Analysis
-
max time kernel
92s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
21-04-2024 19:34
General
-
Target
http://gofile.io/d/lkglpw
Malware Config
Extracted
xenorat
127.0.0.1
bypass
-
delay
5000
-
install_path
nothingset
-
port
4444
-
startup_name
nothingset
Signatures
-
XenorRat
XenorRat is a remote access trojan written in C#.
-
Downloads MZ/PE file
-
Executes dropped EXE 8 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of FindShellTrayWindow 35 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://gofile.io/d/lkglpw1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd718c46f8,0x7ffd718c4708,0x7ffd718c47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,11360312349512818863,5619815215461989411,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,11360312349512818863,5619815215461989411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,11360312349512818863,5619815215461989411,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11360312349512818863,5619815215461989411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11360312349512818863,5619815215461989411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11360312349512818863,5619815215461989411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11360312349512818863,5619815215461989411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11360312349512818863,5619815215461989411,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,11360312349512818863,5619815215461989411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,11360312349512818863,5619815215461989411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11360312349512818863,5619815215461989411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11360312349512818863,5619815215461989411,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11360312349512818863,5619815215461989411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,11360312349512818863,5619815215461989411,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5648 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11360312349512818863,5619815215461989411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2124,11360312349512818863,5619815215461989411,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5704 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,11360312349512818863,5619815215461989411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\driverload.exe"C:\Users\Admin\Downloads\driverload.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Downloads\driverload.exe"C:\Users\Admin\Downloads\driverload.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Downloads\driverload.exe"C:\Users\Admin\Downloads\driverload.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Downloads\driverload.exe"C:\Users\Admin\Downloads\driverload.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Downloads\driverload.exe"C:\Users\Admin\Downloads\driverload.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Downloads\driverload.exe"C:\Users\Admin\Downloads\driverload.exe"2⤵
- Executes dropped EXE
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\driverload.exe"C:\Users\Admin\Downloads\driverload.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\driverload.exe"C:\Users\Admin\Downloads\driverload.exe"1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
226B
MD5916851e072fbabc4796d8916c5131092
SHA1d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA2567e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA51207ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
Filesize
152B
MD57b56675b54840d86d49bde5a1ff8af6a
SHA1fe70a1b85f88d60f3ba9fc7bb5f81fc41e150811
SHA25686af7213f410df65d0937f4331f783160f30eaeb088e28a9eef461713b9a3929
SHA51211fc61b83365391efee8084de5c2af7e064f0182b943a0db08d95a0f450d3877bde5b5e6a6b9f008e58b709bb1a34f7b50085c41927f091df1eea78f039402e9
