Overview

overview

10

Static

static

10

loader69.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    164s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags

    arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
  • submitted
    02-04-2024 00:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    loader69.exe

  • Size

    208KB

  • MD5

    469f772a8aa04641c8de438a50d65d25

  • SHA1

    ef3fef941abf28a494b6dcbf50c0b42a16ecd8dc

  • SHA256

    e68cc5f5b9cdb5283d1300cf720de52d0c1ff1e0289364d15e04ac061e067e8a

  • SHA512

    fd6f0c0e02743e9f68958eae9f97b96066d8f72b20480eee3c0c6f472784f144e00ce9cc72c9d7ac8c124b46a234283f668645e27bd98b400c33dbfba81235c9

  • SSDEEP

    1536:Pw+jjgnqlF2I8H9XqcnW85SbTkuIia6c:Pw+jqqlFfG91UbTkA9c

Score
10/10
xenoratrattrojan

Malware Config

Extracted

Family

xenorat

C2

192.168.1.167

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    4567

  • startup_name

    Chrome

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 54 IoCs
  • Suspicious use of SendNotifyMessage 53 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\loader69.exe
    "C:\Users\Admin\AppData\Local\Temp\loader69.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2112
    • C:\Users\Admin\AppData\Roaming\XenoManager\loader69.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\loader69.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4532
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "Chrome" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9CDC.tmp" /F
        3⤵
        • Creates scheduled task(s)
        PID:4892
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /7
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2572
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:440
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2220
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1452
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1452.0.586984355\1903717423" -parentBuildID 20221007134813 -prefsHandle 1688 -prefMapHandle 1680 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {194b4374-8f52-4096-8f8d-84487e27927e} 1452 "\\.\pipe\gecko-crash-server-pipe.1452" 1768 16db17d9858 gpu
          3⤵
            PID:944
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1452.1.1696217699\37246594" -parentBuildID 20221007134813 -prefsHandle 2112 -prefMapHandle 2108 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f12084df-4f20-4fd8-ae1c-00bff8967cdb} 1452 "\\.\pipe\gecko-crash-server-pipe.1452" 2124 16da6572b58 socket
            3⤵
              PID:520
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1452.2.1133029386\1366698168" -childID 1 -isForBrowser -prefsHandle 2848 -prefMapHandle 2864 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f4de877-0148-4d25-9d01-0280cdc21bfa} 1452 "\\.\pipe\gecko-crash-server-pipe.1452" 2624 16db5799458 tab
              3⤵
                PID:2464
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1452.3.766789924\1491565701" -childID 2 -isForBrowser -prefsHandle 3448 -prefMapHandle 3444 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0e1e731-3f07-4a76-bb61-09e14446565b} 1452 "\\.\pipe\gecko-crash-server-pipe.1452" 3456 16da6567558 tab
                3⤵
                  PID:2060
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1452.4.172051129\2114850527" -childID 3 -isForBrowser -prefsHandle 4152 -prefMapHandle 4148 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {624d3c24-888b-4125-af4a-98b0b65f342c} 1452 "\\.\pipe\gecko-crash-server-pipe.1452" 4164 16db6bed558 tab
                  3⤵
                    PID:3620
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1452.5.1044803391\823640074" -childID 4 -isForBrowser -prefsHandle 4864 -prefMapHandle 4880 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {09f27c20-cf19-4bbd-a94e-2c787e263163} 1452 "\\.\pipe\gecko-crash-server-pipe.1452" 4856 16da6568d58 tab
                    3⤵
                      PID:1116
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1452.6.1243131156\1052016289" -childID 5 -isForBrowser -prefsHandle 4992 -prefMapHandle 4996 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8552f141-a32a-40e8-ae56-e660b58bc024} 1452 "\\.\pipe\gecko-crash-server-pipe.1452" 4984 16db768c558 tab
                      3⤵
                        PID:4616
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1452.7.1893365276\222557738" -childID 6 -isForBrowser -prefsHandle 5148 -prefMapHandle 5152 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f40383f-026f-4358-8259-528d9628ed1f} 1452 "\\.\pipe\gecko-crash-server-pipe.1452" 5140 16db7fe5b58 tab
                        3⤵
                          PID:4576

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\loader69.exe.log
                      Filesize

                      226B

                      MD5

                      957779c42144282d8cd83192b8fbc7cf

                      SHA1

                      de83d08d2cca06b9ff3d1ef239d6b60b705d25fe

                      SHA256

                      0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51

                      SHA512

                      f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\tmp9CDC.tmp
                      Filesize

                      1KB

                      MD5

                      bfed47980ac854ce5a1292ad5bf853fd

                      SHA1

                      5b473ed8aeeb843173832354cba4e2a2d2889c33

                      SHA256

                      f5efead213b676200e31176fe5976259655bfd8ffb21bc967b0b0944e5e3a3c2

                      SHA512

                      49b6590bd913cf8bdd3c036c3678510ceb074307efecc0f8d26ab455481d461e3d5df90b022ee027960a07f40befcabcc41e770f5b38ebd35ded34bf470e9082

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\datareporting\glean\db\data.safe.bin
                      Filesize

                      9KB

                      MD5

                      7ab1a71c6a2df0621feeb378c46b297e

                      SHA1

                      5adaaffd74cbd4551db6fc7e4ab29989f5b6d68f

                      SHA256

                      c138cf3cf512703794cf7537c915c43c447f92cb640c76056e4be3ccd2d340ee

                      SHA512

                      4510363644de74a740086af572569b7e626d81f5b0fac8f5aaaa3e57fd076c6cd396d50f4ba34f0e0931ccc417df463502ca2aa252e84af6e80376bd41d92d67

