xenorat | ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8

Analysis

max time kernel
148s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
Size

242KB
MD5

e3194e68bfa1155b7a5d0e895f9eccf1
SHA1

99de13f1eae283988d21f9f07a2646efaf55bc6e
SHA256

ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8
SHA512

8e49b770e629983cc375899a91fb6f9981a0bc60f07a76446a933be44886e124b54864535c6050dc8792d558d636ca0ce52649786af74b88b593e61d3daf97b0
SSDEEP

6144:vUFRBdL5W/ldm/mGniJA07X7lBL/EMx4RpFLhBvuX/PFj0SP26Lzj2Y8qG+hBs7N:QvnW/4mGZ0rhd/ERRHzGPPNj2Y8qG+hI

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

dns.dobiamfollollc.online

Mutex

Solid_rat_nd8889g

Attributes

delay
61000
install_path
appdata
port
1283
startup_name
bns

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Detects executables packed with ConfuserEx Mod 3 IoCs

resource	yara_rule
behavioral2/memory/560-1-0x00000000005C0000-0x0000000000606000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/memory/560-4-0x0000000004EC0000-0x0000000004F00000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/files/0x00080000000235fa-20.dat	INDICATOR_EXE_Packed_ConfuserEx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe

Executes dropped EXE 4 IoCs

pid	Process
1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
1208	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
1464	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
1880	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 560 set thread context of 2400	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	92
PID 560 set thread context of 2512	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	93
PID 560 set thread context of 956	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	94
PID 1480 set thread context of 1208	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	100
PID 1480 set thread context of 1464	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	101
PID 1480 set thread context of 1880	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	102

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1692	2512	WerFault.exe	93
4080	1464	WerFault.exe	101

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3020	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
Token: SeDebugPrivilege	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 2400	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	92
PID 560 wrote to memory of 2400	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	92
PID 560 wrote to memory of 2400	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	92
PID 560 wrote to memory of 2400	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	92
PID 560 wrote to memory of 2400	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	92
PID 560 wrote to memory of 2400	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	92
PID 560 wrote to memory of 2400	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	92
PID 560 wrote to memory of 2400	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	92
PID 560 wrote to memory of 2512	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	93
PID 560 wrote to memory of 2512	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	93
PID 560 wrote to memory of 2512	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	93
PID 560 wrote to memory of 2512	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	93
PID 560 wrote to memory of 2512	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	93
PID 560 wrote to memory of 2512	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	93
PID 560 wrote to memory of 2512	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	93
PID 560 wrote to memory of 2512	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	93
PID 560 wrote to memory of 956	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	94
PID 560 wrote to memory of 956	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	94
PID 560 wrote to memory of 956	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	94
PID 560 wrote to memory of 956	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	94
PID 560 wrote to memory of 956	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	94
PID 560 wrote to memory of 956	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	94
PID 560 wrote to memory of 956	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	94
PID 560 wrote to memory of 956	560	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	94
PID 2400 wrote to memory of 1480	2400	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	96
PID 2400 wrote to memory of 1480	2400	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	96
PID 2400 wrote to memory of 1480	2400	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	96
PID 1480 wrote to memory of 1208	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	100
PID 1480 wrote to memory of 1208	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	100
PID 1480 wrote to memory of 1208	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	100
PID 1480 wrote to memory of 1208	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	100
PID 1480 wrote to memory of 1208	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	100
PID 1480 wrote to memory of 1208	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	100
PID 1480 wrote to memory of 1208	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	100
PID 1480 wrote to memory of 1208	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	100
PID 1480 wrote to memory of 1464	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	101
PID 1480 wrote to memory of 1464	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	101
PID 1480 wrote to memory of 1464	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	101
PID 1480 wrote to memory of 1464	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	101
PID 1480 wrote to memory of 1464	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	101
PID 1480 wrote to memory of 1464	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	101
PID 1480 wrote to memory of 1464	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	101
PID 1480 wrote to memory of 1464	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	101
PID 1480 wrote to memory of 1880	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	102
PID 1480 wrote to memory of 1880	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	102
PID 1480 wrote to memory of 1880	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	102
PID 1480 wrote to memory of 1880	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	102
PID 1480 wrote to memory of 1880	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	102
PID 1480 wrote to memory of 1880	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	102
PID 1480 wrote to memory of 1880	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	102
PID 1480 wrote to memory of 1880	1480	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	102
PID 956 wrote to memory of 3020	956	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	111
PID 956 wrote to memory of 3020	956	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	111
PID 956 wrote to memory of 3020	956	ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe	111

