Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

b484589e-5...1a.exe

windows7-x64

10

b484589e-5...1a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    20/11/2024, 08:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b484589e-5bc1-4822-b761-fc942575461a.exe

  • Size

    1.0MB

  • MD5

    f32465a4fd980fa363d5572fa360b899

  • SHA1

    f47515752d398ff6a0ef2defcc438fdec954bd85

  • SHA256

    3304e525a58d809bbb50534a1288d1d9f5285bd77f313725cb48368642b10583

  • SHA512

    e2969efb4e82a4c2ae9ad1064e194d57771faa66d111f6be76946c04ad01b6777813290daf8ccded11601cd407843e51d729f20ad0f396ff6f13849f424085ef

  • SSDEEP

    24576:0NA3R5drX4GcPNY9C1ml38znrSQrcXVgxWGHEbpJvxB:V5/cPu4+45ra2xWBpp

Score
10/10
xenoratdiscoveryrattrojan

Malware Config

Extracted

Family

xenorat

C2

87.120.116.115

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    60000

  • install_path

    temp

  • port

    1391

  • startup_name

    nothingset

Signatures

  • Detect XenoRat Payload 3 IoCs
  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Xenorat family
    xenorat
  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 12 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b484589e-5bc1-4822-b761-fc942575461a.exe
    "C:\Users\Admin\AppData\Local\Temp\b484589e-5bc1-4822-b761-fc942575461a.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2132
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\bsfhxtr.cmd" "
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Users\Admin\AppData\Local\Temp\zgouble.sfx.exe
        zgouble.sfx.exe -dC:\Users\Admin\AppData\Local\Temp -padfdyehngfszalhmyjfoalepodtyuiofxvflffugyRhvqxsdfHbgnmeU
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2600
        • C:\Users\Admin\AppData\Local\Temp\zgouble.exe
          "C:\Users\Admin\AppData\Local\Temp\zgouble.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2212
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Roaming\cfgdf.bat" "
            5⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1012
            • C:\Users\Admin\AppData\Roaming\cvghfy.sfx.exe
              cvghfy.sfx.exe -dC:\Users\Admin\AppData\Roaming -peyhrntdesczopthnymkdespbodtyuhngfszafugyRhvqxsdfHbgnmeL
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:324
              • C:\Users\Admin\AppData\Roaming\cvghfy.exe
                "C:\Users\Admin\AppData\Roaming\cvghfy.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1236
                • C:\Users\Admin\AppData\Roaming\cvghfy.exe
                  C:\Users\Admin\AppData\Roaming\cvghfy.exe
                  8⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:2452
                  • C:\Users\Admin\AppData\Local\Temp\UpdateManager\cvghfy.exe
                    "C:\Users\Admin\AppData\Local\Temp\UpdateManager\cvghfy.exe"
                    9⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Suspicious use of SetThreadContext
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2400
                    • C:\Users\Admin\AppData\Local\Temp\UpdateManager\cvghfy.exe
                      C:\Users\Admin\AppData\Local\Temp\UpdateManager\cvghfy.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:2968
                    • C:\Users\Admin\AppData\Local\Temp\UpdateManager\cvghfy.exe
                      C:\Users\Admin\AppData\Local\Temp\UpdateManager\cvghfy.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:1500
                • C:\Users\Admin\AppData\Roaming\cvghfy.exe
                  C:\Users\Admin\AppData\Roaming\cvghfy.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2064
                  • C:\Windows\SysWOW64\schtasks.exe
                    "schtasks.exe" /Create /TN "UpdateManager" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4F77.tmp" /F
                    9⤵
                    • System Location Discovery: System Language Discovery
                    • Scheduled Task/Job: Scheduled Task
                    PID:2636
    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Pago.pdf"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:2540

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Pago.pdf
    Filesize

    30KB

    MD5

    fa0a0bc195062f035e0b7971ead10491

    SHA1

    ca2d4bd456ccba9fceb3f2b9ffefeb59615e12c9

    SHA256

    7a0e40d4c39eae8f7415cb44504e04c1baf41f57e797308f026409c7353ed03d

    SHA512

    c5a47170ad1ec061b37fd8c0726998400b144decccee65b9225184425da047e7abe007e17197c8423a5d9331c751d7f7d0512fa48de3fecbca0a5989e5c42ae4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\bsfhxtr.cmd
    Filesize

    18KB

    MD5

    7d18436333f8f151e58c02a9c84648c1

    SHA1

    b254b3b902a5bed7894677d9b878c6eb589641b4

    SHA256

    078332289fe77ede5a5f3feb6c3393fb893605b3ec1545df450ab750a4059a29

    SHA512

    e7070bf486272935b22d78e8fe3f284a20351528b4919783c312fdcb5ec35c1dd90d3e0efb2cd040160cbaa471b8ab52bcc2c67ff443c611a858a9514b987bc5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp4F77.tmp
    Filesize

