xenorat | d071868b4382c3506b31854161fde2ca4025f72c990edb2ea5bb304be6fc993a

General

Target

SynapseX.revamaped.V1.4.rar
Size

659KB
MD5

135352fdf658ca571d58e51457bdb786
SHA1

dbd906969016614a4aa002872d0881600e8536e5
SHA256

d071868b4382c3506b31854161fde2ca4025f72c990edb2ea5bb304be6fc993a
SHA512

69486938b91c4ddc703a8992ba3cd0011028d391713cab063fec9747483a08ab9eaccc760d8f01d59db7f8c40d970d3675309836d3948165a559665cfd8bd86b
SSDEEP

12288:MPSH3BnY7Y78MKc1yLt6OX2CqsfcTJalg7BBU0g+6qBeS02xdJXWhd3cEx5sCB9x:SSH3qcqc1yRxtqW4alg7vgpj2zJmhdM4

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

C2

192.168.1.219

Mutex

131313131323

Attributes

delay
1000
install_path
temp
port
1234
startup_name
Windows Client

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Executes dropped EXE 5 IoCs

pid	Process
1476	Synapse X Installer.exe
4672	Synapse X Installer.exe
3200	OoxIi8qtt.exe
2140	OoxIi8qtt.exe
4432	Synapse X Installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3680	schtasks.exe
888	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	528	7zG.exe
Token: 35	528	7zG.exe
Token: SeSecurityPrivilege	528	7zG.exe
Token: SeSecurityPrivilege	528	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
528	7zG.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1684	OpenWith.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 4672	1476	Synapse X Installer.exe	81
PID 1476 wrote to memory of 4672	1476	Synapse X Installer.exe	81
PID 1476 wrote to memory of 4672	1476	Synapse X Installer.exe	81
PID 4672 wrote to memory of 3680	4672	Synapse X Installer.exe	82
PID 4672 wrote to memory of 3680	4672	Synapse X Installer.exe	82
PID 4672 wrote to memory of 3680	4672	Synapse X Installer.exe	82
PID 4432 wrote to memory of 888	4432	Synapse X Installer.exe	87
PID 4432 wrote to memory of 888	4432	Synapse X Installer.exe	87
PID 4432 wrote to memory of 888	4432	Synapse X Installer.exe	87

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\SynapseX.revamaped.V1.4.rar
1⤵
- Modifies registry class
PID:512

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1684

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4636

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\SynapseX.revamaped.V1.4\" -ad -an -ai#7zMap5081:104:7zEvent11155
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:528

C:\Users\Admin\Desktop\SynapseX.revamaped.V1.4\SynapseX revamaped V1.4\Synapse X Installer.exe
"C:\Users\Admin\Desktop\SynapseX.revamaped.V1.4\SynapseX revamaped V1.4\Synapse X Installer.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\XenoManager\Synapse X Installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4672
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "Windows Client" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD031.tmp" /F
    3⤵
    - Creates scheduled task(s)
    PID:3680

C:\Users\Admin\Desktop\SynapseX.revamaped.V1.4\SynapseX revamaped V1.4\bin\OoxIi8qtt.exe
"C:\Users\Admin\Desktop\SynapseX.revamaped.V1.4\SynapseX revamaped V1.4\bin\OoxIi8qtt.exe"
1⤵
- Executes dropped EXE
PID:3200

C:\Users\Admin\Desktop\SynapseX.revamaped.V1.4\SynapseX revamaped V1.4\bin\OoxIi8qtt.exe
"C:\Users\Admin\Desktop\SynapseX.revamaped.V1.4\SynapseX revamaped V1.4\bin\OoxIi8qtt.exe"
1⤵
- Executes dropped EXE
PID:2140

C:\Users\Admin\Desktop\SynapseX.revamaped.V1.4\SynapseX revamaped V1.4\Synapse X Installer.exe
"C:\Users\Admin\Desktop\SynapseX.revamaped.V1.4\SynapseX revamaped V1.4\Synapse X Installer.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /Create /TN "Windows Client" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4987.tmp" /F
  2⤵
  - Creates scheduled task(s)
  PID:888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OoxIi8qtt.exe.log

Filesize
1KB

MD5
29075e97065f11e26e1568f241cbc6c7

SHA1
25ce918d770bfc2b291bf392880e8de154646c77

SHA256
5c852828e431dfb822adf978f38293efd4e74da6519ee3390cbdf49d80f52fd8

SHA512
557d771d3918cbc66c7dfa46918c95fe6feb021046d1a96c827f71689a43a2c5402493406457567d10697683d78a101aa602bb25aacc2ec7c3e846c18e38fedb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Synapse X Installer.exe.log

Filesize
226B

MD5
957779c42144282d8cd83192b8fbc7cf

SHA1
de83d08d2cca06b9ff3d1ef239d6b60b705d25fe

SHA256
0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51

SHA512
f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4987.tmp

Filesize
1KB

MD5
274d5fef49db3dc3788260486ae2f189

SHA1
1c6bc26fb248aa90d62ab4fc3765a23f92ecb8a6

SHA256
a1d082f001e91995e018e306ac1bba5d212990949c1fbe4c7205915b2e161995

SHA512
b3cd0ad8c1cadc90a2680b1778a36ed3ec96123134260fd77bd60cd91651d07e3aa57bc89596f8f9665d67622a23ca1eb99c0ed104cce6508ea654e2a18ede7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD031.tmp

Filesize
1KB

MD5
a27e485b47a3c136c01199b55f08c0d8

SHA1
99a6c183d0673217570cf2e5efcc8bf44d78f483

SHA256
0c297eec1e3f58624331b58ae22a57cdd344071d58942c6897bb6ae1409e95df

SHA512
386fe030cbcb380350e5e5cc8179b76115601ad9b322f90a9d71f76fb2468993986a224796b489c600b4a388d76584772369259ac05d64a6551978e3c9102b60

Download Submit
C:\Users\Admin\Desktop\SynapseX.revamaped.V1.4\SynapseX revamaped V1.4\Synapse X Installer.exe

Filesize
43KB

MD5
769aad21a347b7576895910e55970390

SHA1
36831993993050af72ea201cfa6ebc4726860e56

SHA256
72e0f8bf690b647ae965d9a99f89c4f04c3b9500aac53f2a3fd376a2546b287a

SHA512
9bb36a376f0b3e8a26a813f1054bf92a9ca737bd9eb96403d28b4edb81c361408a058e5ccefda3e44bbf4943d9799203665161b02394d35a05faa20851f670a5

Download Submit
C:\Users\Admin\Desktop\SynapseX.revamaped.V1.4\SynapseX revamaped V1.4\bin\OoxIi8qtt.exe

Filesize
1.1MB

MD5
a48d6b525da2501d8ec661f2f2f1b0e8

SHA1
5737e465e5ffbed6b51e6775b5e05b5769f89e6b

SHA256
a6e52cc20913ae168b7dcbb923ea8cd7bdda93e43399ec22a85dabfab14ddf3a

SHA512
3cf1d6acbf1a3c3e99739af505b57aef7e8db5a2a84db2310c1d6490a097e11065510d2aaaac6ea71fd226b421d87be216993528e245e0bdee9b6000e68e32ab

Download Submit
memory/1476-10-0x0000000000950000-0x0000000000962000-memory.dmp

Filesize
72KB

Download
memory/3200-22-0x0000000000550000-0x0000000000668000-memory.dmp

Filesize
1.1MB

Download
memory/3200-23-0x00000000051B0000-0x000000000525A000-memory.dmp

Filesize
680KB

Download
memory/3200-24-0x0000000005300000-0x0000000005350000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads