Analysis
-
max time kernel
151s -
max time network
150s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
17-04-2021 12:32
Static task
static1
Behavioral task
behavioral1
Sample
Xenos/Xenos.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
Xenos/Xenos.exe
Resource
win10v20210410
Behavioral task
behavioral3
Sample
Xenos/Xenos64.exe
Resource
win7v20210408
Behavioral task
behavioral4
Sample
Xenos/Xenos64.exe
Resource
win10v20210410
General
-
Target
Xenos/Xenos64.exe
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
Xenos64.exesvchost.exesvhost.exepid process 1964 Xenos64.exe 1708 svchost.exe 552 svhost.exe -
Modifies Windows Firewall 1 TTPs
-
Drops startup file 2 IoCs
Processes:
svhost.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\28c0300760120ee25fe352fae1eb167a.exe svhost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\28c0300760120ee25fe352fae1eb167a.exe svhost.exe -
Loads dropped DLL 3 IoCs
Processes:
Xenos64.exesvchost.exepid process 1992 Xenos64.exe 1196 1708 svchost.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
svhost.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\28c0300760120ee25fe352fae1eb167a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost.exe\" .." svhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\28c0300760120ee25fe352fae1eb167a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost.exe\" .." svhost.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs
Processes:
svchost.exesvhost.exepid process 1708 svchost.exe 1708 svchost.exe 552 svhost.exe 552 svhost.exe 552 svhost.exe 552 svhost.exe 552 svhost.exe 552 svhost.exe 552 svhost.exe 552 svhost.exe 552 svhost.exe 552 svhost.exe 552 svhost.exe 552 svhost.exe 552 svhost.exe 552 svhost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 35 IoCs
Processes:
Xenos64.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell Xenos64.exe Set value (data) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots Xenos64.exe Set value (data) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff Xenos64.exe Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags Xenos64.exe Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 Xenos64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64 Xenos64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\ = "Xenos 64-bit injection profile" Xenos64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Edit Xenos64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Run Xenos64.exe Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU Xenos64.exe Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 Xenos64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell Xenos64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\ = "Run" Xenos64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Edit\command Xenos64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Run\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Xenos64.exe --run %1" Xenos64.exe Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0" Xenos64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xpr64\ = "XenosProfile64" Xenos64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Xenos64.exe,-135" Xenos64.exe Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_Classes\Local Settings Xenos64.exe Set value (data) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000 Xenos64.exe Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg Xenos64.exe Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}" Xenos64.exe Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 Xenos64.exe Set value (data) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff Xenos64.exe Set value (data) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 Xenos64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Run\command