xenorat | 66621a34a0482c2cd3d90ac3b702c5dd9bbef332927e2f5f2d374a2f80a151f5

General

Target

corruptedmodz_rat.rar
Size

19KB
MD5

682dd444e32d545fde8aac4ef34cb851
SHA1

71326c2cfa046b736e1f56dd6c9a110e63079c69
SHA256

66621a34a0482c2cd3d90ac3b702c5dd9bbef332927e2f5f2d374a2f80a151f5
SHA512

dea532aaeaae71617730babc6bf865da2cb7162059e1dae6bd4d70dcd7e40d994be5b3c49a018325ed742f35ed63fc316680880fc0606c2a713e981068ea0c79
SSDEEP

384:KEoI1DrzguMDOvweY4Yo0uBI1J6XYwjyozVfeB14FuJJY:K8muMDAY4Yo5IDhwjyQVmfJY

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

C2

thought-rolls.gl.at.ply.gg

Mutex

23y7-bdgd-2cb

Attributes

delay
3000
install_path
appdata
port
45999
startup_name
runtimebroker

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	corruptedmodz rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 6 IoCs

pid	Process
2268	corruptedmodz rat.exe
5000	corruptedmodz rat.exe
1500	corruptedmodz rat.exe
4508	corruptedmodz rat.exe
1536	corruptedmodz rat.exe
2080	corruptedmodz rat.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2516	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2488	7zFM.exe
2488	7zFM.exe
2488	7zFM.exe
2488	7zFM.exe
2488	7zFM.exe
2488	7zFM.exe
2488	7zFM.exe
2488	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2488	7zFM.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2488	7zFM.exe
Token: 35	2488	7zFM.exe
Token: SeSecurityPrivilege	2488	7zFM.exe
Token: SeSecurityPrivilege	2488	7zFM.exe
Token: SeSecurityPrivilege	2488	7zFM.exe
Token: SeSecurityPrivilege	2488	7zFM.exe
Token: SeSecurityPrivilege	2488	7zFM.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2488	7zFM.exe
2488	7zFM.exe
2488	7zFM.exe
2488	7zFM.exe
2488	7zFM.exe
2488	7zFM.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3520 wrote to memory of 2488	3520	cmd.exe	93
PID 3520 wrote to memory of 2488	3520	cmd.exe	93
PID 2488 wrote to memory of 2268	2488	7zFM.exe	96
PID 2488 wrote to memory of 2268	2488	7zFM.exe	96
PID 2488 wrote to memory of 2268	2488	7zFM.exe	96
PID 2488 wrote to memory of 5000	2488	7zFM.exe	102
PID 2488 wrote to memory of 5000	2488	7zFM.exe	102
PID 2488 wrote to memory of 5000	2488	7zFM.exe	102
PID 5000 wrote to memory of 2516	5000	corruptedmodz rat.exe	107
PID 5000 wrote to memory of 2516	5000	corruptedmodz rat.exe	107
PID 5000 wrote to memory of 2516	5000	corruptedmodz rat.exe	107
PID 2268 wrote to memory of 1500	2268	corruptedmodz rat.exe	109
PID 2268 wrote to memory of 1500	2268	corruptedmodz rat.exe	109
PID 2268 wrote to memory of 1500	2268	corruptedmodz rat.exe	109
PID 2488 wrote to memory of 4508	2488	7zFM.exe	110
PID 2488 wrote to memory of 4508	2488	7zFM.exe	110
PID 2488 wrote to memory of 4508	2488	7zFM.exe	110
PID 2488 wrote to memory of 1536	2488	7zFM.exe	111
PID 2488 wrote to memory of 1536	2488	7zFM.exe	111
PID 2488 wrote to memory of 1536	2488	7zFM.exe	111
PID 2488 wrote to memory of 2080	2488	7zFM.exe	112
PID 2488 wrote to memory of 2080	2488	7zFM.exe	112
PID 2488 wrote to memory of 2080	2488	7zFM.exe	112

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\corruptedmodz_rat.rar
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\corruptedmodz_rat.rar"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Users\Admin\AppData\Local\Temp\7zO8B980A18\corruptedmodz rat.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO8B980A18\corruptedmodz rat.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Users\Admin\AppData\Roaming\XenoManager\corruptedmodz rat.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\corruptedmodz rat.exe"
      4⤵
      Executes dropped EXE
      PID:1500
- - C:\Users\Admin\AppData\Local\Temp\7zO8B985748\corruptedmodz rat.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO8B985748\corruptedmodz rat.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "runtimebroker" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAAB2.tmp" /F
      4⤵
      Creates scheduled task(s)
      PID:2516
- - C:\Users\Admin\AppData\Local\Temp\7zO8B9920E8\corruptedmodz rat.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO8B9920E8\corruptedmodz rat.exe"
    3⤵
    - Executes dropped EXE
    PID:4508
- - C:\Users\Admin\AppData\Local\Temp\7zO8B9089C8\corruptedmodz rat.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO8B9089C8\corruptedmodz rat.exe"
    3⤵
    - Executes dropped EXE
    PID:1536
- - C:\Users\Admin\AppData\Local\Temp\7zO8B9AB319\corruptedmodz rat.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO8B9AB319\corruptedmodz rat.exe"
    3⤵
    - Executes dropped EXE
    PID:2080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:4432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\corruptedmodz rat.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8B980A18\corruptedmodz rat.exe

Filesize
45KB

MD5
d46727b08dc65590b4bf19822d69de8a

SHA1
baf05760cc92a7fb4d09c5feff975a0581c23b6f

SHA256
1ad07ccab43270cd5edc95e993836fa170e29f1b3406c9b69b3667cad7a1e753

SHA512
068573c0d670753b14bf3cfd81a5c6e291991a5e9834db20f55d9d2b67b70c8a3db532b7e08b551605f0d76144a1b5ea0d6be94e66652449ff383315a8c6c131

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAAB2.tmp

Filesize
1KB

MD5
1db70558eb40d4eb5efd1fa418916e67

SHA1
812db7a0bd3d4f99bc59626d5fe8eb6c2fb0681e

SHA256
209b51a143bd05df031b957ebe944ceaec7573c060c78fd235b141f1b315f256

SHA512
6a84cc252543ce32d09a379db07b500bc035f4a74d2874464ceeb5136304f3337b567cc479950b2a79e839be2a2d1d66aa020d342b445e59af1e3eac65b9ea3c

Download Submit
memory/5000-24-0x00000000008B0000-0x00000000008C2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads