njrat | 6ae78f6d033a71828e1c27fbc946eb2e54bbb1bbaf54f541bcb89b4923d4baf8

General

Target

Xenos/Xenos64.exe

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

Xenos64.exesvchost.exesvhost.exe

pid process

1424 Xenos64.exe
1744 svchost.exe
3948 svhost.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
1424	Xenos64.exe
1744	svchost.exe
3948	svhost.exe

Drops startup file 2 IoCs

Processes:

svhost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\28c0300760120ee25fe352fae1eb167a.exe	svhost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\28c0300760120ee25fe352fae1eb167a.exe	svhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\28c0300760120ee25fe352fae1eb167a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost.exe\" .."	svhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\28c0300760120ee25fe352fae1eb167a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost.exe\" .."	svhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

Processes:

svchost.exesvhost.exe

pid	process
1744	svchost.exe
3948	svhost.exe
3948	svhost.exe
3948	svhost.exe
3948	svhost.exe
3948	svhost.exe
3948	svhost.exe
3948	svhost.exe
3948	svhost.exe
3948	svhost.exe
3948	svhost.exe
3948	svhost.exe
3948	svhost.exe
3948	svhost.exe
3948	svhost.exe
3948	svhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

Xenos64.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Run	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Xenos64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	Xenos64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Edit	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e80922b16d365937a46956b92703aca08af0000	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\0\MRUListEx = ffffffff	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = 00000000ffffffff	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\MRUListEx = 00000000ffffffff	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0 = 4e0031000000000091529963100054656d7000003a0009000400efbe8a524038915299632e0000003f53010000000100000000000000000000000000000037b02f00540065006d007000000014000000	Xenos64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Xenos64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Xenos64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\ = "Run"	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 78003100000000008a5240381100557365727300640009000400efbe724a0b5d8a5240382e000000320500000000010000000000000000003a000000000047a8360055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\MRUListEx = 00000000ffffffff	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Xenos64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\DefaultIcon	Xenos64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	Xenos64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\1\MRUListEx = ffffffff	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Xenos64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Documents"	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 = 50003100000000008a52513c100041646d696e003c0009000400efbe8a5240388a52513c2e000000205301000000010000000000000000000000000000002d4ad100410064006d0069006e00000014000000	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\MRUListEx = 00000000ffffffff	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\MRUListEx = 0100000000000000ffffffff	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Xenos64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff	Xenos64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xpr64	Xenos64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Xenos64.exe,-135"	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0	Xenos64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Xenos64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Run\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Xenos64.exe --run %1"	Xenos64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xpr64\Content Type = "Application/xml"	Xenos64.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1248 NOTEPAD.EXE

pid	process
1248	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exe

pid	process
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe
1744	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

Xenos64.exeOpenWith.exe

pid process

1424 Xenos64.exe
1160 OpenWith.exe

pid	process
1424	Xenos64.exe
1160	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

Xenos64.exesvchost.exesvhost.exe

description	pid	process
Token: SeDebugPrivilege	1424	Xenos64.exe
Token: SeLoadDriverPrivilege	1424	Xenos64.exe
Token: SeDebugPrivilege	1744	svchost.exe
Token: SeDebugPrivilege	3948	svhost.exe
Token: 33	3948	svhost.exe
Token: SeIncBasePriorityPrivilege	3948	svhost.exe
Token: 33	3948	svhost.exe
Token: SeIncBasePriorityPrivilege	3948	svhost.exe
Token: 33	3948	svhost.exe
Token: SeIncBasePriorityPrivilege	3948	svhost.exe
Token: 33	3948	svhost.exe
Token: SeIncBasePriorityPrivilege	3948	svhost.exe
Token: 33	3948	svhost.exe
Token: SeIncBasePriorityPrivilege	3948	svhost.exe
Token: 33	3948	svhost.exe
Token: SeIncBasePriorityPrivilege	3948	svhost.exe
Token: 33	3948	svhost.exe
Token: SeIncBasePriorityPrivilege	3948	svhost.exe
Token: 33	3948	svhost.exe
Token: SeIncBasePriorityPrivilege	3948	svhost.exe
Token: 33	3948	svhost.exe
Token: SeIncBasePriorityPrivilege	3948	svhost.exe
Token: 33	3948	svhost.exe
Token: SeIncBasePriorityPrivilege	3948	svhost.exe
Token: 33	3948	svhost.exe
Token: SeIncBasePriorityPrivilege	3948	svhost.exe
Token: 33	3948	svhost.exe
Token: SeIncBasePriorityPrivilege	3948	svhost.exe
Token: 33	3948	svhost.exe
Token: SeIncBasePriorityPrivilege	3948	svhost.exe
Token: 33	3948	svhost.exe
Token: SeIncBasePriorityPrivilege	3948	svhost.exe
Token: 33	3948	svhost.exe
Token: SeIncBasePriorityPrivilege	3948	svhost.exe
Token: 33	3948	svhost.exe
Token: SeIncBasePriorityPrivilege	3948	svhost.exe

