xenorat | dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
Size

243KB
MD5

4aad0d0ea510075b228330ca1f55d242
SHA1

c43b2fa5fc86a597d7f9d2139dce34d017028388
SHA256

dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38
SHA512

532e5b415efd115d490c4ba60c6753bd7904a00eb5767554ec1744b2ee453a7bc81dd407215764b0361b738b50b2b2605f2ff5924dc8cbda3bafd03ffa38fc4c
SSDEEP

6144:1OYJ+Mul9FCrE+9Gheadlky0fXiJ+VCDsaBEx3EyVW6c7XFI:1NcMmbCrE+Tqky0cmr3EyVW6c7O

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

dns.dobiamfollollc.online

Mutex

Solid_rat_nd8889g

Attributes

delay
61000
install_path
appdata
port
1283
startup_name
bns

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Detects executables packed with ConfuserEx Mod 3 IoCs

resource	yara_rule
behavioral2/memory/3128-1-0x00000000008B0000-0x00000000008F6000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/memory/3128-4-0x0000000005390000-0x00000000053D0000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/files/0x0007000000023437-20.dat	INDICATOR_EXE_Packed_ConfuserEx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe

Executes dropped EXE 4 IoCs

pid	Process
4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
4104	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
1572	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
4048	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 3128 set thread context of 812	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	84
PID 3128 set thread context of 3700	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	85
PID 3128 set thread context of 544	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	87
PID 4664 set thread context of 4104	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	93
PID 4664 set thread context of 1572	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	94
PID 4664 set thread context of 4048	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4620	812	WerFault.exe	84
1656	3700	WerFault.exe	85
1112	4048	WerFault.exe	95

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
8	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
Token: SeDebugPrivilege	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 3128 wrote to memory of 812	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	84
PID 3128 wrote to memory of 812	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	84
PID 3128 wrote to memory of 812	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	84
PID 3128 wrote to memory of 812	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	84
PID 3128 wrote to memory of 812	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	84
PID 3128 wrote to memory of 812	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	84
PID 3128 wrote to memory of 812	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	84
PID 3128 wrote to memory of 812	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	84
PID 3128 wrote to memory of 3700	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	85
PID 3128 wrote to memory of 3700	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	85
PID 3128 wrote to memory of 3700	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	85
PID 3128 wrote to memory of 3700	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	85
PID 3128 wrote to memory of 3700	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	85
PID 3128 wrote to memory of 3700	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	85
PID 3128 wrote to memory of 3700	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	85
PID 3128 wrote to memory of 3700	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	85
PID 3128 wrote to memory of 544	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	87
PID 3128 wrote to memory of 544	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	87
PID 3128 wrote to memory of 544	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	87
PID 3128 wrote to memory of 544	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	87
PID 3128 wrote to memory of 544	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	87
PID 3128 wrote to memory of 544	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	87
PID 3128 wrote to memory of 544	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	87
PID 3128 wrote to memory of 544	3128	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	87
PID 544 wrote to memory of 4664	544	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	91
PID 544 wrote to memory of 4664	544	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	91
PID 544 wrote to memory of 4664	544	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	91
PID 4664 wrote to memory of 4104	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	93
PID 4664 wrote to memory of 4104	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	93
PID 4664 wrote to memory of 4104	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	93
PID 4664 wrote to memory of 4104	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	93
PID 4664 wrote to memory of 4104	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	93
PID 4664 wrote to memory of 4104	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	93
PID 4664 wrote to memory of 4104	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	93
PID 4664 wrote to memory of 4104	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	93
PID 4664 wrote to memory of 1572	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	94
PID 4664 wrote to memory of 1572	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	94
PID 4664 wrote to memory of 1572	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	94
PID 4664 wrote to memory of 1572	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	94
PID 4664 wrote to memory of 1572	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	94
PID 4664 wrote to memory of 1572	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	94
PID 4664 wrote to memory of 1572	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	94
PID 4664 wrote to memory of 1572	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	94
PID 4664 wrote to memory of 4048	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	95
PID 4664 wrote to memory of 4048	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	95
PID 4664 wrote to memory of 4048	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	95
PID 4664 wrote to memory of 4048	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	95
PID 4664 wrote to memory of 4048	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	95
PID 4664 wrote to memory of 4048	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	95
PID 4664 wrote to memory of 4048	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	95
PID 4664 wrote to memory of 4048	4664	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	95
PID 4104 wrote to memory of 8	4104	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	110
PID 4104 wrote to memory of 8	4104	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	110
PID 4104 wrote to memory of 8	4104	dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe	110

