Overview

overview

10

Static

static

3

AudinoBuilder.exe

windows11-21h2-x64

10

Resubmissions

11-05-2024 19:51

240511-ykvkzahc78 10

11-05-2024 19:45

240511-ygfmmsec3y 10

11-05-2024 18:50

240511-xhabksfa93 10

Analysis

  • max time kernel
    49s
  • max time network
    51s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    11-05-2024 18:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AudinoBuilder.exe

  • Size

    5.6MB

  • MD5

    c4cb065184458a9e05b7c893642f9b3c

  • SHA1

    36327e2e82c26c3d39dcc51569c08c624c90ae20

  • SHA256

    1316e22fe1e9b3d4a9c42362c21bca74598cdc11eae27282a29871fb98ab0b38

  • SHA512

    2e9809bce89db2566c7aa9143afc5c818cc2765ea6c0ab2e8d583aac7a7b1cca5d601b5ecb8cc676221118ab2b8b333eea7fad614f5150ae95c76b979388faa4

  • SSDEEP

    98304:lKAVWycWWgSj67/ngnLqAABRvCrnVAo3tH/Gfz7H7YzA4AzRP2HjdgW0NaBFV:8TylWgSj6DnDvRKrnVAoBQHHkERPPW0K

Score
10/10
xenoratzgratevasionexecutionpersistencerattrojan

Malware Config

Extracted

Family

xenorat

C2

jctestwindows.airdns.org

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    45010

  • startup_name

    ErrorManager

Signatures

  • Detect ZGRat V1 29 IoCs
  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

    execution
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Executes dropped EXE 5 IoCs
  • Drops file in System32 directory 1 IoCs
  • Launches sc.exe 9 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 46 IoCs
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 39 IoCs
  • Suspicious use of SendNotifyMessage 39 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AudinoBuilder.exe
    "C:\Users\Admin\AppData\Local\Temp\AudinoBuilder.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAYwBiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAaAB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAbgB5ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAeQB0ACMAPgA="
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:568
    • C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe
      "C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:820
    • C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe
      "C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      PID:4688
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5812
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5256
        • C:\Windows\system32\wusa.exe
          wusa /uninstall /kb:890830 /quiet /norestart
          4⤵
            PID:5248
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop UsoSvc
          3⤵
          • Launches sc.exe
          PID:4548
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop WaaSMedicSvc
          3⤵
          • Launches sc.exe
          PID:5260
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop wuauserv
          3⤵
          • Launches sc.exe
          PID:5992
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop bits
          3⤵
          • Launches sc.exe
          PID:4348
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop dosvc
          3⤵
          • Launches sc.exe
          PID:3760
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4212
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1200
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3764
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4100
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe delete "GMDTJRUT"
          3⤵
          • Launches sc.exe
          PID:4712
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe create "GMDTJRUT" binpath= "C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe" start= "auto"
          3⤵
          • Launches sc.exe
          PID:5464
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop eventlog
          3⤵
          • Launches sc.exe
          PID:5376
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe start "GMDTJRUT"
          3⤵
          • Launches sc.exe
          PID:5516
      • C:\Users\Admin\AppData\Local\Temp\WindowsSubsystem.exe
        "C:\Users\Admin\AppData\Local\Temp\WindowsSubsystem.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4164
        • C:\Users\Admin\AppData\Roaming\XenoManager\WindowsSubsystem.exe
          "C:\Users\Admin\AppData\Roaming\XenoManager\WindowsSubsystem.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2772
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks.exe" /Create /TN "ErrorManager" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD8AD.tmp" /F
            4⤵
            • Creates scheduled task(s)
            PID:5868
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /0
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4964
    • C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
      C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:5912
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3716

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WindowsSubsystem.exe.log
      Filesize

      226B

      MD5

      1294de804ea5400409324a82fdc7ec59

      SHA1

      9a39506bc6cadf99c1f2129265b610c69d1518f7

      SHA256

      494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0

      SHA512

      033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      09ec5ffdf7024901d00fdafcfb8fe76d

      SHA1

      cfff3027fb453f85bbb88c3cdb73dc9d22e9dff1

      SHA256

      ce5a5c79c8d3387fd1d9480d391af048807569dfb879ea6234d826ef5991d894

      SHA512

      ca888c28d9851a63ecc2e517129711b7e2f82986889a4742ddc898db261a37a6f00a0f94f6ba5f83edef3b6af0bc53ba5f80291950678d743648a9f7863338fb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe
      Filesize

