Overview

overview

10

Static

static

3

GXBuilder.exe

windows7-x64

10

GXBuilder.exe

windows10-2004-x64

GXBuilder.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    27/04/2024, 07:05

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    GXBuilder.exe

  • Size

    12.6MB

  • MD5

    f9e4ae00290e5259c78ba11b4c851417

  • SHA1

    247b5c812136a40f85c106ca6441315b123f625e

  • SHA256

    34ab005b549534dba9a83d9346e1618a18ecee2c99a93079551634f9480b2b79

  • SHA512

    5dfce7ed791e0b44d218142d6075ecf009f186c57e02fcf5675945c2329058750cc308f8730fa0f0188b4291d9a63a8357a070c103431d32aadb345783c1ddb1

  • SSDEEP

    196608:/i76SDEa0mOCb5xm4J15iY5XBx9vjnWmf58eOt6dp2wGSECksB579u5gnynV:/imJa0mN/p1599vjnXVd9pl5Ggn

Score
10/10
xenoratzgratevasionpersistencepyinstallerrattrojan

Malware Config

Extracted

Family

xenorat

C2

jctestwindows.airdns.org

Mutex

Xeno_rat_nd8913d

Attributes
  • delay

    5000

  • install_path

    temp

  • port

    45010

  • startup_name

    WindowsErrorHandler

Signatures

  • Detect ZGRat V1 34 IoCs
  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Creates new service(s) 1 TTPs
    persistence
  • Stops running service(s) 3 TTPs
    evasion
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 9 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Launches sc.exe 14 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Detects Pyinstaller 1 IoCs
    pyinstaller
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GXBuilder.exe
    "C:\Users\Admin\AppData\Local\Temp\GXBuilder.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAegB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGsAeABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AeAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAcABhACMAPgA="
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2548
    • C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe
      "C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2660
    • C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe
      "C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      PID:2612
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:8180
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3476
        • C:\Windows\system32\wusa.exe
          wusa /uninstall /kb:890830 /quiet /norestart
          4⤵
          • Drops file in Windows directory
          PID:3688
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop UsoSvc
        3⤵
        • Launches sc.exe
        PID:3512
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        3⤵
        • Launches sc.exe
        PID:3640
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop wuauserv
        3⤵
        • Launches sc.exe
        PID:3768
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop bits
        3⤵
        • Launches sc.exe
        PID:3912
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop dosvc
        3⤵
        • Launches sc.exe
        PID:4024
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4120
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4140
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2420
      • C:\Windows\system32\powercfg.exe
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4164
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe delete "GMDTJRUT"
        3⤵
        • Launches sc.exe
        PID:2084
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe create "GMDTJRUT" binpath= "C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe" start= "auto"
        3⤵
        • Launches sc.exe
        PID:4512
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop eventlog
        3⤵
        • Launches sc.exe
        PID:4684
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe start "GMDTJRUT"
        3⤵
        • Launches sc.exe
        PID:2284
    • C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe
      "C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Users\Admin\AppData\Local\Temp\XenoManager\WinErrorMgr.exe
        "C:\Users\Admin\AppData\Local\Temp\XenoManager\WinErrorMgr.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2388
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks.exe" /Create /TN "WindowsErrorHandler" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9463.tmp" /F
          4⤵
          • Creates scheduled task(s)
          PID:8068
    • C:\Users\Admin\AppData\Roaming\KeyGeneratorTOP.exe
      "C:\Users\Admin\AppData\Roaming\KeyGeneratorTOP.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2620
      • C:\Users\Admin\AppData\Roaming\KeyGeneratorTOP.exe
        "C:\Users\Admin\AppData\Roaming\KeyGeneratorTOP.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2896
  • C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
    C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4804
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4872
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5152
      • C:\Windows\system32\wusa.exe
        wusa /uninstall /kb:890830 /quiet /norestart
        3⤵
        • Drops file in Windows directory
        PID:5308
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      2⤵
      • Launches sc.exe
      PID:5188
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      2⤵
      • Launches sc.exe
      PID:5328
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      2⤵
      • Launches sc.exe
      PID:5428
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      2⤵
      • Launches sc.exe
      PID:5588
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      2⤵
      • Launches sc.exe
      PID:5668
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:5760
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:5780
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:5808
    • C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:5836
    • C:\Windows\system32\conhost.exe
      C:\Windows\system32\conhost.exe
      2⤵
        PID:1844
      • C:\Windows\explorer.exe
        explorer.exe
        2⤵
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2164

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe
      Filesize

      42KB

      MD5

      d499e979a50c958f1a67f0e2a28af43d

      SHA1

      1e5fa0824554c31f19ce01a51edb9bed86f67cf0

      SHA256

      bc3d545c541e42420ce2c2eabc7e5afab32c869a1adb20adb11735957d0d0b0e

      SHA512

      668047f178d82bebefeb8c2e7731d34ff24dc755dacd3362b43d8b44c6b148fc51af0d0ab2d0a67f0344ab6158b883fe568e4eeb0e34152108735574f0e1e763

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\_MEI26202\python312.dll
      Filesize

      6.7MB

      MD5

      48ebfefa21b480a9b0dbfc3364e1d066

      SHA1

      b44a3a9b8c585b30897ddc2e4249dfcfd07b700a

      SHA256

      0cc4e557972488eb99ea4aeb3d29f3ade974ef3bcd47c211911489a189a0b6f2

      SHA512

      4e6194f1c55b82ee41743b35d749f5d92a955b219decacf9f1396d983e0f92ae02089c7f84a2b8296a3062afa3f9c220da9b7cd9ed01b3315ea4a953b4ecc6ce

