0e6d59fcdf8f143e23b076cc8380d6d23324839ae4f91793133b600e7eb76eb9

Analysis

max time kernel
37s
max time network
25s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
04/04/2024, 16:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Xenos64.exe
Size

1.3MB
MD5

6f0dd4150efddfc20b70401479964211
SHA1

e97c802a8013b13fb91a831b779ade7c3ca6870b
SHA256

0e6d59fcdf8f143e23b076cc8380d6d23324839ae4f91793133b600e7eb76eb9
SHA512

d8e823876507cd10b8c176e502c99bb80d52742eaa7c0e319b2a5c1f605de962505bf09950418a461fde427db34a59dbb67cbb4a6045f44d243c77945aebd0fb
SSDEEP

24576:uLGfO4noYBPtVY3HPou37urInN48pGrnofSVgPCS3tMrMyj3F9hIF1SqY5cbaF:uLGfKY5tVY3gur9N4p0SVE3tMx3FE1Sr

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 48 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xpr64	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	Xenos64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xpr64\Content Type = "Application/xml"	Xenos64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Edit\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Xenos64.exe --load %1"	Xenos64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	Xenos64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\ = "Xenos 64-bit injection profile"	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	Xenos64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Run\command	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Xenos64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64	Xenos64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Edit\command	Xenos64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Run\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Xenos64.exe --run %1"	Xenos64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Xenos64.exe,-135"	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Xenos64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xpr64\ = "XenosProfile64"	Xenos64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Edit	Xenos64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Run	Xenos64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Xenos64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\ = "Run"	Xenos64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\DefaultIcon	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Xenos64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Xenos64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Xenos64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	Xenos64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Xenos64.exe
Key created	\REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Xenos64.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2212	Xenos64.exe
2212	Xenos64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2212	Xenos64.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	Xenos64.exe
Token: SeLoadDriverPrivilege	2212	Xenos64.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2212	Xenos64.exe
2212	Xenos64.exe

C:\Users\Admin\AppData\Local\Temp\Xenos64.exe
"C:\Users\Admin\AppData\Local\Temp\Xenos64.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2212-10-0x0000000000050000-0x0000000000150000-memory.dmp

Filesize
1024KB

Download
memory/2212-11-0x00000000022E0000-0x00000000024BB000-memory.dmp

Filesize
1.9MB

Download
memory/2212-33-0x0000000000050000-0x0000000000150000-memory.dmp

Filesize
1024KB

Download
memory/2212-35-0x0000000000050000-0x0000000000150000-memory.dmp

Filesize
1024KB

Download