Xenos64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\DefaultIcon Xenos64.exe Set value (data) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000 Xenos64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.xpr64 Xenos64.exe Set value (data) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff Xenos64.exe Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}" Xenos64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xpr64\Content Type = "Application/xml" Xenos64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Edit\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Xenos64.exe --load %1" Xenos64.exe Set value (data) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff Xenos64.exe Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" Xenos64.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
svchost.exepid process 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe 1708 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Xenos64.exepid process 1964 Xenos64.exe -
Suspicious use of AdjustPrivilegeToken 34 IoCs
Processes:
Xenos64.exesvchost.exesvhost.exedescription pid process Token: SeDebugPrivilege 1964 Xenos64.exe Token: SeLoadDriverPrivilege 1964 Xenos64.exe Token: SeDebugPrivilege 1708 svchost.exe Token: SeDebugPrivilege 552 svhost.exe Token: 33 552 svhost.exe Token: SeIncBasePriorityPrivilege 552 svhost.exe Token: 33 552 svhost.exe Token: SeIncBasePriorityPrivilege 552 svhost.exe Token: 33 552 svhost.exe Token: SeIncBasePriorityPrivilege 552 svhost.exe Token: 33 552 svhost.exe Token: SeIncBasePriorityPrivilege 552 svhost.exe Token: 33 552 svhost.exe Token: SeIncBasePriorityPrivilege 552 svhost.exe Token: 33 552 svhost.exe Token: SeIncBasePriorityPrivilege 552 svhost.exe Token: 33 552 svhost.exe Token: SeIncBasePriorityPrivilege 552 svhost.exe Token: 33 552 svhost.exe Token: SeIncBasePriorityPrivilege 552 svhost.exe Token: 33 552 svhost.exe Token: SeIncBasePriorityPrivilege 552 svhost.exe Token: 33 552 svhost.exe Token: SeIncBasePriorityPrivilege 552 svhost.exe Token: 33 552 svhost.exe Token: SeIncBasePriorityPrivilege 552 svhost.exe Token: 33 552 svhost.exe Token: SeIncBasePriorityPrivilege 552 svhost.exe Token: 33 552 svhost.exe Token: SeIncBasePriorityPrivilege 552 svhost.exe Token: 33 552 svhost.exe Token: SeIncBasePriorityPrivilege 552 svhost.exe Token: 33 552 svhost.exe Token: SeIncBasePriorityPrivilege 552 svhost.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
svchost.exesvhost.exeXenos64.exepid process 1708 svchost.exe 552 svhost.exe 1964 Xenos64.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
Xenos64.exesvchost.exesvhost.exedescription pid process target process PID 1992 wrote to memory of 1964 1992 Xenos64.exe Xenos64.exe PID 1992 wrote to memory of 1964 1992 Xenos64.exe Xenos64.exe PID 1992 wrote to memory of 1964 1992 Xenos64.exe Xenos64.exe PID 1992 wrote to memory of 1708 1992 Xenos64.exe svchost.exe PID 1992 wrote to memory of 1708 1992 Xenos64.exe svchost.exe PID 1992 wrote to memory of 1708 1992 Xenos64.exe svchost.exe PID 1992 wrote to memory of 1708 1992 Xenos64.exe svchost.exe PID 1708 wrote to memory of 552 1708 svchost.exe svhost.exe PID 1708 wrote to memory of 552 1708 svchost.exe svhost.exe PID 1708 wrote to memory of 552 1708 svchost.exe svhost.exe PID 1708 wrote to memory of 552 1708 svchost.exe svhost.exe PID 552 wrote to memory of 1604 552 svhost.exe netsh.exe PID 552 wrote to memory of 1604 552 svhost.exe netsh.exe PID 552 wrote to memory of 1604 552 svhost.exe netsh.exe PID 552 wrote to memory of 1604 552 svhost.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Xenos\Xenos64.exe"C:\Users\Admin\AppData\Local\Temp\Xenos\Xenos64.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Users\Admin\AppData\Local\Temp\Xenos64.exe"C:\Users\Admin\AppData\Local\Temp\Xenos64.exe"2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1964 -
