Analysis Overview
SHA256
47556f2d38004c59b08305afb3f8faaefd39d9885c3d28db13c2df51de61eed5
Threat Level: Known bad
The file norizzy.exe was found to be: Known bad.
Malicious Activity Summary
Xenorat family
XenorRat
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-05-31 22:39
Signatures
Xenorat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-31 22:39
Reported
2024-05-31 22:42
Platform
win11-20240419-en
Max time kernel
147s
Max time network
95s
Command Line
Signatures
XenorRat
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\norizzy.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1480 wrote to memory of 4812 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\norizzy.exe | C:\Users\Admin\AppData\Roaming\XenoManager\norizzy.exe |
| PID 4812 wrote to memory of 1108 (3 events) | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\norizzy.exe | C:\Windows\SysWOW64\schtasks.exe |
Both writes are from a parent into a child it has just started (the Temp copy into the Roaming copy, and the Roaming copy into schtasks.exe), which is the pattern normal process creation also produces; on its own this signature does not establish code injection. The process chain and the scheduled-task creation are the stronger evidence here.
Processes
C:\Users\Admin\AppData\Local\Temp\norizzy.exe
"C:\Users\Admin\AppData\Local\Temp\norizzy.exe"
C:\Users\Admin\AppData\Roaming\XenoManager\norizzy.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\norizzy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "gggggg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp737A.tmp" /F
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | character-acquisitions.gl.at.ply.gg | udp |
| US | 147.185.221.17:36301 | character-acquisitions.gl.at.ply.gg | tcp (3 connections) |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
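The Processes and Network sections above give a compact behaviour chain: the Temp copy of norizzy.exe starts a second copy under AppData\Roaming\XenoManager, that copy registers a scheduled task from a Temp .tmp XML file, and the Roaming copy resolves a *.ply.gg hostname (the tunnel domain of the playit.gg relay service, which hides the operator's real address behind 147.185.221.17). The following is an added detection example written for this report, not code from the sandbox or from XenoRAT; the events it runs over are constructed to mirror the report (Sysmon-style fields, with parent PID 900 and the benign schtasks control event assumed for illustration), so the rules can be exercised offline.

```python
"""Hunt for the XenoRAT behaviour chain from this report over Sysmon-style
process-creation and DNS events.  Added example; EVENTS is constructed to
mirror the report, not captured from the sandbox run."""
import ntpath
import re

# Constructed events.  Fields mimic Sysmon EID 1 (process) and EID 22 (dns).
# PID 900 (parent of the first norizzy.exe) and the trailing "Backup" task are
# assumptions added as a control; the rest follows the report's process list.
EVENTS = [
    {"type": "process", "pid": 1480, "ppid": 900,
     "image": r"C:\Users\Admin\AppData\Local\Temp\norizzy.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\norizzy.exe"'},
    {"type": "process", "pid": 4812, "ppid": 1480,
     "image": r"C:\Users\Admin\AppData\Roaming\XenoManager\norizzy.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\XenoManager\norizzy.exe"'},
    {"type": "process", "pid": 1108, "ppid": 4812,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"schtasks.exe" /Create /TN "gggggg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp737A.tmp" /F'},
    {"type": "dns", "pid": 4812, "query": "character-acquisitions.gl.at.ply.gg"},
    # Benign-looking control: task import from ProgramData must not fire.
    {"type": "process", "pid": 2000, "ppid": 900,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN "Backup" /XML "C:\ProgramData\backup.xml"'},
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
ROAMING_RE = re.compile(r"\\AppData\\Roaming\\", re.I)
XENOMANAGER_RE = re.compile(r"\\AppData\\Roaming\\XenoManager\\", re.I)
XML_ARG_RE = re.compile(r'/XML\s+"?([^"\s]+)"?', re.I)


def basename(path):
    return ntpath.basename(path).lower()


def rule_schtasks_xml_from_temp(ev, by_pid):
    """schtasks /Create importing a task definition that lives in %TEMP%."""
    if ev["type"] != "process" or basename(ev["image"]) != "schtasks.exe":
        return False
    cmd = ev["cmdline"]
    if not re.search(r"/create\b", cmd, re.I):
        return False
    m = XML_ARG_RE.search(cmd)
    return bool(m and TEMP_RE.search(m.group(1)))


def rule_xenomanager_path(ev, by_pid):
    """Image under the XenoManager drop directory seen in this report."""
    return ev["type"] == "process" and bool(XENOMANAGER_RE.search(ev["image"]))


def rule_self_copy_relocation(ev, by_pid):
    """A Temp-resident binary launching a same-named copy from Roaming."""
    if ev["type"] != "process":
        return False
    parent = by_pid.get(ev["ppid"])
    return bool(parent
                and basename(parent["image"]) == basename(ev["image"])
                and TEMP_RE.search(parent["image"])
                and ROAMING_RE.search(ev["image"]))


def rule_tunnel_dns(ev, by_pid):
    """DNS query for a playit.gg tunnel hostname (*.ply.gg)."""
    return ev["type"] == "dns" and ev["query"].lower().endswith(".ply.gg")


RULES = [rule_schtasks_xml_from_temp, rule_xenomanager_path,
         rule_self_copy_relocation, rule_tunnel_dns]


def hunt(events):
    """Return (rule_name, pid) for every event that matches a rule."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for ev in events:
        for rule in RULES:
            if rule(ev, by_pid):
                findings.append((rule.__name__.removeprefix("rule_"), ev["pid"]))
    return findings


def trace_chain(events, pid):
    """Walk ppid links upward from pid; return images root-first."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


if __name__ == "__main__":
    for name, pid in hunt(EVENTS):
        print(f"{name:24} pid={pid}")
    print(" -> ".join(trace_chain(EVENTS, 1108)))
```

The schtasks rule keys on the /XML argument pointing into Temp rather than on the task name, because the name ("gggggg" here) is operator-chosen and changes per build; the .tmp file itself (hashes in the Files section below) is deleted or overwritten quickly, so the command line is usually the only record of it. The DNS rule fires on any *.ply.gg host, which is appropriate on a fleet where developers are not expected to use playit.gg tunnels.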
Files
memory/1480-0-0x00000000751DE000-0x00000000751DF000-memory.dmp
memory/1480-1-0x00000000004C0000-0x00000000004D2000-memory.dmp
C:\Users\Admin\AppData\Roaming\XenoManager\norizzy.exe
| MD5 | a39dade930f828d59e4e86633986356c |
| SHA1 | 956f47e3bd9bc8398acb93a5b62b66e5ae8475ff |
| SHA256 | 47556f2d38004c59b08305afb3f8faaefd39d9885c3d28db13c2df51de61eed5 |
| SHA512 | 99096d1c6b8b0e55d47c1647c5edaae4582e8e4c1211b6ffe76aef299a5b52b5bf2791c5261e8fb86a2d71f4214d7d473202c178d66b61c3830c17ff31f20218 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\norizzy.exe.log
| MD5 | 1294de804ea5400409324a82fdc7ec59 |
| SHA1 | 9a39506bc6cadf99c1f2129265b610c69d1518f7 |
| SHA256 | 494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0 |
| SHA512 | 033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1 |
memory/4812-15-0x00000000751D0000-0x0000000075981000-memory.dmp
memory/4812-16-0x00000000751D0000-0x0000000075981000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp737A.tmp
| MD5 | f09aebed190bf1f0bc30fcd0d98ab535 |
| SHA1 | d9ca0713e9b9aa77ea5c7951aa9b5121cd0bd338 |
| SHA256 | 6d2c57cb04c643f55be3a2e1b225af550b882de81290359ed7b6bf4059d53859 |
| SHA512 | 9635c7635f50678ae01c0f9b9623925592107a9df0adfe6ab8a44f9667ebd93f5c706a765c6d1a120e2c3a8c91a822b8de1a4662bc3a14677922a3c2eba84d5b |
memory/4812-19-0x00000000751D0000-0x0000000075981000-memory.dmp