Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
141s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
04/04/2024, 17:01
General
-
Target
Hmm.exe
-
Size
45KB
-
MD5
67ac400542ed1106c27e0c0958ea358b
-
SHA1
3469e557ddd63b7c13a55475d7e9911dce9778ba
-
SHA256
056711aee2b3c17d3d43ac64740d1b487e1d4a1b741a445dd3d6f1939785ede3
-
SHA512
988106796b5017e082154b997a35428369aa628831386e99c15fc6b8ee02676b08e319e97964c8b91d7d71434e5e1d775a3c563ce63cf69994191013fbc33de4
-
SSDEEP
768:SdhO/poiiUcjlJIn+lH9Xqk5nWEZ5SbTDa/WI7CPW5h:0w+jjgn+H9XqcnW85SbTmWI5
Malware Config
Extracted
Family
xenorat
C2
127.0.0.1
Mutex
Xeno_rat_nd8912d
Attributes
-
delay
5000
-
install_path
nothingset
-
port
4444
-
startup_name
Updater
Signatures
-
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\rescache\_merged\1601268389\715946058.pri taskmgr.exe File created C:\Windows\rescache\_merged\4183903823\2290032291.pri taskmgr.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1364 schtasks.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4352 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4352 taskmgr.exe Token: SeSystemProfilePrivilege 4352 taskmgr.exe Token: SeCreateGlobalPrivilege 4352 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe 4352 taskmgr.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2412 wrote to memory of 1364 2412 Hmm.exe 75 PID 2412 wrote to memory of 1364 2412 Hmm.exe 75 PID 2412 wrote to memory of 1364 2412 Hmm.exe 75
Processes
-
C:\Users\Admin\AppData\Local\Temp\Hmm.exe"C:\Users\Admin\AppData\Local\Temp\Hmm.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Create /TN "Updater" /XML "C:\Users\Admin\AppData\Local\Temp\tmp787C.tmp" /F2⤵
- Creates scheduled task(s)
PID:1364
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4352
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3440
-
C:\Windows\System32\-rqqg4.exe"C:\Windows\System32\-rqqg4.exe"1⤵PID:5116
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5c2238ac7825bd568226e753fba8a31d0
SHA1d9e6a8b98fe452eee8f5537485b29235f18d900a
SHA2567475295b7f41afb877264e421d47a085d746c8b9e74d56c13781b11316296790
SHA5122318dd10175a300539d50c5fb37f2750414c75efc9a30f5b0ef5c2bb2aa814ec4caca03230dfed06d0a17a7651c47428ea28844079d70610a9de187fc907f498