Overview

overview

10

Static

static

3

EchoLogger.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    41s
  • max time network
    44s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    11-05-2024 18:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    EchoLogger.exe

  • Size

    5.6MB

  • MD5

    0b1f4455971b59cd0943b78ac80d1f95

  • SHA1

    54da81385d5d67bfb925ddd7b5dbf2bae923cce5

  • SHA256

    80b98aa859cff943bece9831f7de94656292ff5147db30a9e315ee30553425c2

  • SHA512

    5805d67ab91d32d203433a299943bfde35a65945ebb7861b770c4a00a9adfd3938c6c347e7a1eb120de9240edd2452a0b8d1af9664ff0d6f50cbb4e5ed042c5f

  • SSDEEP

    98304:Y9r1U+si7I0QgV8uPYo/FrjoYPLCr2P5+yvNAyAkkYgGquVIia2kJb8WG9sE68gB:aSUIsV8uASFrjjW0+aAukqZ24zgRm2u2

Score
10/10
xenoratzgratexecutionrattrojan

Malware Config

Extracted

Family

xenorat

C2

jctestwindows.airdns.org

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    45010

  • startup_name

    ErrorManager

Signatures

  • Detect ZGRat V1 29 IoCs
  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Executes dropped EXE 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 47 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 54 IoCs
  • Suspicious use of SendNotifyMessage 54 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\EchoLogger.exe
    "C:\Users\Admin\AppData\Local\Temp\EchoLogger.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4900
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAcwBwACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAawB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AYgBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAcgB5ACMAPgA="
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3848
    • C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe
      "C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2720
    • C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe
      "C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe"
      2⤵
      • Executes dropped EXE
      PID:4172
    • C:\Users\Admin\AppData\Local\Temp\WindowsSubsystem.exe
      "C:\Users\Admin\AppData\Local\Temp\WindowsSubsystem.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2408
      • C:\Users\Admin\AppData\Roaming\XenoManager\WindowsSubsystem.exe
        "C:\Users\Admin\AppData\Roaming\XenoManager\WindowsSubsystem.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2948
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks.exe" /Create /TN "ErrorManager" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFAAC.tmp" /F
          4⤵
          • Creates scheduled task(s)
          PID:2860
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /0
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2460

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WindowsSubsystem.exe.log
    Filesize

    226B

    MD5

    1294de804ea5400409324a82fdc7ec59

    SHA1

    9a39506bc6cadf99c1f2129265b610c69d1518f7

    SHA256

    494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0

    SHA512

    033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe
    Filesize

    191KB

    MD5

    e004a568b841c74855f1a8a5d43096c7

    SHA1

    b90fd74593ae9b5a48cb165b6d7602507e1aeca4

    SHA256

    d49013d6be0f0e727c0b53bce1d3fed00656c7a2836ceef0a9d4cb816a5878db

    SHA512

    402dd4d4c57fb6f5c7a531b7210a897dfe41d68df99ae4d605944f6e5b2cecaafa3fe27562fe45e7e216a7c9e29e63139d4382310b41f04a35ad56115fbed2af

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe
    Filesize

    5.0MB

    MD5

    e222309197c5e633aa8e294ba4bdcd29

    SHA1

    52b3f89a3d2262bf603628093f6d1e71d9cc3820

    SHA256

    047a7ca1b8848c1c0e3c0fcc6ece056390760b24580f27f6966b86b0c2a1042b

    SHA512

    9eb37686e0cee9ec18d12a4edd37c8334d26650c74eae5b30231c2b0db1628d52848123c9348c3da306ec950b827ec0a56cdf43ee325a9e280022c68193d8503

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WindowsSubsystem.exe
    Filesize

    43KB

    MD5

    6b44f7785d4ce45ede1b02681227d987

    SHA1

    444d76fb81d4fbeb9c1a2011d2de8f2b8ff0084a

    SHA256

    2c85b511ff201346d1e6c2ab300445ad263ed40192c1748ec10fa02f6aa05186

    SHA512

    83f96b49bf619aa8fd89a7fb7be282d7a06e6ae0dd8f42ef8ad9e1832a889d9dc3b8920989cea5fbecfec63dd894f49d5ad1d2d25894de7b523add0539d1de55

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lg5k5nw3.okf.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpFAAC.tmp
    Filesize

    1KB

    MD5

    0cd3da1799bc79141a8e8b219f395b48

    SHA1

    53d117d84f3ba1066b59720965e25a84792439a5

    SHA256

    8bb355c414170a13cc47f16128844bac5089e9c845f7d07d4d098579b7c152d6

    SHA512

    686ef43213a06ba50e3b78c1f84782cbc2e8a87f97c297addf8bea5d78346420fd143dd7d4aa7f95a7827c2db4fd27c15cfec44fef6e700351cff887afc8e536

    Download Submit

  • memory/2408-44-0x0000000000BA0000-0x0000000000BB2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2460-12-0x000001F6E4D60000-0x000001F6E4D61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2460-8-0x000001F6E4D60000-0x000001F6E4D61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2460-7-0x000001F6E4D60000-0x000001F6E4D61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2460-9-0x000001F6E4D60000-0x000001F6E4D61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2460-10-0x000001F6E4D60000-0x000001F6E4D61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2460-11-0x000001F6E4D60000-0x000001F6E4D61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2460-6-0x000001F6E4D60000-0x000001F6E4D61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2460-1-0x000001F6E4D60000-0x000001F6E4D61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2460-2-0x000001F6E4D60000-0x000001F6E4D61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2460-0-0x000001F6E4D60000-0x000001F6E4D61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2720-113-0x0000000005360000-0x00000000053C5000-memory.dmp

