Analysis
- max time kernel: 29s
- platform: windows11-21h2_x64
- resource: win11-20240802-en
- resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 12-08-2024 06:02
- Static task: static1
- Behavioral task: behavioral1
- Sample: Vape.Ghost.Client.exe
- Resource: win11-20240802-en
General
- Target: Vape.Ghost.Client.exe
- Size: 5.2MB
- MD5: 35df05b7c1961a0f69bd99ea78732656
- SHA1: 0b6c342574f28ff311232549db6c4f147db779dc
- SHA256: 1da503b09db301240e0e884cb784c00ac36bed73ff1589706db852fd21dc1b90
- SHA512: a19686a1d3b4366091a931d2270c8c263c504106abb9b302de6c51df271cabd6523b699c37c4333135f61699d037d640f07a15e791c220ac1dd5a190eef5eb1c
- SSDEEP: 98304:mR0PSTKTvyaW4YWXkOeLJGAD9hPa7TE8KTh0QcIzypHchp5leZzgD:yYwKTvBYyBqA8hPa7TEP9ZcIzyahpPKw
Malware Config
Extracted
xenorat
127.0.0.1
Xeno_rat_nd8912d
- delay: 5000
- install_path: nothingset
- port: 4444
- startup_name: nothingset
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
  | pid  | process      |
  | 2580 | AUTOCL~1.EXE |
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: Vape.Ghost.Client.exe
  | description     | ioc | process |
  | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | Vape.Ghost.Client.exe |
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: AUTOCL~1.EXE
  | description | ioc | process |
  | Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AUTOCL~1.EXE |
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: Vape.Ghost.Client.exe
  | description                | pid  | process               | target process |
  | PID 2496 wrote to memory of 2580 | 2496 | Vape.Ghost.Client.exe | AUTOCL~1.EXE   |
  | PID 2496 wrote to memory of 2580 | 2496 | Vape.Ghost.Client.exe | AUTOCL~1.EXE   |
  | PID 2496 wrote to memory of 2580 | 2496 | Vape.Ghost.Client.exe | AUTOCL~1.EXE   |
Processes
- C:\Users\Admin\AppData\Local\Temp\Vape.Ghost.Client.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Vape.Ghost.Client.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 2496
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AUTOCL~1.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AUTOCL~1.EXE
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 2580
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 68KB
  MD5: 244c234696a4a686ba7b6e4652d6200e
  SHA1: 09806d289fb39ed2997eadceb901ba8e2e5616e5
  SHA256: 2930b9f36c5719b27475da8bec4990528fc2aa55d768007b06b7d4c1cdad2654
  SHA512: c40b6c8e1ec76e0018c0a15d0192e2371445a8250d42de78ccbfb3b3a100f9c21261ad7bad20ec92dada4d67ca05ae6474a9555a414167c96a1e479d93ac07f9