Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-06-2024 19:53
Behavioral task: behavioral1
Sample: 1.exe
Resource: win7-20240221-en
General
Target: 1.exe
Size: 45KB
MD5: 4d820f671919b3029173d8659aa59600
SHA1: af68a0b9e9c58dcbdd2ede205c30537bca39650c
SHA256: c1cb3a8e20206ea9fe5e0d2c95fd876fec5d53ea8a55ebc65e7f2571e83ff5c0
SHA512: 5db8f64f97765447bbebe42044984ae73cc1b418c5d2616cd3d4cf0bcf03014c1883d37d4dcaffa35cf5d0453301495f8d01f6e01ff4c516be019147f0f33d6e
SSDEEP: 768:1dhO/poiiUcjlJInVZZbH9Xqk5nWEZ5SbTDacuI7CPW5r:Lw+jjgndbH9XqcnW85SbT5uIj
Malware Config
Extracted
xenorat
performance-ha.gl.at.ply.gg
Putty
delay: 5000
install_path: appdata
port: 33365
startup_name: Windows Updater
Signatures

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | process: 1.exe

Executes dropped EXE (1 IoCs)
Processes:
  pid: 1460 | process: 1.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid: 1460 | process: 1.exe (the same entry is repeated 64 times)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description: Token: SeDebugPrivilege | pid: 1460 | process: 1.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description: PID 2188 wrote to memory of 1460 | pid: 2188 | process: 1.exe | target process: 1.exe (3 entries)
  description: PID 1460 wrote to memory of 4804 | pid: 1460 | process: 1.exe | target process: schtasks.exe (3 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\1.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\XenoManager\1.exe
      command line: "C:\Users\Admin\AppData\Roaming\XenoManager\1.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\schtasks.exe
         command line: "schtasks.exe" /Create /TN "Windows Updater" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4863.tmp" /F
         - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1.exe.log
  Filesize: 226B
  MD5: 916851e072fbabc4796d8916c5131092
  SHA1: d48a602229a690c512d5fdaf4c8d77547a88e7a2
  SHA256: 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
  SHA512: 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

C:\Users\Admin\AppData\Local\Temp\tmp4863.tmp
  Filesize: 1KB
  MD5: a0449a13ac1dfc501ac54ec20546041e
  SHA1: dd10c4d3abb7c4e6ff5abdaa077ad7a114d73bcf
  SHA256: 744a0d8f4918500ee4cb6ec0f6ca5002a7d5809081e00572815a4a96c198b2bb
  SHA512: 83ac2d9b1bcbb3eb201abdfa66d190a07bb11a658eee2b9c9cfe93fb1bd634c6d49d6c97d1deccfe52a9a2f1e3ac61f71432d7e2fc118787059eaa7f8cfcda5f

C:\Users\Admin\AppData\Roaming\XenoManager\1.exe
  Filesize: 45KB
  MD5: 4d820f671919b3029173d8659aa59600
  SHA1: af68a0b9e9c58dcbdd2ede205c30537bca39650c
  SHA256: c1cb3a8e20206ea9fe5e0d2c95fd876fec5d53ea8a55ebc65e7f2571e83ff5c0
  SHA512: 5db8f64f97765447bbebe42044984ae73cc1b418c5d2616cd3d4cf0bcf03014c1883d37d4dcaffa35cf5d0453301495f8d01f6e01ff4c516be019147f0f33d6e

memory/1460-15-0x00000000748B0000-0x0000000075060000-memory.dmp
  Filesize: 7.7MB

memory/1460-16-0x00000000748B0000-0x0000000075060000-memory.dmp
  Filesize: 7.7MB

memory/1460-19-0x00000000748B0000-0x0000000075060000-memory.dmp
  Filesize: 7.7MB

memory/1460-20-0x0000000005C70000-0x0000000005CD6000-memory.dmp
  Filesize: 408KB

memory/2188-0-0x00000000748BE000-0x00000000748BF000-memory.dmp
  Filesize: 4KB

memory/2188-1-0x0000000000B20000-0x0000000000B32000-memory.dmp
  Filesize: 72KB