Analysis Overview
SHA256
f0f5b2b8f43bfec5114b21a4abfeb0f225cb8e5b55ed276b43583caaab7c70e3
Threat Level: Known bad
The file WavePreTest.exe was found to be: Known bad.
Malicious Activity Summary
Xenorat family
XenorRat
Executes dropped EXE
Reads user/profile data of web browsers
Enumerates connected drives
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-30 03:12
Signatures
Xenorat family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 03:12
Reported
2024-05-30 03:14
Platform
win10-20240404-en
Max time kernel
100s
Max time network
121s
Command Line
Signatures
XenorRat
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\WavePreTest.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Roaming\XenoManager\WavePreTest.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\WavePreTest.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\WavePreTest.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\WavePreTest.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4128 wrote to memory of 508 | N/A | C:\Users\Admin\AppData\Local\Temp\WavePreTest.exe | C:\Users\Admin\AppData\Roaming\XenoManager\WavePreTest.exe |
| PID 4128 wrote to memory of 508 | N/A | C:\Users\Admin\AppData\Local\Temp\WavePreTest.exe | C:\Users\Admin\AppData\Roaming\XenoManager\WavePreTest.exe |
| PID 4128 wrote to memory of 508 | N/A | C:\Users\Admin\AppData\Local\Temp\WavePreTest.exe | C:\Users\Admin\AppData\Roaming\XenoManager\WavePreTest.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\WavePreTest.exe
"C:\Users\Admin\AppData\Local\Temp\WavePreTest.exe"
C:\Users\Admin\AppData\Roaming\XenoManager\WavePreTest.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\WavePreTest.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3d8
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | david-login.gl.at.ply.gg | udp |
| US | 147.185.221.19:54479 | david-login.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 147.185.221.19:54479 | david-login.gl.at.ply.gg | tcp |
| US | 147.185.221.19:54479 | david-login.gl.at.ply.gg | tcp |
| US | 147.185.221.19:54479 | david-login.gl.at.ply.gg | tcp |
| US | 147.185.221.19:54479 | david-login.gl.at.ply.gg | tcp |
| US | 147.185.221.19:54479 | david-login.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 147.185.221.19:54479 | david-login.gl.at.ply.gg | tcp |
| US | 147.185.221.19:54479 | david-login.gl.at.ply.gg | tcp |
Files
memory/4128-0-0x00000000731AE000-0x00000000731AF000-memory.dmp
memory/4128-1-0x00000000009E0000-0x0000000000A24000-memory.dmp
C:\Users\Admin\AppData\Roaming\XenoManager\WavePreTest.exe
| MD5 | 5e5f3675c35d20f0f178656ef3050610 |
| SHA1 | 1c3b806ecf7b9b26dd1c1a1ccead6cab4acb86e5 |
| SHA256 | f0f5b2b8f43bfec5114b21a4abfeb0f225cb8e5b55ed276b43583caaab7c70e3 |
| SHA512 | 802a3cd68693bbfc86e69f20d734d7ee57188a5649715822da5d463496916b1789aef05315738493efe8160d9c1e8bb9b982f548a13ae841d314e920aac22779 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WavePreTest.exe.log
| MD5 | 957779c42144282d8cd83192b8fbc7cf |
| SHA1 | de83d08d2cca06b9ff3d1ef239d6b60b705d25fe |
| SHA256 | 0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51 |
| SHA512 | f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd |