Analysis
- max time kernel: 131s
- max time network: 135s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 04-06-2024 19:46

Static task: static1
Behavioral task: behavioral1
Sample: payment.exe
Resource: win7-20240508-en
General
- Target: payment.exe
- Size: 242KB
- MD5: eebe7da6234f15c2055ddff4b4da6948
- SHA1: 76dc426d92a7785677d2ab1ac4cf7c1a63f6af48
- SHA256: 5a74ace81656d018cc01e7db0cf24abe072524df6c297fa2081019e89680e5e1
- SHA512: 0e088d5892921d67df1703f5e958a549b32fee13865af459212c0b6fd2f928b8f0534dccf17c1727d7e4fcb6162d90085736f3d58ba801c2fd285d8a9c01abd8
- SSDEEP: 6144:F1gj4ZzsyX3tzfeVcVz3xkQm3S4eWwNZE3UJxI:F1gj4J7feV6Zr9NZE3UJq
Malware Config
Extracted
- xenorat
- dns.dobiamfollollc.online
- Solid_rat_nd8889g
- delay: 61000
- install_path: appdata
- port: 1283
- startup_name: bns
Signatures

Detects XenoRAT malware (3 IoCs)
XenoRAT is an open-source remote access tool (RAT) developed in C#.
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/3020-16-0x0000000000400000-0x0000000000412000-memory.dmp   XenoRAT
  behavioral1/memory/3020-8-0x0000000000400000-0x0000000000412000-memory.dmp    XenoRAT
  behavioral1/memory/3020-6-0x0000000000400000-0x0000000000412000-memory.dmp    XenoRAT

Executes dropped EXE (4 IoCs)
Processes:
  pid    process
  2712   payment.exe
  2728   payment.exe
  2460   payment.exe
  2948   payment.exe

Loads dropped DLL (4 IoCs)
Processes:
  pid    process
  3020   payment.exe
  2712   payment.exe
  2712   payment.exe
  2712   payment.exe

Suspicious use of SetThreadContext (6 IoCs)
Processes:
  description                              pid    process       target process
  PID 2976 set thread context of 3020      2976   payment.exe   payment.exe
  PID 2976 set thread context of 1976      2976   payment.exe   payment.exe
  PID 2976 set thread context of 2684      2976   payment.exe   payment.exe
  PID 2712 set thread context of 2728      2712   payment.exe   payment.exe
  PID 2712 set thread context of 2460      2712   payment.exe   payment.exe
  PID 2712 set thread context of 2948      2712   payment.exe   payment.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description                pid    process
  Token: SeDebugPrivilege    2976   payment.exe
  Token: SeDebugPrivilege    2712   payment.exe

Suspicious use of WriteProcessMemory (62 IoCs)
Processes (identical rows collapsed; the count column gives how many times each row appears in the report):
  description                           count   pid    process       target process
  PID 2976 wrote to memory of 3020      9       2976   payment.exe   payment.exe
  PID 2976 wrote to memory of 1976      9       2976   payment.exe   payment.exe
  PID 2976 wrote to memory of 2684      9       2976   payment.exe   payment.exe
  PID 3020 wrote to memory of 2712      4       3020   payment.exe   payment.exe
  PID 2712 wrote to memory of 2728      9       2712   payment.exe   payment.exe
  PID 2712 wrote to memory of 2460      9       2712   payment.exe   payment.exe
  PID 2712 wrote to memory of 2948      9       2712   payment.exe   payment.exe
  PID 1976 wrote to memory of 264       4       1976   payment.exe   schtasks.exe
Processes (process tree; indentation shows parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\payment.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\payment.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\payment.exe
    command line: C:\Users\Admin\AppData\Local\Temp\payment.exe
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\XenoManager\payment.exe
      command line: "C:\Users\Admin\AppData\Roaming\XenoManager\payment.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\XenoManager\payment.exe
        command line: C:\Users\Admin\AppData\Roaming\XenoManager\payment.exe
        - Executes dropped EXE

      C:\Users\Admin\AppData\Roaming\XenoManager\payment.exe
        command line: C:\Users\Admin\AppData\Roaming\XenoManager\payment.exe
        - Executes dropped EXE

      C:\Users\Admin\AppData\Roaming\XenoManager\payment.exe
        command line: C:\Users\Admin\AppData\Roaming\XenoManager\payment.exe
        - Executes dropped EXE

  C:\Users\Admin\AppData\Local\Temp\payment.exe
    command line: C:\Users\Admin\AppData\Local\Temp\payment.exe
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      command line: "schtasks.exe" /Create /TN "bns" /XML "C:\Users\Admin\AppData\Local\Temp\tmp166E.tmp" /F
      - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\payment.exe
    command line: C:\Users\Admin\AppData\Local\Temp\payment.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp166E.tmp
- Filesize: 1KB
- MD5: d8edaf260103b270a8ddc4c777cfa47b
- SHA1: 2ae20729bde4b5e46ec1193e84bd4e46578a283c
- SHA256: b5e1e4d8e154f0229ad5f58012165f17d6a179889e691bebe679fea314981e77
- SHA512: 95f8a1faa37cf576b352d21f0a5d020a8b36cd63f450fdc68eb1a5e095f58e4a755edc71461a3738f8a5c2de6690d8207ac75e126e8d3a44c7b96940b2f27290

\Users\Admin\AppData\Roaming\XenoManager\payment.exe
- Filesize: 242KB
- MD5: eebe7da6234f15c2055ddff4b4da6948
- SHA1: 76dc426d92a7785677d2ab1ac4cf7c1a63f6af48
- SHA256: 5a74ace81656d018cc01e7db0cf24abe072524df6c297fa2081019e89680e5e1
- SHA512: 0e088d5892921d67df1703f5e958a549b32fee13865af459212c0b6fd2f928b8f0534dccf17c1727d7e4fcb6162d90085736f3d58ba801c2fd285d8a9c01abd8

Memory dumps:
  file                                                                  filesize
  memory/1976-21-0x0000000074B30000-0x000000007521E000-memory.dmp       6.9MB
  memory/1976-49-0x0000000074B30000-0x000000007521E000-memory.dmp       6.9MB
  memory/1976-48-0x0000000074B30000-0x000000007521E000-memory.dmp       6.9MB
  memory/1976-45-0x0000000074B30000-0x000000007521E000-memory.dmp       6.9MB
  memory/2712-28-0x0000000000140000-0x0000000000186000-memory.dmp       280KB
  memory/2976-4-0x0000000074B30000-0x000000007521E000-memory.dmp        6.9MB
  memory/2976-20-0x0000000074B30000-0x000000007521E000-memory.dmp       6.9MB
  memory/2976-5-0x00000000002B0000-0x00000000002B6000-memory.dmp        24KB
  memory/2976-0-0x0000000074B3E000-0x0000000074B3F000-memory.dmp        4KB
  memory/2976-3-0x00000000003D0000-0x0000000000410000-memory.dmp        256KB
  memory/2976-2-0x0000000000280000-0x0000000000286000-memory.dmp        24KB
  memory/2976-1-0x0000000000DE0000-0x0000000000E26000-memory.dmp        280KB
  memory/3020-6-0x0000000000400000-0x0000000000412000-memory.dmp        72KB
  memory/3020-19-0x0000000074B30000-0x000000007521E000-memory.dmp       6.9MB
  memory/3020-8-0x0000000000400000-0x0000000000412000-memory.dmp        72KB
  memory/3020-16-0x0000000000400000-0x0000000000412000-memory.dmp       72KB
  memory/3020-29-0x0000000074B30000-0x000000007521E000-memory.dmp       6.9MB