Overview

overview

10

Static

static

10

123.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    138s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    13-05-2024 18:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    123.exe

  • Size

    45KB

  • MD5

    fd3fa42906bc5b6a8c5e797431d3e9f1

  • SHA1

    8f21e90966b9682640ae12d89b7485f18fc960c5

  • SHA256

    8a9c7963d74a81dbbdd82f50e0ef9014777474c9ff55bc26bbf64681bb571cfb

  • SHA512

    b04e17457c28d791717751626f3e88872fc4c4792e6da90d8e008817afc6c3b7ef8bd2afc09ecd0c951d74f8d2922d1eaa190ae3c3d166dd6cf93338c70947a1

  • SSDEEP

    768:BdhO/poiiUcjlJInLr6BH9Xqk5nWEZ5SbTDaUuI7CPW5Q:/w+jjgncH9XqcnW85SbThuI4

Score
10/10
xenoratrattrojan

Malware Config

Extracted

Family

xenorat

C2

7.tcp.eu.ngrok.io

Mutex

radnom123_34X41

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    10543

  • startup_name

    window system

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\123.exe
    "C:\Users\Admin\AppData\Local\Temp\123.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:512
    • C:\Users\Admin\AppData\Roaming\XenoManager\123.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\123.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:32
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "window system" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7762.tmp" /F
        3⤵
        • Creates scheduled task(s)
        PID:2864
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /query /v /fo csv
        3⤵
          PID:3052
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks.exe" /delete /tn "\window system" /f
          3⤵
            PID:1260
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\XenoManager\123.exe"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1456
            • C:\Windows\SysWOW64\choice.exe
              choice /C Y /N /D Y /T 3
              4⤵
                PID:3812

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\123.exe.log
          Filesize

          226B

          MD5

          957779c42144282d8cd83192b8fbc7cf

          SHA1

          de83d08d2cca06b9ff3d1ef239d6b60b705d25fe

          SHA256

          0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51

          SHA512

          f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\tmp7762.tmp
          Filesize

          1KB

          MD5

          74d4a60bb87373dae68e73729ecad74e

          SHA1

          7bbe087ed0d44ab8f1f084bb6fbc715989872698

          SHA256

          761cb3030ad78449fb0d6bac90141472a2ece57a2290f53cc4b146fe79b98f95

          SHA512

          f283adb42ace934691dbed115ca6adf88e1550b3b07e798409e73c72031d245a64d5879d6259a424daeedeea26a5a3583377e9c677d42c488b0ab6f879b8e08d

          Download Submit
        • C:\Users\Admin\AppData\Roaming\XenoManager\123.exe
          Filesize

          45KB

          MD5

          fd3fa42906bc5b6a8c5e797431d3e9f1

          SHA1

          8f21e90966b9682640ae12d89b7485f18fc960c5

          SHA256

          8a9c7963d74a81dbbdd82f50e0ef9014777474c9ff55bc26bbf64681bb571cfb

          SHA512

          b04e17457c28d791717751626f3e88872fc4c4792e6da90d8e008817afc6c3b7ef8bd2afc09ecd0c951d74f8d2922d1eaa190ae3c3d166dd6cf93338c70947a1

          Download Submit
        • memory/32-9-0x0000000073FA0000-0x000000007468E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/32-12-0x0000000006100000-0x0000000006166000-memory.dmp
          Filesize

          408KB

          Download
        • memory/32-13-0x0000000073FA0000-0x000000007468E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/32-14-0x0000000073FA0000-0x000000007468E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/32-15-0x0000000073FA0000-0x000000007468E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/512-0-0x0000000073FAE000-0x0000000073FAF000-memory.dmp
          Filesize

          4KB

          Download
        • memory/512-1-0x0000000000D10000-0x0000000000D22000-memory.dmp
          Filesize

          72KB

          Download