xenorat | 2d08e8130fcd20c4e4332010481247cf00062af6cafbbfd4cbe096a9c62d5d7d

Analysis

max time kernel
129s
max time network
145s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 08:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zgouble.exe
Size

625KB
MD5

58133b496a35609d10cc64215b5fc990
SHA1

dc6bb593c22e664a8d7629e0663820f9207592d1
SHA256

2d08e8130fcd20c4e4332010481247cf00062af6cafbbfd4cbe096a9c62d5d7d
SHA512

4d2a18cd02f214740d1834930246da55757ff92edec2b1fc64191ab4fc612a3a18cbaa443f9ef5329f5be6150b1487bc0f5c7bff5c5b4469c5bdd9517a526cc8
SSDEEP

12288:IcrNS33L10QdrX4tJD4nmvDLI0ZOZPu8+NYzv3epjcuXjc6l02gq4Ne2o:7NA3R5drX4j4m70Ee3eSuXjtvJ4sN

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

87.120.116.115

Mutex

Xeno_rat_nd8912d

Attributes

delay
60000
install_path
temp
port
1391
startup_name
nothingset

Signatures

Detect XenoRat Payload 3 IoCs

resource	yara_rule
behavioral1/memory/436-43-0x0000000000400000-0x0000000000412000-memory.dmp	family_xenorat
behavioral1/memory/436-41-0x0000000000400000-0x0000000000412000-memory.dmp	family_xenorat
behavioral1/memory/1928-49-0x0000000000400000-0x0000000000412000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

Executes dropped EXE 7 IoCs

pid	Process
2992	cvghfy.sfx.exe
2472	cvghfy.exe
436	cvghfy.exe
1928	cvghfy.exe
2480	cvghfy.exe
1712	cvghfy.exe
792	cvghfy.exe

Loads dropped DLL 8 IoCs

pid	Process
2964	cmd.exe
2992	cvghfy.sfx.exe
2992	cvghfy.sfx.exe
2992	cvghfy.sfx.exe
2992	cvghfy.sfx.exe
436	cvghfy.exe
2480	cvghfy.exe
2480	cvghfy.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2472 set thread context of 436	2472	cvghfy.exe	34
PID 2472 set thread context of 1928	2472	cvghfy.exe	35
PID 2480 set thread context of 1712	2480	cvghfy.exe	37
PID 2480 set thread context of 792	2480	cvghfy.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvghfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvghfy.sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvghfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvghfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvghfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zgouble.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvghfy.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2016	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2472	cvghfy.exe
Token: SeDebugPrivilege	2480	cvghfy.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2964	2528	zgouble.exe	30
PID 2528 wrote to memory of 2964	2528	zgouble.exe	30
PID 2528 wrote to memory of 2964	2528	zgouble.exe	30
PID 2528 wrote to memory of 2964	2528	zgouble.exe	30
PID 2964 wrote to memory of 2992	2964	cmd.exe	32
PID 2964 wrote to memory of 2992	2964	cmd.exe	32
PID 2964 wrote to memory of 2992	2964	cmd.exe	32
PID 2964 wrote to memory of 2992	2964	cmd.exe	32
PID 2992 wrote to memory of 2472	2992	cvghfy.sfx.exe	33
PID 2992 wrote to memory of 2472	2992	cvghfy.sfx.exe	33
PID 2992 wrote to memory of 2472	2992	cvghfy.sfx.exe	33
PID 2992 wrote to memory of 2472	2992	cvghfy.sfx.exe	33
PID 2472 wrote to memory of 436	2472	cvghfy.exe	34
PID 2472 wrote to memory of 436	2472	cvghfy.exe	34
PID 2472 wrote to memory of 436	2472	cvghfy.exe	34
PID 2472 wrote to memory of 436	2472	cvghfy.exe	34
PID 2472 wrote to memory of 436	2472	cvghfy.exe	34
PID 2472 wrote to memory of 436	2472	cvghfy.exe	34
PID 2472 wrote to memory of 436	2472	cvghfy.exe	34
PID 2472 wrote to memory of 436	2472	cvghfy.exe	34
PID 2472 wrote to memory of 436	2472	cvghfy.exe	34
PID 2472 wrote to memory of 1928	2472	cvghfy.exe	35
PID 2472 wrote to memory of 1928	2472	cvghfy.exe	35
PID 2472 wrote to memory of 1928	2472	cvghfy.exe	35
PID 2472 wrote to memory of 1928	2472	cvghfy.exe	35
PID 2472 wrote to memory of 1928	2472	cvghfy.exe	35
PID 2472 wrote to memory of 1928	2472	cvghfy.exe	35
PID 2472 wrote to memory of 1928	2472	cvghfy.exe	35
PID 2472 wrote to memory of 1928	2472	cvghfy.exe	35
PID 2472 wrote to memory of 1928	2472	cvghfy.exe	35
PID 436 wrote to memory of 2480	436	cvghfy.exe	36
PID 436 wrote to memory of 2480	436	cvghfy.exe	36
PID 436 wrote to memory of 2480	436	cvghfy.exe	36
PID 436 wrote to memory of 2480	436	cvghfy.exe	36
PID 2480 wrote to memory of 1712	2480	cvghfy.exe	37
PID 2480 wrote to memory of 1712	2480	cvghfy.exe	37
PID 2480 wrote to memory of 1712	2480	cvghfy.exe	37
PID 2480 wrote to memory of 1712	2480	cvghfy.exe	37
PID 2480 wrote to memory of 1712	2480	cvghfy.exe	37
PID 2480 wrote to memory of 1712	2480	cvghfy.exe	37
PID 2480 wrote to memory of 1712	2480	cvghfy.exe	37
PID 2480 wrote to memory of 1712	2480	cvghfy.exe	37
PID 2480 wrote to memory of 1712	2480	cvghfy.exe	37
PID 2480 wrote to memory of 792	2480	cvghfy.exe	38
PID 2480 wrote to memory of 792	2480	cvghfy.exe	38
PID 2480 wrote to memory of 792	2480	cvghfy.exe	38
PID 2480 wrote to memory of 792	2480	cvghfy.exe	38
PID 2480 wrote to memory of 792	2480	cvghfy.exe	38
PID 2480 wrote to memory of 792	2480	cvghfy.exe	38
PID 2480 wrote to memory of 792	2480	cvghfy.exe	38
PID 2480 wrote to memory of 792	2480	cvghfy.exe	38
PID 2480 wrote to memory of 792	2480	cvghfy.exe	38
PID 1928 wrote to memory of 2016	1928	cvghfy.exe	39
PID 1928 wrote to memory of 2016	1928	cvghfy.exe	39
PID 1928 wrote to memory of 2016	1928	cvghfy.exe	39
PID 1928 wrote to memory of 2016	1928	cvghfy.exe	39

