Analysis Overview
SHA256
b55e1e8555367114aff90727da651e37d8662a2678041b8f50f19fd8a397f984
Threat Level: Known bad
The file client.exe was found to be: Known bad.
Malicious Activity Summary
Xenorat family
XenorRat
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-31 23:06
Signatures
Xenorat family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-31 23:06
Reported
2024-05-31 23:08
Platform
win10-20240404-en
Max time kernel
102s
Max time network
111s
Command Line
Signatures
XenorRat
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\client.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\client.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\client.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2872 wrote to memory of 4908 | N/A | C:\Users\Admin\AppData\Local\Temp\client.exe | C:\Users\Admin\AppData\Roaming\XenoManager\client.exe |
| PID 2872 wrote to memory of 4908 | N/A | C:\Users\Admin\AppData\Local\Temp\client.exe | C:\Users\Admin\AppData\Roaming\XenoManager\client.exe |
| PID 2872 wrote to memory of 4908 | N/A | C:\Users\Admin\AppData\Local\Temp\client.exe | C:\Users\Admin\AppData\Roaming\XenoManager\client.exe |
| PID 4908 wrote to memory of 3432 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\client.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 4908 wrote to memory of 3432 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\client.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 4908 wrote to memory of 3432 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\client.exe | C:\Windows\SysWOW64\schtasks.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\client.exe
"C:\Users\Admin\AppData\Local\Temp\client.exe"
C:\Users\Admin\AppData\Roaming\XenoManager\client.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "Console" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDC08.tmp" /F
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | people-weekend.gl.at.ply.gg | udp |
| US | 147.185.221.20:5719 | people-weekend.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 20.221.185.147.in-addr.arpa | udp |
| US | 147.185.221.20:5719 | people-weekend.gl.at.ply.gg | tcp |
| US | 147.185.221.20:5719 | people-weekend.gl.at.ply.gg | tcp |
| US | 147.185.221.20:5719 | people-weekend.gl.at.ply.gg | tcp |
| US | 147.185.221.20:5719 | people-weekend.gl.at.ply.gg | tcp |
| US | 147.185.221.20:5719 | people-weekend.gl.at.ply.gg | tcp |
| US | 147.185.221.20:5719 | people-weekend.gl.at.ply.gg | tcp |
| US | 147.185.221.20:5719 | people-weekend.gl.at.ply.gg | tcp |
| US | 147.185.221.20:5719 | people-weekend.gl.at.ply.gg | tcp |
| US | 147.185.221.20:5719 | people-weekend.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 147.185.221.20:5719 | people-weekend.gl.at.ply.gg | tcp |
| US | 147.185.221.20:5719 | people-weekend.gl.at.ply.gg | tcp |
Files
memory/2872-0-0x000000007341E000-0x000000007341F000-memory.dmp
memory/2872-1-0x0000000000200000-0x0000000000212000-memory.dmp
C:\Users\Admin\AppData\Roaming\XenoManager\client.exe
| MD5 | 1acd506e251f840ff4aebd32401a68ab |
| SHA1 | 38ce2a41d59a1bf0f3332fb867f43794c39577af |
| SHA256 | b55e1e8555367114aff90727da651e37d8662a2678041b8f50f19fd8a397f984 |
| SHA512 | 26c74ecb9a20848f0b6bf9a1b9b0ccbc67d1b281337d50bafdf93382f1bf4f89f19669e5a278df8ff032092ede9597d0142b8e2718b0e7bbb034c3e78b84c5c4 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\client.exe.log
| MD5 | 957779c42144282d8cd83192b8fbc7cf |
| SHA1 | de83d08d2cca06b9ff3d1ef239d6b60b705d25fe |
| SHA256 | 0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51 |
| SHA512 | f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd |
memory/4908-10-0x0000000073410000-0x0000000073AFE000-memory.dmp
memory/4908-11-0x0000000073410000-0x0000000073AFE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpDC08.tmp
| MD5 | fdd36139980f5cbfef3360123665b96c |
| SHA1 | faf5353ca339065426642578c3913906e892becf |
| SHA256 | ff95b1308fc4294f5d6dcb0c171633387d81b4f2efda617292eb784615b17bed |
| SHA512 | 2ab91e7733c16300feda4efa61cc11baf21245f85c4cccd08e92c5fd61cfa03d206ba04939362733ce26385dfd66ab4524cd1a0da2c779a7e0ce9d00b4e5e31b |
memory/4908-13-0x0000000006330000-0x0000000006396000-memory.dmp
memory/4908-14-0x0000000073410000-0x0000000073AFE000-memory.dmp
memory/4908-15-0x0000000005F00000-0x0000000005F12000-memory.dmp
memory/4908-16-0x0000000073410000-0x0000000073AFE000-memory.dmp
memory/4908-17-0x0000000001480000-0x000000000148A000-memory.dmp
memory/4908-18-0x0000000006EA0000-0x000000000739E000-memory.dmp