e43f4232dc9fe94ebf0a6832deaeaaaa1ce57275505ac927f0987e5fbf5b9d3e

General

Target

fac2b832bf5760029b85f50ce606ec0f.exe
Size

1.9MB
MD5

fac2b832bf5760029b85f50ce606ec0f
SHA1

6b6dc9e35c8ea4062c6938bce9822be61ccd453f
SHA256

e43f4232dc9fe94ebf0a6832deaeaaaa1ce57275505ac927f0987e5fbf5b9d3e
SHA512

66f86f5a4e980d4fb22bc4dbc820a6393892ecb703d79e8b4ec875df89f2a278c45bf3b992f0703b617aedba9ca011258496d41946822cb6f3de3b2c29169c40
SSDEEP

49152:A60RDKhYJi03xASIT1c2JahWwcAsyRTHOR8hDWBABn0L5:A9RDfJLhASITi2IDsyM+hYG09

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2064	XenonPortable_1.5.0.1.paf.exe

Loads dropped DLL 6 IoCs

pid	Process
1852	fac2b832bf5760029b85f50ce606ec0f.exe
2064	XenonPortable_1.5.0.1.paf.exe
2064	XenonPortable_1.5.0.1.paf.exe
2064	XenonPortable_1.5.0.1.paf.exe
2064	XenonPortable_1.5.0.1.paf.exe
2064	XenonPortable_1.5.0.1.paf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fac2b832bf5760029b85f50ce606ec0f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000c00000001225b-4.dat	nsis_installer_1
behavioral1/files/0x000c00000001225b-4.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2064	XenonPortable_1.5.0.1.paf.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 2064	1852	fac2b832bf5760029b85f50ce606ec0f.exe	28
PID 1852 wrote to memory of 2064	1852	fac2b832bf5760029b85f50ce606ec0f.exe	28
PID 1852 wrote to memory of 2064	1852	fac2b832bf5760029b85f50ce606ec0f.exe	28
PID 1852 wrote to memory of 2064	1852	fac2b832bf5760029b85f50ce606ec0f.exe	28
PID 1852 wrote to memory of 2064	1852	fac2b832bf5760029b85f50ce606ec0f.exe	28
PID 1852 wrote to memory of 2064	1852	fac2b832bf5760029b85f50ce606ec0f.exe	28
PID 1852 wrote to memory of 2064	1852	fac2b832bf5760029b85f50ce606ec0f.exe	28

C:\Users\Admin\AppData\Local\Temp\fac2b832bf5760029b85f50ce606ec0f.exe
"C:\Users\Admin\AppData\Local\Temp\fac2b832bf5760029b85f50ce606ec0f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XenonPortable_1.5.0.1.paf.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XenonPortable_1.5.0.1.paf.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nst48D5.tmp\ioSpecial.ini

Filesize
629B

MD5
7218532107f49f6f9c6001b09fc93231

SHA1
d6e1c9ee7c5dacac795fd0a7f481d5483f2d7b30

SHA256
25e251a94e2843532c03b2afd2b6a524ddcf72a5977f05b22847851e5431093a

SHA512
d78876c7a94ce3937a078521285ab84475f1fb1c2d868cbe1599b3aade74fd61475803250a57c0f844a754ad36a3dedf036a1774b94025b99682dee661f356f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst48D5.tmp\ioSpecial.ini

Filesize
668B

MD5
e2ae5a4ca1e876fd469c1698f0047636

SHA1
212dc80890e894661af7ec32c984161359bf4fa6

SHA256
2681679e2b4d463e44deb3a804646ea222e667e6a4ec654ce38b3435709d9a83

SHA512
162dd917af3bac15124cb308c7723fe8b7becb7bdedd109bc2cdb601394cbadcfcae81a27520767a9bec9fcd909ef42c610667750a8d8c9925c1463d104a8d96

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\XenonPortable_1.5.0.1.paf.exe

Filesize
1.9MB

MD5
f0616e00157533ef81c14a3cfcfaa272

SHA1
0bc0d0ada912f653d0d7caa7f08167daf7107950

SHA256
31a843353ca0c3f687d8dda69995c36ad9608a95a2e496ab6e8cedd932e7b3b0

SHA512
134dcd072e387714a0f0cbe0f7a9231d2e9b287ec5d3526262dade8d83172df99327ede60729e4ec853d1f970ccf2ccb43fff8f59858bef0a43b5329c09d1935

Download Submit
\Users\Admin\AppData\Local\Temp\nst48D5.tmp\InstallOptions.dll

Filesize
14KB

MD5
0dc0cc7a6d9db685bf05a7e5f3ea4781

SHA1
5d8b6268eeec9d8d904bc9d988a4b588b392213f

SHA256
8e287326f1cdd5ef2dcd7a72537c68cbe4299ceb1f820707c5820f3aa6d8206c

SHA512
814dd17ebb434f4a3356f716c783ab7f569f9ee34ce5274fa50392526925f044798f8006198ac7afe3d1c2ca83a2ca8c472ca53fec5f12bbfbbe0707abacd6b0

Download Submit
\Users\Admin\AppData\Local\Temp\nst48D5.tmp\LangDLL.dll

Filesize
5KB

MD5
a401e590877ef6c928d2a97c66157094

SHA1
75e24799cf67e789fadcc8b7fddefc72fdc4cd61

SHA256
2a7f33ef64d666a42827c4dc377806ad97bc233819197adf9696aed5be5efac0

SHA512
6093415cd090e69cdcb52b5d381d0a8b3e9e5479dac96be641e0071f1add26403b27a453febd8ccfd16393dc1caa03404a369c768a580781aba3068415ee993f

Download Submit
\Users\Admin\AppData\Local\Temp\nst48D5.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads