Analysis
max time kernel: 91s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-04-2024 00:47
Behavioral task: behavioral1
Sample: fhdhdh.exe
Resource: win7-20240221-en
General
Target: fhdhdh.exe
Size: 45KB
MD5: 5b9894f294eca1116e1f406021efde09
SHA1: 0c661572b82ac000383d7a50961d8be37e2a7e6f
SHA256: dcb0a0fd16af0e786810d4dc72ed5b06cb6345769510bba2c1a48c0bb16c076c
SHA512: dc907ab28bc0d4e1382151a5f9e6991cbfab9614e30eb51167a679fae8f9841ce42a098ba7b8b521415e268f868a39dceec894b3cf3e957a7b486ba847e8e099
SSDEEP: 768:ddhO/poiiUcjlJInXzH9Xqk5nWEZ5SbTDaPWI7CPW5N:Tw+jjgnDH9XqcnW85SbTWWIl
Malware Config
Extracted family: xenorat
C2: 47.215.162.109
Mutex: Xeno_rat_nd8912d (the field is unlabelled in the report; the string is the mutex name the XenoRAT client uses)
delay: 5000
install_path: temp
port: 4567
startup_name: yes

The extracted values line up with the runtime behaviour recorded further down: install_path "temp" is where the dropped copy is executed from (%TEMP%\XenoManager\fhdhdh.exe), startup_name "yes" is the /TN name of the scheduled task that copy creates, and port 4567 is the port the client would use to reach the C2 address (the Network section of this extract is empty, so no connection attempt is recorded here).
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation  (fhdhdh.exe)

Executes dropped EXE (1 IoC)
  PID 1428  fhdhdh.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  Key opened:        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  (taskmgr.exe)
  Key opened:        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  (taskmgr.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  (taskmgr.exe)

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2132  schtasks.exe

Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings  (taskmgr.exe)

Suspicious behavior: EnumeratesProcesses (41 IoCs)
  All 41 rows: PID 492  taskmgr.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token: SeDebugPrivilege            PID 492  taskmgr.exe
  Token: SeSystemProfilePrivilege    PID 492  taskmgr.exe
  Token: SeCreateGlobalPrivilege     PID 492  taskmgr.exe
  Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege)  PID 492  taskmgr.exe
  Token: SeIncBasePriorityPrivilege  PID 492  taskmgr.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
  All 64 rows: PID 492  taskmgr.exe

Suspicious use of SendNotifyMessage (64 IoCs)
  All 64 rows: PID 492  taskmgr.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 556   fhdhdh.exe  wrote to memory of PID 1428 (procid_target 100), 3 rows
  PID 1428  fhdhdh.exe  wrote to memory of PID 2132 (procid_target 103), 3 rows
  Three writes from a parent into a child it has just created is what CreateProcess itself produces when it places the startup parameters into the new process, so these rows document the parent/child chain (dropper -> dropped copy -> schtasks) rather than evidence of injection into an unrelated process.

Note on attribution: the SCSI key checks, the registry-class change, EnumeratesProcesses, AdjustPrivilegeToken, FindShellTrayWindow and SendNotifyMessage are all attributed to taskmgr.exe (PID 492), which appears in the process tree below as a top-level process that the sample never spawns. The signatures tied to the sample and its descendants are the Geo\Nation lookup (PID 556), the dropped-EXE execution (PID 1428), the scheduled-task creation (PID 2132) and the WriteProcessMemory rows linking those three.
Processes

C:\Users\Admin\AppData\Local\Temp\fhdhdh.exe  (PID 556)
  command line: "C:\Users\Admin\AppData\Local\Temp\fhdhdh.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\XenoManager\fhdhdh.exe  (PID 1428)
      command line: "C:\Users\Admin\AppData\Local\Temp\XenoManager\fhdhdh.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\schtasks.exe  (PID 2132)
          command line: "schtasks.exe" /Create /TN "yes" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7952.tmp" /F
          - Creates scheduled task(s)

The task is defined by an XML file written to %TEMP% (tmp7952.tmp) and registered with /F, which overwrites any existing task of the same name. schtasks.exe resolving to SysWOW64 rather than System32 shows the dropped copy runs as a 32-bit process on this x64 image (file-system redirection sends its System32 lookups to SysWOW64).

Other top-level processes recorded in the same analysis, none of them spawned by the sample:

C:\Windows\system32\taskmgr.exe  (PID 4532)
  command line: "C:\Windows\system32\taskmgr.exe" /7

C:\Windows\system32\taskmgr.exe  (PID 492)
  command line: "C:\Windows\system32\taskmgr.exe" /7
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3724)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8

C:\Windows\System32\rundll32.exe  (PID 2996)
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
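The process chain above (dropper in %TEMP%, self-copy re-executed from %TEMP%\XenoManager, schtasks /Create from an XML file in %TEMP%) is the part of this report that translates directly into endpoint detection. The following is an added example, not code from the Triage report or from XenoRAT: it runs three rules over constructed process-creation records shaped after the report's tree. The record fields, the parent PID 4000 / explorer.exe parent, and the sample events are assumptions made for the example.

```python
"""Detection rules for the dropper -> dropped copy -> schtasks chain in this report.

Added example (not part of the Triage report or of XenoRAT). The ProcEvent
fields and SAMPLE_EVENTS are constructed to mirror the report's process tree;
PID 4000 / explorer.exe as the root parent is an assumption.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the new process
    cmdline: str        # its command line
    parent_image: str   # full path of the parent process


# Constructed events reproducing the chain in the report, plus the unrelated
# Task Manager launch (PID 492) for contrast.
SAMPLE_EVENTS = [
    ProcEvent(556, 4000,
              r"C:\Users\Admin\AppData\Local\Temp\fhdhdh.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\fhdhdh.exe"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(1428, 556,
              r"C:\Users\Admin\AppData\Local\Temp\XenoManager\fhdhdh.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\XenoManager\fhdhdh.exe"',
              r"C:\Users\Admin\AppData\Local\Temp\fhdhdh.exe"),
    ProcEvent(2132, 1428,
              r"C:\Windows\SysWOW64\schtasks.exe",
              r'"schtasks.exe" /Create /TN "yes" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7952.tmp" /F',
              r"C:\Users\Admin\AppData\Local\Temp\XenoManager\fhdhdh.exe"),
    ProcEvent(492, 4000,
              r"C:\Windows\system32\taskmgr.exe",
              r'"C:\Windows\system32\taskmgr.exe" /7',
              r"C:\Windows\explorer.exe"),
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
XENOMANAGER_RE = re.compile(r"\\Temp\\XenoManager\\", re.IGNORECASE)
# schtasks /Create whose task definition is a tmpXXXX.tmp file under %TEMP%
SCHTASKS_XML_RE = re.compile(
    r'schtasks(?:\.exe)?"?\s+.*?/create\b.*?/xml\s+"?[^"]*\\AppData\\Local\\Temp\\tmp[0-9A-F]+\.tmp"?',
    re.IGNORECASE | re.DOTALL,
)


def rule_xenomanager_exec(ev: ProcEvent) -> bool:
    """Any process image running out of %TEMP%\\XenoManager\\ (the install_path)."""
    return XENOMANAGER_RE.search(ev.image) is not None


def rule_schtasks_from_temp(ev: ProcEvent) -> bool:
    """schtasks /Create with an XML definition in %TEMP%, launched from %TEMP%."""
    return (ev.image.lower().endswith("\\schtasks.exe")
            and SCHTASKS_XML_RE.search(ev.cmdline) is not None
            and TEMP_RE.search(ev.parent_image) is not None)


def rule_self_relaunch(ev: ProcEvent) -> bool:
    """Child has the same file name as its parent but runs from another directory."""
    child = ev.image.rsplit("\\", 1)
    parent = ev.parent_image.rsplit("\\", 1)
    return (len(child) == 2 and len(parent) == 2
            and child[1].lower() == parent[1].lower()
            and child[0].lower() != parent[0].lower())


RULES = {
    "dropped_exe_in_xenomanager": rule_xenomanager_exec,
    "schtasks_xml_from_temp": rule_schtasks_from_temp,
    "self_relaunch_from_other_dir": rule_self_relaunch,
}


def run_rules(events):
    """Return (pid, rule_name) for every event that trips a rule."""
    return [(ev.pid, name) for ev in events for name, rule in RULES.items() if rule(ev)]


def chain_to_root(events, pid):
    """Follow ppid links upward so an alert carries the full ancestry of the process."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain


if __name__ == "__main__":
    for pid, name in run_rules(SAMPLE_EVENTS):
        print(pid, name, " <- ".join(chain_to_root(SAMPLE_EVENTS, pid)))
```

Run against the constructed events, the rules fire on PID 1428 (dropped copy in XenoManager, same file name as its parent in a different directory) and PID 2132 (schtasks registering a %TEMP% XML task from a %TEMP%-resident parent), and stay silent on the taskmgr.exe process that carries most of the report's generic signatures. The self-relaunch rule is the most general of the three: it does not depend on the XenoManager directory name and catches any dropper that copies itself elsewhere before re-executing.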
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1 (identical hashes to the submitted sample)
Filesize: 45KB
MD5: 5b9894f294eca1116e1f406021efde09
SHA1: 0c661572b82ac000383d7a50961d8be37e2a7e6f
SHA256: dcb0a0fd16af0e786810d4dc72ed5b06cb6345769510bba2c1a48c0bb16c076c
SHA512: dc907ab28bc0d4e1382151a5f9e6991cbfab9614e30eb51167a679fae8f9841ce42a098ba7b8b521415e268f868a39dceec894b3cf3e957a7b486ba847e8e099

File 2
Filesize: 1KB
MD5: 2ecdddbc1f4248a10c7c102d3eeb0495
SHA1: 2ec3fe591ebf587bed90d59a09a4282f3cc611d7
SHA256: 446f4101ae2327287fc50a0097428d83f93fcd7605672a4f5b3256099e9333a4
SHA512: 31c707e4abf096cea9cc127d67908049061ade03aab5389361915748cdf89d0f44c460c434da49619a588d7e64c03ac6c7e9f765d928750fbe3ccc5c70c88378