Analysis

  • max time kernel
    131s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    17/04/2024, 03:19 UTC

General

  • Target

    XenarWare.exe

  • Size

    59KB

  • MD5

    88f95b4a2d5af8ee7893a11abecb6ace

  • SHA1

    5c349881da20c6ad25d7eabeaa41d1ae2d2ad8f2

  • SHA256

    af67708e9be6571551147ff1840a555cadd1ea0150a91001e00904a8cc7881b6

  • SHA512

    996fb4ec5a81648a2e5b706d95185b0ae73c65744a146e70bf06db076882474fc677a9095430ecbda108cbc6357ae3de4a1407eafd3a7a9e915f11476eaa0c20

  • SSDEEP

    1536:ZrPJVKjbcknWSOYvTfkWkFM79yQVo5hWyZM+c:ZLJMjbcHDdMwQKDW7

Score
7/10
upx

Malware Config

Signatures

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XenarWare.exe
    "C:\Users\Admin\AppData\Local\Temp\XenarWare.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2920
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3DBC.tmp\3DBD.tmp\3DBE.bat C:\Users\Admin\AppData\Local\Temp\XenarWare.exe"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2952
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:2600

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3DBC.tmp\3DBD.tmp\3DBE.bat

      Filesize

      2KB

      MD5

      51737caef60bc780cc1493e2a402ecfa

      SHA1

      26939c4fcc49b780ad4ef1023e8b12714417d0d5

      SHA256

      83897f7fd4fcf3800460c570c15546f40dd62ce6d4859c6cb60573c2e9afb1de

      SHA512

      0191edf228646a36dbda406000f717056c3b0227a9c233906b99b378a3ee09173caa3f2a68ced100028ae07e8931868d44368e5d77f24cd7dee9a73f6dedd6a5

    • memory/2920-0-0x0000000140000000-0x0000000140028000-memory.dmp

      Filesize

      160KB

    • memory/2920-18-0x0000000140000000-0x0000000140028000-memory.dmp

      Filesize

      160KB

    • memory/2952-13-0x00000000020D0000-0x00000000020D1000-memory.dmp

      Filesize

      4KB

    • memory/2952-19-0x00000000020D0000-0x00000000020D1000-memory.dmp

      Filesize

      4KB

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.