Overview

overview

10

Static

static

10

Loader.exe

windows7-x64

10

Loader.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-03-2024 08:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Loader.exe

  • Size

    46KB

  • MD5

    75fdbc2d379d84adacfc0f521d88dd59

  • SHA1

    3a441c75c212a970b1acf547ff67d36e5b3b2767

  • SHA256

    990565da28fb5ee5655a3723add532743334ba88efc998c891344b17549d88aa

  • SHA512

    f6140ded24561c64c4f6722f88209c18cdec8e7b643b3de3777a3ba1390fc440eadfc272dff97a9d7ae040e72797d55ee662ed26df1da2ada4da96c9e071bb64

  • SSDEEP

    768:DdhO/poiiUcjlJInIwH9Xqk5nWEZ5SbTDa7WI7CPW5+:Rw+jjgnhH9XqcnW85SbTyWIG

Score
10/10
xenoratrattrojan

Malware Config

Extracted

Family

xenorat

C2

192.168.178.23

Mutex

Windows_Client_nd8912d

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    4444

  • startup_name

    Discord Update

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4688
    • C:\Users\Admin\AppData\Roaming\XenoManager\Loader.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\Loader.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4912
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "Discord Update" /XML "C:\Users\Admin\AppData\Local\Temp\tmp472B.tmp" /F
        3⤵
        • Creates scheduled task(s)
        PID:3232
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa251846f8,0x7ffa25184708,0x7ffa25184718
      2⤵
        PID:1420
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,2801981454795070366,8672857449716290306,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
        2⤵
          PID:4040
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,2801981454795070366,8672857449716290306,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2264
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,2801981454795070366,8672857449716290306,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
          2⤵
            PID:2076
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2801981454795070366,8672857449716290306,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
            2⤵
              PID:2532
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2801981454795070366,8672857449716290306,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
              2⤵
                PID:2580
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2801981454795070366,8672857449716290306,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1
                2⤵
                  PID:5208
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2801981454795070366,8672857449716290306,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
                  2⤵
                    PID:5216
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,2801981454795070366,8672857449716290306,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3464 /prefetch:8
                    2⤵
                      PID:5628
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,2801981454795070366,8672857449716290306,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3464 /prefetch:8
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:5644
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2801981454795070366,8672857449716290306,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
                      2⤵
                        PID:5752
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2801981454795070366,8672857449716290306,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
                        2⤵
                          PID:5760
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2801981454795070366,8672857449716290306,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
                          2⤵
                            PID:6028
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,2801981454795070366,8672857449716290306,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 /prefetch:2
                            2⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:3760
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:2764
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:3236

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                              Filesize

                              152B

                              MD5

                              e1b45169ebca0dceadb0f45697799d62

                              SHA1

                              803604277318898e6f5c6fb92270ca83b5609cd5

                              SHA256

                              4c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60

                              SHA512

                              357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                              Filesize

                              152B

                              MD5

                              9ffb5f81e8eccd0963c46cbfea1abc20

                              SHA1

                              a02a610afd3543de215565bc488a4343bb5c1a59

                              SHA256

                              3a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc

                              SHA512

                              2d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                              Filesize

                              180B

                              MD5

                              00a455d9d155394bfb4b52258c97c5e5

                              SHA1

                              2761d0c955353e1982a588a3df78f2744cfaa9df

                              SHA256

                              45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed

                              SHA512

                              9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                              Filesize

                              6KB

                              MD5

                              3e091c979d663edc5c9487773263739b

                              SHA1

                              2525ad166cfe0e8e31fa6d7d6ff375a52ac079c7

                              SHA256

                              ec5ac5d3223e48a66c040dda9ac223344ab74421da88cf1eae3bfa5087462021

                              SHA512

                              33c0500081364db6875ebeeba6f9c0fb354b60d99c98210df759f73d0946020180182c0ad8fa06eb3637a1a928ed2cd913de6821014eeba6caa42b9995b1ee18

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                              Filesize

                              6KB

                              MD5

                              11f2f694f067f9c84b3c990b9f107728

                              SHA1

                              984ec9c1c429a6499624b7ec7f6dd5268cf5ab60

                              SHA256

                              679ad7c4cf1e1e072cc3adea9f547b04bd879e7a248251602ce8170fb25accc2

                              SHA512

                              7879f6e8b5a02c4bc707c4eaf41541b2e86493f6567ce87b817db8efcdc46e28582c38a9c9559fc7e72e6e1fb96393d38694a9750d5d21e74f1c650041eb0ff8

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                              Filesize

                              6KB

                              MD5

                              15fbcdb975924c777f45b3783b4d617c

                              SHA1

                              7a4fa6c013cdda8488c51232adf0a339912c2e1d

                              SHA256

                              dd559c39f65d2171b417ba1fda16d102aa22cb8a64cc64e56f54fb34b844a055

                              SHA512

                              a93f295d701bb210b58722982b84831236ae22fd4f990ae08b1d0ffac45468cdc2dcc37c43549b1f26302ed48ff564e39a28cb96f82e7f49260d89339faf6c0f

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                              Filesize

                              16B

                              MD5

                              6752a1d65b201c13b62ea44016eb221f

                              SHA1

                              58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                              SHA256

                              0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                              SHA512

                              9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                              Filesize

                              11KB

                              MD5

                              e5c7ec27ab0b71197d75edf384d1cc30

                              SHA1

                              d817422a88e14d4e8ba996021f0f980cb72ffccb

                              SHA256

                              0cc45c64de6ac8fb63a13a5563cfdd38fdd75b12a2824309490c5d57f8ac4d1e

                              SHA512

                              01a75e6a6e019482db9c0c08529bc17ba94c17e45f3dff2dd1bf64503157f4e6592356ac48cb63fbd03c4ecfe8cb9fc1e9965c579659e6699b376f94788a68df

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\tmp472B.tmp
                              Filesize

                              1KB

                              MD5

                              98ec19a37c08a1707467b39a05d92fc8

                              SHA1

                              f530e07fc098aa26f0b5c7ff7f481c35794a18f0

                              SHA256

                              df1c791bbfb73bb139e5c3002e7adba14af7a131d3877ed1d0e0ca19bd4a6fbc

                              SHA512

                              1cf644d7654609eaa85580c48d89e8c2b78feaa378e5447f5c3c11d8c5fc501353aca6c73c4beb4641f816833b06faa59a9c450bfe97e27c5f7f1a8dfde59701

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\XenoManager\Loader.exe
                              Filesize

                              46KB

                              MD5

                              75fdbc2d379d84adacfc0f521d88dd59

                              SHA1

                              3a441c75c212a970b1acf547ff67d36e5b3b2767

                              SHA256

                              990565da28fb5ee5655a3723add532743334ba88efc998c891344b17549d88aa

                              SHA512

                              f6140ded24561c64c4f6722f88209c18cdec8e7b643b3de3777a3ba1390fc440eadfc272dff97a9d7ae040e72797d55ee662ed26df1da2ada4da96c9e071bb64

                              Download Submit

                            • memory/4688-0-0x0000000000620000-0x0000000000632000-memory.dmp

                              Filesize

                              72KB

                              Download

                            • memory/4688-14-0x0000000074540000-0x0000000074CF0000-memory.dmp

                              Filesize

                              7.7MB

                              Download

                            • memory/4688-1-0x0000000074540000-0x0000000074CF0000-memory.dmp

                              Filesize

                              7.7MB

                              Download

                            • memory/4912-15-0x0000000074540000-0x0000000074CF0000-memory.dmp

                              Filesize

                              7.7MB

                              Download

                            • memory/4912-58-0x00000000050C0000-0x00000000050D0000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/4912-55-0x0000000074540000-0x0000000074CF0000-memory.dmp

                              Filesize

                              7.7MB

                              Download

                            • memory/4912-16-0x00000000050C0000-0x00000000050D0000-memory.dmp

                              Filesize

                              64KB

                              Download