Analysis
max time kernel: 143s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-06-2024 20:15
General
Target: 1.exe
Size: 45KB
MD5: b41a12a0d37ef53287dbd761804a662d
SHA1: ed358f847690d011eee6fd4bcb65eef9891fc00a
SHA256: fb4597aca89557766465e052c062f6bc33178999c4ae7813f66e090a12f261f4
SHA512: 372e510b1359045c2bd0dc4f3a613d11d49fcc7f2ce3eff62229536fea32ea420122f1b89ecee76a96d9ca3890353607518592da00bc3efe14937957983d9c22
SSDEEP: 768:hdhO/poiiUcjlJInt0H9Xqk5nWEZ5SbTDaVuI7CPW55:fw+jjgn2H9XqcnW85SbTouIB
Malware Config
Extracted
Family: xenorat
C2: 192.168.100.78
Mutex: Xeno_rat_nd8912d
delay: 5000
install_path: appdata
port: 4444
startup_name: nothingset (XenoRAT's default placeholder value, meaning no startup/persistence entry is configured; consistent with the absence of any persistence signature below)
Note that the C2 address is an RFC 1918 private address, so the sandbox could not have reached the operator's server; the empty Network section below is expected.
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Process: 1.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (1 IoC)
  PID 5608: 1.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4224 (1.exe) wrote to the memory of PID 5608 (1.exe); recorded three times
Processes
1. C:\Users\Admin\AppData\Local\Temp\1.exe (PID 4224)
   Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\XenoManager\1.exe (PID 5608, child of PID 4224)
      Command line: "C:\Users\Admin\AppData\Roaming\XenoManager\1.exe"
      - Executes dropped EXE
1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (top-level process, not a child of 1.exe; no signatures attached)
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3984 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
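The extracted config and the process tree above give a practitioner everything needed to hunt for this sample on endpoint telemetry: the C2 host and port, the install directory under %APPDATA%, the self-copy relaunch that produced the WriteProcessMemory IoCs, the Geo\Nation registry lookup, and the file hashes. The script below is an added example and is not part of the sandbox report or of XenoRAT. The indicators it carries are taken from the report; the log lines are constructed for illustration, and the pipe-separated key=value format and the field names (pid, ppid, image, sha256, key, target, dst, dport) are assumptions loosely modelled on Sysmon process-create, network-connect, file-create and registry events.

```python
import re
from typing import Dict, List, Tuple

# Indicators taken from the report above.
C2_HOST = "192.168.100.78"
C2_PORT = 4444
SAMPLE_SHA256 = "fb4597aca89557766465e052c062f6bc33178999c4ae7813f66e090a12f261f4"
INSTALL_DIR_RE = re.compile(r"\\AppData\\Roaming\\XenoManager\\", re.IGNORECASE)
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
# A geofence lookup is only interesting from a binary running out of a user-writable dir.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)

# Constructed telemetry for the demo (NOT from the report). Format and field
# names are an assumption; the paths, PIDs, SID and hash mirror the report.
SAMPLE_LOG = """\
ProcessCreate|pid=4224|ppid=1000|image=C:\\Users\\Admin\\AppData\\Local\\Temp\\1.exe|sha256=fb4597aca89557766465e052c062f6bc33178999c4ae7813f66e090a12f261f4
RegistryQuery|pid=4224|key=HKU\\S-1-5-21-3808065738-1666277613-1125846146-1000\\Control Panel\\International\\Geo\\Nation
FileCreate|pid=4224|target=C:\\Users\\Admin\\AppData\\Roaming\\XenoManager\\1.exe
ProcessCreate|pid=5608|ppid=4224|image=C:\\Users\\Admin\\AppData\\Roaming\\XenoManager\\1.exe|sha256=fb4597aca89557766465e052c062f6bc33178999c4ae7813f66e090a12f261f4
NetworkConnect|pid=5608|dst=192.168.100.78|dport=4444
ProcessCreate|pid=7000|ppid=1000|image=C:\\Windows\\System32\\notepad.exe|sha256=0000000000000000000000000000000000000000000000000000000000000000
NetworkConnect|pid=7000|dst=192.168.100.78|dport=443
"""

Finding = Tuple[str, int, str]  # (rule name, pid, detail)


def parse_line(line: str) -> Dict[str, str]:
    """Split 'Type|k=v|k=v' into a dict; the event type is stored under 'type'."""
    event_type, *fields = line.split("|")
    rec = {"type": event_type}
    for f in fields:
        k, _, v = f.partition("=")
        rec[k] = v
    return rec


def hunt(log_text: str) -> List[Finding]:
    """Apply rules derived from the report's signatures and config to telemetry."""
    findings: List[Finding] = []
    procs: Dict[int, Dict[str, str]] = {}  # pid -> its ProcessCreate record
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        pid = int(ev["pid"])
        if ev["type"] == "ProcessCreate":
            procs[pid] = ev
            image = ev["image"]
            if ev.get("sha256", "").lower() == SAMPLE_SHA256:
                findings.append(("known_sample_hash", pid, image))
            if INSTALL_DIR_RE.search(image):
                findings.append(("xenorat_install_path", pid, image))
            # The WriteProcessMemory IoCs in the report come from the Temp copy
            # launching a byte-identical copy of itself from a different path.
            parent = procs.get(int(ev["ppid"]))
            if parent and parent.get("sha256") == ev.get("sha256") \
                    and parent["image"].lower() != image.lower():
                findings.append(("self_copy_relaunch", pid, f"{parent['image']} -> {image}"))
        elif ev["type"] == "FileCreate":
            if INSTALL_DIR_RE.search(ev["target"]):
                findings.append(("xenorat_drop", pid, ev["target"]))
        elif ev["type"] == "RegistryQuery":
            proc = procs.get(pid)
            if GEO_KEY_RE.search(ev["key"]) and proc and USER_WRITABLE_RE.search(proc["image"]):
                findings.append(("geofence_check", pid, ev["key"]))
        elif ev["type"] == "NetworkConnect":
            # Host alone is too weak (notepad.exe below also talks to it); require the configured port.
            if ev["dst"] == C2_HOST and int(ev["dport"]) == C2_PORT:
                findings.append(("xenorat_c2", pid, f"{ev['dst']}:{ev['dport']}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in hunt(SAMPLE_LOG):
        print(f"{rule:22} pid={pid} {detail}")
```

The self-copy rule is the one worth keeping beyond this sample: it keys on parent and child sharing a hash while running from different paths, which is the generic shape of the install step here, whereas the hash, path and C2 rules only catch this exact build.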
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Roaming\XenoManager\1.exe
  Filesize: 45KB
  MD5: b41a12a0d37ef53287dbd761804a662d
  SHA1: ed358f847690d011eee6fd4bcb65eef9891fc00a
  SHA256: fb4597aca89557766465e052c062f6bc33178999c4ae7813f66e090a12f261f4
  SHA512: 372e510b1359045c2bd0dc4f3a613d11d49fcc7f2ce3eff62229536fea32ea420122f1b89ecee76a96d9ca3890353607518592da00bc3efe14937957983d9c22
  These hashes are identical to those of the submitted 1.exe: the dropped file is a byte-for-byte self-copy into a directory under %APPDATA%, consistent with install_path=appdata in the extracted config.
memory/4224-0-0x0000000074D0E000-0x0000000074D0F000-memory.dmp
  Filesize: 4KB
memory/4224-1-0x0000000000490000-0x00000000004A2000-memory.dmp
  Filesize: 72KB
memory/5608-14-0x0000000074D00000-0x00000000754B0000-memory.dmp
  Filesize: 7.7MB
memory/5608-15-0x0000000074D00000-0x00000000754B0000-memory.dmp
  Filesize: 7.7MB
memory/5608-16-0x0000000074D00000-0x00000000754B0000-memory.dmp
  Filesize: 7.7MB