C:\Users\Admin\AppData\Local\Temp\dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
"C:\Users\Admin\AppData\Local\Temp\dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Users\Admin\AppData\Local\Temp\dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
  C:\Users\Admin\AppData\Local\Temp\dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
  2⤵
  PID:812
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 80
    3⤵
    - Program crash
    PID:4620
- C:\Users\Admin\AppData\Local\Temp\dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
  C:\Users\Admin\AppData\Local\Temp\dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
  2⤵
  PID:3700
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 80
    3⤵
    - Program crash
    PID:1656
- C:\Users\Admin\AppData\Local\Temp\dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
  C:\Users\Admin\AppData\Local\Temp\dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Users\Admin\AppData\Roaming\XenoManager\dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
    "C:\Users\Admin\AppData\Roaming\XenoManager\dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4664
  - - C:\Users\Admin\AppData\Roaming\XenoManager\dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
      C:\Users\Admin\AppData\Roaming\XenoManager\dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4104
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /Create /TN "bns" /XML "C:\Users\Admin\AppData\Local\Temp\tmp27E6.tmp" /F
        5⤵
        Creates scheduled task(s)
        
        PID:8
  - - C:\Users\Admin\AppData\Roaming\XenoManager\dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
      C:\Users\Admin\AppData\Roaming\XenoManager\dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
      4⤵
      Executes dropped EXE
      PID:1572
  - - C:\Users\Admin\AppData\Roaming\XenoManager\dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
      C:\Users\Admin\AppData\Roaming\XenoManager\dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe
      4⤵
      Executes dropped EXE
      PID:4048
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 80
        5⤵
        Program crash
        
        PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 812 -ip 812
1⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3700 -ip 3700
1⤵
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4048 -ip 4048
1⤵
PID:3328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe.log

Filesize
706B

MD5
d95c58e609838928f0f49837cab7dfd2

SHA1
55e7139a1e3899195b92ed8771d1ca2c7d53c916

SHA256
0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

SHA512
405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp27E6.tmp

Filesize
1KB

MD5
975fbdd54786c9fe86b489fe77d39811

SHA1
f71a93fe94675dc7204059ae6595838c21cb1aef

SHA256
05b6f79798671f7e98c407e1857e2e725edb6428dda8f0e38162e5758655a5c2

SHA512
29073c00192448a742519bd73fa00a700b23a0e954ac5b781516f7eb7048e5cd89461848bc6e7f1ac353a7b26abdb7cc12668a8f83e2797291ace6c7546b4d9b

Download Submit
C:\Users\Admin\AppData\Roaming\XenoManager\dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38.exe

Filesize
243KB

MD5
4aad0d0ea510075b228330ca1f55d242

SHA1
c43b2fa5fc86a597d7f9d2139dce34d017028388

SHA256
dfea9fa54974479b6fe5df79b11c5c7307bec32d81c38495778d4534408c7c38

SHA512
532e5b415efd115d490c4ba60c6753bd7904a00eb5767554ec1744b2ee453a7bc81dd407215764b0361b738b50b2b2605f2ff5924dc8cbda3bafd03ffa38fc4c

Download Submit
memory/544-11-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/544-27-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/544-15-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/3128-8-0x0000000005230000-0x0000000005236000-memory.dmp

Filesize
24KB

Download
memory/3128-7-0x0000000006680000-0x0000000006712000-memory.dmp

Filesize
584KB

Download
memory/3128-0-0x00000000748BE000-0x00000000748BF000-memory.dmp

Filesize
4KB

Download
memory/3128-6-0x0000000006C30000-0x00000000071D4000-memory.dmp

Filesize
5.6MB

Download
memory/3128-5-0x00000000065E0000-0x000000000667C000-memory.dmp

Filesize
624KB

Download
memory/3128-4-0x0000000005390000-0x00000000053D0000-memory.dmp

Filesize
256KB

Download
memory/3128-16-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/3128-3-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/3128-2-0x00000000012C0000-0x00000000012C6000-memory.dmp

Filesize
24KB

Download
memory/3128-1-0x00000000008B0000-0x00000000008F6000-memory.dmp

Filesize
280KB

Download
memory/4664-28-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/4664-29-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/4664-36-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads