Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
17-04-2021 12:32
Static task
static1
Behavioral task
behavioral1
Sample
Xenos/Xenos.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
Xenos/Xenos.exe
Resource
win10v20210410
Behavioral task
behavioral3
Sample
Xenos/Xenos64.exe
Resource
win7v20210408
Behavioral task
behavioral4
Sample
Xenos/Xenos64.exe
Resource
win10v20210410
General
-
Target
Xenos/Xenos64.exe
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
Xenos64.exesvchost.exesvhost.exepid process 1424 Xenos64.exe 1744 svchost.exe 3948 svhost.exe -
Modifies Windows Firewall 1 TTPs
-
Drops startup file 2 IoCs
Processes:
svhost.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\28c0300760120ee25fe352fae1eb167a.exe svhost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\28c0300760120ee25fe352fae1eb167a.exe svhost.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
svhost.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\28c0300760120ee25fe352fae1eb167a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost.exe\" .." svhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\28c0300760120ee25fe352fae1eb167a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost.exe\" .." svhost.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs
Processes:
svchost.exesvhost.exepid process 1744 svchost.exe 3948 svhost.exe 3948 svhost.exe 3948 svhost.exe 3948 svhost.exe 3948 svhost.exe 3948 svhost.exe 3948 svhost.exe 3948 svhost.exe 3948 svhost.exe 3948 svhost.exe 3948 svhost.exe 3948 svhost.exe 3948 svhost.exe 3948 svhost.exe 3948 svhost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 64 IoCs
Processes:
Xenos64.exeOpenWith.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Run Xenos64.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" Xenos64.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 Xenos64.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance Xenos64.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 Xenos64.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" Xenos64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Edit Xenos64.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 Xenos64.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff Xenos64.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e80922b16d365937a46956b92703aca08af0000 Xenos64.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" Xenos64.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\0\MRUListEx = ffffffff Xenos64.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" Xenos64.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" Xenos64.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 Xenos64.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = 00000000ffffffff Xenos64.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\MRUListEx = 00000000ffffffff Xenos64.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0 = 4e0031000000000091529963100054656d7000003a0009000400efbe8a524038915299632e0000003f53010000000100000000000000000000000000000037b02f00540065006d007000000014000000 Xenos64.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic" Xenos64.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" Xenos64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64 Xenos64.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell Xenos64.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags Xenos64.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" Xenos64.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" Xenos64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\ = "Run" Xenos64.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 Xenos64.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff Xenos64.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff Xenos64.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 78003100000000008a5240381100557365727300640009000400efbe724a0b5d8a5240382e000000320500000000010000000000000000003a000000000047a8360055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 Xenos64.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0 Xenos64.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\MRUListEx = 00000000ffffffff Xenos64.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg Xenos64.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" Xenos64.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" Xenos64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\DefaultIcon Xenos64.