Analysis Overview
SHA256
a3254b90b2c6e12c29f7d9f538087da2d4bb7f64d003c591c8936cee7dd74b39
Threat Level: Known bad
The file hjhjjhjh.exe was found to be: Known bad.
Malicious Activity Summary
XenorRat
Xenorat family
Executes dropped EXE
Enumerates physical storage devices
Unsigned PE
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-31 22:41
Signatures
Xenorat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-31 22:41
Reported
2024-05-31 22:43
Platform
win11-20240508-en
Max time kernel
132s
Max time network
149s
Command Line
Signatures
XenorRat
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\hjhjjhjh.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4348 wrote to memory of 1468 | N/A | C:\Users\Admin\AppData\Local\Temp\hjhjjhjh.exe | C:\Users\Admin\AppData\Roaming\XenoManager\hjhjjhjh.exe |
| PID 4348 wrote to memory of 1468 | N/A | C:\Users\Admin\AppData\Local\Temp\hjhjjhjh.exe | C:\Users\Admin\AppData\Roaming\XenoManager\hjhjjhjh.exe |
| PID 4348 wrote to memory of 1468 | N/A | C:\Users\Admin\AppData\Local\Temp\hjhjjhjh.exe | C:\Users\Admin\AppData\Roaming\XenoManager\hjhjjhjh.exe |
| PID 1468 wrote to memory of 4000 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\hjhjjhjh.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 1468 wrote to memory of 4000 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\hjhjjhjh.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 1468 wrote to memory of 4000 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\hjhjjhjh.exe | C:\Windows\SysWOW64\schtasks.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\hjhjjhjh.exe
"C:\Users\Admin\AppData\Local\Temp\hjhjjhjh.exe"
C:\Users\Admin\AppData\Roaming\XenoManager\hjhjjhjh.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\hjhjjhjh.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "gggggg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp65BF.tmp" /F
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 147.185.221.17:5050 | character-acquisitions.gl.at.ply.gg | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 147.185.221.17:5050 | character-acquisitions.gl.at.ply.gg | tcp |
| US | 147.185.221.17:5050 | character-acquisitions.gl.at.ply.gg | tcp |
| US | 147.185.221.17:5050 | character-acquisitions.gl.at.ply.gg | tcp |
| US | 147.185.221.17:5050 | character-acquisitions.gl.at.ply.gg | tcp |
Files
memory/4348-0-0x00000000751BE000-0x00000000751BF000-memory.dmp
memory/4348-1-0x0000000000F90000-0x0000000000FA2000-memory.dmp
C:\Users\Admin\AppData\Roaming\XenoManager\hjhjjhjh.exe
| MD5 | 4091b1844d11374da445542dae37c305 |
| SHA1 | 029f3396c39f543dd984031eb82edcc035ed0a25 |
| SHA256 | a3254b90b2c6e12c29f7d9f538087da2d4bb7f64d003c591c8936cee7dd74b39 |
| SHA512 | c0a7709ed26d1643776dddb992fdf4910247da5b7548b1780212ad7183bc295a58832243d99ea68e84807ad4db4d5895dcec79f32f3464a1a97ba6ae02d447eb |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hjhjjhjh.exe.log
| MD5 | 1294de804ea5400409324a82fdc7ec59 |
| SHA1 | 9a39506bc6cadf99c1f2129265b610c69d1518f7 |
| SHA256 | 494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0 |
| SHA512 | 033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1 |
memory/1468-15-0x00000000751B0000-0x0000000075961000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp65BF.tmp
| MD5 | 1da92f89439d606693cb5fe544506d3f |
| SHA1 | 6b16ca9e828f603b4dab3da05a41b7581e11eccf |
| SHA256 | 5395d00c0c209d074abb317ce84f2bea3b59d9a5988a6f1dce1a726efdd551b7 |
| SHA512 | 2a7803ef21453f8597de421b2aa12cad262dbb5f29d27f6307877469079d4b07a18d6e65ada7c268eeaed3f57111f8c1a100d6e86881c886a6da5950856700ea |
C:\Users\Admin\Desktop\OutRegister.pps
| MD5 | 6c54e079dbcd795f66f2d50d8012f366 |
| SHA1 | e1cd4ccdbd12a4259fdc2a69fbf1bd3fc398935f |
| SHA256 | 20da181f389e6fcd1f6cd8c12712436cf19ea459376fa2c9d660b73cffed6e68 |
| SHA512 | 7db77c67c59b1bb23253007abb6ab84d6e596ba5eca6a34c702d751742c63a0cf1641b422ce74613144cd5496dd6210e570e74dd00c963c0bec4e9e5433f24b4 |
C:\Users\Admin\Desktop\PopResolve.au3
| MD5 | 2130de3ba75166a13f31c2c50bede05e |
| SHA1 | d1e8fd8995ba3c5e46aa3afbe84cc42f792c0013 |
| SHA256 | 2941cc2efdfc1d4d6118deb872d1861d163c4aacb2f45a387142dfad3c8445e0 |
| SHA512 | 681c91f601841485d06673925081f0febdb11eb9a605949dd4506b336ac67b40559032bcd11a0fa4c70eb1b2b7a52d1b1a7a3aea99a49da6798da21c47203aa3 |
C:\Users\Admin\Desktop\RestoreUse.jpeg
| MD5 | 16fc2134c5575b8be3c91996ac1267b7 |
| SHA1 | 92a150d480bb3234f614310e07ae1924f52c77a4 |
| SHA256 | b39f96fc4b626ad6d056baf1e2427f294a51fec523505acea178b3575fec560e |
| SHA512 | 17f9b260b8c29fce19b5c72ff921e798ea04185c03a27e5cdb60214bcd2da0beacaac5c9605ad709758347f671d46ed78e312c8e5852687456a2a42b5a04fe2c |
C:\Users\Admin\Desktop\RestoreRemove.xlt
| MD5 | ef8e15994c10eeda66fc840f516d703e |
| SHA1 | 68b22c9fbbc8ab0bf9dd5e3a3ffdb668129265bc |
| SHA256 | 33884594aabada9195b4fa205528f64afb93045b0c19e92700a2d7fbc9fe06b8 |
| SHA512 | aa08bc00fcf6e17206ecaecb75b0a0ffc49367feeded0fe9acbe9b563150e8f2ff74b3b00ca51dc552852a755a85c9397349b0ead91747e5aaf9573bfd68555d |
C:\Users\Admin\Desktop\SplitFormat.ram
| MD5 | a001dfad7fa0e47935d7714c735726a7 |
| SHA1 | 1225bae061b32d360fd789f94e50f61b462eeae3 |
| SHA256 | 8c5190091a7c7fa48c9852977768888243b33c679cf92da9b1b97d10d0926827 |
| SHA512 | dca757cb9586afa77d24d4190101d66f9f3fdfd01c7c5f0340e1e74a451003774f0ad5c780a6e3aeb5db7f42186c7166ad08f93f91c48947991e628ffca001eb |
C:\Users\Admin\Desktop\SendMove.MOD
| MD5 | f1134d3b9723c3bfc9c029ccc255e5bd |
| SHA1 | eacf9a93daf5d707e1fe30fa3db551aeab173669 |
| SHA256 | df916a74bb5a3d2051e9a6cce996ce28db93bd9b0af4d882e136c0db06a21669 |
| SHA512 | 02e21d7d6df83990e3b6b834c096e086f6d4df8804ac73d64cc7ac7007cbe36f22940723a78b993756d8ac7b42f42f6bc80bb60934248a516b2ce6d7c44d4bea |
C:\Users\Admin\Desktop\RegisterDismount.tif
| MD5 | d529956bfe4fe47ada3a9861a818f926 |
| SHA1 | 3e0b59227383eb13623e8caa086d475fd5a46375 |
| SHA256 | 5a17c8ab9abaf7fadd9a3aa773f30069e694377bb0b441fb2bd927ac740b6538 |
| SHA512 | faad75aae0c7577d33556df0c9552ec6c53d0f88fb6a32409da6e8413729b4729457165bf62857f0e18ee0a4e821ac9c8b8a308816864b57d0716d6b7057843e |
C:\Users\Admin\Desktop\StepUnregister.wmx
| MD5 | b0585fbb5902d483f1b76bde2d508e10 |
| SHA1 | 3cb8dba5c8cdaab2a1d2f8f1307f96a912b0c66d |
| SHA256 | cbc83a3c94197be9d959698f6a57aa90933575fec7a18761e444363088498940 |
| SHA512 | 836ab3b92bfd14db0fa826c1bd65f163876ec06c626fda60b56dcf45a5f47e1986974ceb1778f274df1a943c78072a801e98bd0c4fb27f91164911aba751bb1d |
C:\Users\Admin\Desktop\UnlockSplit.cab
| MD5 | a9b1b4c603cf5b3d2cf1b5800b344de0 |
| SHA1 | b1514b6b8ebbda23bae562f47172705f171addfc |
| SHA256 | 79d2205dc1737489e1f18843d890702c101224bab5d823b0262695b41d2f381a |
| SHA512 | 6c0945122d1d52fe20050ceff26bc879734ebf5cc0951a2c9bcf531ca2f8a5debca121bb67c2185af59a94000bd933b4a46c0f61a49534677d6835638036945c |
C:\Users\Admin\Desktop\NewExport.lnk
| MD5 | 0afe855a3c7be3a4c364bb27d7deadf4 |
| SHA1 | 1685488b848eb8d6d51b06e1f2123e3fc2e5d8fb |
| SHA256 | 7c3a4e0e222a814ab95cdf7c30c36b1c0f7284c84f6410170df3f9dad764b5a0 |
| SHA512 | 293ba2fcde4ff89c1cf584e184b64f7e20514e08c2f72010b804d18f2841dbc27bd6cf2e9b409cd08d0638f371b878d632e4ab7cc34c7eb48dbd69e54e1523a9 |
C:\Users\Admin\Desktop\MergeWrite.mov
| MD5 | 7e2817a5c13073cec3777528f939d35c |
| SHA1 | e23b0b5d1ba6b0d41323eb5b5bb06e137b0293c5 |
| SHA256 | 06aa7b3c7b8f62f5a93367f5ade9c513a68266b99e5345923b75a6a9f95f3c9c |
| SHA512 | a83d1a7dd7d55f028183fd2903f35d7e99f73d4a6f46962f947e4af4e106556734a5f84aafd37094a37e17dbb00a8c845878b2939dd5f75a0ff90ce469831ae2 |
C:\Users\Admin\Desktop\OpenMeasure.jpeg
| MD5 | 029ab880550c16073c30616d8b5c755f |
| SHA1 | d386a32cc91129931e21d55ed9e9ded025108a9a |
| SHA256 | 3c43d3bff8147d649d19b81f08f23a38479df1e20e8929f41877b3de78296e5b |
| SHA512 | d69941b7cbc2f47fba010effc840793001db2e93c48d858b1e839e7953c2ac5eac8f34a0891ec0226d654fe37462d08efff4f62393a0a3ade1c455be53e4c057 |
memory/1468-30-0x00000000751B0000-0x0000000075961000-memory.dmp
C:\Users\Admin\Desktop\Microsoft Edge.lnk
| MD5 | df47fd7ae962d9b1044ed98310404a71 |
| SHA1 | d5ebf33ac616c087480780e86882711414582b52 |
| SHA256 | 902042b86861ce27140f969f1ef8916dfe11d556879c28e0dad6ec83297abbad |
| SHA512 | 657f1ed96368fecf50cc3f5ddcdef828d5c1b281aeb4c8a2b70aa45ca7ef27b1f97162039edfc2a2258d97e0d1fe91568d6b84da1adfbc04a30db6ee7db7dcd1 |
C:\Users\Public\Desktop\Acrobat Reader DC.lnk
| MD5 | ee35b089030ec91819fee975675b1fed |
