Analysis
-
max time kernel
131s -
max time network
133s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
17/04/2024, 03:19 UTC
Behavioral task
behavioral1
Sample
XenarWare.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
XenarWare.exe
Resource
win10v2004-20240412-en
General
-
Target
XenarWare.exe
-
Size
59KB
-
MD5
88f95b4a2d5af8ee7893a11abecb6ace
-
SHA1
5c349881da20c6ad25d7eabeaa41d1ae2d2ad8f2
-
SHA256
af67708e9be6571551147ff1840a555cadd1ea0150a91001e00904a8cc7881b6
-
SHA512
996fb4ec5a81648a2e5b706d95185b0ae73c65744a146e70bf06db076882474fc677a9095430ecbda108cbc6357ae3de4a1407eafd3a7a9e915f11476eaa0c20
-
SSDEEP
1536:ZrPJVKjbcknWSOYvTfkWkFM79yQVo5hWyZM+c:ZLJMjbcHDdMwQKDW7
Malware Config
Signatures
-
resource yara_rule behavioral1/memory/2920-0-0x0000000140000000-0x0000000140028000-memory.dmp upx behavioral1/memory/2920-18-0x0000000140000000-0x0000000140028000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2952 cmd.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2952 cmd.exe 2952 cmd.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2920 wrote to memory of 2952 2920 XenarWare.exe 29 PID 2920 wrote to memory of 2952 2920 XenarWare.exe 29 PID 2920 wrote to memory of 2952 2920 XenarWare.exe 29 PID 2952 wrote to memory of 2600 2952 cmd.exe 30 PID 2952 wrote to memory of 2600 2952 cmd.exe 30 PID 2952 wrote to memory of 2600 2952 cmd.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\XenarWare.exe"C:\Users\Admin\AppData\Local\Temp\XenarWare.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3DBC.tmp\3DBD.tmp\3DBE.bat C:\Users\Admin\AppData\Local\Temp\XenarWare.exe"2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\system32\chcp.comchcp 650013⤵PID:2600
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD551737caef60bc780cc1493e2a402ecfa
SHA126939c4fcc49b780ad4ef1023e8b12714417d0d5
SHA25683897f7fd4fcf3800460c570c15546f40dd62ce6d4859c6cb60573c2e9afb1de
SHA5120191edf228646a36dbda406000f717056c3b0227a9c233906b99b378a3ee09173caa3f2a68ced100028ae07e8931868d44368e5d77f24cd7dee9a73f6dedd6a5