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" Xenos64.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" Xenos64.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\1\MRUListEx = ffffffff Xenos64.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 Xenos64.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 Xenos64.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Documents" Xenos64.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 = 50003100000000008a52513c100041646d696e003c0009000400efbe8a5240388a52513c2e000000205301000000010000000000000000000000000000002d4ad100410064006d0069006e00000014000000 Xenos64.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell Xenos64.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} Xenos64.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell Xenos64.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\MRUListEx = 00000000ffffffff Xenos64.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\MRUListEx = 0100000000000000ffffffff Xenos64.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 Xenos64.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff Xenos64.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" Xenos64.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic" Xenos64.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" Xenos64.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings Xenos64.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff Xenos64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.xpr64 Xenos64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Xenos64.exe,-135" Xenos64.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0 Xenos64.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic" Xenos64.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 Xenos64.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" Xenos64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Run\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Xenos64.exe --run %1" Xenos64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xpr64\Content Type = "Application/xml" Xenos64.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 1248 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
svchost.exepid process 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe 1744 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
Xenos64.exeOpenWith.exepid process 1424 Xenos64.exe 1160 OpenWith.exe -
Suspicious use of AdjustPrivilegeToken 36 IoCs
Processes:
Xenos64.exesvchost.exesvhost.exedescription pid process Token: SeDebugPrivilege 1424 Xenos64.exe Token: SeLoadDriverPrivilege 1424 Xenos64.exe Token: SeDebugPrivilege 1744 svchost.exe Token: SeDebugPrivilege 3948 svhost.exe Token: 33 3948 svhost.exe Token: SeIncBasePriorityPrivilege 3948 svhost.exe Token: 33 3948 svhost.exe Token: SeIncBasePriorityPrivilege 3948 svhost.exe Token: 33 3948 svhost.exe Token: SeIncBasePriorityPrivilege 3948 svhost.exe Token: 33 3948 svhost.exe Token: SeIncBasePriorityPrivilege 3948 svhost.exe Token: 33 3948 svhost.exe Token: SeIncBasePriorityPrivilege 3948 svhost.exe Token: 33 3948 svhost.exe Token: SeIncBasePriorityPrivilege 3948 svhost.exe Token: 33 3948 svhost.exe Token: SeIncBasePriorityPrivilege 3948 svhost.exe Token: 33 3948 svhost.exe Token: SeIncBasePriorityPrivilege 3948 svhost.exe Token: 33 3948 svhost.exe Token: SeIncBasePriorityPrivilege 3948 svhost.exe Token: 33 3948 svhost.exe Token: SeIncBasePriorityPrivilege 3948 svhost.exe Token: 33 3948 svhost.exe Token: SeIncBasePriorityPrivilege 3948 svhost.exe Token: 33 3948 svhost.exe Token: SeIncBasePriorityPrivilege 3948 svhost.exe Token: 33 3948 svhost.exe Token: SeIncBasePriorityPrivilege 3948 svhost.exe Token: 33 3948 svhost.exe Token: SeIncBasePriorityPrivilege 3948 svhost.exe Token: 33 3948 svhost.exe Token: SeIncBasePriorityPrivilege 3948 svhost.exe Token: 33 3948 svhost.exe Token: SeIncBasePriorityPrivilege 3948 svhost.exe -
Suspicious use of SetWindowsHookEx 29 IoCs
Processes:
svchost.exesvhost.exeXenos64.exeOpenWith.exepid process 1744 svchost.exe 3948 svhost.exe 1424 Xenos64.exe 1424 Xenos64.exe 1424 Xenos64.exe 1424 Xenos64.exe 1424 Xenos64.exe 1424 Xenos64.exe 1160 OpenWith.exe 1160 OpenWith.exe 1160 OpenWith.exe 1160 OpenWith.exe 1160 OpenWith.exe 1160 OpenWith.exe 1160 OpenWith.exe 1160 OpenWith.exe 1160 OpenWith.exe 1160 OpenWith.exe 1160 OpenWith.exe 1160 OpenWith.exe 1160 OpenWith.exe 1160 OpenWith.exe 1160 OpenWith.exe 1160 OpenWith.exe 1160 OpenWith.exe 1160 OpenWith.exe 1160 OpenWith.exe 1160 OpenWith.exe 1160 OpenWith.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
