Overview

overview

10

Static

static

10

0b4ced1e11...19.exe

windows7-x64

10

0b4ced1e11...19.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240319-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-03-2024 07:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0b4ced1e11fac0306ee8d9411aea4219.exe

  • Size

    45KB

  • MD5

    0b4ced1e11fac0306ee8d9411aea4219

  • SHA1

    254c74fa4b822381dfb2d258ad77b9935ad619c6

  • SHA256

    4edcb51c961470638828b8f48a0259fb4b9645192f0b30e1d79b789c9b4c4d7f

  • SHA512

    76d0b8d66a84ac66b6ba6a08ad5e2e9ee1f9893c182b4e1be1f236a69bdbeb91139a1b8936e87eb2fed44627f5afc63a30404e279d840a27e5de0926a7a07eed

  • SSDEEP

    768:tdhO/poiiUcjlJInLzo4mH9Xqk5nWEZ5SbTDaoWI7CPW5V:jw+jjgnw4mH9XqcnW85SbTJWId

Score
10/10
xenoratrattrojan

Malware Config

Extracted

Family

xenorat

C2

217.63.234.90

Mutex

Xeno_rat_nd8912ddd

Attributes
  • delay

    3500

  • install_path

    appdata

  • port

    8808

  • startup_name

    svchost.exe

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b4ced1e11fac0306ee8d9411aea4219.exe
    "C:\Users\Admin\AppData\Local\Temp\0b4ced1e11fac0306ee8d9411aea4219.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4340
    • C:\Users\Admin\AppData\Roaming\XenoManager\0b4ced1e11fac0306ee8d9411aea4219.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\0b4ced1e11fac0306ee8d9411aea4219.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4924
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "svchost.exe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp956A.tmp" /F
        3⤵
        • Creates scheduled task(s)
        PID:3440
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1040 --field-trial-handle=2276,i,5672504106535478802,17394903851940863593,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4252

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0b4ced1e11fac0306ee8d9411aea4219.exe.log
      Filesize

      226B

      MD5

      916851e072fbabc4796d8916c5131092

      SHA1

      d48a602229a690c512d5fdaf4c8d77547a88e7a2

      SHA256

      7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

      SHA512

      07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp956A.tmp
      Filesize

      1KB

      MD5

      d685e81a4021b0fdb2a815ea7152e088

      SHA1

      26b5ba5236125e919697f5650ce7c09afa1c0984

      SHA256

      3b4c9739dcd5ed1c40bd34d3e4478e93e6136e6700f19b6100cd8130563301ab

      SHA512

      17ec260fa73f78df37c852cf6be32bf7ac314f6370970468c7f9dc05ce879c256303921881aab4734810225da6858b6f4940e76920a30080711d4f71add6f860

      Download Submit

    • C:\Users\Admin\AppData\Roaming\XenoManager\0b4ced1e11fac0306ee8d9411aea4219.exe
      Filesize

      45KB

      MD5

      0b4ced1e11fac0306ee8d9411aea4219

      SHA1

      254c74fa4b822381dfb2d258ad77b9935ad619c6

      SHA256

      4edcb51c961470638828b8f48a0259fb4b9645192f0b30e1d79b789c9b4c4d7f

      SHA512

      76d0b8d66a84ac66b6ba6a08ad5e2e9ee1f9893c182b4e1be1f236a69bdbeb91139a1b8936e87eb2fed44627f5afc63a30404e279d840a27e5de0926a7a07eed

      Download Submit

    • memory/4340-1-0x0000000075180000-0x0000000075930000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4340-0-0x00000000007D0000-0x00000000007E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4340-15-0x0000000075180000-0x0000000075930000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4924-16-0x0000000075180000-0x0000000075930000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4924-17-0x00000000051F0000-0x0000000005200000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4924-20-0x0000000075180000-0x0000000075930000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4924-21-0x00000000051F0000-0x0000000005200000-memory.dmp

      Filesize

      64KB

      Download