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\datareporting\glean\pending_pings\90eedbad-8ba6-4c0c-b501-71aad11b09df
                      Filesize

                      734B

                      MD5

                      69be7c20ece15f67d5645937e867f22c

                      SHA1

                      cb0468f529860eb7729b8363a7577022de4d5ed9

                      SHA256

                      cf24de7da3d710bd304ce86e553f10d13016a7eaf62e983cc29e0873787d1c96

                      SHA512

                      a829e43355e986e8340b01671a4b3cfb0c740880243ae07b8c44962082f5ead6822fc41201f7680a997ff76fa15589727689a9ece2489a277b96b14c9a46a5e8

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\prefs-1.js
                      Filesize

                      6KB

                      MD5

                      7bdb4ea863f1051c93662d887cea9250

                      SHA1

                      af8e5677d4831a4c08b016d1b07a10a1226a212d

                      SHA256

                      44185ee4ffc5a2d846a16af7b378c346bae5310b908c9765e2c8c7165ca49afd

                      SHA512

                      213ce0251133b11aa7e55b47acd48a9bc30610f3bc66e412315c7f90022a33cc1c379f5a03b65de3e276d3080596efaca02341d0a24eef2d9c1740947602ab16

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\prefs.js
                      Filesize

                      6KB

                      MD5

                      dc20cbcbc8d077ab33b1eab3a14b0a22

                      SHA1

                      dfc8f0ea1720303465e28d8df830fc7ebe7afa35

                      SHA256

                      c441c86aa6fc9c1fab3679f2d919f09627c09fb0755c2e56b71f98acf7319d20

                      SHA512

                      fc8d7a7b889dd31af1e7ff806c93cba5005d4b5fd0debd45793ae7e050a6142d3795d24eda3e35a1d4b85bd5c9486c5686906f8143ac32a9309b1d8d6e90754f

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\prefs.js
                      Filesize

                      6KB

                      MD5

                      4e18f64d36b17e98f6c3cd7e4f51fa46

                      SHA1

                      1773470f0e8ca722967794bf4348d4205ed43247

                      SHA256

                      b31a92a98163e415580e8001b150a9cd71c807faa81b355403a75acd44ae923c

                      SHA512

                      765b8768bfba05244abaa455d7981cf927a757e940a5924c2aedac1df79be94e35f6e740fd453dada8f959eddc86c31cbf7e7b97818f7f5be00628df8e2ce6f2

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\sessionstore-backups\recovery.jsonlz4
                      Filesize

                      1KB

                      MD5

                      dea7c9eb2707a6f94a2090bb6098eb4c

                      SHA1

                      80e3269db452cf40399643d7e962f639d7774e40

                      SHA256

                      4e8ac61563a58aab7f7f65e8de407eacf2f56847079ed9889a5f46c6d7dae1b3

                      SHA512

                      c615f024a9cfbd1f28dabdb920226b750088224b08fda3d105e358023e6a533ee601b5ada39cfdf371edb5ea72e62992c089030b33a9d4fd978b9e7c2cf62d7c

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                      Filesize

                      184KB

                      MD5

                      5b5493b3123996c6a0995b5cfbb52842

                      SHA1

                      2a1246f87c8aef3cddd245e62653bb561907e3ca

                      SHA256

                      ae2b57f0858c3dd823cc3fcd51aaae3cf6709f69c3fa17a5f901ef9fa1edec5e

                      SHA512

                      aaf365e8546cb7149a7c52db6f493b4b7ac5757b8828b23e6839a7c81db92c3875e71568f3d77e39089acfeb14c58fd95e938fb1b6908b284c279c8a94f597b8

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\XenoManager\loader69.exe
                      Filesize

                      208KB

                      MD5

                      469f772a8aa04641c8de438a50d65d25

                      SHA1

                      ef3fef941abf28a494b6dcbf50c0b42a16ecd8dc

                      SHA256

                      e68cc5f5b9cdb5283d1300cf720de52d0c1ff1e0289364d15e04ac061e067e8a

                      SHA512

                      fd6f0c0e02743e9f68958eae9f97b96066d8f72b20480eee3c0c6f472784f144e00ce9cc72c9d7ac8c124b46a234283f668645e27bd98b400c33dbfba81235c9

                      Download Submit

                    • memory/2112-9-0x00000000734C0000-0x0000000073BAE000-memory.dmp

                      Filesize

                      6.9MB

                      Download

                    • memory/2112-0-0x0000000000620000-0x000000000065A000-memory.dmp

                      Filesize

                      232KB

                      Download

                    • memory/2112-1-0x00000000734C0000-0x0000000073BAE000-memory.dmp

                      Filesize

                      6.9MB

                      Download

                    • memory/4532-10-0x00000000734C0000-0x0000000073BAE000-memory.dmp

                      Filesize

                      6.9MB

                      Download

                    • memory/4532-20-0x0000000004A20000-0x0000000004A30000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/4532-19-0x00000000734C0000-0x0000000073BAE000-memory.dmp

                      Filesize

                      6.9MB

                      Download

                    • memory/4532-11-0x0000000004A20000-0x0000000004A30000-memory.dmp

                      Filesize

                      64KB

                      Download