xenorat | 3ac1adc75ac38013eb7f2aa103c624b7ef5a628333b929841c043890aee42b79

General

Target

SysUpd.exe
Size

45KB
MD5

0c0a54e961d1aead20b9c4a75b3723d4
SHA1

9a87e7e509175d096477c8d3f2e3bed94f8d646a
SHA256

3ac1adc75ac38013eb7f2aa103c624b7ef5a628333b929841c043890aee42b79
SHA512

c9ffbbcc79198dbb3439976ec1e19c7a01bebd9e74af0a87f240f57cc48e1f1f09c1ee870b3f0690f72f23ffacc5180c6904540eb677b0ec69993b1ae3c0d397
SSDEEP

768:tdhO/poiiUcjlJIn8zH9Xqk5nWEZ5SbTDa/WI7CPW5V:jw+jjgn+H9XqcnW85SbTGWId

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

C2

192.168.1.68

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
appdata
port
4444
startup_name
SysUpd

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

SysUpd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation SysUpd.exe
Executes dropped EXE 1 IoCs

Processes:

SysUpd.exe

pid process

4284 SysUpd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	SysUpd.exe

pid	process
4284	SysUpd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4792 schtasks.exe

pid	process
4792	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

3572 POWERPNT.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

POWERPNT.EXE

pid process

3572 POWERPNT.EXE
3572 POWERPNT.EXE

pid	process
3572	POWERPNT.EXE

pid	process
3572	POWERPNT.EXE
3572	POWERPNT.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

SysUpd.exeSysUpd.exe

description	pid	process	target process
PID 864 wrote to memory of 4284	864	SysUpd.exe	SysUpd.exe
PID 864 wrote to memory of 4284	864	SysUpd.exe	SysUpd.exe
PID 864 wrote to memory of 4284	864	SysUpd.exe	SysUpd.exe
PID 4284 wrote to memory of 4792	4284	SysUpd.exe	schtasks.exe
PID 4284 wrote to memory of 4792	4284	SysUpd.exe	schtasks.exe
PID 4284 wrote to memory of 4792	4284	SysUpd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\SysUpd.exe
"C:\Users\Admin\AppData\Local\Temp\SysUpd.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:864

C:\Users\Admin\AppData\Roaming\XenoManager\SysUpd.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\SysUpd.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "SysUpd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF82B.tmp" /F
3⤵
- Creates scheduled task(s)
PID:4792

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\Desktop\RequestPush.ppsm" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3572

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4012 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
1⤵
PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF82B.tmp
Filesize
1KB

MD5
561c077a6f6e44fe5e3732633448ee0f

SHA1
d0c8a6f3ca14bb07e5480213bd05b6cded9fdd37

SHA256
ed1feae16131c24c3c9ecad996928a6abb86e5b6095905c7da1531ff2a47ce88

SHA512
5a00840f33b24355dad3049adf99ce04c6da53eff0f08802c0ca49d0ef6cb9b91b10c0b767be1ad9163409800272369655cc94b59d7d7cda7fe25fb6bc367cea

Download Submit
C:\Users\Admin\AppData\Roaming\XenoManager\SysUpd.exe
Filesize
45KB

MD5
0c0a54e961d1aead20b9c4a75b3723d4

SHA1
9a87e7e509175d096477c8d3f2e3bed94f8d646a

SHA256
3ac1adc75ac38013eb7f2aa103c624b7ef5a628333b929841c043890aee42b79

SHA512
c9ffbbcc79198dbb3439976ec1e19c7a01bebd9e74af0a87f240f57cc48e1f1f09c1ee870b3f0690f72f23ffacc5180c6904540eb677b0ec69993b1ae3c0d397

Download Submit
memory/864-0-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/864-1-0x0000000000010000-0x0000000000022000-memory.dmp

Filesize
72KB

Download
memory/864-16-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/3572-23-0x00007FF9A4270000-0x00007FF9A4465000-memory.dmp

Filesize
2.0MB

Download
memory/3572-26-0x00007FF9A4270000-0x00007FF9A4465000-memory.dmp

Filesize
2.0MB

Download
memory/3572-18-0x00007FF9642F0000-0x00007FF964300000-memory.dmp

Filesize
64KB

Download
memory/3572-19-0x00007FF9A4270000-0x00007FF9A4465000-memory.dmp

Filesize
2.0MB

Download
memory/3572-20-0x00007FF9642F0000-0x00007FF964300000-memory.dmp

Filesize
64KB

Download
memory/3572-21-0x00007FF9A4270000-0x00007FF9A4465000-memory.dmp

Filesize
2.0MB

Download
memory/3572-22-0x00007FF9642F0000-0x00007FF964300000-memory.dmp

Filesize
64KB

Download
memory/3572-51-0x00007FF9A4270000-0x00007FF9A4465000-memory.dmp

Filesize
2.0MB

Download
memory/3572-24-0x00007FF9A4270000-0x00007FF9A4465000-memory.dmp

Filesize
2.0MB

Download
memory/3572-17-0x00007FF9642F0000-0x00007FF964300000-memory.dmp

Filesize
64KB

Download
memory/3572-25-0x00007FF9642F0000-0x00007FF964300000-memory.dmp

Filesize
64KB

Download
memory/3572-27-0x00007FF9A4270000-0x00007FF9A4465000-memory.dmp

Filesize
2.0MB

Download
memory/3572-28-0x00007FF962170000-0x00007FF962180000-memory.dmp

Filesize
64KB

Download
memory/3572-29-0x00007FF962170000-0x00007FF962180000-memory.dmp

Filesize
64KB

Download
memory/3572-50-0x00007FF9A4270000-0x00007FF9A4465000-memory.dmp

Filesize
2.0MB

Download
memory/4284-48-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/4284-49-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/4284-14-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/4284-15-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads