Overview

overview

10

Static

static

3

payment.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    265s
  • max time network
    269s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-06-2024 19:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    payment.exe

  • Size

    242KB

  • MD5

    eebe7da6234f15c2055ddff4b4da6948

  • SHA1

    76dc426d92a7785677d2ab1ac4cf7c1a63f6af48

  • SHA256

    5a74ace81656d018cc01e7db0cf24abe072524df6c297fa2081019e89680e5e1

  • SHA512

    0e088d5892921d67df1703f5e958a549b32fee13865af459212c0b6fd2f928b8f0534dccf17c1727d7e4fcb6162d90085736f3d58ba801c2fd285d8a9c01abd8

  • SSDEEP

    6144:F1gj4ZzsyX3tzfeVcVz3xkQm3S4eWwNZE3UJxI:F1gj4J7feV6Zr9NZE3UJq

Score
10/10
xenoratrattrojan

Malware Config

Extracted

Family

xenorat

C2

dns.dobiamfollollc.online

Mutex

Solid_rat_nd8889g

Attributes
  • delay

    61000

  • install_path

    appdata

  • port

    1283

  • startup_name

    bns

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\payment.exe
    "C:\Users\Admin\AppData\Local\Temp\payment.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1436
    • C:\Users\Admin\AppData\Local\Temp\payment.exe
      C:\Users\Admin\AppData\Local\Temp\payment.exe
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2328
      • C:\Users\Admin\AppData\Roaming\XenoManager\payment.exe
        "C:\Users\Admin\AppData\Roaming\XenoManager\payment.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1860
        • C:\Users\Admin\AppData\Roaming\XenoManager\payment.exe
          C:\Users\Admin\AppData\Roaming\XenoManager\payment.exe
          4⤵
          • Executes dropped EXE
          PID:1840
        • C:\Users\Admin\AppData\Roaming\XenoManager\payment.exe
          C:\Users\Admin\AppData\Roaming\XenoManager\payment.exe
          4⤵
          • Executes dropped EXE
          PID:4556
        • C:\Users\Admin\AppData\Roaming\XenoManager\payment.exe
          C:\Users\Admin\AppData\Roaming\XenoManager\payment.exe
          4⤵
          • Executes dropped EXE
          PID:1948
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 156
            5⤵
            • Program crash
            PID:3056
    • C:\Users\Admin\AppData\Local\Temp\payment.exe
      C:\Users\Admin\AppData\Local\Temp\payment.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:556
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "bns" /XML "C:\Users\Admin\AppData\Local\Temp\tmp32B3.tmp" /F
        3⤵
        • Creates scheduled task(s)
        PID:2756
    • C:\Users\Admin\AppData\Local\Temp\payment.exe
      C:\Users\Admin\AppData\Local\Temp\payment.exe
      2⤵
        PID:4236
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1948 -ip 1948
      1⤵
        PID:4896

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Persistence

      Scheduled Task/Job

      1
      T1053

      Privilege Escalation

      Scheduled Task/Job

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\payment.exe.log
        Filesize

        706B

        MD5

        d95c58e609838928f0f49837cab7dfd2

        SHA1

        55e7139a1e3899195b92ed8771d1ca2c7d53c916

        SHA256

        0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

        SHA512

        405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmp32B3.tmp
        Filesize

        1KB

        MD5

        d8edaf260103b270a8ddc4c777cfa47b

        SHA1

        2ae20729bde4b5e46ec1193e84bd4e46578a283c

        SHA256

        b5e1e4d8e154f0229ad5f58012165f17d6a179889e691bebe679fea314981e77

        SHA512

        95f8a1faa37cf576b352d21f0a5d020a8b36cd63f450fdc68eb1a5e095f58e4a755edc71461a3738f8a5c2de6690d8207ac75e126e8d3a44c7b96940b2f27290

        Download Submit
      • C:\Users\Admin\AppData\Roaming\XenoManager\payment.exe
        Filesize

        242KB

        MD5

        eebe7da6234f15c2055ddff4b4da6948

        SHA1

        76dc426d92a7785677d2ab1ac4cf7c1a63f6af48

        SHA256

        5a74ace81656d018cc01e7db0cf24abe072524df6c297fa2081019e89680e5e1

        SHA512

        0e088d5892921d67df1703f5e958a549b32fee13865af459212c0b6fd2f928b8f0534dccf17c1727d7e4fcb6162d90085736f3d58ba801c2fd285d8a9c01abd8

        Download Submit
      • memory/556-36-0x0000000075010000-0x00000000757C0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/556-18-0x0000000075010000-0x00000000757C0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/556-16-0x0000000075010000-0x00000000757C0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/1436-4-0x0000000005160000-0x00000000051A0000-memory.dmp
        Filesize

        256KB

        Download
      • memory/1436-7-0x000000000DED0000-0x000000000DF62000-memory.dmp
        Filesize

        584KB

        Download
      • memory/1436-8-0x00000000012C0000-0x00000000012C6000-memory.dmp
        Filesize

        24KB

        Download
      • memory/1436-6-0x000000000E3E0000-0x000000000E984000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/1436-5-0x000000000DD90000-0x000000000DE2C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/1436-17-0x0000000075010000-0x00000000757C0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/1436-0-0x000000007501E000-0x000000007501F000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1436-3-0x0000000075010000-0x00000000757C0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/1436-2-0x0000000001300000-0x0000000001306000-memory.dmp
        Filesize

        24KB

        Download
      • memory/1436-1-0x00000000006E0000-0x0000000000726000-memory.dmp
        Filesize

        280KB

        Download
      • memory/2328-9-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2328-14-0x0000000075010000-0x00000000757C0000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2328-29-0x0000000075010000-0x00000000757C0000-memory.dmp
        Filesize

        7.7MB

        Download