Analysis
max time kernel: 152s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-04-2024 23:53
General
Target: htrh.exe
Size: 45KB
MD5: 1fd8b76998446e36a2608d9c58befe46
SHA1: 6d2c6d5cb3ed6542cce48f09f1ad0c7ed0b242f6
SHA256: 7a0d2fa38d41972ef26d4909f4079ea8f4ddaa06394caa4c06937cd933c175ea
SHA512: b0198d4c15726d4b196e7b5ca8b11c6546e21c5800179e1e089ffcc6f822e274bd2e1510f67a5dd230eb6dedaf715320f2c31b3101f76b574b2ece75ba5fd5aa
SSDEEP: 768:3dhO/poiiUcjlJInionH9Xqk5nWEZ5SbTDafWI7CPW5D:tw+jjgnVnH9XqcnW85SbTWWI7
Malware Config
Extracted
xenorat
127.0.0.1
VapePatcher
delay: 5000
install_path: appdata
port: 9999
startup_name: Minecraft Launcher
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                          Process
  Key value queried  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation  htrh.exe

Executes dropped EXE (1 IoC)
  pid   Process
  1292  htrh.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description        ioc                                                                                                                                          Process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000                                             taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                                taskmgr.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                              Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                  taskmgr.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  taskmgr.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  3920  schtasks.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  3680  taskmgr.exe  (64 identical entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  3680  taskmgr.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                      pid   Process
  Token: SeDebugPrivilege          3680  taskmgr.exe
  Token: SeSystemProfilePrivilege  3680  taskmgr.exe
  Token: SeCreateGlobalPrivilege   3680  taskmgr.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
  pid   Process
  3680  taskmgr.exe  (64 identical entries)

Suspicious use of SendNotifyMessage (64 IoCs)
  pid   Process
  3680  taskmgr.exe  (64 identical entries)

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process   procid_target
  PID 2512 wrote to memory of 1292   2512  htrh.exe  95
  PID 2512 wrote to memory of 1292   2512  htrh.exe  95
  PID 2512 wrote to memory of 1292   2512  htrh.exe  95
  PID 1292 wrote to memory of 3920   1292  htrh.exe  97
  PID 1292 wrote to memory of 3920   1292  htrh.exe  97
  PID 1292 wrote to memory of 3920   1292  htrh.exe  97
Processes

C:\Users\Admin\AppData\Local\Temp\htrh.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\htrh.exe"
  PID: 2512
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\XenoManager\htrh.exe
    command line: "C:\Users\Admin\AppData\Roaming\XenoManager\htrh.exe"
    PID: 1292
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      command line: "schtasks.exe" /Create /TN "Minecraft Launcher" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE1B5.tmp" /F
      PID: 3920
      - Creates scheduled task(s)

C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 3680
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
  PID: 3480
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 289d965a2c027c7e0d7956549f91984b
SHA1: 1cce982ef3ea1084ef44ecb68ef744f57cf7196f
SHA256: 39d75a34dcaea3e935448a509f548fe8ebf83a7e33605275bd0755a484a95cbd
SHA512: 02de5e7be4c790fd9226dc3f2e5f9787acc9f310cc9e5dbdd57eb19cf7725bce612c7d4971ad33f0aba15a21a1d51bd0e96bf80a375e2f0b745b4b01b502fb50

Filesize: 45KB
MD5: 1fd8b76998446e36a2608d9c58befe46
SHA1: 6d2c6d5cb3ed6542cce48f09f1ad0c7ed0b242f6
SHA256: 7a0d2fa38d41972ef26d4909f4079ea8f4ddaa06394caa4c06937cd933c175ea
SHA512: b0198d4c15726d4b196e7b5ca8b11c6546e21c5800179e1e089ffcc6f822e274bd2e1510f67a5dd230eb6dedaf715320f2c31b3101f76b574b2ece75ba5fd5aa