Suspicious use of SetWindowsHookEx 29 IoCs

Processes:

svchost.exesvhost.exeXenos64.exeOpenWith.exe

pid	process
1744	svchost.exe
3948	svhost.exe
1424	Xenos64.exe
1424	Xenos64.exe
1424	Xenos64.exe
1424	Xenos64.exe
1424	Xenos64.exe
1424	Xenos64.exe
1160	OpenWith.exe
1160	OpenWith.exe
1160	OpenWith.exe
1160	OpenWith.exe
1160	OpenWith.exe
1160	OpenWith.exe
1160	OpenWith.exe
1160	OpenWith.exe
1160	OpenWith.exe
1160	OpenWith.exe
1160	OpenWith.exe
1160	OpenWith.exe
1160	OpenWith.exe
1160	OpenWith.exe
1160	OpenWith.exe
1160	OpenWith.exe
1160	OpenWith.exe
1160	OpenWith.exe
1160	OpenWith.exe
1160	OpenWith.exe
1160	OpenWith.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Xenos64.exesvchost.exesvhost.exeOpenWith.exe

description	pid	process	target process
PID 2016 wrote to memory of 1424	2016	Xenos64.exe	Xenos64.exe
PID 2016 wrote to memory of 1424	2016	Xenos64.exe	Xenos64.exe
PID 2016 wrote to memory of 1744	2016	Xenos64.exe	svchost.exe
PID 2016 wrote to memory of 1744	2016	Xenos64.exe	svchost.exe
PID 2016 wrote to memory of 1744	2016	Xenos64.exe	svchost.exe
PID 1744 wrote to memory of 3948	1744	svchost.exe	svhost.exe
PID 1744 wrote to memory of 3948	1744	svchost.exe	svhost.exe
PID 1744 wrote to memory of 3948	1744	svchost.exe	svhost.exe
PID 3948 wrote to memory of 2136	3948	svhost.exe	netsh.exe
PID 3948 wrote to memory of 2136	3948	svhost.exe	netsh.exe
PID 3948 wrote to memory of 2136	3948	svhost.exe	netsh.exe
PID 1160 wrote to memory of 1248	1160	OpenWith.exe	NOTEPAD.EXE
PID 1160 wrote to memory of 1248	1160	OpenWith.exe	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\Xenos\Xenos64.exe
"C:\Users\Admin\AppData\Local\Temp\Xenos\Xenos64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\Xenos64.exe
"C:\Users\Admin\AppData\Local\Temp\Xenos64.exe"
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1424

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1744

C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svhost.exe" "svhost.exe" ENABLE
4⤵
PID:2136

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:932

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\920832307\payload.dat
2⤵
- Opens file in notepad (likely ransom note)
PID:1248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Xenos64.exe
MD5
6f0dd4150efddfc20b70401479964211

SHA1
e97c802a8013b13fb91a831b779ade7c3ca6870b

SHA256
0e6d59fcdf8f143e23b076cc8380d6d23324839ae4f91793133b600e7eb76eb9

SHA512
d8e823876507cd10b8c176e502c99bb80d52742eaa7c0e319b2a5c1f605de962505bf09950418a461fde427db34a59dbb67cbb4a6045f44d243c77945aebd0fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xenos64.exe
MD5
6f0dd4150efddfc20b70401479964211

SHA1
e97c802a8013b13fb91a831b779ade7c3ca6870b

SHA256
0e6d59fcdf8f143e23b076cc8380d6d23324839ae4f91793133b600e7eb76eb9

SHA512
d8e823876507cd10b8c176e502c99bb80d52742eaa7c0e319b2a5c1f605de962505bf09950418a461fde427db34a59dbb67cbb4a6045f44d243c77945aebd0fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
ed0b19f0b25d20c2ca2d7ddd9b51fafb

SHA1
9cc4d137b50d2653782bd6e4793452ac393e0fa3

SHA256
87429a3c6557a11a1e83398d65f54e1fe12945ed3df86d67762bb0e29ad492fb

SHA512
561ec87adec4833b29bb6d8061125656a9db4c0371f66f608deb75806525d01a987b1a42c1c43f3f3d1eebc88ebc684fd6189008ee5f4d1edd7cd07fe092ed0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
ed0b19f0b25d20c2ca2d7ddd9b51fafb

SHA1
9cc4d137b50d2653782bd6e4793452ac393e0fa3

SHA256
87429a3c6557a11a1e83398d65f54e1fe12945ed3df86d67762bb0e29ad492fb

SHA512
561ec87adec4833b29bb6d8061125656a9db4c0371f66f608deb75806525d01a987b1a42c1c43f3f3d1eebc88ebc684fd6189008ee5f4d1edd7cd07fe092ed0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
MD5
ed0b19f0b25d20c2ca2d7ddd9b51fafb

SHA1
9cc4d137b50d2653782bd6e4793452ac393e0fa3

SHA256
87429a3c6557a11a1e83398d65f54e1fe12945ed3df86d67762bb0e29ad492fb

SHA512
561ec87adec4833b29bb6d8061125656a9db4c0371f66f608deb75806525d01a987b1a42c1c43f3f3d1eebc88ebc684fd6189008ee5f4d1edd7cd07fe092ed0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe
MD5
ed0b19f0b25d20c2ca2d7ddd9b51fafb

SHA1
9cc4d137b50d2653782bd6e4793452ac393e0fa3

SHA256
87429a3c6557a11a1e83398d65f54e1fe12945ed3df86d67762bb0e29ad492fb

SHA512
561ec87adec4833b29bb6d8061125656a9db4c0371f66f608deb75806525d01a987b1a42c1c43f3f3d1eebc88ebc684fd6189008ee5f4d1edd7cd07fe092ed0f

Download Submit
memory/1248-129-0x0000000000000000-mapping.dmp

Download
memory/1424-116-0x0000000000000000-mapping.dmp

Download
memory/1744-119-0x0000000000000000-mapping.dmp

Download
memory/1744-123-0x0000000004101000-0x0000000004102000-memory.dmp

Filesize
4KB

Download
memory/2016-120-0x0000000000AF0000-0x0000000000AF2000-memory.dmp

Filesize
8KB

Download
memory/2016-114-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2136-128-0x0000000000000000-mapping.dmp

Download
memory/3948-124-0x0000000000000000-mapping.dmp

Download
memory/3948-127-0x0000000003C60000-0x0000000003C61000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads