Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-05-2024 02:34
- Static task: static1
- Behavioral task: behavioral1
- Sample: 9c5864e5d700ac53ebd61bd2494d93f9b43e5f74275a7204ff6d04adabcc397d.exe
- Resource: win7-20231129-en
General
- Target: 9c5864e5d700ac53ebd61bd2494d93f9b43e5f74275a7204ff6d04adabcc397d.exe
- Size: 242KB
- MD5: 88569a0094dafd1c5d804534cc6afde4
- SHA1: ccf747db107b4e3a6aae1fb202b2aed36eba8bf4
- SHA256: 9c5864e5d700ac53ebd61bd2494d93f9b43e5f74275a7204ff6d04adabcc397d
- SHA512: 73901b82c35d86cd547dcd7f378d914dcbdfe67b5d8691527e77dfcf9c42fc0b384e6ec527555a98de7e397904923b95ae0d5a48737f6570e6d77bf82baf4352
- SSDEEP: 6144:yEbA05j2yCleJJ2qnqnCQlTDSxL1wy1r41XaulCQGZMlIvBIEPYr+A29F4I:yEbA05jKmJ2qwkL1N1CnlnlIvBIEPYrU
Malware Config
Extracted
- family: xenorat
- C2: dns.requimacofradian.site
- mutex: Xeno_rat_nd8818g
- delay: 60000
- install_path: appdata
- port: 1243
- startup_name: uic
Signatures

Detects executables packed with ConfuserEx Mod (3 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/3004-1-0x0000000000630000-0x0000000000676000-memory.dmp    INDICATOR_EXE_Packed_ConfuserEx
  behavioral2/memory/3004-3-0x000000000DA30000-0x000000000DA70000-memory.dmp    INDICATOR_EXE_Packed_ConfuserEx
  behavioral2/files/0x0007000000023438-22.dat                                   INDICATOR_EXE_Packed_ConfuserEx

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  description         ioc                                                                                                         Process
  Key value queried   \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation        9c5864e5d700ac53ebd61bd2494d93f9b43e5f74275a7204ff6d04adabcc397d.exe

Executes dropped EXE (4 IoCs)
  pid    Process
  1752   9c5864e5d700ac53ebd61bd2494d93f9b43e5f74275a7204ff6d04adabcc397d.exe
  1500   9c5864e5d700ac53ebd61bd2494d93f9b43e5f74275a7204ff6d04adabcc397d.exe
  4524   9c5864e5d700ac53ebd61bd2494d93f9b43e5f74275a7204ff6d04adabcc397d.exe
  4272   9c5864e5d700ac53ebd61bd2494d93f9b43e5f74275a7204ff6d04adabcc397d.exe

Suspicious use of SetThreadContext (6 IoCs)
  description                          pid    Process                                                                  procid_target
  PID 3004 set thread context of 1172  3004   9c5864e5d700ac53ebd61bd2494d93f9b43e5f74275a7204ff6d04adabcc397d.exe    86
  PID 3004 set thread context of 4128  3004   9c5864e5d700ac53ebd61bd2494d93f9b43e5f74275a7204ff6d04adabcc397d.exe    87
  PID 3004 set thread context of 4156  3004   9c5864e5d700ac53ebd61bd2494d93f9b43e5f74275a7204ff6d04adabcc397d.exe    88
  PID 1752 set thread context of 1500  1752   9c5864e5d700ac53ebd61bd2494d93f9b43e5f74275a7204ff6d04adabcc397d.exe    93
  PID 1752 set thread context of 4524  1752   9c5864e5d700ac53ebd61bd2494d93f9b43e5f74275a7204ff6d04adabcc397d.exe    94
  PID 1752 set thread context of 4272  1752   9c5864e5d700ac53ebd61bd2494d93f9b43e5f74275a7204ff6d04adabcc397d.exe    95

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  pid    pid_target   Process        procid_target
  3184   4128         WerFault.exe   87

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid    Process
  2212   schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                pid    Process
  Token: SeDebugPrivilege    3004   9c5864e5d700ac53ebd61bd2494d93f9b43e5f74275a7204ff6d04adabcc397d.exe
  Token: SeDebugPrivilege    1752   9c5864e5d700ac53ebd61bd2494d93f9b43e5f74275a7204ff6d04adabcc397d.exe