Xenos64.exesvchost.exesvhost.exeOpenWith.exedescription pid process target process PID 2016 wrote to memory of 1424 2016 Xenos64.exe Xenos64.exe PID 2016 wrote to memory of 1424 2016 Xenos64.exe Xenos64.exe PID 2016 wrote to memory of 1744 2016 Xenos64.exe svchost.exe PID 2016 wrote to memory of 1744 2016 Xenos64.exe svchost.exe PID 2016 wrote to memory of 1744 2016 Xenos64.exe svchost.exe PID 1744 wrote to memory of 3948 1744 svchost.exe svhost.exe PID 1744 wrote to memory of 3948 1744 svchost.exe svhost.exe PID 1744 wrote to memory of 3948 1744 svchost.exe svhost.exe PID 3948 wrote to memory of 2136 3948 svhost.exe netsh.exe PID 3948 wrote to memory of 2136 3948 svhost.exe netsh.exe PID 3948 wrote to memory of 2136 3948 svhost.exe netsh.exe PID 1160 wrote to memory of 1248 1160 OpenWith.exe NOTEPAD.EXE PID 1160 wrote to memory of 1248 1160 OpenWith.exe NOTEPAD.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\Xenos\Xenos64.exe"C:\Users\Admin\AppData\Local\Temp\Xenos\Xenos64.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Users\Admin\AppData\Local\Temp\Xenos64.exe"C:\Users\Admin\AppData\Local\Temp\Xenos64.exe"2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1424 -
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Users\Admin\AppData\Local\Temp\svhost.exe"C:\Users\Admin\AppData\Local\Temp\svhost.exe"3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svhost.exe" "svhost.exe" ENABLE4⤵PID:2136
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:932
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\920832307\payload.dat2⤵
- Opens file in notepad (likely ransom note)
PID:1248
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Xenos64.exeMD5
6f0dd4150efddfc20b70401479964211
SHA1e97c802a8013b13fb91a831b779ade7c3ca6870b
SHA2560e6d59fcdf8f143e23b076cc8380d6d23324839ae4f91793133b600e7eb76eb9
SHA512d8e823876507cd10b8c176e502c99bb80d52742eaa7c0e319b2a5c1f605de962505bf09950418a461fde427db34a59dbb67cbb4a6045f44d243c77945aebd0fb
-
C:\Users\Admin\AppData\Local\Temp\Xenos64.exeMD5
6f0dd4150efddfc20b70401479964211
SHA1e97c802a8013b13fb91a831b779ade7c3ca6870b
SHA2560e6d59fcdf8f143e23b076cc8380d6d23324839ae4f91793133b600e7eb76eb9
SHA512d8e823876507cd10b8c176e502c99bb80d52742eaa7c0e319b2a5c1f605de962505bf09950418a461fde427db34a59dbb67cbb4a6045f44d243c77945aebd0fb
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeMD5
ed0b19f0b25d20c2ca2d7ddd9b51fafb
SHA19cc4d137b50d2653782bd6e4793452ac393e0fa3
SHA25687429a3c6557a11a1e83398d65f54e1fe12945ed3df86d67762bb0e29ad492fb
SHA512561ec87adec4833b29bb6d8061125656a9db4c0371f66f608deb75806525d01a987b1a42c1c43f3f3d1eebc88ebc684fd6189008ee5f4d1edd7cd07fe092ed0f
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeMD5
ed0b19f0b25d20c2ca2d7ddd9b51fafb
SHA19cc4d137b50d2653782bd6e4793452ac393e0fa3
SHA25687429a3c6557a11a1e83398d65f54e1fe12945ed3df86d67762bb0e29ad492fb
SHA512561ec87adec4833b29bb6d8061125656a9db4c0371f66f608deb75806525d01a987b1a42c1c43f3f3d1eebc88ebc684fd6189008ee5f4d1edd7cd07fe092ed0f
-
C:\Users\Admin\AppData\Local\Temp\svhost.exeMD5
ed0b19f0b25d20c2ca2d7ddd9b51fafb
SHA19cc4d137b50d2653782bd6e4793452ac393e0fa3
SHA25687429a3c6557a11a1e83398d65f54e1fe12945ed3df86d67762bb0e29ad492fb
SHA512561ec87adec4833b29bb6d8061125656a9db4c0371f66f608deb75806525d01a987b1a42c1c43f3f3d1eebc88ebc684fd6189008ee5f4d1edd7cd07fe092ed0f
-
C:\Users\Admin\AppData\Local\Temp\svhost.exeMD5
ed0b19f0b25d20c2ca2d7ddd9b51fafb
SHA19cc4d137b50d2653782bd6e4793452ac393e0fa3
SHA25687429a3c6557a11a1e83398d65f54e1fe12945ed3df86d67762bb0e29ad492fb
SHA512561ec87adec4833b29bb6d8061125656a9db4c0371f66f608deb75806525d01a987b1a42c1c43f3f3d1eebc88ebc684fd6189008ee5f4d1edd7cd07fe092ed0f
-
memory/1248-129-0x0000000000000000-mapping.dmp
-
memory/1424-116-0x0000000000000000-mapping.dmp
-
memory/1744-119-0x0000000000000000-mapping.dmp
-
memory/1744-123-0x0000000004101000-0x0000000004102000-memory.dmpFilesize
4KB
-
memory/2016-120-0x0000000000AF0000-0x0000000000AF2000-memory.dmpFilesize
8KB
-
memory/2016-114-0x0000000000130000-0x0000000000131000-memory.dmpFilesize
4KB
-
memory/2136-128-0x0000000000000000-mapping.dmp
-
memory/3948-124-0x0000000000000000-mapping.dmp
-
memory/3948-127-0x0000000003C60000-0x0000000003C61000-memory.dmpFilesize
4KB