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Users\Admin\AppData\Local\Temp\svhost.exe"C:\Users\Admin\AppData\Local\Temp\svhost.exe"3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svhost.exe" "svhost.exe" ENABLE4⤵PID:1604
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Xenos64.exeMD5
6f0dd4150efddfc20b70401479964211
SHA1e97c802a8013b13fb91a831b779ade7c3ca6870b
SHA2560e6d59fcdf8f143e23b076cc8380d6d23324839ae4f91793133b600e7eb76eb9
SHA512d8e823876507cd10b8c176e502c99bb80d52742eaa7c0e319b2a5c1f605de962505bf09950418a461fde427db34a59dbb67cbb4a6045f44d243c77945aebd0fb
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeMD5
ed0b19f0b25d20c2ca2d7ddd9b51fafb
SHA19cc4d137b50d2653782bd6e4793452ac393e0fa3
SHA25687429a3c6557a11a1e83398d65f54e1fe12945ed3df86d67762bb0e29ad492fb
SHA512561ec87adec4833b29bb6d8061125656a9db4c0371f66f608deb75806525d01a987b1a42c1c43f3f3d1eebc88ebc684fd6189008ee5f4d1edd7cd07fe092ed0f
-
C:\Users\Admin\AppData\Local\Temp\svhost.exeMD5
ed0b19f0b25d20c2ca2d7ddd9b51fafb
SHA19cc4d137b50d2653782bd6e4793452ac393e0fa3
SHA25687429a3c6557a11a1e83398d65f54e1fe12945ed3df86d67762bb0e29ad492fb
SHA512561ec87adec4833b29bb6d8061125656a9db4c0371f66f608deb75806525d01a987b1a42c1c43f3f3d1eebc88ebc684fd6189008ee5f4d1edd7cd07fe092ed0f
-
\??\c:\users\admin\appdata\local\temp\svchost.exeMD5
ed0b19f0b25d20c2ca2d7ddd9b51fafb
SHA19cc4d137b50d2653782bd6e4793452ac393e0fa3
SHA25687429a3c6557a11a1e83398d65f54e1fe12945ed3df86d67762bb0e29ad492fb
SHA512561ec87adec4833b29bb6d8061125656a9db4c0371f66f608deb75806525d01a987b1a42c1c43f3f3d1eebc88ebc684fd6189008ee5f4d1edd7cd07fe092ed0f
-
\??\c:\users\admin\appdata\local\temp\svhost.exeMD5
ed0b19f0b25d20c2ca2d7ddd9b51fafb
SHA19cc4d137b50d2653782bd6e4793452ac393e0fa3
SHA25687429a3c6557a11a1e83398d65f54e1fe12945ed3df86d67762bb0e29ad492fb
SHA512561ec87adec4833b29bb6d8061125656a9db4c0371f66f608deb75806525d01a987b1a42c1c43f3f3d1eebc88ebc684fd6189008ee5f4d1edd7cd07fe092ed0f
-
\Users\Admin\AppData\Local\Temp\Xenos64.exeMD5
6f0dd4150efddfc20b70401479964211
SHA1e97c802a8013b13fb91a831b779ade7c3ca6870b
SHA2560e6d59fcdf8f143e23b076cc8380d6d23324839ae4f91793133b600e7eb76eb9
SHA512d8e823876507cd10b8c176e502c99bb80d52742eaa7c0e319b2a5c1f605de962505bf09950418a461fde427db34a59dbb67cbb4a6045f44d243c77945aebd0fb
-
\Users\Admin\AppData\Local\Temp\Xenos64.exeMD5
6f0dd4150efddfc20b70401479964211
SHA1e97c802a8013b13fb91a831b779ade7c3ca6870b
SHA2560e6d59fcdf8f143e23b076cc8380d6d23324839ae4f91793133b600e7eb76eb9
SHA512d8e823876507cd10b8c176e502c99bb80d52742eaa7c0e319b2a5c1f605de962505bf09950418a461fde427db34a59dbb67cbb4a6045f44d243c77945aebd0fb
-
\Users\Admin\AppData\Local\Temp\svhost.exeMD5
ed0b19f0b25d20c2ca2d7ddd9b51fafb
SHA19cc4d137b50d2653782bd6e4793452ac393e0fa3
SHA25687429a3c6557a11a1e83398d65f54e1fe12945ed3df86d67762bb0e29ad492fb
SHA512561ec87adec4833b29bb6d8061125656a9db4c0371f66f608deb75806525d01a987b1a42c1c43f3f3d1eebc88ebc684fd6189008ee5f4d1edd7cd07fe092ed0f
-
memory/552-77-0x0000000003070000-0x0000000003071000-memory.dmpFilesize
4KB
-
memory/552-73-0x0000000000000000-mapping.dmp
-
memory/1604-78-0x0000000000000000-mapping.dmp
-
memory/1708-68-0x0000000075B31000-0x0000000075B33000-memory.dmpFilesize
8KB
-
memory/1708-71-0x0000000000790000-0x0000000000791000-memory.dmpFilesize
4KB
-
memory/1708-66-0x0000000000000000-mapping.dmp
-
memory/1964-64-0x000007FEFC391000-0x000007FEFC393000-memory.dmpFilesize
8KB
-
memory/1964-62-0x0000000000000000-mapping.dmp
-
memory/1964-80-0x0000000003E80000-0x0000000003E81000-memory.dmpFilesize
4KB
-
memory/1992-59-0x00000000011C0000-0x00000000011C1000-memory.dmpFilesize
4KB
-
memory/1992-65-0x000000001B200000-0x000000001B202000-memory.dmpFilesize
8KB