Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
17-04-2021 12:32
Static task
static1
Behavioral task
behavioral1
Sample
Xenos/Xenos.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
Xenos/Xenos.exe
Resource
win10v20210410
Behavioral task
behavioral3
Sample
Xenos/Xenos64.exe
Resource
win7v20210408
Behavioral task
behavioral4
Sample
Xenos/Xenos64.exe
Resource
win10v20210410
General
-
Target
Xenos/Xenos.exe
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
Xenos.exesvchost.exesvhost.exepid process 1408 Xenos.exe 1668 svchost.exe 672 svhost.exe -
Modifies Windows Firewall 1 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Xenos.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation Xenos.exe -
Drops startup file 2 IoCs
Processes:
svhost.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\28c0300760120ee25fe352fae1eb167a.exe svhost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\28c0300760120ee25fe352fae1eb167a.exe svhost.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
svhost.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\28c0300760120ee25fe352fae1eb167a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost.exe\" .." svhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\28c0300760120ee25fe352fae1eb167a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost.exe\" .." svhost.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs
Processes:
svchost.exesvhost.exepid process 1668 svchost.exe 1668 svchost.exe 672 svhost.exe 672 svhost.exe 672 svhost.exe 672 svhost.exe 672 svhost.exe 672 svhost.exe 672 svhost.exe 672 svhost.exe 672 svhost.exe 672 svhost.exe 672 svhost.exe 672 svhost.exe 672 svhost.exe 672 svhost.exe 672 svhost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes:
Xenos.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance Xenos.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Xenos.exeXenos.exesvchost.exepid process 3692 Xenos.exe 3692 Xenos.exe 3692 Xenos.exe 1408 Xenos.exe 1408 Xenos.exe 1408 Xenos.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe 1668 svchost.exe -
Suspicious use of AdjustPrivilegeToken 36 IoCs
Processes:
Xenos.exeXenos.exesvchost.exesvhost.exedescription pid process Token: SeDebugPrivilege 3692 Xenos.exe Token: SeDebugPrivilege 1408 Xenos.exe Token: SeDebugPrivilege 1668 svchost.exe Token: SeDebugPrivilege 672 svhost.exe Token: 33 672 svhost.exe Token: SeIncBasePriorityPrivilege 672 svhost.exe Token: 33 672 svhost.exe Token: SeIncBasePriorityPrivilege 672 svhost.exe Token: 33 672 svhost.exe Token: SeIncBasePriorityPrivilege 672 svhost.exe Token: 33 672 svhost.exe Token: SeIncBasePriorityPrivilege 672 svhost.exe Token: 33 672 svhost.exe Token: SeIncBasePriorityPrivilege 672 svhost.exe Token: 33 672 svhost.exe Token: SeIncBasePriorityPrivilege 672 svhost.exe Token: 33 672 svhost.exe Token: SeIncBasePriorityPrivilege 672 svhost.exe Token: 33 672 svhost.exe Token: SeIncBasePriorityPrivilege 672 svhost.exe Token: 33 672 svhost.exe Token: SeIncBasePriorityPrivilege 672 svhost.exe Token: 33 672 svhost.exe Token: SeIncBasePriorityPrivilege 672 svhost.exe Token: 33 672 svhost.exe Token: SeIncBasePriorityPrivilege 672 svhost.exe Token: 33 672 svhost.exe Token: SeIncBasePriorityPrivilege 672 svhost.exe Token: 33 672 svhost.exe Token: SeIncBasePriorityPrivilege 672 svhost.exe Token: 33 672 svhost.exe Token: SeIncBasePriorityPrivilege 672 svhost.exe Token: 33 672 svhost.exe Token: SeIncBasePriorityPrivilege 672 svhost.exe Token: 33 672 svhost.exe Token: SeIncBasePriorityPrivilege 672 svhost.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
svchost.exesvhost.exepid process 1668 svchost.exe 672 svhost.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
Xenos.exesvchost.exesvhost.exedescription pid process target process PID 3692 wrote to memory of 1408 3692 Xenos.exe Xenos.exe PID 3692 wrote to memory of 1408 3692 Xenos.exe Xenos.exe PID 3692 wrote to memory of 1668 3692 Xenos.exe svchost.exe PID 3692 wrote to memory of 1668 3692 Xenos.exe svchost.exe PID 3692 wrote to memory of 1668 3692 Xenos.exe svchost.exe PID 1668 wrote to memory of 672 1668 svchost.exe svhost.exe PID 1668 wrote to memory of 672 1668 svchost.exe svhost.exe PID 1668 wrote to memory of 672 1668 svchost.exe svhost.exe PID 672 wrote to memory of 3180 672 svhost.exe netsh.exe PID 672 wrote to memory of 3180 672 svhost.exe netsh.exe PID 672 wrote to memory of 3180 672 svhost.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Xenos\Xenos.exe"C:\Users\Admin\AppData\Local\Temp\Xenos\Xenos.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3692 -
C:\Users\Admin\AppData\Local\Temp\Xenos.exe"C:\Users\Admin\AppData\Local\Temp\Xenos.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1408 -
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Users\Admin\AppData\Local\Temp\svhost.exe"C:\Users\Admin\AppData\Local\Temp\svhost.exe"3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:672 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svhost.exe" "svhost.exe" ENABLE4⤵PID:3180
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Xenos.exe.logMD5
7ff3b62c81e5e159eab190ddfdc19db8
SHA19097c5a644a987927dc04a0cb6a2acbc6713c8af
SHA2569309eb301bcf03d8e91c39cbf50cd4ca06b609e6d1e97fd319f73a05ba64b084
SHA5120e70e37ba50f30298f09ae300d607d7803c720acbac390b8aeba3a3bd5c69078f738076208feab530458f982912fe9974e9b0938da03afb14c7b16a252f9dd58
-
C:\Users\Admin\AppData\Local\Temp\Xenos.exeMD5
9770eeb89c8b147f388d92bc00a395e2
SHA1b5a2b3d477198af7ae67723be36084985ff22b8e
SHA25634a098fd2d55e4c58923eecf1e1054158ceacc3ab818d07745d6275404b8ef9a
SHA512f214850304362816cc9a475cbc5b44f39d072a8299798e7015b44e57f84fb7f28d98f44e7a1cd9140f833179ce4ea6d903332c70401a4653f95d8767636e50a7
-
C:\Users\Admin\AppData\Local\Temp\Xenos.exeMD5
9770eeb89c8b147f388d92bc00a395e2
SHA1b5a2b3d477198af7ae67723be36084985ff22b8e
SHA25634a098fd2d55e4c58923eecf1e1054158ceacc3ab818d07745d6275404b8ef9a
SHA512f214850304362816cc9a475cbc5b44f39d072a8299798e7015b44e57f84fb7f28d98f44e7a1cd9140f833179ce4ea6d903332c70401a4653f95d8767636e50a7
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeMD5
ed0b19f0b25d20c2ca2d7ddd9b51fafb
SHA19cc4d137b50d2653782bd6e4793452ac393e0fa3
SHA25687429a3c6557a11a1e83398d65f54e1fe12945ed3df86d67762bb0e29ad492fb
SHA512561ec87adec4833b29bb6d8061125656a9db4c0371f66f608deb75806525d01a987b1a42c1c43f3f3d1eebc88ebc684fd6189008ee5f4d1edd7cd07fe092ed0f
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeMD5
ed0b19f0b25d20c2ca2d7ddd9b51fafb
SHA19cc4d137b50d2653782bd6e4793452ac393e0fa3
SHA25687429a3c6557a11a1e83398d65f54e1fe12945ed3df86d67762bb0e29ad492fb
SHA512561ec87adec4833b29bb6d8061125656a9db4c0371f66f608deb75806525d01a987b1a42c1c43f3f3d1eebc88ebc684fd6189008ee5f4d1edd7cd07fe092ed0f
-
C:\Users\Admin\AppData\Local\Temp\svhost.exeMD5
ed0b19f0b25d20c2ca2d7ddd9b51fafb
SHA19cc4d137b50d2653782bd6e4793452ac393e0fa3
SHA25687429a3c6557a11a1e83398d65f54e1fe12945ed3df86d67762bb0e29ad492fb
SHA512561ec87adec4833b29bb6d8061125656a9db4c0371f66f608deb75806525d01a987b1a42c1c43f3f3d1eebc88ebc684fd6189008ee5f4d1edd7cd07fe092ed0f
-
C:\Users\Admin\AppData\Local\Temp\svhost.exeMD5
ed0b19f0b25d20c2ca2d7ddd9b51fafb
SHA19cc4d137b50d2653782bd6e4793452ac393e0fa3
SHA25687429a3c6557a11a1e83398d65f54e1fe12945ed3df86d67762bb0e29ad492fb
SHA512561ec87adec4833b29bb6d8061125656a9db4c0371f66f608deb75806525d01a987b1a42c1c43f3f3d1eebc88ebc684fd6189008ee5f4d1edd7cd07fe092ed0f
-
memory/672-137-0x0000000001050000-0x0000000001051000-memory.dmpFilesize
4KB
-
memory/672-134-0x0000000000000000-mapping.dmp
-
memory/1408-120-0x0000000000000000-mapping.dmp
-
memory/1408-132-0x00000000030A4000-0x00000000030A6000-memory.dmpFilesize
8KB
-
memory/1408-123-0x0000000000EF0000-0x0000000000EF1000-memory.dmpFilesize
4KB
-
memory/1408-128-0x00000000030A0000-0x00000000030A2000-memory.dmpFilesize
8KB
-
memory/1408-129-0x00000000030A2000-0x00000000030A4000-memory.dmpFilesize
8KB
-
memory/1408-133-0x00000000030A6000-0x00000000030A8000-memory.dmpFilesize
8KB
-
memory/1668-131-0x0000000004201000-0x0000000004202000-memory.dmpFilesize
4KB
-
memory/1668-125-0x0000000000000000-mapping.dmp
-
memory/3180-138-0x0000000000000000-mapping.dmp
-
memory/3692-114-0x0000000000180000-0x0000000000181000-memory.dmpFilesize
4KB
-
memory/3692-119-0x00000000024F6000-0x00000000024F8000-memory.dmpFilesize
8KB
-
memory/3692-118-0x00000000024F4000-0x00000000024F6000-memory.dmpFilesize
8KB
-
memory/3692-117-0x00000000024F2000-0x00000000024F4000-memory.dmpFilesize
8KB
-
memory/3692-116-0x00000000024F0000-0x00000000024F2000-memory.dmpFilesize
8KB