Resubmissions

31-05-2024 23:08

240531-24wtxshg26 10

31-05-2024 23:06

240531-23da7agh4s 10

31-05-2024 23:03

240531-21s9magg7x 10

Analysis

  • max time kernel
    814s
  • max time network
    1593s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    31-05-2024 23:08

General

  • Target

    client.exe

  • Size

    45KB

  • MD5

    1acd506e251f840ff4aebd32401a68ab

  • SHA1

    38ce2a41d59a1bf0f3332fb867f43794c39577af

  • SHA256

    b55e1e8555367114aff90727da651e37d8662a2678041b8f50f19fd8a397f984

  • SHA512

    26c74ecb9a20848f0b6bf9a1b9b0ccbc67d1b281337d50bafdf93382f1bf4f89f19669e5a278df8ff032092ede9597d0142b8e2718b0e7bbb034c3e78b84c5c4

  • SSDEEP

    768:wdhO/poiiUcjlJInKTH9Xqk5nWEZ5SbTDaSuI7CPW5k:iw+jjgn8H9XqcnW85SbTvuIM

Score
10/10

Malware Config

Extracted

Family

xenorat

C2

people-weekend.gl.at.ply.gg

Mutex

somerandomvalue

Attributes
  • install_path

    appdata

  • port

    5719

  • startup_name

    Console

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

  • Executes dropped EXE 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Kills process with taskkill 1 IoCs
  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\client.exe
    "C:\Users\Admin\AppData\Local\Temp\client.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1296
    • C:\Users\Admin\AppData\Roaming\XenoManager\client.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3672
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "Console" /XML "C:\Users\Admin\AppData\Local\Temp\tmp70EA.tmp" /F
        3⤵
        • Creates scheduled task(s)
        PID:5096
      • \??\c:\windows\SysWOW64\cmstp.exe
        "c:\windows\system32\cmstp.exe" /au C:\windows\temp\nr1yzpog.inf
        3⤵
        PID:2428
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2828
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c start "" "C:\Users\Admin\AppData\Roaming\XenoManager\client.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:5020
        • C:\Users\Admin\AppData\Roaming\XenoManager\client.exe
          "C:\Users\Admin\AppData\Roaming\XenoManager\client.exe"
          3⤵
          • Executes dropped EXE
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1436
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks.exe" /Create /TN "Console" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC55E.tmp" /F
            4⤵
            • Creates scheduled task(s)
            PID:4152
          • C:\Windows\system32\cmd.exe
            cmd /c start "" "%windir%\system32\fodhelper.exe"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1620
            • C:\Windows\system32\fodhelper.exe
              "C:\Windows\system32\fodhelper.exe"
              5⤵
              • Drops file in Windows directory
              • Suspicious use of WriteProcessMemory
              PID:4640
              • C:\Users\Admin\AppData\Roaming\XenoManager\client.exe
                "C:\Users\Admin\AppData\Roaming\XenoManager\client.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1776
                • C:\Windows\SysWOW64\schtasks.exe
                  "schtasks.exe" /Create /TN "Console" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2E98.tmp" /F
                  7⤵
                  • Creates scheduled task(s)
                  PID:692
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /IM cmstp.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2368

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Execution

    Scheduled Task/Job

    1
    T1053

    Persistence

    Scheduled Task/Job

    1
    T1053

    Privilege Escalation

    Scheduled Task/Job

    1
    T1053

    Discovery

    System Information Discovery

    1
    T1082


    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\client.exe.log
      Filesize

      226B

      MD5

      957779c42144282d8cd83192b8fbc7cf

      SHA1

      de83d08d2cca06b9ff3d1ef239d6b60b705d25fe

      SHA256

      0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51

      SHA512

      f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

    • C:\Users\Admin\AppData\Local\Temp\tmp70EA.tmp
      Filesize

      1KB

      MD5

      fdd36139980f5cbfef3360123665b96c

      SHA1

      faf5353ca339065426642578c3913906e892becf

      SHA256

      ff95b1308fc4294f5d6dcb0c171633387d81b4f2efda617292eb784615b17bed

      SHA512

      2ab91e7733c16300feda4efa61cc11baf21245f85c4cccd08e92c5fd61cfa03d206ba04939362733ce26385dfd66ab4524cd1a0da2c779a7e0ce9d00b4e5e31b

    • C:\Users\Admin\AppData\Roaming\XenoManager\client.exe
      Filesize

      45KB

      MD5

      1acd506e251f840ff4aebd32401a68ab

      SHA1

      38ce2a41d59a1bf0f3332fb867f43794c39577af

      SHA256

      b55e1e8555367114aff90727da651e37d8662a2678041b8f50f19fd8a397f984

      SHA512

      26c74ecb9a20848f0b6bf9a1b9b0ccbc67d1b281337d50bafdf93382f1bf4f89f19669e5a278df8ff032092ede9597d0142b8e2718b0e7bbb034c3e78b84c5c4

    • C:\windows\temp\nr1yzpog.inf
      Filesize

      640B

      MD5

      e5f4dea5737dddfd1df15c57f3c943f0

      SHA1

      7f2cd41f33a8b5590fbf2a24b5be109e0f5527a8

      SHA256

      b2b076496dc2679c066974a83ebb0d8a56e14c9a0a8e8934d5e85f670a500e76

      SHA512

      eed20ad62b5f91a86c65d547795b5f07d86029983e9ba30dc5937341c6ffdec5e684862f3f8c91d59ee9197b4b573ff76f6c387329df096b0d345a0b702d08e6

    • memory/1296-1-0x0000000000A50000-0x0000000000A62000-memory.dmp
      Filesize

      72KB

    • memory/1296-0-0x000000007354E000-0x000000007354F000-memory.dmp
      Filesize

      4KB

    • memory/3672-14-0x0000000005190000-0x000000000519A000-memory.dmp
      Filesize

      40KB

    • memory/3672-13-0x0000000005790000-0x00000000057F6000-memory.dmp
      Filesize

      408KB

    • memory/3672-11-0x0000000073540000-0x0000000073C2E000-memory.dmp
      Filesize

      6.9MB

    • memory/3672-15-0x0000000005BA0000-0x0000000005C32000-memory.dmp
      Filesize

      584KB

    • memory/3672-16-0x0000000006140000-0x000000000663E000-memory.dmp
      Filesize

      5.0MB

    • memory/3672-17-0x0000000073540000-0x0000000073C2E000-memory.dmp
      Filesize

      6.9MB

    • memory/3672-18-0x0000000073540000-0x0000000073C2E000-memory.dmp
      Filesize

      6.9MB

    • memory/3672-19-0x0000000000C90000-0x0000000000C9C000-memory.dmp
      Filesize

      48KB

    • memory/3672-10-0x0000000073540000-0x0000000073C2E000-memory.dmp
      Filesize

      6.9MB

    • memory/3672-22-0x0000000005670000-0x000000000567A000-memory.dmp
      Filesize

      40KB