    1KB

    MD5

    db55770230d2076aa8daf02d54b5478a

    SHA1

    29c69e06706238feba536b01967d392c11f3a0ca

    SHA256

    74c1b2efb865d8a0e0dc43426d7e5b778d3dd5171dd4394b1e91d432fd131968

    SHA512

    72a90f3738aa957b33965dbb8380b890880dedb67cf4434df7fb900171a05698bf7a46344e7ef40473684112a6f6fc490b48627f9fce54677811faae80355680

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\zgouble.sfx.exe
    Filesize

    768KB

    MD5

    edc939823a0d0ac63f84ef49acaf014b

    SHA1

    5d3603cab47e2df3d49414a58b762e50a9c948ba

    SHA256

    72722737a28ed8371130b181f99a12bd7f43b9cb9043e7a1257c08394e57e17b

    SHA512

    4bcab61622c4f08430199aafd36556416ccbb0a2693162418d929de9190bcadf8ff86c415e2c3e0b989eeb8cbb498a3c2d68296aff0ca05b8355aa464f298914

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
    Filesize

    3KB

    MD5

    b1817a57eea09d88d6c5fa9087800ba8

    SHA1

    720be89763d77d3023a4baedd1fecff6faa07137

    SHA256

    3537f2d37c4ca32f7b53652b673a9ff00d9c0ec2afc2c2be3c6f7886187f6a94

    SHA512

    56b08a59525e67da58f542fdf710536a171a76e9022f51e7d2b19c0c80f8cbaab3731924fd9a3189e9ad3d14139d17bf6fe8caa58ec34fd554b3634b6a36c532

    Download Submit

  • C:\Users\Admin\AppData\Roaming\cfgdf.bat
    Filesize

    18KB

    MD5

    67605d4576fc9218ca922faaccf44961

    SHA1

    0f4adb98ea10f90b3984a10837aa2c653700986b

    SHA256

    18abc987c2a04a7c576d7a5c86588467cbf6cc2bb15eadbc60c0336e2fff11d8

    SHA512

    ef570ad9ebbe64245a8b6d972c77c6dd96adf869e06e8834754a2f90b4c8171a66233db3d27938b3ec30e19ec070dfac2160d7e5b58f477c3d44a20d2be16707

    Download Submit

  • C:\Users\Admin\AppData\Roaming\cvghfy.sfx.exe
    Filesize

    477KB

    MD5

    68b0b2d1155fbefde17060028186ef37

    SHA1

    39fcab2dbbaaf0c92a7af7179fd4932d6c8758e8

    SHA256

    29cce673a99fc812b911d71447ebc7c27240185d68471275d5878d15b5412724

    SHA512

    1d4c0eb0c668c4b4ecd3daddcd73f78ec72509f8b867ab82813aae8a4cf0ea94fc471454caf63b5b5b5da280ebcb5841b52bcc39b91ec2741d0c3d6a74bf694a

    Download Submit

  • \Users\Admin\AppData\Local\Temp\zgouble.exe
    Filesize

    625KB

    MD5

    58133b496a35609d10cc64215b5fc990

    SHA1

    dc6bb593c22e664a8d7629e0663820f9207592d1

    SHA256

    2d08e8130fcd20c4e4332010481247cf00062af6cafbbfd4cbe096a9c62d5d7d

    SHA512

    4d2a18cd02f214740d1834930246da55757ff92edec2b1fc64191ab4fc612a3a18cbaa443f9ef5329f5be6150b1487bc0f5c7bff5c5b4469c5bdd9517a526cc8

    Download Submit

  • \Users\Admin\AppData\Roaming\cvghfy.exe
    Filesize

    246KB

    MD5

    81803959df039efd73a59e513065ea5c

    SHA1

    22328ae1cbf3c7e21b374bfcff7938d3f11f6459

    SHA256

    46affe6213f26e1a5446134c994e14d3f3f500e3c88f7867e3102c4b171cead1

    SHA512

    a01ab581c35a38631e8074d3c6f4412397874b80684374bc5db426de908d84fac98dfd0bfba1c1db5bb8c559fc88f6fac1918ad06b79050b4b5704b973bf53b3

    Download Submit

  • memory/1236-76-0x0000000000300000-0x0000000000306000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1236-78-0x0000000000330000-0x0000000000336000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1236-77-0x00000000004F0000-0x0000000000530000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1236-75-0x0000000000C90000-0x0000000000CD6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2400-95-0x0000000000BF0000-0x0000000000C36000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2452-79-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2452-87-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2452-81-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download