-
Filesize
152B
MD548cff1baabb24706967de3b0d6869906
SHA1b0cd54f587cd4c88e60556347930cb76991e6734
SHA256f6b5fbc610a71b3914753feb2bd4475a7c77d0d785cc36255bf93b3fe3ccb775
SHA512fd0c848f3f9de81aca81af999262f96ea4c1cd1d1f32d304f56c7382f3b1bb604e5fbe9f209ad6e4b38988d92357ef82e9668806d0727f2856c7dc1f07aae2b6
-
Filesize
288B
MD5e46dbbb2908c1530b995e7ba1eda745b
SHA11cd4f553a04161f49b2472b65c2c7c26ef3ece2a
SHA2565adcfbdb42cf22c57d3453b8915258d46a91f6b18e2b781924f1ef20ec41ba5c
SHA512b355f5a64e7dbd94542225a0418c48abeaea50b69d8b679ede1cd7bf3ef935890fa270f6b0674b4844b83a1cdf13422b543e8726fa4f3a5bc20463369e46a7e1
-
Filesize
336B
MD5785914af1bc05a199ea62bc55e746da8
SHA1b2f6a55758b3b0323bc122a3539c9ae447aafe82
SHA256bfb187afcf7fc939d7fc5ec558879330453241e97f3cdc1ac3f0bd7b5f2d8597
SHA512e9ab2a2cea787e6ccac97454251c23ef791a2720490a559db24f1fb2b89719633a37bdf641c567e70c4943bf7ae331a3cd1ac42b7823773c6b29df434e2385f1
-
Filesize
317B
MD5f7882637afc8b3a8573ee92354ac52fd
SHA157f51eab9658e1b2125ceb9f2542b238638210ca
SHA256f283cbe13d4f8e24cbcab3dd49e62a50d45ca40080cccdb55d2b7e0ec2d90ae9
SHA51225dc3f0569e9e4e01d11b8362e068f19590b4f81dfec23c89beba2edca96436a150d31f4c747622ff9484939ad98bb2e7a0b3553fe7388f49b0d3fb24c4a6baa
-
Filesize
6KB
MD5f91a902588dd207b753445b96eba02dd
SHA163f073d496f40141dd87bf850e855957a396faf8
SHA2568b6387e6b6cea0682f47e03a4f509004e6c94b3a66e48333873baf7bcd03fc8f
SHA512e5b9ffeb357e8cf2daa11342c8811e0ff3644076f248db909056f65190d8aea2138995b1e4789774196aad250cae62c12d358e5ba37a099592d38daa27e6e013
-
Filesize
6KB
MD55713d6dcdf045d16fdce14afe9bdcfcf
SHA13a46cab79adf5fae9826384b5793043ebcbb554c
SHA2569425363c0062820a614329f22ea4208e4fb6b85c75dfe0a2dbf52905bd41ef90
SHA5124da3450d7041bfe3fe2e53b04f5f7276f741d1cea10e9b53b024d89bcacca75bfd17f1547af28855859ca88b51d5132965c6837456866f675529922914bcc4f8
-
Filesize
6KB
MD51e137f61a4f61361c9407a44479a2565
SHA1cd69bb07fd6456aa12c6701269e810e0123898ab
SHA25636ade8d6ab9f9b1924676de4877e6ad9615936fe6eff214110b11737301b36a7
SHA51269e1f64cfb50f2222cff1c908983f8dd63bdf8531d538b8a37f5d20efa1056f59a86138a5abbb3653d1fe665d8ddb953dd44e72ea593c34d5b2f6c854b0500bb
-
Filesize
370B
MD50627dd655b1fd1e7c98ecbd92aac42b7
SHA18adabdfaad8d17b76b69e33a18df9c62d149b538
SHA2560fd394b0de47e2f936bc4a6a133fe522370b18b7feaa670f4bed19d8a72b2efc
SHA512011a3242a54713db574001866df5ce22d35a5ad5e5b659adc9dcc3bbbe9b9e527ab0657820814f572e7ffc7937ec8a619fc6d7f894bb006508c1abb9a1873c6e
-
Filesize
370B
MD5a68244ed7ca3d36d9477065a320fb400
SHA1e7aa889fa9cbadbe74b1dec76fad6bc961e4e982
SHA25690eb00368606e426e88c559b55a82f98559e7a6cb2b5a5b1071445a6732a51b8
SHA512aabe16c273fa953fe5656572b4f686d5e5cbb258beae8ca873ea35df2b72c397e9dc644b1cc462b3a95b50254090a82bd9728b3965d3904d472269b1a57e23df
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5c91af48892be155f3a4f5c5db61d9685
SHA171672e22decc3b69b47cc6de8e24bac77f6c3bae
SHA2567ce10f2c349dd2393476ceb4095e688ea74e1fbe591c791d087abf24cfd48ad5
SHA5127467b1e39e94529908a0476c54f178e811697794c522f405b6abbb32ede464408712cd2002ea3ea37f325dfb4c26eeedc7db79c33a7aa435093fb2e6f8d0c866
-
Filesize
11KB
MD50b3ecd144efaca4a12a122caefb301d2
SHA100f60ae0473c2f69016f7b0b5bff1e233b5a5d16
SHA256c364abeccaad68f67d9a1fbc9597f2303eebefc0168336883540035f06a725a2
SHA51214eebe411f8e81b8024f4d0407372bbff57264cca6ad7d91cedf4d73b7bff083f174fc050ee6108b2e14fa01dfeb75f976cd04c23c2f7acf7e591e3bc2491f5d
-
Filesize
45KB
MD5bdec688b1e69cc82aee4a9e4033a62af
SHA132159419140b54455b90f8a0f095692906d81e6d
SHA256be1aeeccf8149d9a9feb1a2d4d860f75536397194ce440867bc686a454aa1e46
SHA51251fee0708fe97c8ac05d7e469bccecccb067813105e2ed214947c9353a9473c9a0c898a4fe84ac5fdb23c056110042c31435c59959df5d008d1f797d45192035
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB