Analysis
max time kernel: 117s
max time network: 146s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
submitted: 13-05-2024 18:36
Behavioral task
behavioral1
Sample
neverlosecrack laucher.exe
Resource
win7-20240508-en
General
Target: neverlosecrack laucher.exe
Size: 45KB
MD5: 4a0a8d2a6a0c3a9b727296563cb71690
SHA1: b764251a6d82e236c5f652b8a43e5c86c89b8985
SHA256: c6869ec4d346b01fb2a17166558038d66840cbe7a4e4a26a2e9a6d29225e699d
SHA512: 67b68497b3206376a0d364400bfe065fd13f834aced15645afc4315a9097a3e03784eab746a37e11ea4c61f7174998ddb85461d7544b1df350cc12c0def872cc
SSDEEP: 768:BdhO/poiiUcjlJInJr6BH9Xqk5nWEZ5SbTDaTuI7CPW5Q:/w+jjgniH9XqcnW85SbT2uI4
Malware Config
Extracted
xenorat
0.tcp.eu.ngrok.io
radnom123_34X41
delay: 5000
install_path: appdata
port: 14119
startup_name: window system
Signatures
Executes dropped EXE (1 IoC)
Processes:
pid  process
2344 neverlosecrack laucher.exe

Loads dropped DLL (1 IoC)
Processes:
pid  process
1640 neverlosecrack laucher.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 1 IoC)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description                    pid  process                    target process
PID 1640 wrote to memory of 2344  1640 neverlosecrack laucher.exe  neverlosecrack laucher.exe
PID 1640 wrote to memory of 2344  1640 neverlosecrack laucher.exe  neverlosecrack laucher.exe
PID 1640 wrote to memory of 2344  1640 neverlosecrack laucher.exe  neverlosecrack laucher.exe
PID 1640 wrote to memory of 2344  1640 neverlosecrack laucher.exe  neverlosecrack laucher.exe
PID 2344 wrote to memory of 2740  2344 neverlosecrack laucher.exe  schtasks.exe
PID 2344 wrote to memory of 2740  2344 neverlosecrack laucher.exe  schtasks.exe
PID 2344 wrote to memory of 2740  2344 neverlosecrack laucher.exe  schtasks.exe
PID 2344 wrote to memory of 2740  2344 neverlosecrack laucher.exe  schtasks.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\neverlosecrack laucher.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\neverlosecrack laucher.exe"
   PID: 1640
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\XenoManager\neverlosecrack laucher.exe
      Command line: "C:\Users\Admin\AppData\Roaming\XenoManager\neverlosecrack laucher.exe"
      PID: 2344
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\schtasks.exe
         Command line: "schtasks.exe" /Create /TN "window system" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2F89.tmp" /F
         PID: 2740
         - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\tmp2F89.tmp
Filesize: 1KB
MD5: b6493093b4e385f2a9e780d79411f6f7
SHA1: 508a0b81481e34fd23ee8e1f89ec0cf4aae56952
SHA256: 716416e566645db22a6d4427a2d7d6f735fe298d464e37697589e062564b97c0
SHA512: e53992f924305655ee9ccf2283fb5981348c4093fd7fac21bfc877bf7f005cda8875ad9fc7e903e28d971df96a6ec09a540d2f502b6312dbe601d70b7ff0e097

\Users\Admin\AppData\Roaming\XenoManager\neverlosecrack laucher.exe
Filesize: 45KB
MD5: 4a0a8d2a6a0c3a9b727296563cb71690
SHA1: b764251a6d82e236c5f652b8a43e5c86c89b8985
SHA256: c6869ec4d346b01fb2a17166558038d66840cbe7a4e4a26a2e9a6d29225e699d
SHA512: 67b68497b3206376a0d364400bfe065fd13f834aced15645afc4315a9097a3e03784eab746a37e11ea4c61f7174998ddb85461d7544b1df350cc12c0def872cc

memory/1640-0-0x000000007491E000-0x000000007491F000-memory.dmp
Filesize: 4KB

memory/1640-1-0x0000000000B40000-0x0000000000B52000-memory.dmp
Filesize: 72KB

memory/2344-9-0x0000000000E50000-0x0000000000E62000-memory.dmp
Filesize: 72KB

memory/2344-10-0x0000000074910000-0x0000000074FFE000-memory.dmp
Filesize: 6.9MB

memory/2344-13-0x0000000074910000-0x0000000074FFE000-memory.dmp
Filesize: 6.9MB

memory/2344-14-0x0000000074910000-0x0000000074FFE000-memory.dmp
Filesize: 6.9MB

memory/2344-15-0x0000000074910000-0x0000000074FFE000-memory.dmp
Filesize: 6.9MB