Suspicious use of WriteProcessMemory (54 IoCs)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\9c5864e5d700ac53ebd61bd2494d93f9b43e5f74275a7204ff6d04adabcc397d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\9c5864e5d700ac53ebd61bd2494d93f9b43e5f74275a7204ff6d04adabcc397d.exe"
    PID: 3004
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\9c5864e5d700ac53ebd61bd2494d93f9b43e5f74275a7204ff6d04adabcc397d.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\9c5864e5d700ac53ebd61bd2494d93f9b43e5f74275a7204ff6d04adabcc397d.exe
        PID: 1172
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Roaming\XenoManager\9c5864e5d700ac53ebd61bd2494d93f9b43e5f74275a7204ff6d04adabcc397d.exe
            Command line: "C:\Users\Admin\AppData\Roaming\XenoManager\9c5864e5d700ac53ebd61bd2494d93f9b43e5f74275a7204ff6d04adabcc397d.exe"
            PID: 1752
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Roaming\XenoManager\9c5864e5d700ac53ebd61bd2494d93f9b43e5f74275a7204ff6d04adabcc397d.exe
                Command line: C:\Users\Admin\AppData\Roaming\XenoManager\9c5864e5d700ac53ebd61bd2494d93f9b43e5f74275a7204ff6d04adabcc397d.exe
                PID: 1500
                - Executes dropped EXE

            [4] C:\Users\Admin\AppData\Roaming\XenoManager\9c5864e5d700ac53ebd61bd2494d93f9b43e5f74275a7204ff6d04adabcc397d.exe
                Command line: C:\Users\Admin\AppData\Roaming\XenoManager\9c5864e5d700ac53ebd61bd2494d93f9b43e5f74275a7204ff6d04adabcc397d.exe
                PID: 4524
                - Executes dropped EXE

            [4] C:\Users\Admin\AppData\Roaming\XenoManager\9c5864e5d700ac53ebd61bd2494d93f9b43e5f74275a7204ff6d04adabcc397d.exe
                Command line: C:\Users\Admin\AppData\Roaming\XenoManager\9c5864e5d700ac53ebd61bd2494d93f9b43e5f74275a7204ff6d04adabcc397d.exe
                PID: 4272
                - Executes dropped EXE

    [2] C:\Users\Admin\AppData\Local\Temp\9c5864e5d700ac53ebd61bd2494d93f9b43e5f74275a7204ff6d04adabcc397d.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\9c5864e5d700ac53ebd61bd2494d93f9b43e5f74275a7204ff6d04adabcc397d.exe
        PID: 4128

        [3] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 80
            PID: 3184
            - Program crash

    [2] C:\Users\Admin\AppData\Local\Temp\9c5864e5d700ac53ebd61bd2494d93f9b43e5f74275a7204ff6d04adabcc397d.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\9c5864e5d700ac53ebd61bd2494d93f9b43e5f74275a7204ff6d04adabcc397d.exe
        PID: 4156
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: "schtasks.exe" /Create /TN "uic" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1BE0.tmp" /F
            PID: 2212
            - Creates scheduled task(s)

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4128 -ip 4128
    PID: 384
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9c5864e5d700ac53ebd61bd2494d93f9b43e5f74275a7204ff6d04adabcc397d.exe.log
  Filesize: 706B
  MD5: d95c58e609838928f0f49837cab7dfd2
  SHA1: 55e7139a1e3899195b92ed8771d1ca2c7d53c916
  SHA256: 0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339
  SHA512: 405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

- (path not recorded on the page)
  Filesize: 1KB
  MD5: 720de0477b5db121434eae6e4fd59db9
  SHA1: 1600d9be53aa75e06d161fe3b77fb5ca8d233dc1
  SHA256: 6f8cde970e52cc31789d75112a174b48d5c52fdfebd74cb787efef41550e9017
  SHA512: 38b1f7e363185dc81e5554421f4ac48efef22c57c0701a93f8e0b3b53ef75bb5a0145e30c34f86e8b4a61c14d74b2398f44c97045820bdb5b1c6c514cb0e6432

- C:\Users\Admin\AppData\Roaming\XenoManager\9c5864e5d700ac53ebd61bd2494d93f9b43e5f74275a7204ff6d04adabcc397d.exe
  Filesize: 242KB
  MD5: 88569a0094dafd1c5d804534cc6afde4
  SHA1: ccf747db107b4e3a6aae1fb202b2aed36eba8bf4
  SHA256: 9c5864e5d700ac53ebd61bd2494d93f9b43e5f74275a7204ff6d04adabcc397d
  SHA512: 73901b82c35d86cd547dcd7f378d914dcbdfe67b5d8691527e77dfcf9c42fc0b384e6ec527555a98de7e397904923b95ae0d5a48737f6570e6d77bf82baf4352