Analysis
- max time kernel: 147s
- max time network: 95s
- platform: windows11-21h2_x64
- resource: win11-20240419-en
- resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 31-05-2024 22:39
General
- Target: norizzy.exe
- Size: 45KB
- MD5: a39dade930f828d59e4e86633986356c
- SHA1: 956f47e3bd9bc8398acb93a5b62b66e5ae8475ff
- SHA256: 47556f2d38004c59b08305afb3f8faaefd39d9885c3d28db13c2df51de61eed5
- SHA512: 99096d1c6b8b0e55d47c1647c5edaae4582e8e4c1211b6ffe76aef299a5b52b5bf2791c5261e8fb86a2d71f4214d7d473202c178d66b61c3830c17ff31f20218
- SSDEEP: 768:5dhO/poiiUcjlJInOsPH9Xqk5nWEZ5SbTDaLluI7CPW5o:3w+jjgnZPH9XqcnW85SbTEuIg
Malware Config
Extracted
- xenorat
- character-acquisitions.gl.at.ply.gg
- Xeno_rat_nd8912d
- delay: 5000
- install_path: appdata
- port: 36301
- startup_name: gggggg
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
  pid   process
  4812  norizzy.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description                         pid   process      target process
  PID 1480 wrote to memory of 4812    1480  norizzy.exe  norizzy.exe
  PID 1480 wrote to memory of 4812    1480  norizzy.exe  norizzy.exe
  PID 1480 wrote to memory of 4812    1480  norizzy.exe  norizzy.exe
  PID 4812 wrote to memory of 1108    4812  norizzy.exe  schtasks.exe
  PID 4812 wrote to memory of 1108    4812  norizzy.exe  schtasks.exe
  PID 4812 wrote to memory of 1108    4812  norizzy.exe  schtasks.exe
Processes
- 1. C:\Users\Admin\AppData\Local\Temp\norizzy.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\norizzy.exe"
  - Suspicious use of WriteProcessMemory
  - 2. C:\Users\Admin\AppData\Roaming\XenoManager\norizzy.exe
    Command line: "C:\Users\Admin\AppData\Roaming\XenoManager\norizzy.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - 3. C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /Create /TN "gggggg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp737A.tmp" /F
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\norizzy.exe.log
  Filesize: 226B
  MD5: 1294de804ea5400409324a82fdc7ec59
  SHA1: 9a39506bc6cadf99c1f2129265b610c69d1518f7
  SHA256: 494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0
  SHA512: 033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1
- C:\Users\Admin\AppData\Local\Temp\tmp737A.tmp
  Filesize: 1KB
  MD5: f09aebed190bf1f0bc30fcd0d98ab535
  SHA1: d9ca0713e9b9aa77ea5c7951aa9b5121cd0bd338
  SHA256: 6d2c57cb04c643f55be3a2e1b225af550b882de81290359ed7b6bf4059d53859
  SHA512: 9635c7635f50678ae01c0f9b9623925592107a9df0adfe6ab8a44f9667ebd93f5c706a765c6d1a120e2c3a8c91a822b8de1a4662bc3a14677922a3c2eba84d5b
- C:\Users\Admin\AppData\Roaming\XenoManager\norizzy.exe
  Filesize: 45KB
  MD5: a39dade930f828d59e4e86633986356c
  SHA1: 956f47e3bd9bc8398acb93a5b62b66e5ae8475ff
  SHA256: 47556f2d38004c59b08305afb3f8faaefd39d9885c3d28db13c2df51de61eed5
  SHA512: 99096d1c6b8b0e55d47c1647c5edaae4582e8e4c1211b6ffe76aef299a5b52b5bf2791c5261e8fb86a2d71f4214d7d473202c178d66b61c3830c17ff31f20218
- memory/1480-0-0x00000000751DE000-0x00000000751DF000-memory.dmp
  Filesize: 4KB
- memory/1480-1-0x00000000004C0000-0x00000000004D2000-memory.dmp
  Filesize: 72KB
- memory/4812-15-0x00000000751D0000-0x0000000075981000-memory.dmp
  Filesize: 7.7MB
- memory/4812-16-0x00000000751D0000-0x0000000075981000-memory.dmp
  Filesize: 7.7MB
- memory/4812-19-0x00000000751D0000-0x0000000075981000-memory.dmp
  Filesize: 7.7MB