xenorat | 3ac1adc75ac38013eb7f2aa103c624b7ef5a628333b929841c043890aee42b79

Analysis

max time kernel
41s
max time network
54s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-04-2024 06:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SysUpd.exe
Size

45KB
MD5

0c0a54e961d1aead20b9c4a75b3723d4
SHA1

9a87e7e509175d096477c8d3f2e3bed94f8d646a
SHA256

3ac1adc75ac38013eb7f2aa103c624b7ef5a628333b929841c043890aee42b79
SHA512

c9ffbbcc79198dbb3439976ec1e19c7a01bebd9e74af0a87f240f57cc48e1f1f09c1ee870b3f0690f72f23ffacc5180c6904540eb677b0ec69993b1ae3c0d397
SSDEEP

768:tdhO/poiiUcjlJIn8zH9Xqk5nWEZ5SbTDa/WI7CPW5V:jw+jjgn+H9XqcnW85SbTGWId

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

192.168.1.68

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
appdata
port
4444
startup_name
SysUpd

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Executes dropped EXE 1 IoCs

Processes:

SysUpd.exe

pid process

2928 SysUpd.exe
Loads dropped DLL 1 IoCs

Processes:

SysUpd.exe

pid process

1504 SysUpd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2948 schtasks.exe

pid	process
2928	SysUpd.exe

pid	process
1504	SysUpd.exe

pid	process
2948	schtasks.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

SysUpd.exeSysUpd.exe

description	pid	process	target process
PID 1504 wrote to memory of 2928	1504	SysUpd.exe	SysUpd.exe
PID 1504 wrote to memory of 2928	1504	SysUpd.exe	SysUpd.exe
PID 1504 wrote to memory of 2928	1504	SysUpd.exe	SysUpd.exe
PID 1504 wrote to memory of 2928	1504	SysUpd.exe	SysUpd.exe
PID 2928 wrote to memory of 2948	2928	SysUpd.exe	schtasks.exe
PID 2928 wrote to memory of 2948	2928	SysUpd.exe	schtasks.exe
PID 2928 wrote to memory of 2948	2928	SysUpd.exe	schtasks.exe
PID 2928 wrote to memory of 2948	2928	SysUpd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\SysUpd.exe
"C:\Users\Admin\AppData\Local\Temp\SysUpd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1504

C:\Users\Admin\AppData\Roaming\XenoManager\SysUpd.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\SysUpd.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "SysUpd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp81CD.tmp" /F
3⤵
- Creates scheduled task(s)
PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp81CD.tmp
Filesize
1KB

MD5
561c077a6f6e44fe5e3732633448ee0f

SHA1
d0c8a6f3ca14bb07e5480213bd05b6cded9fdd37

SHA256
ed1feae16131c24c3c9ecad996928a6abb86e5b6095905c7da1531ff2a47ce88

SHA512
5a00840f33b24355dad3049adf99ce04c6da53eff0f08802c0ca49d0ef6cb9b91b10c0b767be1ad9163409800272369655cc94b59d7d7cda7fe25fb6bc367cea

Download Submit
\Users\Admin\AppData\Roaming\XenoManager\SysUpd.exe
Filesize
45KB

MD5
0c0a54e961d1aead20b9c4a75b3723d4

SHA1
9a87e7e509175d096477c8d3f2e3bed94f8d646a

SHA256
3ac1adc75ac38013eb7f2aa103c624b7ef5a628333b929841c043890aee42b79

SHA512
c9ffbbcc79198dbb3439976ec1e19c7a01bebd9e74af0a87f240f57cc48e1f1f09c1ee870b3f0690f72f23ffacc5180c6904540eb677b0ec69993b1ae3c0d397

Download Submit
memory/1504-0-0x0000000000BC0000-0x0000000000BD2000-memory.dmp

Filesize
72KB

Download
memory/1504-1-0x0000000074D80000-0x000000007546E000-memory.dmp

Filesize
6.9MB

Download
memory/1504-10-0x0000000074D80000-0x000000007546E000-memory.dmp

Filesize
6.9MB

Download
memory/2928-9-0x0000000001040000-0x0000000001052000-memory.dmp

Filesize
72KB

Download
memory/2928-11-0x0000000074D80000-0x000000007546E000-memory.dmp

Filesize
6.9MB

Download
memory/2928-14-0x0000000000410000-0x0000000000450000-memory.dmp

Filesize
256KB

Download
memory/2928-15-0x0000000074D80000-0x000000007546E000-memory.dmp

Filesize
6.9MB

Download
memory/2928-16-0x0000000000410000-0x0000000000450000-memory.dmp

Filesize
256KB

Download