| SHA1 | 8212050ac2dc6d9c1b9bf762ef1c47f0226c4ceb |
| SHA256 | 2e6377cdd8f352c73f956d2888aca057b28b74bbe1760aa55de30f23acfd658b |
| SHA512 | c0d606f41d63d3b279d2bf35400c4b86dc34fbc48276d942dd5e437a2123039c3650e4d28328d75f8ae00473f6f79c5baca14be21dcfc01fc7b07f8a1fbdbc09 |
C:\Users\Public\Desktop\VLC media player.lnk
| MD5 | 4b89cf22544f4e5400f6254c0ac6d06c |
| SHA1 | 13503eb478312003d5e7b7e19e465f83a670425a |
| SHA256 | e52141cc2ceec8397a2460331c98a5089ae978cf57ae319df0b9ddea75b1fbf2 |
| SHA512 | e059c11180e2bb97417b2e8e342a53e5d698d711ec8ca7a162103e04d5f966c189185c3bdd8aabf7f9eecb4559811c3be182d4b7e1ec536a95bd9aba2da0bfc8 |
C:\Users\Public\Desktop\Firefox.lnk
| MD5 | 76ee20775e47f5f40e5f216d85f7f0bb |
| SHA1 | d1849321974de5f39e69986165b33011332cf942 |
| SHA256 | 9cc9bd7a4c7dcbce05d4033ba06424ed8bf4d9829204a763f61bb67bcb6406d2 |
| SHA512 | dc949848d830b0a1289306b7da491d390e117143b0a57ac2399d7435efc864a95f42dc62ec4aa7b894231fbc3b5131a6c23298843516005263db2a1a4b4d5fc0 |
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | f3270104f972b080a402eab7623f0492 |
| SHA1 | a540f5dbb21ef6cba15488235126837ecc0ee542 |
| SHA256 | ea796431163905d0123b2866605076476965ab6bb80d38026d98ad2350aa7d41 |
| SHA512 | 87756a6dc356c3cd6edc8910cc0ebcf8f21509ffef9dc1e8236e5ee1603c2abcf27ae83043dd8ad269f7c93c81d7f221185929380f70dbff5e617648535bae86 |
C:\Users\Admin\Desktop\ConvertFromSwitch.otf
| MD5 | 7da359bb4b3af50280e2d4b077f392fe |
| SHA1 | 8eb59559490e4fbca9f1b835b069f08197990ce7 |
| SHA256 | 60f8d1d0d11dfc2e46ee8234731306237947ab20d83d9aec28308ea015097a6a |
| SHA512 | 285cceb6d8baaa796b6fdd9fa1bc6a02c860d3d6cb37c0d73adc5e5ccc3cb7e772317179d88c76135fc3d476200300d39cb4b26f549db9ad859fb3fdad484324 |
C:\Users\Admin\Desktop\DebugAdd.rtf
| MD5 | 572816d0999f0544118c9d57a8b3308b |
| SHA1 | db5e2030404b5471c18149d26bf81bba89b961f1 |
| SHA256 | 8c73024820d3d2ea5ff19f64e1d7389124468da42720338657de88f52e069338 |
| SHA512 | fa28b6f0572c638e27390dcb8637a8df5809c91703877fcacdf1871081ec4cad65b13c571023951c3a37952dc37822e945c5d27fa41e2bb8efb2360744651c35 |
C:\Users\Admin\Desktop\EnterStop.odp
| MD5 | 0fd57088953af1854276c5e898a4b206 |
| SHA1 | 23fe32cfadee20f3c64790e90c1ab91cc3fff167 |
| SHA256 | d984f643e230587697c186d40f317c4317dea4d2dcdaea270e1540276ed75d75 |
| SHA512 | ecbe312a59155c57f89c5e82f591beace316c7210581f49f61a012445c6f947ad90e65cc777d867962dc8ea52826b5a516dec13bd3deb8ee40757250fd626441 |
C:\Users\Admin\Desktop\LockEnter.vsw
| MD5 | 1c28e7fed35a0557800e3d5dc5252e16 |
| SHA1 | 47982b76f4d141648a590d1a57fa02e7aa72dddf |
| SHA256 | 21eac83e7ed6cdbfc03da5bedba39765e9273c3ac114804945143cfd82660ac2 |
| SHA512 | 8879fc7981539a5594d2b40d2fa496abc66865eba4f9b6d1cb4e9e1075ef076e0078e4ce0c7e3b64d41bf942badd09b9c4516cfe045dee0e6ef5be9163af41a9 |
C:\Users\Admin\Desktop\ImportSync.mpeg3
| MD5 | ae91b1455ea24165f6f8c5f2d8f5caa1 |
| SHA1 | ba6db900ff35cce2b2b70ccf1acd3120f2d0c8d8 |
| SHA256 | 781836e3086420cae3bf8e62171c22da762210f2b87f38f61a0d7c2af01be4d1 |
| SHA512 | da9e7eeee9a25ba83a03a57cff6e54437914c8e347adf87947cbaed02199c46d9fefc28dc7aaa49a1c80d35d1b0c6fd5780c77eaf1eab76b3e98d8f52bc0ce4c |
C:\Users\Admin\Desktop\GroupSuspend.odt
| MD5 | 7b0e0e9c4f1c2afa5bc8cf983950f74c |
| SHA1 | 80652e8b74b5ac295168fdea5424f8f129f9fb5a |
| SHA256 | 39225ae1e78f8c2f21df4d2c0d282af72173f31506e331677be7f7dd03281896 |
| SHA512 | 12fd60fa2a61f0fb68195256760d5ef70c6c0833fb2bac6441f458652cfff0f4066cec29af79e094a8865db7d559a56d2a7d974e3400b8d4590e4b83f385aed2 |
C:\Users\Admin\Desktop\FormatProtect.snd
| MD5 | cd5bfec149aa8bdfba6efcb52865da14 |
| SHA1 | 239eda79a3e9b89c513f9dc345627994c42cc691 |
| SHA256 | 87b394ad200c06292fbc87b9269ac49c79a49674a588c05114682c42bcac7db8 |
| SHA512 | 4bc190151aaa41206bee569268b2dde9b734f90d8695c765e5efcf45c313c7efa1e06f00c02449aac4a9c656fb638a512e811404e08f5287ea6e5a66ab153e14 |
C:\Users\Admin\Desktop\ExitClose.iso
| MD5 | 2347c654220546e72aa9870edece6371 |
| SHA1 | dfc16a5e769dadf61b643545609688ee50760310 |
| SHA256 | 0c064e1647c8c6b6157063dff7de0059071ad73bbb2211712ccb74de22d509e8 |
| SHA512 | 71df064e6f1b376fa0642e67b1a3204e1ec5b779ce41f9db2e5091ea918b5001288a507b112bc0075e68050d9d3008cf2edd9ff0d51f14232333e2dd763b431b |
C:\Users\Admin\Desktop\ExpandSelect.xsl
| MD5 | e68c3449f7693f32d7728d22d60d98bd |
| SHA1 | 60a3d7fb5e6cdcc2f8103ac45f8d7c8ec3f461f6 |
| SHA256 | e077d2f2695c3f87c03669b54847162f2c82bc1f15660c8a39c11f5efb2d8b71 |
| SHA512 | 16a6c8cd7bb89a96fddcbbb87730c8ac26bfd4d5ce9b2be1b3ebe948436a3d90dd9a7e789c3e6c9f923dee8c6ad0335074ca4140900722076879e4f1b3b60af6 |
C:\Users\Admin\Desktop\ExpandRead.001
| MD5 | 2751f95393952c7e9a19bddb0a067589 |
| SHA1 | d8e4875d1d270c3fd7eff354f83d472cc5c4a14a |
| SHA256 | 5b14741e293f26a9c764da825e401a8dba2fd17ff931431adc64658ea2773642 |
| SHA512 | ef3dc123d834bcecd96389badd6e7e085d55f3a9045057ac4d276655a8d36a60593b2357a5bee4940d3e99a2a2123628a1d9375ad87de8312769d18d5855e246 |
C:\Users\Admin\Desktop\ConvertFromSubmit.vsd
| MD5 | fbe10c400f94e0accea60491a52ce6e6 |
| SHA1 | b3b37ef96a2ca05874a5a5b2009ad7b74f07aed8 |
| SHA256 | 479f550d3c1ad9a424c2c71370d80d5f7ac91f5015ea888341f78a0d9a3d102b |
| SHA512 | cb605f54fbb266e815f5aac2609971b5c6e1588d76b86dea7e9bb9b34fb273d5a142b60b0be14919a1e7fbd15d46780554fdcef475359f75be2837d7050b0ab9 |
C:\Users\Admin\Desktop\AddSplit.shtml
| MD5 | c10e394177ae8a694a259fabc1075e4e |
| SHA1 | 7d2fddad3c660c1f7755571659d99e5757953748 |
| SHA256 | 350a4342f282aa90ed172781285ae1d08eeff1166b5efb1e5da2140a0f04444e |
| SHA512 | 4b6585e6ff197756296c5223e3cb06033651619b31039fb4f7a0a7f71d8992b961a2a112e083091d2bcc008f6ba262955c3f044288fe4f089e209e15c5129615 |