    Filesize

    404KB

    Download

  • memory/2720-97-0x0000000005360000-0x00000000053C5000-memory.dmp

    Filesize

    404KB

    Download

  • memory/2720-89-0x0000000005360000-0x00000000053C5000-memory.dmp

    Filesize

    404KB

    Download

  • memory/2720-87-0x0000000005360000-0x00000000053C5000-memory.dmp

    Filesize

    404KB

    Download

  • memory/2720-86-0x0000000005360000-0x00000000053C5000-memory.dmp

    Filesize

    404KB

    Download

  • memory/2720-83-0x0000000005360000-0x00000000053C5000-memory.dmp

    Filesize

    404KB

    Download

  • memory/2720-81-0x0000000005360000-0x00000000053C5000-memory.dmp

    Filesize

    404KB

    Download

  • memory/2720-79-0x0000000005360000-0x00000000053C5000-memory.dmp

    Filesize

    404KB

    Download

  • memory/2720-77-0x0000000005360000-0x00000000053C5000-memory.dmp

    Filesize

    404KB

    Download

  • memory/2720-75-0x0000000005360000-0x00000000053C5000-memory.dmp

    Filesize

    404KB

    Download

  • memory/2720-73-0x0000000005360000-0x00000000053C5000-memory.dmp

    Filesize

    404KB

    Download

  • memory/2720-71-0x0000000005360000-0x00000000053C5000-memory.dmp

    Filesize

    404KB

    Download

  • memory/2720-65-0x0000000005360000-0x00000000053C5000-memory.dmp

    Filesize

    404KB

    Download

  • memory/2720-63-0x0000000005360000-0x00000000053C5000-memory.dmp

    Filesize

    404KB

    Download

  • memory/2720-69-0x0000000005360000-0x00000000053C5000-memory.dmp

    Filesize

    404KB

    Download

  • memory/2720-67-0x0000000005360000-0x00000000053C5000-memory.dmp

    Filesize

    404KB

    Download

  • memory/2720-61-0x0000000005360000-0x00000000053C5000-memory.dmp

    Filesize

    404KB

    Download

  • memory/2720-47-0x0000000005360000-0x00000000053CC000-memory.dmp

    Filesize

    432KB

    Download

  • memory/2720-111-0x0000000005360000-0x00000000053C5000-memory.dmp

    Filesize

    404KB

    Download

  • memory/2720-109-0x0000000005360000-0x00000000053C5000-memory.dmp

    Filesize

    404KB

    Download

  • memory/2720-107-0x0000000005360000-0x00000000053C5000-memory.dmp

    Filesize

    404KB

    Download

  • memory/2720-105-0x0000000005360000-0x00000000053C5000-memory.dmp

    Filesize

    404KB

    Download

  • memory/2720-103-0x0000000005360000-0x00000000053C5000-memory.dmp

    Filesize

    404KB

    Download

  • memory/2720-101-0x0000000005360000-0x00000000053C5000-memory.dmp

    Filesize

    404KB

    Download

  • memory/2720-99-0x0000000005360000-0x00000000053C5000-memory.dmp

    Filesize

    404KB

    Download

  • memory/2720-43-0x0000000000A30000-0x0000000000A66000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2720-95-0x0000000005360000-0x00000000053C5000-memory.dmp

    Filesize

    404KB

    Download

  • memory/2720-93-0x0000000005360000-0x00000000053C5000-memory.dmp

    Filesize

    404KB

    Download

  • memory/2720-91-0x0000000005360000-0x00000000053C5000-memory.dmp

    Filesize

    404KB

    Download

  • memory/2720-60-0x0000000005360000-0x00000000053C5000-memory.dmp

    Filesize

    404KB

    Download

  • memory/3848-1679-0x00000000077F0000-0x0000000007894000-memory.dmp

    Filesize

    656KB

    Download

  • memory/3848-474-0x00000000060D0000-0x0000000006427000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3848-321-0x0000000006060000-0x00000000060C6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3848-1681-0x0000000007930000-0x000000000794A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3848-1680-0x0000000007F70000-0x00000000085EA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3848-1665-0x00000000065B0000-0x00000000065CE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3848-1666-0x00000000065F0000-0x000000000663C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3848-1668-0x0000000007560000-0x0000000007594000-memory.dmp

    Filesize

    208KB

    Download

  • memory/3848-1669-0x0000000074EC0000-0x0000000074F0C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3848-1678-0x00000000075C0000-0x00000000075DE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3848-320-0x0000000005FF0000-0x0000000006056000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3848-45-0x0000000005120000-0x0000000005156000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3848-319-0x0000000005710000-0x0000000005732000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3848-1682-0x00000000079C0000-0x00000000079CA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3848-1683-0x0000000007BC0000-0x0000000007C56000-memory.dmp

    Filesize

    600KB

    Download

  • memory/3848-1684-0x0000000007B40000-0x0000000007B51000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3848-1685-0x0000000007B80000-0x0000000007B8E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3848-1686-0x0000000007B90000-0x0000000007BA5000-memory.dmp

    Filesize

    84KB

    Download

  • memory/3848-1688-0x0000000007C80000-0x0000000007C9A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3848-55-0x0000000005790000-0x0000000005DBA000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3848-1690-0x0000000007C70000-0x0000000007C78000-memory.dmp

    Filesize

    32KB

    Download