Analysis Overview
SHA256
009c7b94b0d9541477c43105707754fa3ad4962dc561533a4a0b86689f2518db
Threat Level: Known bad
The file gdfgdfgfdg.exe was found to be: Known bad.
Malicious Activity Summary
Xenorat family
XenorRat
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-13 23:05
Signatures
Xenorat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-13 23:05
Reported
2024-08-13 23:08
Platform
win10-20240611-en
Max time kernel
129s
Max time network
135s
Command Line
Signatures
XenorRat
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\gdfgdfgfdg.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gdfgdfgfdg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\XenoManager\gdfgdfgfdg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gdfgdfgfdg.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2840 wrote to memory of 1228 | N/A | C:\Users\Admin\AppData\Local\Temp\gdfgdfgfdg.exe | C:\Users\Admin\AppData\Roaming\XenoManager\gdfgdfgfdg.exe |
| PID 2840 wrote to memory of 1228 | N/A | C:\Users\Admin\AppData\Local\Temp\gdfgdfgfdg.exe | C:\Users\Admin\AppData\Roaming\XenoManager\gdfgdfgfdg.exe |
| PID 2840 wrote to memory of 1228 | N/A | C:\Users\Admin\AppData\Local\Temp\gdfgdfgfdg.exe | C:\Users\Admin\AppData\Roaming\XenoManager\gdfgdfgfdg.exe |
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\gdfgdfgfdg.exe | "C:\Users\Admin\AppData\Local\Temp\gdfgdfgfdg.exe" |
| C:\Users\Admin\AppData\Roaming\XenoManager\gdfgdfgfdg.exe | "C:\Users\Admin\AppData\Roaming\XenoManager\gdfgdfgfdg.exe" |
| C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding |
| C:\Users\Admin\AppData\Local\Temp\gdfgdfgfdg.exe | "C:\Users\Admin\AppData\Local\Temp\gdfgdfgfdg.exe" |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| SE | 2.21.189.164:80 | | tcp |
| BE | 2.17.107.203:80 | | tcp |
| US | 8.8.8.8:53 | related-directed.gl.at.ply.gg | udp |
| US | 147.185.221.20:3403 | related-directed.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 20.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
memory/2840-0-0x00007FFF328A0000-0x00007FFF32A7B000-memory.dmp
memory/2840-1-0x0000000000550000-0x0000000000562000-memory.dmp
C:\Users\Admin\AppData\Roaming\XenoManager\gdfgdfgfdg.exe
| Hash | Value |
| --- | --- |
| MD5 | b1ff6fc37c6f30705b60421bad837ba1 |
| SHA1 | 86c14aa784f97ac9018bd33d2b2cda2606dc0679 |
| SHA256 | 009c7b94b0d9541477c43105707754fa3ad4962dc561533a4a0b86689f2518db |
| SHA512 | 5bb2f33b6d7663a88290e0bffc81470614455da4ebf5ea8aae4e8b38b41d702dce1ca47616808f2cfd48c6061b935ec1379281bb43e56f4e1c153e1abb67ba09 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gdfgdfgfdg.exe.log
| Hash | Value |
| --- | --- |
| MD5 | 957779c42144282d8cd83192b8fbc7cf |
| SHA1 | de83d08d2cca06b9ff3d1ef239d6b60b705d25fe |
| SHA256 | 0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51 |
| SHA512 | f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd |
memory/1228-9-0x00007FFF328A0000-0x00007FFF32A7B000-memory.dmp