Analysis
-
max time kernel
141s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
30-04-2024 23:28
General
-
Target
VapePatcher.exe
-
Size
45KB
-
MD5
3f8e6229e3e64f3f79a574391242c85f
-
SHA1
e359200322ca6b4ad8835e56cac72358443228e6
-
SHA256
a24ff59b0bce4cc63c4371d12ef6ac0f98b4aa9282a8ba5938c8829d2344fdde
-
SHA512
6137f27f961933866fc2a085f68b87b16c190ad5395cb22bd1883b0caa7816292cd3ad0e77866e42f387397a5bdad11e4f7dfe2f8c975d76668069f504ab7d6b
-
SSDEEP
768:1dhO/poiiUcjlJInRonH9Xqk5nWEZ5SbTDafWI7CPW5K:Lw+jjgnqnH9XqcnW85SbTWWIC
Malware Config
Extracted
xenorat
127.0.0.1
VapePatcher
-
delay
5000
-
install_path
appdata
-
port
4444
-
startup_name
Minecraft Launcher
Signatures
-
XenorRat
XenorRat is a remote access trojan written in C#.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 41 IoCs
-
Suspicious use of SendNotifyMessage 41 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\VapePatcher.exe"C:\Users\Admin\AppData\Local\Temp\VapePatcher.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\XenoManager\VapePatcher.exe"C:\Users\Admin\AppData\Roaming\XenoManager\VapePatcher.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Create /TN "Minecraft Launcher" /XML "C:\Users\Admin\AppData\Local\Temp\tmp667A.tmp" /F3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
226B
MD5916851e072fbabc4796d8916c5131092
SHA1d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA2567e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA51207ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
Filesize
1KB
MD5b6d7c1932ef5b5ce39f2d75b7677a8cc
SHA1cc49062c579fc8a4feb4bc85ffa0b3ff3e688645
SHA256df63e3912c24aa12fc5dd44b3b97d691c4c2453fed057c1312c87e49b5aad5f6
SHA5129cae32953e51bee85db4d78759ba3f06781659ef11e36d83bc70689130bcafba7778194e404613937305c154b3826a8c12b0c4a18759de734387634f153e9d32
-
Filesize
45KB
MD53f8e6229e3e64f3f79a574391242c85f
SHA1e359200322ca6b4ad8835e56cac72358443228e6
SHA256a24ff59b0bce4cc63c4371d12ef6ac0f98b4aa9282a8ba5938c8829d2344fdde
SHA5126137f27f961933866fc2a085f68b87b16c190ad5395cb22bd1883b0caa7816292cd3ad0e77866e42f387397a5bdad11e4f7dfe2f8c975d76668069f504ab7d6b
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB