Analysis
max time kernel
89s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted
30-05-2024 12:32
Behavioral task
behavioral1
Sample
Rat Testing/Lime Rat.exe
Resource
win10v2004-20240426-en
Errors
General
Target
Rat Testing/Xeno Rat.exe
Size
45KB
MD5
5bf8a2aeedfb1123eb10af5e0f0e3302
SHA1
cdb9c4090f4ff8b9a5d94eaae30c15f4916e177a
SHA256
bf0927a0af35c23071466397ab21b38951d5847a4c7dda419d83a1a98183b12f
SHA512
3fa42409cea75c32b6323567fd7f03f10fd220fd73a93e4ba4d6bf998b228377e404d1a050f32e952b742c8d89a7e2384c14129608814711e285bfad33024983
SSDEEP
768:FdhO/poiiUcjlJInrVH9Xqk5nWEZ5SbTDazuI7CPW5j:bw+jjgnRH9XqcnW85SbT2uIb
Malware Config
Extracted
xenorat
147.185.221.20
TestingRat
install_path
appdata
port
3403
startup_name
Console
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | Xeno Rat.exe

Executes dropped EXE (1 IoC)
pid | Process
1588 | Xeno Rat.exe

Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\D: | Xeno Rat.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
5016 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1588 | Xeno Rat.exe (the same entry is recorded 64 times)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1588 | Xeno Rat.exe
Token: 33 | 3504 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 3504 | AUDIODG.EXE
Token: SeShutdownPrivilege | 1588 | Xeno Rat.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 3068 wrote to memory of 1588 | 3068 | Xeno Rat.exe | 82
PID 3068 wrote to memory of 1588 | 3068 | Xeno Rat.exe | 82
PID 3068 wrote to memory of 1588 | 3068 | Xeno Rat.exe | 82
PID 1588 wrote to memory of 5016 | 1588 | Xeno Rat.exe | 83
PID 1588 wrote to memory of 5016 | 1588 | Xeno Rat.exe | 83
PID 1588 wrote to memory of 5016 | 1588 | Xeno Rat.exe | 83
Processes
C:\Users\Admin\AppData\Local\Temp\Rat Testing\Xeno Rat.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Rat Testing\Xeno Rat.exe"
  PID: 3068
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  child: C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe
    command line: "C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe"
    PID: 1588
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    child: C:\Windows\SysWOW64\schtasks.exe
      command line: "schtasks.exe" /Create /TN "Console" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3587.tmp" /F
      PID: 5016
      - Creates scheduled task(s)

C:\Windows\system32\AUDIODG.EXE
  command line: C:\Windows\system32\AUDIODG.EXE 0x31c 0x4c0
  PID: 3504
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
226B
MD5
916851e072fbabc4796d8916c5131092
SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Filesize
1KB
MD5
0e29fbc9d75d451bb7b67f39780c4a90
SHA1
e1029b49a55d95816055da478445478d019b8683
SHA256
34268bc2fe7b655c624dfba5e5740aa5d8c816d13e917a46211c746ae4ab8bf9
SHA512
817216c5022e6faee6ef3f35f57d6e7d1238333c461c6dffc2c77f332a670ea0e772f2f910e45ef76c36427bec36f16c55e2fb9ce11f11e0a465c3980e6f1a1c

Filesize
45KB (same hashes as the submitted sample listed under General)
MD5
5bf8a2aeedfb1123eb10af5e0f0e3302
SHA1
cdb9c4090f4ff8b9a5d94eaae30c15f4916e177a
SHA256
bf0927a0af35c23071466397ab21b38951d5847a4c7dda419d83a1a98183b12f
SHA512
3fa42409cea75c32b6323567fd7f03f10fd220fd73a93e4ba4d6bf998b228377e404d1a050f32e952b742c8d89a7e2384c14129608814711e285bfad33024983