Analysis Overview
SHA256
1da503b09db301240e0e884cb784c00ac36bed73ff1589706db852fd21dc1b90
Threat Level: Known bad
The file Vape.Ghost.Client.exe was found to be: Known bad.
Malicious Activity Summary
XenorRat
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-12 06:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-12 06:02
Reported
2024-08-12 06:03
Platform
win11-20240802-en
Max time kernel
29s
Command Line
Signatures
XenorRat
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AUTOCL~1.EXE | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\Vape.Ghost.Client.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AUTOCL~1.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2496 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\Vape.Ghost.Client.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AUTOCL~1.EXE |
| PID 2496 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\Vape.Ghost.Client.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AUTOCL~1.EXE |
| PID 2496 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\Vape.Ghost.Client.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AUTOCL~1.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\Vape.Ghost.Client.exe
"C:\Users\Admin\AppData\Local\Temp\Vape.Ghost.Client.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AUTOCL~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AUTOCL~1.EXE
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 127.0.0.1:4444 | | tcp |
| N/A | 127.0.0.1:4444 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AUTOCL~1.EXE
| Hash | Value |
| --- | --- |
| MD5 | 244c234696a4a686ba7b6e4652d6200e |
| SHA1 | 09806d289fb39ed2997eadceb901ba8e2e5616e5 |
| SHA256 | 2930b9f36c5719b27475da8bec4990528fc2aa55d768007b06b7d4c1cdad2654 |
| SHA512 | c40b6c8e1ec76e0018c0a15d0192e2371445a8250d42de78ccbfb3b3a100f9c21261ad7bad20ec92dada4d67ca05ae6474a9555a414167c96a1e479d93ac07f9 |
memory/2580-7-0x000000007521E000-0x000000007521F000-memory.dmp
memory/2580-8-0x0000000000960000-0x0000000000976000-memory.dmp
memory/2580-9-0x0000000075210000-0x00000000759C1000-memory.dmp
memory/2580-10-0x000000007521E000-0x000000007521F000-memory.dmp