Analysis
-
max time kernel
296s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
27-03-2024 04:13
Behavioral task
behavioral1
Sample
XenoLauncher.exe
Resource
win7-20240215-en
General
-
Target
XenoLauncher.exe
-
Size
45KB
-
MD5
2d24883f3fb3ff9ea58f372da291070a
-
SHA1
d2fdd563387cfaaabaa681297a49f26a7ce43d0f
-
SHA256
8fd932b34f74af94e07d3b2ed14b8a3630a30f3c19ebe987fead0e63ae2a4a9b
-
SHA512
6ee0cbe3da9d2d88ce3269c56009217408ea6e73641f4b691b17a2903a2532347ce3666439ece77f7d868d3daa5028133dfd27f4a4beb6024e97e5ac5c32279e
-
SSDEEP
768:SdhO/poiiUcjlJIn/sWH9Xqk5nWEZ5SbTDauuI7CPW5h:0w+jjgnPH9XqcnW85SbTDuIp
Malware Config
Extracted
xenorat
127.0.0.1
XenoLauncher
-
delay
5000
-
install_path
temp
-
port
4444
-
startup_name
Discord
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2548 XenoLauncher.exe -
Loads dropped DLL 1 IoCs
pid Process 2972 XenoLauncher.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1036 schtasks.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 2972 wrote to memory of 2548 2972 XenoLauncher.exe 28 PID 2972 wrote to memory of 2548 2972 XenoLauncher.exe 28 PID 2972 wrote to memory of 2548 2972 XenoLauncher.exe 28 PID 2972 wrote to memory of 2548 2972 XenoLauncher.exe 28 PID 2972 wrote to memory of 2548 2972 XenoLauncher.exe 28 PID 2972 wrote to memory of 2548 2972 XenoLauncher.exe 28 PID 2972 wrote to memory of 2548 2972 XenoLauncher.exe 28 PID 2548 wrote to memory of 1036 2548 XenoLauncher.exe 29 PID 2548 wrote to memory of 1036 2548 XenoLauncher.exe 29 PID 2548 wrote to memory of 1036 2548 XenoLauncher.exe 29 PID 2548 wrote to memory of 1036 2548 XenoLauncher.exe 29 PID 2548 wrote to memory of 1036 2548 XenoLauncher.exe 29 PID 2548 wrote to memory of 1036 2548 XenoLauncher.exe 29 PID 2548 wrote to memory of 1036 2548 XenoLauncher.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\XenoLauncher.exe"C:\Users\Admin\AppData\Local\Temp\XenoLauncher.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Users\Admin\AppData\Local\Temp\XenoManager\XenoLauncher.exe"C:\Users\Admin\AppData\Local\Temp\XenoManager\XenoLauncher.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Create /TN "Discord" /XML "C:\Users\Admin\AppData\Local\Temp\tmp27DB.tmp" /F3⤵
- Creates scheduled task(s)
PID:1036
-
-
Network
- No results found
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5c1ca01e27b201d9e2dcfd94089f30279
SHA1b005c1d1a2110c55cd16379d745fde185f1e7d00
SHA256f4a3cb5790a61b097587c918b376a82bc7e9b393079e1663ed8a7aa43a71e4a0
SHA51236339257ac0c937eac75ff8f0037821ea633ac9eca52f01d9e14f5afe7592ee0c98b34950c87d13442c3dfdf0ef477103930b27a1f95254fd921ac389d0c9c8a
-
Filesize
45KB
MD52d24883f3fb3ff9ea58f372da291070a
SHA1d2fdd563387cfaaabaa681297a49f26a7ce43d0f
SHA2568fd932b34f74af94e07d3b2ed14b8a3630a30f3c19ebe987fead0e63ae2a4a9b
SHA5126ee0cbe3da9d2d88ce3269c56009217408ea6e73641f4b691b17a2903a2532347ce3666439ece77f7d868d3daa5028133dfd27f4a4beb6024e97e5ac5c32279e