C:\Users\Admin\AppData\Local\Temp\zgouble.exe
"C:\Users\Admin\AppData\Local\Temp\zgouble.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\cfgdf.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Users\Admin\AppData\Roaming\cvghfy.sfx.exe
    cvghfy.sfx.exe -dC:\Users\Admin\AppData\Roaming -peyhrntdesczopthnymkdespbodtyuhngfszafugyRhvqxsdfHbgnmeL
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Users\Admin\AppData\Roaming\cvghfy.exe
      "C:\Users\Admin\AppData\Roaming\cvghfy.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Users\Admin\AppData\Roaming\cvghfy.exe
        
        C:\Users\Admin\AppData\Roaming\cvghfy.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:436
      - C:\Users\Admin\AppData\Local\Temp\UpdateManager\cvghfy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\UpdateManager\cvghfy.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\UpdateManager\cvghfy.exe
        
        C:\Users\Admin\AppData\Local\Temp\UpdateManager\cvghfy.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\UpdateManager\cvghfy.exe
        
        C:\Users\Admin\AppData\Local\Temp\UpdateManager\cvghfy.exe
        7⤵
        Executes dropped EXE
        
        PID:792
    - - C:\Users\Admin\AppData\Roaming\cvghfy.exe
        
        C:\Users\Admin\AppData\Roaming\cvghfy.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1928
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /Create /TN "UpdateManager" /XML "C:\Users\Admin\AppData\Local\Temp\tmp95CA.tmp" /F
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp95CA.tmp

Filesize
1KB

MD5
db55770230d2076aa8daf02d54b5478a

SHA1
29c69e06706238feba536b01967d392c11f3a0ca

SHA256
74c1b2efb865d8a0e0dc43426d7e5b778d3dd5171dd4394b1e91d432fd131968

SHA512
72a90f3738aa957b33965dbb8380b890880dedb67cf4434df7fb900171a05698bf7a46344e7ef40473684112a6f6fc490b48627f9fce54677811faae80355680

Download Submit
C:\Users\Admin\AppData\Roaming\cfgdf.bat

Filesize
18KB

MD5
67605d4576fc9218ca922faaccf44961

SHA1
0f4adb98ea10f90b3984a10837aa2c653700986b

SHA256
18abc987c2a04a7c576d7a5c86588467cbf6cc2bb15eadbc60c0336e2fff11d8

SHA512
ef570ad9ebbe64245a8b6d972c77c6dd96adf869e06e8834754a2f90b4c8171a66233db3d27938b3ec30e19ec070dfac2160d7e5b58f477c3d44a20d2be16707

Download Submit
\Users\Admin\AppData\Roaming\cvghfy.exe

Filesize
246KB

MD5
81803959df039efd73a59e513065ea5c

SHA1
22328ae1cbf3c7e21b374bfcff7938d3f11f6459

SHA256
46affe6213f26e1a5446134c994e14d3f3f500e3c88f7867e3102c4b171cead1

SHA512
a01ab581c35a38631e8074d3c6f4412397874b80684374bc5db426de908d84fac98dfd0bfba1c1db5bb8c559fc88f6fac1918ad06b79050b4b5704b973bf53b3

Download Submit
\Users\Admin\AppData\Roaming\cvghfy.sfx.exe

Filesize
477KB

MD5
68b0b2d1155fbefde17060028186ef37

SHA1
39fcab2dbbaaf0c92a7af7179fd4932d6c8758e8

SHA256
29cce673a99fc812b911d71447ebc7c27240185d68471275d5878d15b5412724

SHA512
1d4c0eb0c668c4b4ecd3daddcd73f78ec72509f8b867ab82813aae8a4cf0ea94fc471454caf63b5b5b5da280ebcb5841b52bcc39b91ec2741d0c3d6a74bf694a

Download Submit
memory/436-43-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/436-41-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1928-49-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2472-37-0x0000000001220000-0x0000000001266000-memory.dmp

Filesize
280KB

Download
memory/2472-38-0x0000000000730000-0x0000000000736000-memory.dmp

Filesize
24KB

Download
memory/2472-39-0x00000000004C0000-0x0000000000500000-memory.dmp

Filesize
256KB

Download
memory/2472-40-0x0000000000510000-0x0000000000516000-memory.dmp

Filesize
24KB

Download
memory/2480-57-0x0000000001060000-0x00000000010A6000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads