Overview

overview

10

Static

static

10

solar_twea...up.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    1804s
  • max time network
    1160s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    27-03-2024 17:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    solar_tweakers_setup.exe

  • Size

    62KB

  • MD5

    fcda682a867137e697be2e8797c04e67

  • SHA1

    142a06a7e8132ca2ba5e3903359a4145095faf15

  • SHA256

    e52a2ab8aa9606d67c4f6ec37dce3c95a84b00ce6cb6035b723685f82f359901

  • SHA512

    e78cd6dda18474122564822505fd3192113072c9167f3ba1ca868df5d74f4a9e0f0e279f36885defc30392dee40ba0b57bd1fe61005e0e216897ed6dc8bf8bf7

  • SSDEEP

    1536:Dw+jjgnNH9XqcnW85SbTHWIRuJ/oSDiMr7G+mD:Dw+jqV91UbTHeiMfuD

Score
10/10
xenoratrattrojan

Malware Config

Extracted

Family

xenorat

C2

127.0.0.1

Mutex

solar_tweakersnd8912d

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    4444

  • startup_name

    Lunar Bypasser

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\solar_tweakers_setup.exe
    "C:\Users\Admin\AppData\Local\Temp\solar_tweakers_setup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3144
    • C:\Users\Admin\AppData\Roaming\XenoManager\solar_tweakers_setup.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\solar_tweakers_setup.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:5008
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "Lunar Bypasser" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6B2.tmp" /F
        3⤵
        • Creates scheduled task(s)
        PID:4120
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4576

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
    Filesize

    10KB

    MD5

    d787e644a5c87ff0d529178be370af85

    SHA1

    1cc3e85b27bb7a602becada3674e2ca3f06cd674

    SHA256

    609b79e146732b2231318bde6338788a61124f8d22841566ed27d563200bbb32

    SHA512

    9386d7ef12d90ef90816a80b4c5f6f6f6a840a0745d81aa8bb4e8ec773ca852107d4ff3ae81e4165d2e6695813121aff836404e0c2d29ea44f063a6cd55a02d0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp6B2.tmp
    Filesize

    1KB

    MD5

    4eddf32fd769e08355f6fd99702822be

    SHA1

    2c6367436f95995244e07523d91888f9b6c824b3

    SHA256

    4599ce7e2fdfe8afbf62dcfd15e93003a43a6cab0e561ee8407a5722a98d0695

    SHA512

    5f2b6839094d95ac11da3645a5a70388bdb69f913af09613b1af6a05832e61a054fb322ca4135b590cd5b4cb681dfe212cece8311b80f88dbaee0ba48ac5d7b5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\XenoManager\solar_tweakers_setup.exe
    Filesize

    62KB

    MD5

    fcda682a867137e697be2e8797c04e67

    SHA1

    142a06a7e8132ca2ba5e3903359a4145095faf15

    SHA256

    e52a2ab8aa9606d67c4f6ec37dce3c95a84b00ce6cb6035b723685f82f359901

    SHA512

    e78cd6dda18474122564822505fd3192113072c9167f3ba1ca868df5d74f4a9e0f0e279f36885defc30392dee40ba0b57bd1fe61005e0e216897ed6dc8bf8bf7

    Download Submit

  • memory/3144-0-0x00000000004B0000-0x00000000004C6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3144-1-0x00000000747B0000-0x0000000074F61000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3144-15-0x00000000747B0000-0x0000000074F61000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5008-14-0x00000000747B0000-0x0000000074F61000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5008-16-0x0000000004F80000-0x0000000004F90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-27-0x00000000747B0000-0x0000000074F61000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5008-28-0x0000000004F80000-0x0000000004F90000-memory.dmp

    Filesize

    64KB

    Download