Overview

overview

10

Static

static

10

SysUpd.exe

windows7-x64

10

SysUpd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-04-2024 06:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SysUpd.exe

  • Size

    45KB

  • MD5

    0c0a54e961d1aead20b9c4a75b3723d4

  • SHA1

    9a87e7e509175d096477c8d3f2e3bed94f8d646a

  • SHA256

    3ac1adc75ac38013eb7f2aa103c624b7ef5a628333b929841c043890aee42b79

  • SHA512

    c9ffbbcc79198dbb3439976ec1e19c7a01bebd9e74af0a87f240f57cc48e1f1f09c1ee870b3f0690f72f23ffacc5180c6904540eb677b0ec69993b1ae3c0d397

  • SSDEEP

    768:tdhO/poiiUcjlJIn8zH9Xqk5nWEZ5SbTDa/WI7CPW5V:jw+jjgn+H9XqcnW85SbTGWId

Score
10/10
xenoratrattrojan

Malware Config

Extracted

Family

xenorat

C2

192.168.1.68

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    4444

  • startup_name

    SysUpd

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SysUpd.exe
    "C:\Users\Admin\AppData\Local\Temp\SysUpd.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:864
    • C:\Users\Admin\AppData\Roaming\XenoManager\SysUpd.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\SysUpd.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4284
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "SysUpd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF82B.tmp" /F
        3⤵
        • Creates scheduled task(s)
        PID:4792
  • C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\Desktop\RequestPush.ppsm" /ou ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3572
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4364
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4012 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:2192

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmpF82B.tmp
        Filesize

        1KB

        MD5

        561c077a6f6e44fe5e3732633448ee0f

        SHA1

        d0c8a6f3ca14bb07e5480213bd05b6cded9fdd37

        SHA256

        ed1feae16131c24c3c9ecad996928a6abb86e5b6095905c7da1531ff2a47ce88

        SHA512

        5a00840f33b24355dad3049adf99ce04c6da53eff0f08802c0ca49d0ef6cb9b91b10c0b767be1ad9163409800272369655cc94b59d7d7cda7fe25fb6bc367cea

        Download Submit

      • C:\Users\Admin\AppData\Roaming\XenoManager\SysUpd.exe
        Filesize

        45KB

        MD5

        0c0a54e961d1aead20b9c4a75b3723d4

        SHA1

        9a87e7e509175d096477c8d3f2e3bed94f8d646a

        SHA256

        3ac1adc75ac38013eb7f2aa103c624b7ef5a628333b929841c043890aee42b79

        SHA512

        c9ffbbcc79198dbb3439976ec1e19c7a01bebd9e74af0a87f240f57cc48e1f1f09c1ee870b3f0690f72f23ffacc5180c6904540eb677b0ec69993b1ae3c0d397

        Download Submit

      • memory/864-0-0x00000000744E0000-0x0000000074C90000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/864-1-0x0000000000010000-0x0000000000022000-memory.dmp

        Filesize

        72KB

        Download

      • memory/864-16-0x00000000744E0000-0x0000000074C90000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3572-23-0x00007FF9A4270000-0x00007FF9A4465000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3572-26-0x00007FF9A4270000-0x00007FF9A4465000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3572-18-0x00007FF9642F0000-0x00007FF964300000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3572-19-0x00007FF9A4270000-0x00007FF9A4465000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3572-20-0x00007FF9642F0000-0x00007FF964300000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3572-21-0x00007FF9A4270000-0x00007FF9A4465000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3572-22-0x00007FF9642F0000-0x00007FF964300000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3572-51-0x00007FF9A4270000-0x00007FF9A4465000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3572-24-0x00007FF9A4270000-0x00007FF9A4465000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3572-17-0x00007FF9642F0000-0x00007FF964300000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3572-25-0x00007FF9642F0000-0x00007FF964300000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3572-27-0x00007FF9A4270000-0x00007FF9A4465000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3572-28-0x00007FF962170000-0x00007FF962180000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3572-29-0x00007FF962170000-0x00007FF962180000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3572-50-0x00007FF9A4270000-0x00007FF9A4465000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4284-48-0x00000000744E0000-0x0000000074C90000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4284-49-0x0000000004A00000-0x0000000004A10000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4284-14-0x00000000744E0000-0x0000000074C90000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4284-15-0x0000000004A00000-0x0000000004A10000-memory.dmp

        Filesize

        64KB

        Download