xenorat | 1ad07ccab43270cd5edc95e993836fa170e29f1b3406c9b69b3667cad7a1e753

Analysis

max time kernel
99s
max time network
109s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

corruptedmodz cheat.exe
Size

45KB
MD5

d46727b08dc65590b4bf19822d69de8a
SHA1

baf05760cc92a7fb4d09c5feff975a0581c23b6f
SHA256

1ad07ccab43270cd5edc95e993836fa170e29f1b3406c9b69b3667cad7a1e753
SHA512

068573c0d670753b14bf3cfd81a5c6e291991a5e9834db20f55d9d2b67b70c8a3db532b7e08b551605f0d76144a1b5ea0d6be94e66652449ff383315a8c6c131
SSDEEP

768:xdhO/poiiUcjlJIn0QH9Xqk5nWEZ5SbTDa/WI7CPW5v:vw+jjgnNH9XqcnW85SbTGWI3

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

thought-rolls.gl.at.ply.gg

Mutex

23y7-bdgd-2cb

Attributes

delay
3000
install_path
appdata
port
45999
startup_name
runtimebroker

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Executes dropped EXE 1 IoCs

Processes:

corruptedmodz cheat.exe

pid process

2112 corruptedmodz cheat.exe
Loads dropped DLL 1 IoCs

Processes:

corruptedmodz cheat.exe

pid process

2116 corruptedmodz cheat.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2728 schtasks.exe

pid	process
2112	corruptedmodz cheat.exe

pid	process
2116	corruptedmodz cheat.exe

pid	process
2728	schtasks.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

corruptedmodz cheat.execorruptedmodz cheat.exe

description	pid	process	target process
PID 2116 wrote to memory of 2112	2116	corruptedmodz cheat.exe	corruptedmodz cheat.exe
PID 2116 wrote to memory of 2112	2116	corruptedmodz cheat.exe	corruptedmodz cheat.exe
PID 2116 wrote to memory of 2112	2116	corruptedmodz cheat.exe	corruptedmodz cheat.exe
PID 2116 wrote to memory of 2112	2116	corruptedmodz cheat.exe	corruptedmodz cheat.exe
PID 2112 wrote to memory of 2728	2112	corruptedmodz cheat.exe	schtasks.exe
PID 2112 wrote to memory of 2728	2112	corruptedmodz cheat.exe	schtasks.exe
PID 2112 wrote to memory of 2728	2112	corruptedmodz cheat.exe	schtasks.exe
PID 2112 wrote to memory of 2728	2112	corruptedmodz cheat.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\corruptedmodz cheat.exe
"C:\Users\Admin\AppData\Local\Temp\corruptedmodz cheat.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116

C:\Users\Admin\AppData\Roaming\XenoManager\corruptedmodz cheat.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\corruptedmodz cheat.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "runtimebroker" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3350.tmp" /F
3⤵
- Creates scheduled task(s)
PID:2728

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2560

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3350.tmp
Filesize
1KB

MD5
5ea794b6500013fd6697dd41233b46b5

SHA1
b619c60b383aebcadba55d11572a80656f781318

SHA256
b51305cbb1a160e98a1f9274fc273c535cf57cda2e77fffe2f2254f9a19d179f

SHA512
576e164275dd5b92e9463e3f168f5c0f3c6a91797233ff0557d6ee547b4b0da688ffc2b95a29a8e84de1c038724a68016fc82f1fe4c834e1ec7105684c3b6412

Download Submit
\Users\Admin\AppData\Roaming\XenoManager\corruptedmodz cheat.exe
Filesize
45KB

MD5
d46727b08dc65590b4bf19822d69de8a

SHA1
baf05760cc92a7fb4d09c5feff975a0581c23b6f

SHA256
1ad07ccab43270cd5edc95e993836fa170e29f1b3406c9b69b3667cad7a1e753

SHA512
068573c0d670753b14bf3cfd81a5c6e291991a5e9834db20f55d9d2b67b70c8a3db532b7e08b551605f0d76144a1b5ea0d6be94e66652449ff383315a8c6c131

Download Submit
memory/2112-9-0x0000000000D70000-0x0000000000D82000-memory.dmp

Filesize
72KB

Download
memory/2112-10-0x00000000748D0000-0x0000000074FBE000-memory.dmp

Filesize
6.9MB

Download
memory/2112-13-0x00000000748D0000-0x0000000074FBE000-memory.dmp

Filesize
6.9MB

Download
memory/2112-14-0x00000000748D0000-0x0000000074FBE000-memory.dmp

Filesize
6.9MB

Download
memory/2112-15-0x00000000748D0000-0x0000000074FBE000-memory.dmp

Filesize
6.9MB

Download
memory/2116-0-0x00000000748DE000-0x00000000748DF000-memory.dmp

Filesize
4KB

Download
memory/2116-1-0x0000000000290000-0x00000000002A2000-memory.dmp

Filesize
72KB

Download