Analysis
max time kernel: 147s
max time network: 95s
platform: windows11-21h2_x64
resource: win11-20240419-en
resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 31-05-2024 22:39
General
Target: norizzy.exe
Size: 45KB
MD5: a39dade930f828d59e4e86633986356c
SHA1: 956f47e3bd9bc8398acb93a5b62b66e5ae8475ff
SHA256: 47556f2d38004c59b08305afb3f8faaefd39d9885c3d28db13c2df51de61eed5
SHA512: 99096d1c6b8b0e55d47c1647c5edaae4582e8e4c1211b6ffe76aef299a5b52b5bf2791c5261e8fb86a2d71f4214d7d473202c178d66b61c3830c17ff31f20218
SSDEEP: 768:5dhO/poiiUcjlJInOsPH9Xqk5nWEZ5SbTDaLluI7CPW5o:3w+jjgnZPH9XqcnW85SbTEuIg
Malware Config
Extracted
xenorat
character-acquisitions.gl.at.ply.gg
Xeno_rat_nd8912d
delay: 5000
install_path: appdata
port: 36301
startup_name: gggggg
Signatures
Executes dropped EXE (1 IoCs)
  pid   Process
  4812  norizzy.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  1108  schtasks.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process      procid_target
  PID 1480 wrote to memory of 4812   1480  norizzy.exe  80
  PID 1480 wrote to memory of 4812   1480  norizzy.exe  80
  PID 1480 wrote to memory of 4812   1480  norizzy.exe  80
  PID 4812 wrote to memory of 1108   4812  norizzy.exe  81
  PID 4812 wrote to memory of 1108   4812  norizzy.exe  81
  PID 4812 wrote to memory of 1108   4812  norizzy.exe  81
Processes
1. C:\Users\Admin\AppData\Local\Temp\norizzy.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\norizzy.exe"
   PID: 1480
   Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\XenoManager\norizzy.exe
      Command line: "C:\Users\Admin\AppData\Roaming\XenoManager\norizzy.exe"
      PID: 4812
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\schtasks.exe
         Command line: "schtasks.exe" /Create /TN "gggggg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp737A.tmp" /F
         PID: 1108
         Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 226B
MD5: 1294de804ea5400409324a82fdc7ec59
SHA1: 9a39506bc6cadf99c1f2129265b610c69d1518f7
SHA256: 494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0
SHA512: 033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1

Filesize: 1KB
MD5: f09aebed190bf1f0bc30fcd0d98ab535
SHA1: d9ca0713e9b9aa77ea5c7951aa9b5121cd0bd338
SHA256: 6d2c57cb04c643f55be3a2e1b225af550b882de81290359ed7b6bf4059d53859
SHA512: 9635c7635f50678ae01c0f9b9623925592107a9df0adfe6ab8a44f9667ebd93f5c706a765c6d1a120e2c3a8c91a822b8de1a4662bc3a14677922a3c2eba84d5b

Filesize: 45KB
MD5: a39dade930f828d59e4e86633986356c
SHA1: 956f47e3bd9bc8398acb93a5b62b66e5ae8475ff
SHA256: 47556f2d38004c59b08305afb3f8faaefd39d9885c3d28db13c2df51de61eed5
SHA512: 99096d1c6b8b0e55d47c1647c5edaae4582e8e4c1211b6ffe76aef299a5b52b5bf2791c5261e8fb86a2d71f4214d7d473202c178d66b61c3830c17ff31f20218