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp9463.tmp
      Filesize

      1KB

      MD5

      7f673f709ab0e7278e38f0fd8e745cd4

      SHA1

      ac504108a274b7051e3b477bcd51c9d1a4a01c2c

      SHA256

      da5ab3278aaa04fbd51272a617aef9b903ca53c358fac48fc0f558e257e063a4

      SHA512

      e932ccbd9d3ec6ee129f0dab82710904b84e657532c5b623d3c7b3b4ce45732caf8ff5d7b39095cf99ecf97d4e40dd9d755eb2b89c8ede629b287c29e41d1132

      Download Submit

    • C:\Users\Admin\AppData\Roaming\KeyGeneratorTOP.exe
      Filesize

      6.9MB

      MD5

      bd0e4823fbfed11abb6994db7d0e6c09

      SHA1

      8694f5a67686070fc81445edebef8ead6c38aca8

      SHA256

      a83dc0d4764f8e41e061dd4e331f341b09cc994fc339fed2445692df7b98affe

      SHA512

      37f7e77407571c8f4ac298a4580610b0787e7cf8c8993e6816895a1caa71e0c4d97b72f525b9f054071fbf14bf9e87c48c67b39dcc01448213a995d036ff84e0

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5PRYZNP9YROMCOOVYMT2.temp
      Filesize

      7KB

      MD5

      73d69128d52c52739d21d634f4f1b865

      SHA1

      841aa14a6c5c6939b2323e61307e9f1f3c609823

      SHA256

      76ad385bb37bc6fee7ad0b5272a9a43421f4fb2d9dca41844b831223ac38c282

      SHA512

      a5619b54fd4abfeb30106bfd95216f49ceb11de010534a483c84b623c098fab2a588bcaa47baa2d238a616f39e10f7e0d855a0094060f1a72ec00d72a46106c7

      Download Submit

    • \Users\Admin\AppData\Local\Temp\Ilkdt.exe
      Filesize

      191KB

      MD5

      e004a568b841c74855f1a8a5d43096c7

      SHA1

      b90fd74593ae9b5a48cb165b6d7602507e1aeca4

      SHA256

      d49013d6be0f0e727c0b53bce1d3fed00656c7a2836ceef0a9d4cb816a5878db

      SHA512

      402dd4d4c57fb6f5c7a531b7210a897dfe41d68df99ae4d605944f6e5b2cecaafa3fe27562fe45e7e216a7c9e29e63139d4382310b41f04a35ad56115fbed2af

      Download Submit

    • \Users\Admin\AppData\Local\Temp\WinHostMgr.exe
      Filesize

      5.0MB

      MD5

      e222309197c5e633aa8e294ba4bdcd29

      SHA1

      52b3f89a3d2262bf603628093f6d1e71d9cc3820

      SHA256

      047a7ca1b8848c1c0e3c0fcc6ece056390760b24580f27f6966b86b0c2a1042b

      SHA512

      9eb37686e0cee9ec18d12a4edd37c8334d26650c74eae5b30231c2b0db1628d52848123c9348c3da306ec950b827ec0a56cdf43ee325a9e280022c68193d8503

      Download Submit

    • memory/2388-54-0x0000000000F40000-0x0000000000F50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2660-93-0x0000000000630000-0x0000000000695000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2660-87-0x0000000000630000-0x0000000000695000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2660-85-0x0000000000630000-0x0000000000695000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2660-119-0x0000000000630000-0x0000000000695000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2660-117-0x0000000000630000-0x0000000000695000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2660-115-0x0000000000630000-0x0000000000695000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2660-113-0x0000000000630000-0x0000000000695000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2660-111-0x0000000000630000-0x0000000000695000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2660-109-0x0000000000630000-0x0000000000695000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2660-107-0x0000000000630000-0x0000000000695000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2660-105-0x0000000000630000-0x0000000000695000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2660-103-0x0000000000630000-0x0000000000695000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2660-101-0x0000000000630000-0x0000000000695000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2660-99-0x0000000000630000-0x0000000000695000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2660-97-0x0000000000630000-0x0000000000695000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2660-95-0x0000000000630000-0x0000000000695000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2660-47-0x0000000000630000-0x000000000069C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/2660-91-0x0000000000630000-0x0000000000695000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2660-89-0x0000000000630000-0x0000000000695000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2660-58-0x0000000000630000-0x0000000000695000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2660-83-0x0000000000630000-0x0000000000695000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2660-81-0x0000000000630000-0x0000000000695000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2660-79-0x0000000000630000-0x0000000000695000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2660-77-0x0000000000630000-0x0000000000695000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2660-75-0x0000000000630000-0x0000000000695000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2660-73-0x0000000000630000-0x0000000000695000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2660-70-0x0000000000630000-0x0000000000695000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2660-68-0x0000000000630000-0x0000000000695000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2660-66-0x0000000000630000-0x0000000000695000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2660-64-0x0000000000630000-0x0000000000695000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2660-62-0x0000000000630000-0x0000000000695000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2660-60-0x0000000000630000-0x0000000000695000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2660-56-0x0000000000630000-0x0000000000695000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2660-55-0x0000000000630000-0x0000000000695000-memory.dmp

      Filesize

      404KB

      Download

    • memory/2660-29-0x0000000000130000-0x0000000000166000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2724-30-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4872-1671-0x0000000019EA0000-0x000000001A182000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/4872-1672-0x00000000001E0000-0x00000000001E8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/8180-1664-0x000000001B660000-0x000000001B942000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/8180-1665-0x0000000001E20000-0x0000000001E28000-memory.dmp

      Filesize

      32KB

      Download