Malware Analysis Report

2024-10-19 07:53

Sample ID 240315-14n9eaea94
Target DLLRestoration_V2.exe
SHA256 58286c66f3f0a8333f52c72eeddca15a7622ba072aee9b9957e5ba6214ecdf02
Tags
xenorat rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

58286c66f3f0a8333f52c72eeddca15a7622ba072aee9b9957e5ba6214ecdf02

Threat Level: Known bad

The file DLLRestoration_V2.exe was found to be: Known bad.

Malicious Activity Summary

xenorat rat trojan

Xenorat family

XenorRat

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-15 22:12

Signatures

Xenorat family

xenorat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-15 22:12

Reported

2024-03-15 22:15

Platform

win7-20240221-en

Max time kernel

132s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DLLRestoration_V2.exe"

Signatures

XenorRat

trojan rat xenorat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\DLLRestoration_V2.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DLLRestoration_V2.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DLLRestoration_V2.exe

"C:\Users\Admin\AppData\Local\Temp\DLLRestoration_V2.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\DLLRestoration_V2.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\DLLRestoration_V2.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "FortniteRuntime.exe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2481.tmp" /F

Network

Country Destination Domain Proto
N/A 192.168.86.56:4444 tcp
N/A 192.168.86.56:4444 tcp
N/A 192.168.86.56:4444 tcp
N/A 192.168.86.56:4444 tcp
N/A 192.168.86.56:4444 tcp

Files

memory/1956-0-0x00000000000D0000-0x00000000000E2000-memory.dmp

memory/1956-1-0x0000000074520000-0x0000000074C0E000-memory.dmp

\Users\Admin\AppData\Roaming\XenoManager\DLLRestoration_V2.exe

MD5 38b365866e8a51056647e64c32bcd64e
SHA1 894e0286e2e21dc448eb916ffa8e2bbfaf068355
SHA256 58286c66f3f0a8333f52c72eeddca15a7622ba072aee9b9957e5ba6214ecdf02
SHA512 92ce606aa6ac5ed3c3569fdbf3496317cab2a3d13cf339dc63b51b0f511f2d7e29855c4d7bcb32c3227d9ffabec5f9a471e89338b2ac448c9756470439c140ca

memory/2944-9-0x00000000009B0000-0x00000000009C2000-memory.dmp

memory/2944-10-0x0000000074520000-0x0000000074C0E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp2481.tmp

MD5 4cf4503dfc2237d62eade38bc45963d5
SHA1 5587f68085e30a7ca893b75855df95a2f2018154
SHA256 e1be0c18b4d44c0a15205f19fa1a84e39efbdacdc68563458c3b63a730a8b540
SHA512 3f8cb093f419bd492c8695231572f7688747898aa4362824d36d958b1157476cb481c8f08a899a473c565ee25a6582fd533697aa66037138985b477685afd7a7

memory/2944-13-0x0000000004870000-0x00000000048B0000-memory.dmp

memory/1956-14-0x0000000074520000-0x0000000074C0E000-memory.dmp

memory/2944-15-0x0000000074520000-0x0000000074C0E000-memory.dmp

memory/2944-16-0x0000000004870000-0x00000000048B0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-15 22:12

Reported

2024-03-15 22:15

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DLLRestoration_V2.exe"

Signatures

XenorRat

trojan rat xenorat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DLLRestoration_V2.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\DLLRestoration_V2.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DLLRestoration_V2.exe

"C:\Users\Admin\AppData\Local\Temp\DLLRestoration_V2.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\DLLRestoration_V2.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\DLLRestoration_V2.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "FortniteRuntime.exe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7F03.tmp" /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 204.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
N/A 192.168.86.56:4444 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
N/A 192.168.86.56:4444 tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
N/A 192.168.86.56:4444 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
N/A 192.168.86.56:4444 tcp
N/A 192.168.86.56:4444 tcp
US 8.8.8.8:53 226.162.46.104.in-addr.arpa udp

Files

memory/3212-0-0x00000000002A0000-0x00000000002B2000-memory.dmp

memory/3212-1-0x00000000744D0000-0x0000000074C80000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\DLLRestoration_V2.exe

MD5 38b365866e8a51056647e64c32bcd64e
SHA1 894e0286e2e21dc448eb916ffa8e2bbfaf068355
SHA256 58286c66f3f0a8333f52c72eeddca15a7622ba072aee9b9957e5ba6214ecdf02
SHA512 92ce606aa6ac5ed3c3569fdbf3496317cab2a3d13cf339dc63b51b0f511f2d7e29855c4d7bcb32c3227d9ffabec5f9a471e89338b2ac448c9756470439c140ca

memory/1564-14-0x00000000744D0000-0x0000000074C80000-memory.dmp

memory/3212-15-0x00000000744D0000-0x0000000074C80000-memory.dmp

memory/1564-16-0x0000000005620000-0x0000000005630000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7F03.tmp

MD5 4cf4503dfc2237d62eade38bc45963d5
SHA1 5587f68085e30a7ca893b75855df95a2f2018154
SHA256 e1be0c18b4d44c0a15205f19fa1a84e39efbdacdc68563458c3b63a730a8b540
SHA512 3f8cb093f419bd492c8695231572f7688747898aa4362824d36d958b1157476cb481c8f08a899a473c565ee25a6582fd533697aa66037138985b477685afd7a7

memory/1564-19-0x00000000744D0000-0x0000000074C80000-memory.dmp

memory/1564-20-0x0000000005620000-0x0000000005630000-memory.dmp