Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Odeme -(Mayis).exe

windows7-x64

10

Odeme -(Mayis).exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    14/05/2024, 07:32 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Odeme -(Mayis).exe

  • Size

    242KB

  • MD5

    e3194e68bfa1155b7a5d0e895f9eccf1

  • SHA1

    99de13f1eae283988d21f9f07a2646efaf55bc6e

  • SHA256

    ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8

  • SHA512

    8e49b770e629983cc375899a91fb6f9981a0bc60f07a76446a933be44886e124b54864535c6050dc8792d558d636ca0ce52649786af74b88b593e61d3daf97b0

  • SSDEEP

    6144:vUFRBdL5W/ldm/mGniJA07X7lBL/EMx4RpFLhBvuX/PFj0SP26Lzj2Y8qG+hBs7N:QvnW/4mGZ0rhd/ERRHzGPPNj2Y8qG+hI

Score
10/10
xenoratrattrojan

Malware Config

Extracted

Family

xenorat

C2

dns.dobiamfollollc.online

Mutex

Solid_rat_nd8889g

Attributes
  • delay

    61000

  • install_path

    appdata

  • port

    1283

  • startup_name

    bns

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Odeme -(Mayis).exe
    "C:\Users\Admin\AppData\Local\Temp\Odeme -(Mayis).exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Users\Admin\AppData\Local\Temp\Odeme -(Mayis).exe
      "C:\Users\Admin\AppData\Local\Temp\Odeme -(Mayis).exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2268
      • C:\Users\Admin\AppData\Roaming\XenoManager\Odeme -(Mayis).exe
        "C:\Users\Admin\AppData\Roaming\XenoManager\Odeme -(Mayis).exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2716
        • C:\Users\Admin\AppData\Roaming\XenoManager\Odeme -(Mayis).exe
          "C:\Users\Admin\AppData\Roaming\XenoManager\Odeme -(Mayis).exe"
          4⤵
          • Executes dropped EXE
          PID:2544
        • C:\Users\Admin\AppData\Roaming\XenoManager\Odeme -(Mayis).exe
          "C:\Users\Admin\AppData\Roaming\XenoManager\Odeme -(Mayis).exe"
          4⤵
          • Executes dropped EXE
          PID:2364
        • C:\Users\Admin\AppData\Roaming\XenoManager\Odeme -(Mayis).exe
          "C:\Users\Admin\AppData\Roaming\XenoManager\Odeme -(Mayis).exe"
          4⤵
          • Executes dropped EXE
          PID:2964
    • C:\Users\Admin\AppData\Local\Temp\Odeme -(Mayis).exe
      "C:\Users\Admin\AppData\Local\Temp\Odeme -(Mayis).exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2588
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "bns" /XML "C:\Users\Admin\AppData\Local\Temp\tmp10A4.tmp" /F
        3⤵
        • Creates scheduled task(s)
        PID:2952
    • C:\Users\Admin\AppData\Local\Temp\Odeme -(Mayis).exe
      "C:\Users\Admin\AppData\Local\Temp\Odeme -(Mayis).exe"
      2⤵
        PID:2684

    Network

    • flag-us
      DNS
      dns.dobiamfollollc.online
      Odeme -(Mayis).exe
      Remote address:
      8.8.8.8:53
      Request
      dns.dobiamfollollc.online
      IN A
      Response
      dns.dobiamfollollc.online
      IN A
      91.92.243.131
    • 91.92.243.131:1283
      dns.dobiamfollollc.online
      Odeme -(Mayis).exe
      152 B
       120 B
       3
      3
    • 91.92.243.131:1283
      dns.dobiamfollollc.online
      Odeme -(Mayis).exe
      152 B
       120 B
       3
      3
    • 91.92.243.131:1283
      dns.dobiamfollollc.online
      Odeme -(Mayis).exe
      152 B
       120 B
       3
      3
    • 91.92.243.131:1283
      dns.dobiamfollollc.online
      Odeme -(Mayis).exe
      152 B
       120 B
       3
      3
    • 91.92.243.131:1283
      dns.dobiamfollollc.online
      Odeme -(Mayis).exe
      152 B
       120 B
       3
      3
    • 91.92.243.131:1283
      dns.dobiamfollollc.online
      Odeme -(Mayis).exe
      152 B
       120 B
       3
      3
    • 91.92.243.131:1283
      dns.dobiamfollollc.online
      Odeme -(Mayis).exe
      152 B
       120 B
       3
      3
    • 91.92.243.131:1283
      dns.dobiamfollollc.online
      Odeme -(Mayis).exe
      152 B
       120 B
       3
      3
    • 8.8.8.8:53
      dns.dobiamfollollc.online
      dns
      Odeme -(Mayis).exe
      71 B
       87 B
       1
      1

      DNS Request

      dns.dobiamfollollc.online

      DNS Response

      91.92.243.131

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp10A4.tmp
      Filesize

      1KB

      MD5

      02433fd1299caf71876f97c6dabc3a2d

      SHA1

      28a96cd21bf4adcdb86fb05812f0857c48d670bc

      SHA256

      e50a64e41089100ad95c1ee13df72dbce79bb535ed05706de742d216cdc8d4d1

      SHA512

      396bd823f5a811008b525538b2b54fba3af12707e77df7ce765fa73a00e3631469d04612b593165660facc0a1157220082927d7d0b3805edf80ac8dffe0d0316

      Download Submit

    • C:\Users\Admin\AppData\Roaming\XenoManager\Odeme -(Mayis).exe
      Filesize

      242KB

      MD5

      e3194e68bfa1155b7a5d0e895f9eccf1

      SHA1

      99de13f1eae283988d21f9f07a2646efaf55bc6e

      SHA256

      ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8

      SHA512

      8e49b770e629983cc375899a91fb6f9981a0bc60f07a76446a933be44886e124b54864535c6050dc8792d558d636ca0ce52649786af74b88b593e61d3daf97b0

      Download Submit

    • memory/2268-32-0x00000000740F0000-0x00000000747DE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2268-8-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2268-19-0x00000000740F0000-0x00000000747DE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2268-12-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2268-6-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2588-46-0x00000000740F0000-0x00000000747DE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2588-25-0x00000000740F0000-0x00000000747DE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2588-49-0x00000000740F0000-0x00000000747DE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2588-50-0x00000000740F0000-0x00000000747DE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2716-33-0x00000000003A0000-0x00000000003E6000-memory.dmp

      Filesize

      280KB

      Download

    • memory/3008-5-0x00000000003A0000-0x00000000003A6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/3008-4-0x00000000740F0000-0x00000000747DE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3008-2-0x0000000000270000-0x0000000000276000-memory.dmp

      Filesize

      24KB

      Download

    • memory/3008-0-0x00000000740FE000-0x00000000740FF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3008-30-0x00000000740F0000-0x00000000747DE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3008-3-0x0000000000640000-0x0000000000680000-memory.dmp

      Filesize

      256KB

      Download

    • memory/3008-1-0x0000000000920000-0x0000000000966000-memory.dmp

      Filesize

      280KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.