Analysis
-
max time kernel
143s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
30-04-2024 23:37
General
-
Target
Vape Launcher.rar
-
Size
18KB
-
MD5
2a2f0ec4d7927f2a6cacc44767a12388
-
SHA1
0ef4541bbff76920499bd37d8959f4d0f21bc90b
-
SHA256
186e1599e1ddb0030f0c4c514bf9a2158f12ebc29b3e1c86ffa34562599cf79c
-
SHA512
f4bb2fa1ad26f98e2e519da36a2092ec1bb354f1cfa7c231d84e1a649b6bc752ef8b95178d1413db59dddb7606f62990290471cc45c8425278ffb60cbdebf550
-
SSDEEP
384:0tmxT9fHe47EdINnygB0WKGrYMRSnYez1+rZ/OfVeraYDPvn/qSicvgDilq/RY:0tIR+478QyCzl0MFezOqVeraYDPv/ziM
Malware Config
Extracted
Family
xenorat
C2
127.0.0.1
Mutex
VapePatcher
Attributes
-
delay
5000
-
install_path
appdata
-
port
6666
-
startup_name
Minecraft Launcher
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation Vape Launcher.exe -
Executes dropped EXE 2 IoCs
pid Process 924 Vape Launcher.exe 3788 Vape Launcher.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3228 schtasks.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings OpenWith.exe -
Suspicious behavior: EnumeratesProcesses 62 IoCs
pid Process 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 16 IoCs
description pid Process Token: SeRestorePrivilege 4348 7zG.exe Token: 35 4348 7zG.exe Token: SeSecurityPrivilege 4348 7zG.exe Token: SeSecurityPrivilege 4348 7zG.exe Token: SeDebugPrivilege 4964 taskmgr.exe Token: SeSystemProfilePrivilege 4964 taskmgr.exe Token: SeCreateGlobalPrivilege 4964 taskmgr.exe Token: SeSecurityPrivilege 4964 taskmgr.exe Token: SeTakeOwnershipPrivilege 4964 taskmgr.exe Token: SeBackupPrivilege 4404 svchost.exe Token: SeRestorePrivilege 4404 svchost.exe Token: SeSecurityPrivilege 4404 svchost.exe Token: SeTakeOwnershipPrivilege 4404 svchost.exe Token: 35 4404 svchost.exe Token: 33 4964 taskmgr.exe Token: SeIncBasePriorityPrivilege 4964 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4348 7zG.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe 4964 taskmgr.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2988 OpenWith.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 924 wrote to memory of 3788 924 Vape Launcher.exe 103 PID 924 wrote to memory of 3788 924 Vape Launcher.exe 103 PID 924 wrote to memory of 3788 924 Vape Launcher.exe 103 PID 3788 wrote to memory of 3228 3788 Vape Launcher.exe 107 PID 3788 wrote to memory of 3228 3788 Vape Launcher.exe 107 PID 3788 wrote to memory of 3228 3788 Vape Launcher.exe 107
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.rar"1⤵
- Modifies registry class
PID:944
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2988
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4920
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Vape Launcher\" -ad -an -ai#7zMap27633:84:7zEvent201301⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4348
-
C:\Users\Admin\Desktop\Vape Launcher\Vape Launcher.exe"C:\Users\Admin\Desktop\Vape Launcher\Vape Launcher.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:924 -
C:\Users\Admin\AppData\Roaming\XenoManager\Vape Launcher.exe"C:\Users\Admin\AppData\Roaming\XenoManager\Vape Launcher.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3788 -
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Create /TN "Minecraft Launcher" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF0C8.tmp" /F3⤵
- Creates scheduled task(s)
PID:3228
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4964
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SDRSVC1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4404
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
226B
MD5916851e072fbabc4796d8916c5131092
SHA1d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA2567e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA51207ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
Filesize
1KB
MD5f0ff982795f69860a4e16fe0b832dd66
SHA10a2975047fb99cf62480360495c67f172f18f086
SHA256a1c2416ad9169bba2bcd7d3cb1015fdc00f3b847901e153000914221c184af8e
SHA5122cb970a34b8f2f90ea44c95699600542a0c695eebf073ee9ffe0e0f1085e2c233478b6ad549987985afc5f87447760616d08b59c1e87185bb6bba1bdc15812c3
-
Filesize
45KB
MD56eeb807c40d25bd3f8a7667377920eb6
SHA169c18c77847f20cee212286e1530256610d42da0
SHA256af403f0a35ed4789e02a55012056ad565d33f464245a2aa411cb06cd2abfd176
SHA512ed82a34890205e6fe37dacb9d647666c65dcb5c979f1a456540799eab87887aca1a62d52335480b0ef85a4dd0183ba3cf3c35863fb2c51466368adc8467ed708