Overview

overview

10

Static

static

3

zgouble.exe

windows7-x64

10

zgouble.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    284s
  • max time network
    301s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/11/2024, 08:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    zgouble.exe

  • Size

    625KB

  • MD5

    58133b496a35609d10cc64215b5fc990

  • SHA1

    dc6bb593c22e664a8d7629e0663820f9207592d1

  • SHA256

    2d08e8130fcd20c4e4332010481247cf00062af6cafbbfd4cbe096a9c62d5d7d

  • SHA512

    4d2a18cd02f214740d1834930246da55757ff92edec2b1fc64191ab4fc612a3a18cbaa443f9ef5329f5be6150b1487bc0f5c7bff5c5b4469c5bdd9517a526cc8

  • SSDEEP

    12288:IcrNS33L10QdrX4tJD4nmvDLI0ZOZPu8+NYzv3epjcuXjc6l02gq4Ne2o:7NA3R5drX4j4m70Ee3eSuXjtvJ4sN

Score
10/10
xenoratdiscoveryrattrojan

Malware Config

Extracted

Family

xenorat

C2

87.120.116.115

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    60000

  • install_path

    temp

  • port

    1391

  • startup_name

    nothingset

Signatures

  • Detect XenoRat Payload 1 IoCs
  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Xenorat family
    xenorat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\zgouble.exe
    "C:\Users\Admin\AppData\Local\Temp\zgouble.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\cfgdf.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3756
      • C:\Users\Admin\AppData\Roaming\cvghfy.sfx.exe
        cvghfy.sfx.exe -dC:\Users\Admin\AppData\Roaming -peyhrntdesczopthnymkdespbodtyuhngfszafugyRhvqxsdfHbgnmeL
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4532
        • C:\Users\Admin\AppData\Roaming\cvghfy.exe
          "C:\Users\Admin\AppData\Roaming\cvghfy.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1256
          • C:\Users\Admin\AppData\Roaming\cvghfy.exe
            C:\Users\Admin\AppData\Roaming\cvghfy.exe
            5⤵
            • Executes dropped EXE
            PID:2124
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 80
              6⤵
              • Program crash
              PID:2504
          • C:\Users\Admin\AppData\Roaming\cvghfy.exe
            C:\Users\Admin\AppData\Roaming\cvghfy.exe
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3828
            • C:\Users\Admin\AppData\Local\Temp\UpdateManager\cvghfy.exe
              "C:\Users\Admin\AppData\Local\Temp\UpdateManager\cvghfy.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4900
              • C:\Users\Admin\AppData\Local\Temp\UpdateManager\cvghfy.exe
                C:\Users\Admin\AppData\Local\Temp\UpdateManager\cvghfy.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4860
                • C:\Windows\SysWOW64\schtasks.exe
                  "schtasks.exe" /Create /TN "UpdateManager" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC704.tmp" /F
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:2468
              • C:\Users\Admin\AppData\Local\Temp\UpdateManager\cvghfy.exe
                C:\Users\Admin\AppData\Local\Temp\UpdateManager\cvghfy.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:3012
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2124 -ip 2124
    1⤵
      PID:216

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cvghfy.exe.log
      Filesize

      706B

      MD5

      d95c58e609838928f0f49837cab7dfd2

      SHA1

      55e7139a1e3899195b92ed8771d1ca2c7d53c916

      SHA256

      0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

      SHA512

      405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpC704.tmp
      Filesize

      1KB

      MD5

      ab249650b85443ac128c24bb9feed685

      SHA1

      fad1eccebd31e34a6849d53e748397732b1b58bd

      SHA256

      3397551e013d6e71e90ff8e849475d966ad00abed7dc4462ab620e1f00c5a19f

      SHA512

      a02c890e9733b6c210b64df1e2addee8ae256096e92c3380d8b0a912fa2804d796046d15e7855fee9c8548de45977a71fdcc517c25721eb8501704e2d7ac8132

      Download Submit

    • C:\Users\Admin\AppData\Roaming\cfgdf.bat
      Filesize

      18KB

      MD5

      67605d4576fc9218ca922faaccf44961

      SHA1

      0f4adb98ea10f90b3984a10837aa2c653700986b

      SHA256

      18abc987c2a04a7c576d7a5c86588467cbf6cc2bb15eadbc60c0336e2fff11d8

      SHA512

      ef570ad9ebbe64245a8b6d972c77c6dd96adf869e06e8834754a2f90b4c8171a66233db3d27938b3ec30e19ec070dfac2160d7e5b58f477c3d44a20d2be16707

      Download Submit

    • C:\Users\Admin\AppData\Roaming\cvghfy.exe
      Filesize

      246KB

      MD5

      81803959df039efd73a59e513065ea5c

      SHA1

      22328ae1cbf3c7e21b374bfcff7938d3f11f6459

      SHA256

      46affe6213f26e1a5446134c994e14d3f3f500e3c88f7867e3102c4b171cead1

      SHA512

      a01ab581c35a38631e8074d3c6f4412397874b80684374bc5db426de908d84fac98dfd0bfba1c1db5bb8c559fc88f6fac1918ad06b79050b4b5704b973bf53b3

      Download Submit

    • C:\Users\Admin\AppData\Roaming\cvghfy.sfx.exe
      Filesize

      477KB

      MD5

      68b0b2d1155fbefde17060028186ef37

      SHA1

      39fcab2dbbaaf0c92a7af7179fd4932d6c8758e8

      SHA256

      29cce673a99fc812b911d71447ebc7c27240185d68471275d5878d15b5412724

      SHA512

      1d4c0eb0c668c4b4ecd3daddcd73f78ec72509f8b867ab82813aae8a4cf0ea94fc471454caf63b5b5b5da280ebcb5841b52bcc39b91ec2741d0c3d6a74bf694a

      Download Submit

    • memory/1256-25-0x000000000DE90000-0x000000000DF2C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/1256-24-0x000000000DDB0000-0x000000000DDF0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1256-26-0x000000000E4E0000-0x000000000EA84000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1256-27-0x000000000DFD0000-0x000000000E062000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1256-28-0x0000000002BB0000-0x0000000002BB6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1256-23-0x0000000005190000-0x0000000005196000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1256-22-0x0000000000860000-0x00000000008A6000-memory.dmp

      Filesize

      280KB

      Download

    • memory/3828-31-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download