C:\Users\Admin\AppData\Local\Temp\ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
"C:\Users\Admin\AppData\Local\Temp\ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:560
- C:\Users\Admin\AppData\Local\Temp\ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
  C:\Users\Admin\AppData\Local\Temp\ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Users\Admin\AppData\Roaming\XenoManager\ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
    "C:\Users\Admin\AppData\Roaming\XenoManager\ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\Users\Admin\AppData\Roaming\XenoManager\ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
      C:\Users\Admin\AppData\Roaming\XenoManager\ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
      4⤵
      Executes dropped EXE
      PID:1208
  - - C:\Users\Admin\AppData\Roaming\XenoManager\ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
      C:\Users\Admin\AppData\Roaming\XenoManager\ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
      4⤵
      Executes dropped EXE
      PID:1464
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 80
        5⤵
        Program crash
        
        PID:4080
  - - C:\Users\Admin\AppData\Roaming\XenoManager\ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
      C:\Users\Admin\AppData\Roaming\XenoManager\ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
      4⤵
      Executes dropped EXE
      PID:1880
- C:\Users\Admin\AppData\Local\Temp\ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
  C:\Users\Admin\AppData\Local\Temp\ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
  2⤵
  PID:2512
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 80
    3⤵
    - Program crash
    PID:1692
- C:\Users\Admin\AppData\Local\Temp\ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
  C:\Users\Admin\AppData\Local\Temp\ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "bns" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD983.tmp" /F
    3⤵
    - Creates scheduled task(s)
    PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2512 -ip 2512
1⤵
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 1464 -ip 1464
1⤵
PID:4656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3960,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=4100 /prefetch:8
1⤵
PID:380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe.log

Filesize
706B

MD5
d95c58e609838928f0f49837cab7dfd2

SHA1
55e7139a1e3899195b92ed8771d1ca2c7d53c916

SHA256
0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

SHA512
405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD983.tmp

Filesize
1KB

MD5
13d0b2f0ba551e25b4c373ea3555151d

SHA1
3971d0c1bd2f13a2bd38845f0b945fb5a3cf3640

SHA256
787ca9156b4d661abf167edfdc6e89dc50c3a76500dc86943a763506942e470c

SHA512
41536d9129b8612837e128529a0a78649e228b6f578162545f275ca699574d9211d37e7f1fbe257e2c2843e0816c71570f8d1601fe0d3656bd76d39a91052b79

Download Submit
C:\Users\Admin\AppData\Roaming\XenoManager\ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8.exe

Filesize
242KB

MD5
e3194e68bfa1155b7a5d0e895f9eccf1

SHA1
99de13f1eae283988d21f9f07a2646efaf55bc6e

SHA256
ddcff69560db3a7525052baa5941790842f308dbfe0caaa3a84e43f7f6a7f7b8

SHA512
8e49b770e629983cc375899a91fb6f9981a0bc60f07a76446a933be44886e124b54864535c6050dc8792d558d636ca0ce52649786af74b88b593e61d3daf97b0

Download Submit
memory/560-8-0x00000000027D0000-0x00000000027D6000-memory.dmp

Filesize
24KB

Download
memory/560-0-0x00000000751DE000-0x00000000751DF000-memory.dmp

Filesize
4KB

Download
memory/560-5-0x000000000DAF0000-0x000000000DB8C000-memory.dmp

Filesize
624KB

Download
memory/560-6-0x000000000E140000-0x000000000E6E4000-memory.dmp

Filesize
5.6MB

Download
memory/560-7-0x000000000DC30000-0x000000000DCC2000-memory.dmp

Filesize
584KB

Download
memory/560-1-0x00000000005C0000-0x0000000000606000-memory.dmp

Filesize
280KB

Download
memory/560-3-0x00000000751D0000-0x0000000075980000-memory.dmp

Filesize
7.7MB

Download
memory/560-4-0x0000000004EC0000-0x0000000004F00000-memory.dmp

Filesize
256KB

Download
memory/560-15-0x00000000751D0000-0x0000000075980000-memory.dmp

Filesize
7.7MB

Download
memory/560-2-0x0000000002920000-0x0000000002926000-memory.dmp

Filesize
24KB

Download
memory/956-24-0x00000000751D0000-0x0000000075980000-memory.dmp

Filesize
7.7MB

Download
memory/956-16-0x00000000751D0000-0x0000000075980000-memory.dmp

Filesize
7.7MB

Download
memory/956-38-0x00000000751D0000-0x0000000075980000-memory.dmp

Filesize
7.7MB

Download
memory/1480-37-0x00000000751D0000-0x0000000075980000-memory.dmp

Filesize
7.7MB

Download
memory/1480-30-0x00000000751D0000-0x0000000075980000-memory.dmp

Filesize
7.7MB

Download
memory/2400-14-0x00000000751D0000-0x0000000075980000-memory.dmp

Filesize
7.7MB

Download
memory/2400-29-0x00000000751D0000-0x0000000075980000-memory.dmp

Filesize
7.7MB

Download
memory/2400-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads