Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
143s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
07/06/2024, 20:15
General
-
Target
1.exe
-
Size
45KB
-
MD5
b41a12a0d37ef53287dbd761804a662d
-
SHA1
ed358f847690d011eee6fd4bcb65eef9891fc00a
-
SHA256
fb4597aca89557766465e052c062f6bc33178999c4ae7813f66e090a12f261f4
-
SHA512
372e510b1359045c2bd0dc4f3a613d11d49fcc7f2ce3eff62229536fea32ea420122f1b89ecee76a96d9ca3890353607518592da00bc3efe14937957983d9c22
-
SSDEEP
768:hdhO/poiiUcjlJInt0H9Xqk5nWEZ5SbTDaVuI7CPW55:fw+jjgn2H9XqcnW85SbTouIB
Malware Config
Extracted
xenorat
192.168.100.78
Xeno_rat_nd8912d
-
delay
5000
-
install_path
appdata
-
port
4444
-
startup_name
nothingset
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation 1.exe -
Executes dropped EXE 1 IoCs
pid Process 5608 1.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4224 wrote to memory of 5608 4224 1.exe 92 PID 4224 wrote to memory of 5608 4224 1.exe 92 PID 4224 wrote to memory of 5608 4224 1.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\1.exe"C:\Users\Admin\AppData\Local\Temp\1.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4224 -
C:\Users\Admin\AppData\Roaming\XenoManager\1.exe"C:\Users\Admin\AppData\Roaming\XenoManager\1.exe"2⤵
- Executes dropped EXE
PID:5608
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3984 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:81⤵PID:5116
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
45KB
MD5b41a12a0d37ef53287dbd761804a662d
SHA1ed358f847690d011eee6fd4bcb65eef9891fc00a
SHA256fb4597aca89557766465e052c062f6bc33178999c4ae7813f66e090a12f261f4
SHA512372e510b1359045c2bd0dc4f3a613d11d49fcc7f2ce3eff62229536fea32ea420122f1b89ecee76a96d9ca3890353607518592da00bc3efe14937957983d9c22