aeeafc28d246ddf4270df93d89af15822d1f8b4aebc8d74ba040969753975013b3d579

      Download Submit

    • memory/1912-22-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1912-14-0x0000000001090000-0x00000000010A6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1912-70-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2212-73-0x00000000009D0000-0x0000000000BBC000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/2376-21-0x0000000000BB0000-0x0000000000BF4000-memory.dmp

      Filesize

      272KB

      Download

    • memory/2616-1-0x0000000001330000-0x0000000001508000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2616-0-0x000007FEF55E3000-0x000007FEF55E4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2616-19-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2788-40-0x0000000000540000-0x000000000055C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2788-44-0x0000000000520000-0x000000000052C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2788-46-0x0000000000530000-0x000000000053E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2788-48-0x0000000002180000-0x000000000218C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2788-42-0x0000000002160000-0x0000000002178000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2788-38-0x0000000000510000-0x000000000051E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2788-36-0x0000000000A70000-0x0000000000C5C000-memory.dmp

      Filesize

      1.9MB

      Download