Overview

overview

10

Static

static

xzw.exe

windows7-x64

10

xzw.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    18-08-2022 13:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    xzw.exe

  • Size

    872KB

  • MD5

    d156b1ffd7d387927ee88491a26ccae6

  • SHA1

    15764f67963a0e70f2b310510b95021d7e4aa27d

  • SHA256

    18459ea969be44966cb9bdd8d65d93d91dc2635d952f02aee69d6e2eaec2c679

  • SHA512

    0c213b94f86e49dfad8aed263ef11f5c24b9597591ae7f37b6451f513c1451f603c27676e547809976f636c86d2650fe12c988cdf2cea5ee6843612583ade283

Score
10/10
chinese_generic_botnetgh0stratbotnetratupx

Malware Config

Signatures

  • Generic Chinese Botnet

    A botnet originating from China which is currently unnamed publicly.

    botnetchinese_generic_botnet
  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Chinese Botnet payload 3 IoCs
    botnet
  • Executes dropped EXE 1 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 30 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 13 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\xzw.exe
    "C:\Users\Admin\AppData\Local\Temp\xzw.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    PID:1508
  • C:\Program Files (x86)\Msemswe.exe
    "C:\Program Files (x86)\Msemswe.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies data under HKEY_USERS
    PID:740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Msemswe.exe
    Filesize

    872KB

    MD5

    d156b1ffd7d387927ee88491a26ccae6

    SHA1

    15764f67963a0e70f2b310510b95021d7e4aa27d

    SHA256

    18459ea969be44966cb9bdd8d65d93d91dc2635d952f02aee69d6e2eaec2c679

    SHA512

    0c213b94f86e49dfad8aed263ef11f5c24b9597591ae7f37b6451f513c1451f603c27676e547809976f636c86d2650fe12c988cdf2cea5ee6843612583ade283

    Download Submit
  • C:\Program Files (x86)\Msemswe.exe
    Filesize

    872KB

    MD5

    d156b1ffd7d387927ee88491a26ccae6

    SHA1

    15764f67963a0e70f2b310510b95021d7e4aa27d

    SHA256

    18459ea969be44966cb9bdd8d65d93d91dc2635d952f02aee69d6e2eaec2c679

    SHA512

    0c213b94f86e49dfad8aed263ef11f5c24b9597591ae7f37b6451f513c1451f603c27676e547809976f636c86d2650fe12c988cdf2cea5ee6843612583ade283

    Download Submit
  • memory/740-4726-0x0000000000400000-0x0000000000527000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/740-6111-0x00000000002F0000-0x00000000003F0000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/740-6113-0x0000000001FB0000-0x0000000002131000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/740-9495-0x0000000000400000-0x0000000000527000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/740-9494-0x00000000002F0000-0x00000000003F0000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/740-9490-0x0000000000400000-0x0000000000527000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/740-9489-0x0000000002140000-0x0000000002251000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-497-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-469-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-467-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-468-0x0000000000400000-0x0000000000527000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/1508-499-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-500-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-471-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-472-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-473-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-474-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-475-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-476-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-477-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-478-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-479-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-480-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-481-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-482-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-483-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-484-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-485-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-486-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-487-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-488-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-489-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-490-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-491-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-492-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-493-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-494-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-495-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-465-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-496-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-498-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-501-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-466-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-470-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-502-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-503-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-504-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-505-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-506-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-507-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-508-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-509-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-510-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-511-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-512-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-513-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-514-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-515-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-516-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-517-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-518-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-519-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-520-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-521-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-522-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-523-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-524-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-525-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-1572-0x0000000000530000-0x0000000000630000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/1508-1574-0x0000000001F30000-0x00000000020B1000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1508-4718-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-464-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-463-0x00000000020C0000-0x00000000021D1000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1508-56-0x0000000075010000-0x0000000075057000-memory.dmp
    Filesize

    284KB

    Download
  • memory/1508-54-0x0000000075451000-0x0000000075453000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1508-4719-0x0000000000400000-0x0000000000527000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/1508-4723-0x0000000000530000-0x0000000000630000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/1508-5610-0x0000000000400000-0x0000000000527000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/1508-9501-0x0000000003C60000-0x0000000003DAF000-memory.dmp
    Filesize

    1.3MB

    Download