Overview

overview

10

Static

static

10

gta_betabu...31.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    44s
  • max time network
    56s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    25-03-2024 16:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    gta_betabuild 1.31.exe

  • Size

    117KB

  • MD5

    0d8a7a20410bfea30a7d32fa86be00fa

  • SHA1

    10f3067f1e716cc78fcf4b66eb03f853d81276ad

  • SHA256

    d1df4ce9ca2c33cc2afbf8816788c1cbfd58e352a18ce9f76242b7aa53a109dd

  • SHA512

    b1d0ed93247eb03b7fc3b29002b51ae3d966fc186b8d9007d16c78ec7e3eb69087b8b273785947def6ba013eac5d93b13f5244a25b5d4150cdd07b8ad74c9092

  • SSDEEP

    768:ESivdjHrddilbVauou79EoJWqnIBXBxmHjBSkGu2yPo+LGZYebFDat26RNSgNORM:ErpHmVauo3tTxkDj6CSYebFoTf4K

Score
10/10
xenoratratspywarestealertrojan

Malware Config

Extracted

Family

xenorat

C2

37.120.141.155

Mutex

modtool_gta

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    22914

  • startup_name

    WinSCVUpdater

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\gta_betabuild 1.31.exe
    "C:\Users\Admin\AppData\Local\Temp\gta_betabuild 1.31.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4472
    • C:\Users\Admin\AppData\Roaming\XenoManager\gta_betabuild 1.31.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\gta_betabuild 1.31.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2360
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "WinSCVUpdater" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAF1C.tmp" /F
        3⤵
        • Creates scheduled task(s)
        PID:1032
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2904
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4924

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gta_betabuild 1.31.exe.log
      Filesize

      226B

      MD5

      1294de804ea5400409324a82fdc7ec59

      SHA1

      9a39506bc6cadf99c1f2129265b610c69d1518f7

      SHA256

      494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0

      SHA512

      033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
      Filesize

      10KB

      MD5

      77375d17a8241aa06af550428e413cee

      SHA1

      ec13b23081e0a9cd92ae4d944deea5f5e0f036e6

      SHA256

      45d3a9dec1354dbdaa71102c669564b4ed52f1981fd657550f6c1babc20982eb

      SHA512

      64ba1637e51aa95f61c25c46fe20e597bbcae509cb0f1cd71bf26aa1841b2bb4e06e2941a25cf94addeff2f097d84feeb7fbfbb05729f3cc921dd076e95da56c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpAF1C.tmp
      Filesize

      1KB

      MD5

      fe3648d8002bb654eda4926f93f9ea4b

      SHA1

      3b8f892d5ae9a408c712def8ce1bb25523e4625d

      SHA256

      77a126ec571c08f6456c09854cb3daa0d4f299cf581572c9c4b4c291986d0810

      SHA512

      79ba41f758ae055131ac41a9c50e9e88bbef044c6c4757f4c917aa91ad4f5a3c08aee52bbeebc770255aaed24d6feed325bbdcb1fbd0a6d07a35ddfd1f3ba80d

      Download Submit

    • C:\Users\Admin\AppData\Roaming\XenoManager\gta_betabuild 1.31.exe
      Filesize

      117KB

      MD5

      0d8a7a20410bfea30a7d32fa86be00fa

      SHA1

      10f3067f1e716cc78fcf4b66eb03f853d81276ad

      SHA256

      d1df4ce9ca2c33cc2afbf8816788c1cbfd58e352a18ce9f76242b7aa53a109dd

      SHA512

      b1d0ed93247eb03b7fc3b29002b51ae3d966fc186b8d9007d16c78ec7e3eb69087b8b273785947def6ba013eac5d93b13f5244a25b5d4150cdd07b8ad74c9092

      Download Submit

    • C:\Users\Admin\AppData\Roaming\XenoManager\gta_betabuild 1.31.exe
      Filesize

      61KB

      MD5

      209bb412eafb898b3ead7d06d290c198

      SHA1

      676d806934d2faaba3dd5e1df14537199952f177

      SHA256

      e86f05181a9a11fe051ccc6e5f20347f4619b2869a3375eb08ce3b7b802a107f

      SHA512

      3386cea7d8ea082223570192de9bf1bfa9e82e6026ef009a20333316efb9e3dedd2811d839bb8d73c96b9f5580233878c7547a54f4aa3ee3caa629d746e86140

      Download Submit

    • memory/2360-32-0x00000000061C0000-0x0000000006236000-memory.dmp

      Filesize

      472KB

      Download

    • memory/2360-31-0x0000000006310000-0x00000000064D2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2360-17-0x0000000005260000-0x0000000005270000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2360-66-0x0000000007090000-0x0000000007122000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2360-65-0x00000000074F0000-0x0000000007A96000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2360-27-0x0000000005D50000-0x0000000005DB6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2360-28-0x0000000074470000-0x0000000074C21000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2360-29-0x0000000005260000-0x0000000005270000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2360-30-0x0000000006040000-0x000000000613C000-memory.dmp

      Filesize

      1008KB

      Download

    • memory/2360-16-0x0000000074470000-0x0000000074C21000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2360-46-0x00000000057F0000-0x00000000057FA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2360-33-0x0000000006240000-0x0000000006290000-memory.dmp

      Filesize

      320KB

      Download

    • memory/2360-34-0x0000000006A10000-0x0000000006F3C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/2360-35-0x0000000006530000-0x000000000654E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2360-37-0x0000000006770000-0x000000000680C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4472-0-0x0000000000F20000-0x0000000000F44000-memory.dmp

      Filesize

      144KB

      Download

    • memory/4472-1-0x0000000074470000-0x0000000074C21000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4472-15-0x0000000074470000-0x0000000074C21000-memory.dmp

      Filesize

      7.7MB

      Download