Overview

overview

10

Static

static

10

chat.exe

windows7-x64

chat.exe

windows10-2004-x64

Analysis

  • max time kernel
    141s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    13-05-2024 15:43

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    chat.exe

  • Size

    45KB

  • MD5

    87639df87df52ab646411f86c2fce0c3

  • SHA1

    6d6d21dd0af987380edc0b4fafebfc6d3e5d9a1c

  • SHA256

    9c8bf9ebe2a4086492d67929fd36c4918e7d9069d67d3aa43faf24e25cb6bfe0

  • SHA512

    39dacf01b97b0189644533dd545594d8daa755ea6d9cd1a2b61fa4dead15e6a088edf969c1487683fb35a623ac4e22ab0ecbb72bad4e5a9e770c6f0fc986e578

  • SSDEEP

    768:BdhO/poiiUcjlJInwr6BH9Xqk5nWEZ5SbTDaTuI7CPW5Q:/w+jjgndH9XqcnW85SbT2uI4

Score
10/10
xenoratrattrojan

Malware Config

Extracted

Family

xenorat

C2

0.tcp.eu.ngrok.io

Mutex

radnom123_34X41

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    15597

  • startup_name

    window system

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\chat.exe
    "C:\Users\Admin\AppData\Local\Temp\chat.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1872
    • C:\Users\Admin\AppData\Roaming\XenoManager\chat.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\chat.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2180
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "window system" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2B54.tmp" /F
        3⤵
        • Creates scheduled task(s)
        PID:2644
      • C:\Windows\SysWOW64\shutdown.exe
        "C:\Windows\System32\shutdown.exe" /s /t 0
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1568
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x500
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1212
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:2036
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:804

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Persistence

      Scheduled Task/Job

      1
      T1053

      Privilege Escalation

      Scheduled Task/Job

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Web Service

      1
      T1102

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp2B54.tmp
        Filesize

        1KB

        MD5

        b6a77db7c8b31f65bb26c9e724d7fa68

        SHA1

        d0f030fb9977352ff658d4b562c474b3126d6e41

        SHA256

        d4aed55472970da1681ce6ae1ddb9a64ca6369e5aa2dee4a568f7ae78264e182

        SHA512

        cdffa7d32d7b9d4c6d264d2d853d6b5e12718071d1323d24be03f0ea76e18c29e7691514c07a737071d101cbb774837efaf5da1c735bf3062d5f1bbab41e0bd6

        Download Submit
      • \Users\Admin\AppData\Roaming\XenoManager\chat.exe
        Filesize

        45KB

        MD5

        87639df87df52ab646411f86c2fce0c3

        SHA1

        6d6d21dd0af987380edc0b4fafebfc6d3e5d9a1c

        SHA256

        9c8bf9ebe2a4086492d67929fd36c4918e7d9069d67d3aa43faf24e25cb6bfe0

        SHA512

        39dacf01b97b0189644533dd545594d8daa755ea6d9cd1a2b61fa4dead15e6a088edf969c1487683fb35a623ac4e22ab0ecbb72bad4e5a9e770c6f0fc986e578

        Download Submit
      • memory/1872-1-0x0000000000D20000-0x0000000000D32000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1872-0-0x000000007423E000-0x000000007423F000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2180-13-0x0000000073B40000-0x000000007422E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/2180-10-0x0000000001180000-0x0000000001192000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2180-9-0x0000000073B4E000-0x0000000073B4F000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2180-14-0x0000000073B4E000-0x0000000073B4F000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2180-15-0x0000000073B40000-0x000000007422E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/2180-16-0x0000000000A80000-0x0000000000A8A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/2180-17-0x0000000005150000-0x00000000051D2000-memory.dmp
        Filesize

        520KB

        Download
      • memory/2180-18-0x0000000000B70000-0x0000000000B78000-memory.dmp
        Filesize

        32KB

        Download
      • memory/2180-19-0x0000000073B40000-0x000000007422E000-memory.dmp
        Filesize

        6.9MB

        Download