Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    129s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/11/2024, 08:35 UTC

General

  • Target

    zgouble.exe

  • Size

    625KB

  • MD5

    58133b496a35609d10cc64215b5fc990

  • SHA1

    dc6bb593c22e664a8d7629e0663820f9207592d1

  • SHA256

    2d08e8130fcd20c4e4332010481247cf00062af6cafbbfd4cbe096a9c62d5d7d

  • SHA512

    4d2a18cd02f214740d1834930246da55757ff92edec2b1fc64191ab4fc612a3a18cbaa443f9ef5329f5be6150b1487bc0f5c7bff5c5b4469c5bdd9517a526cc8

  • SSDEEP

    12288:IcrNS33L10QdrX4tJD4nmvDLI0ZOZPu8+NYzv3epjcuXjc6l02gq4Ne2o:7NA3R5drX4j4m70Ee3eSuXjtvJ4sN

Malware Config

Extracted

Family

xenorat

C2

87.120.116.115

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    60000

  • install_path

    temp

  • port

    1391

  • startup_name

    nothingset

Signatures

  • Detect XenoRat Payload 3 IoCs
  • XenoRat

    XenoRat is a remote access trojan written in C#.

  • Xenorat family
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 8 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\zgouble.exe
    "C:\Users\Admin\AppData\Local\Temp\zgouble.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2528
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\cfgdf.bat" "
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2964
      • C:\Users\Admin\AppData\Roaming\cvghfy.sfx.exe
        cvghfy.sfx.exe -dC:\Users\Admin\AppData\Roaming -peyhrntdesczopthnymkdespbodtyuhngfszafugyRhvqxsdfHbgnmeL
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2992
        • C:\Users\Admin\AppData\Roaming\cvghfy.exe
          "C:\Users\Admin\AppData\Roaming\cvghfy.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2472
          • C:\Users\Admin\AppData\Roaming\cvghfy.exe
            C:\Users\Admin\AppData\Roaming\cvghfy.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:436
            • C:\Users\Admin\AppData\Local\Temp\UpdateManager\cvghfy.exe
              "C:\Users\Admin\AppData\Local\Temp\UpdateManager\cvghfy.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2480
              • C:\Users\Admin\AppData\Local\Temp\UpdateManager\cvghfy.exe
                C:\Users\Admin\AppData\Local\Temp\UpdateManager\cvghfy.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:1712
              • C:\Users\Admin\AppData\Local\Temp\UpdateManager\cvghfy.exe
                C:\Users\Admin\AppData\Local\Temp\UpdateManager\cvghfy.exe
                7⤵
                • Executes dropped EXE
                PID:792
          • C:\Users\Admin\AppData\Roaming\cvghfy.exe
            C:\Users\Admin\AppData\Roaming\cvghfy.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1928
            • C:\Windows\SysWOW64\schtasks.exe
              "schtasks.exe" /Create /TN "UpdateManager" /XML "C:\Users\Admin\AppData\Local\Temp\tmp95CA.tmp" /F
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:2016

Network

  • 87.120.116.115:1391
    cvghfy.exe
    152 B
    3
  • 87.120.116.115:1391
    cvghfy.exe
    152 B
    3
  • 87.120.116.115:1391
    cvghfy.exe
    152 B
    3

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp95CA.tmp

    Filesize

    1KB

    MD5

    db55770230d2076aa8daf02d54b5478a

    SHA1

    29c69e06706238feba536b01967d392c11f3a0ca

    SHA256

    74c1b2efb865d8a0e0dc43426d7e5b778d3dd5171dd4394b1e91d432fd131968

    SHA512

    72a90f3738aa957b33965dbb8380b890880dedb67cf4434df7fb900171a05698bf7a46344e7ef40473684112a6f6fc490b48627f9fce54677811faae80355680

  • C:\Users\Admin\AppData\Roaming\cfgdf.bat

    Filesize

    18KB

    MD5

    67605d4576fc9218ca922faaccf44961

    SHA1

    0f4adb98ea10f90b3984a10837aa2c653700986b

    SHA256

    18abc987c2a04a7c576d7a5c86588467cbf6cc2bb15eadbc60c0336e2fff11d8

    SHA512

    ef570ad9ebbe64245a8b6d972c77c6dd96adf869e06e8834754a2f90b4c8171a66233db3d27938b3ec30e19ec070dfac2160d7e5b58f477c3d44a20d2be16707

  • \Users\Admin\AppData\Roaming\cvghfy.exe

    Filesize

    246KB

    MD5

    81803959df039efd73a59e513065ea5c

    SHA1

    22328ae1cbf3c7e21b374bfcff7938d3f11f6459

    SHA256

    46affe6213f26e1a5446134c994e14d3f3f500e3c88f7867e3102c4b171cead1

    SHA512

    a01ab581c35a38631e8074d3c6f4412397874b80684374bc5db426de908d84fac98dfd0bfba1c1db5bb8c559fc88f6fac1918ad06b79050b4b5704b973bf53b3

  • \Users\Admin\AppData\Roaming\cvghfy.sfx.exe

    Filesize

    477KB

    MD5

    68b0b2d1155fbefde17060028186ef37

    SHA1

    39fcab2dbbaaf0c92a7af7179fd4932d6c8758e8

    SHA256

    29cce673a99fc812b911d71447ebc7c27240185d68471275d5878d15b5412724

    SHA512

    1d4c0eb0c668c4b4ecd3daddcd73f78ec72509f8b867ab82813aae8a4cf0ea94fc471454caf63b5b5b5da280ebcb5841b52bcc39b91ec2741d0c3d6a74bf694a

  • memory/436-43-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/436-41-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/1928-49-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/2472-37-0x0000000001220000-0x0000000001266000-memory.dmp

    Filesize

    280KB

  • memory/2472-38-0x0000000000730000-0x0000000000736000-memory.dmp

    Filesize

    24KB

  • memory/2472-39-0x00000000004C0000-0x0000000000500000-memory.dmp

    Filesize

    256KB

  • memory/2472-40-0x0000000000510000-0x0000000000516000-memory.dmp

    Filesize

    24KB

  • memory/2480-57-0x0000000001060000-0x00000000010A6000-memory.dmp

    Filesize

    280KB