      191KB

      MD5

      e004a568b841c74855f1a8a5d43096c7

      SHA1

      b90fd74593ae9b5a48cb165b6d7602507e1aeca4

      SHA256

      d49013d6be0f0e727c0b53bce1d3fed00656c7a2836ceef0a9d4cb816a5878db

      SHA512

      402dd4d4c57fb6f5c7a531b7210a897dfe41d68df99ae4d605944f6e5b2cecaafa3fe27562fe45e7e216a7c9e29e63139d4382310b41f04a35ad56115fbed2af

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe
      Filesize

      5.0MB

      MD5

      e222309197c5e633aa8e294ba4bdcd29

      SHA1

      52b3f89a3d2262bf603628093f6d1e71d9cc3820

      SHA256

      047a7ca1b8848c1c0e3c0fcc6ece056390760b24580f27f6966b86b0c2a1042b

      SHA512

      9eb37686e0cee9ec18d12a4edd37c8334d26650c74eae5b30231c2b0db1628d52848123c9348c3da306ec950b827ec0a56cdf43ee325a9e280022c68193d8503

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\WindowsSubsystem.exe
      Filesize

      43KB

      MD5

      6b44f7785d4ce45ede1b02681227d987

      SHA1

      444d76fb81d4fbeb9c1a2011d2de8f2b8ff0084a

      SHA256

      2c85b511ff201346d1e6c2ab300445ad263ed40192c1748ec10fa02f6aa05186

      SHA512

      83f96b49bf619aa8fd89a7fb7be282d7a06e6ae0dd8f42ef8ad9e1832a889d9dc3b8920989cea5fbecfec63dd894f49d5ad1d2d25894de7b523add0539d1de55

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_putmyzyv.zn3.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpD8AD.tmp
      Filesize

      1KB

      MD5

      0cd3da1799bc79141a8e8b219f395b48

      SHA1

      53d117d84f3ba1066b59720965e25a84792439a5

      SHA256

      8bb355c414170a13cc47f16128844bac5089e9c845f7d07d4d098579b7c152d6

      SHA512

      686ef43213a06ba50e3b78c1f84782cbc2e8a87f97c297addf8bea5d78346420fd143dd7d4aa7f95a7827c2db4fd27c15cfec44fef6e700351cff887afc8e536

      Download Submit

    • memory/568-45-0x0000000002EC0000-0x0000000002EF6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/568-1678-0x00000000069B0000-0x00000000069CE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/568-1682-0x0000000007770000-0x000000000777A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/568-1684-0x0000000007900000-0x0000000007911000-memory.dmp

      Filesize

      68KB

      Download

    • memory/568-1685-0x0000000007940000-0x000000000794E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/568-1686-0x0000000007950000-0x0000000007965000-memory.dmp

      Filesize

      84KB

      Download

    • memory/568-1681-0x0000000007700000-0x000000000771A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/568-108-0x00000000055E0000-0x0000000005602000-memory.dmp

      Filesize

      136KB

      Download

    • memory/568-1680-0x0000000007D60000-0x00000000083DA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/568-47-0x0000000005870000-0x0000000005E9A000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/568-1679-0x0000000007630000-0x00000000076D4000-memory.dmp

      Filesize

      656KB

      Download

    • memory/568-1683-0x0000000007990000-0x0000000007A26000-memory.dmp

      Filesize

      600KB

      Download

    • memory/568-1669-0x0000000074310000-0x000000007435C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/568-110-0x00000000057F0000-0x0000000005856000-memory.dmp

      Filesize

      408KB

      Download

    • memory/568-1668-0x0000000006970000-0x00000000069A4000-memory.dmp

      Filesize

      208KB

      Download

    • memory/568-1687-0x0000000007A50000-0x0000000007A6A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/568-330-0x0000000005EA0000-0x00000000061F7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/568-1667-0x00000000063B0000-0x00000000063FC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/568-1666-0x0000000006380000-0x000000000639E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/568-109-0x0000000005780000-0x00000000057E6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/568-1688-0x0000000007A30000-0x0000000007A38000-memory.dmp

      Filesize

      32KB

      Download

    • memory/820-77-0x0000000004CC0000-0x0000000004D25000-memory.dmp

      Filesize

      404KB

      Download

    • memory/820-112-0x0000000004CC0000-0x0000000004D25000-memory.dmp

      Filesize

      404KB

      Download

    • memory/820-99-0x0000000004CC0000-0x0000000004D25000-memory.dmp

      Filesize

      404KB

      Download

    • memory/820-97-0x0000000004CC0000-0x0000000004D25000-memory.dmp

      Filesize

      404KB

      Download

    • memory/820-95-0x0000000004CC0000-0x0000000004D25000-memory.dmp

      Filesize

      404KB

      Download

    • memory/820-93-0x0000000004CC0000-0x0000000004D25000-memory.dmp

      Filesize

      404KB

      Download

    • memory/820-91-0x0000000004CC0000-0x0000000004D25000-memory.dmp

      Filesize

      404KB

      Download

    • memory/820-89-0x0000000004CC0000-0x0000000004D25000-memory.dmp

      Filesize

      404KB

      Download

    • memory/820-87-0x0000000004CC0000-0x0000000004D25000-memory.dmp

      Filesize

      404KB

      Download

    • memory/820-85-0x0000000004CC0000-0x0000000004D25000-memory.dmp

      Filesize

      404KB

      Download

    • memory/820-83-0x0000000004CC0000-0x0000000004D25000-memory.dmp

      Filesize

      404KB

      Download

    • memory/820-80-0x0000000004CC0000-0x0000000004D25000-memory.dmp

      Filesize

      404KB

      Download

    • memory/820-74-0x0000000004CC0000-0x0000000004D25000-memory.dmp

      Filesize

      404KB

      Download

    • memory/820-72-0x0000000004CC0000-0x0000000004D25000-memory.dmp

      Filesize

      404KB

      Download

    • memory/820-70-0x0000000004CC0000-0x0000000004D25000-memory.dmp

      Filesize

      404KB

      Download

    • memory/820-68-0x0000000004CC0000-0x0000000004D25000-memory.dmp

      Filesize

      404KB

      Download

    • memory/820-61-0x0000000004CC0000-0x0000000004D25000-memory.dmp

      Filesize

      404KB

      Download

    • memory/820-59-0x0000000004CC0000-0x0000000004D25000-memory.dmp

      Filesize

      404KB

      Download

    • memory/820-56-0x0000000004CC0000-0x0000000004D25000-memory.dmp

      Filesize

      404KB

      Download

    • memory/820-105-0x0000000004CC0000-0x0000000004D25000-memory.dmp

      Filesize

      404KB

      Download

    • memory/820-103-0x0000000004CC0000-0x0000000004D25000-memory.dmp

      Filesize

      404KB

      Download

    • memory/820-67-0x0000000004CC0000-0x0000000004D25000-memory.dmp

      Filesize

      404KB

      Download

    • memory/820-63-0x0000000004CC0000-0x0000000004D25000-memory.dmp

      Filesize

      404KB

      Download

    • memory/820-58-0x0000000004CC0000-0x0000000004D25000-memory.dmp

      Filesize

      404KB

      Download

    • memory/820-107-0x0000000004CC0000-0x0000000004D25000-memory.dmp

      Filesize

      404KB

      Download

    • memory/820-101-0x0000000004CC0000-0x0000000004D25000-memory.dmp

      Filesize

      404KB

      Download

    • memory/820-115-0x0000000004CC0000-0x0000000004D25000-memory.dmp

      Filesize

      404KB

      Download

    • memory/820-78-0x0000000004CC0000-0x0000000004D25000-memory.dmp

      Filesize

      404KB

      Download

    • memory/820-43-0x00000000002D0000-0x0000000000306000-memory.dmp

      Filesize

      216KB

      Download

    • memory/820-48-0x0000000004CC0000-0x0000000004D2C000-memory.dmp

      Filesize

      432KB

      Download

    • memory/3716-1724-0x00000291C6580000-0x00000291C659C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/3716-1732-0x00000291C67B0000-0x00000291C67BA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3716-1731-0x00000291C67A0000-0x00000291C67A6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/3716-1730-0x00000291C6770000-0x00000291C6778000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3716-1729-0x00000291C67C0000-0x00000291C67DA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3716-1728-0x00000291C6760000-0x00000291C676A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3716-1727-0x00000291C6780000-0x00000291C679C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/3716-1726-0x00000291C6570000-0x00000291C657A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3716-1725-0x00000291C65A0000-0x00000291C6653000-memory.dmp

      Filesize

      716KB

      Download

    • memory/4164-44-0x0000000000C10000-0x0000000000C22000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4964-9-0x000002A1C0ED0000-0x000002A1C0ED1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4964-1-0x000002A1C0ED0000-0x000002A1C0ED1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4964-0-0x000002A1C0ED0000-0x000002A1C0ED1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4964-12-0x000002A1C0ED0000-0x000002A1C0ED1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4964-11-0x000002A1C0ED0000-0x000002A1C0ED1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4964-10-0x000002A1C0ED0000-0x000002A1C0ED1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4964-8-0x000002A1C0ED0000-0x000002A1C0ED1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4964-7-0x000002A1C0ED0000-0x000002A1C0ED1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4964-6-0x000002A1C0ED0000-0x000002A1C0ED1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4964-2-0x000002A1C0ED0000-0x000002A1C0ED1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/5812-1698-0x000001928F8D0000-0x000001928F8F2000-memory.dmp

      Filesize

      136KB

      Download