Analysis
max time kernel: 134s
max time network: 138s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 13-05-2024 18:53
General
Target: 123.exe
Size: 45KB
MD5: fd3fa42906bc5b6a8c5e797431d3e9f1
SHA1: 8f21e90966b9682640ae12d89b7485f18fc960c5
SHA256: 8a9c7963d74a81dbbdd82f50e0ef9014777474c9ff55bc26bbf64681bb571cfb
SHA512: b04e17457c28d791717751626f3e88872fc4c4792e6da90d8e008817afc6c3b7ef8bd2afc09ecd0c951d74f8d2922d1eaa190ae3c3d166dd6cf93338c70947a1
SSDEEP: 768:BdhO/poiiUcjlJInLr6BH9Xqk5nWEZ5SbTDaUuI7CPW5Q:/w+jjgncH9XqcnW85SbThuI4
Malware Config
Extracted
Family: xenorat
C2: 7.tcp.eu.ngrok.io
radnom123_34X41
delay: 5000
install_path: appdata
port: 10543
startup_name: window system
Signatures

Executes dropped EXE (1 IoC)
  pid 32  Process 123.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 1 IoC)
  flow 1  ioc 7.tcp.eu.ngrok.io

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 2864  Process schtasks.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 32  Process 123.exe  (all 64 entries are this same process)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description Token: SeDebugPrivilege  pid 32  Process 123.exe

Suspicious use of WriteProcessMemory (18 IoCs)
  description                       pid   Process   procid_target
  PID 512 wrote to memory of 32     512   123.exe   73   (3 entries)
  PID 32 wrote to memory of 2864    32    123.exe   74   (3 entries)
  PID 32 wrote to memory of 3052    32    123.exe   77   (3 entries)
  PID 32 wrote to memory of 1260    32    123.exe   79   (3 entries)
  PID 32 wrote to memory of 1456    32    123.exe   81   (3 entries)
  PID 1456 wrote to memory of 3812  1456  cmd.exe   83   (3 entries)
Processes (process tree, indentation shows parent/child)

C:\Users\Admin\AppData\Local\Temp\123.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\123.exe"
  PID: 512
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\XenoManager\123.exe
    command line: "C:\Users\Admin\AppData\Roaming\XenoManager\123.exe"
    PID: 32
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      command line: "schtasks.exe" /Create /TN "window system" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7762.tmp" /F
      PID: 2864
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe
      command line: "schtasks.exe" /query /v /fo csv
      PID: 3052

    C:\Windows\SysWOW64\schtasks.exe
      command line: "schtasks.exe" /delete /tn "\window system" /f
      PID: 1260

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\XenoManager\123.exe"
      PID: 1456
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\choice.exe
        command line: choice /C Y /N /D Y /T 3
        PID: 3812
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 226B
MD5: 957779c42144282d8cd83192b8fbc7cf
SHA1: de83d08d2cca06b9ff3d1ef239d6b60b705d25fe
SHA256: 0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51
SHA512: f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

Filesize: 1KB
MD5: 74d4a60bb87373dae68e73729ecad74e
SHA1: 7bbe087ed0d44ab8f1f084bb6fbc715989872698
SHA256: 761cb3030ad78449fb0d6bac90141472a2ece57a2290f53cc4b146fe79b98f95
SHA512: f283adb42ace934691dbed115ca6adf88e1550b3b07e798409e73c72031d245a64d5879d6259a424daeedeea26a5a3583377e9c677d42c488b0ab6f879b8e08d

Filesize: 45KB
MD5: fd3fa42906bc5b6a8c5e797431d3e9f1
SHA1: 8f21e90966b9682640ae12d89b7485f18fc960c5
SHA256: 8a9c7963d74a81dbbdd82f50e0ef9014777474c9ff55bc26bbf64681bb571cfb
SHA512: b04e17457c28d791717751626f3e88872fc4c4792e6da90d8e008817afc6c3b7ef8bd2afc09ecd0c951d74f8d2922d1eaa190ae3c3d166dd6cf93338c70947a1