Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system -
submitted
07-06-2024 19:53
Behavioral task
behavioral1
Sample
1.exe
Resource
win7-20240221-en
General
-
Target
1.exe
-
Size
45KB
-
MD5
4d820f671919b3029173d8659aa59600
-
SHA1
af68a0b9e9c58dcbdd2ede205c30537bca39650c
-
SHA256
c1cb3a8e20206ea9fe5e0d2c95fd876fec5d53ea8a55ebc65e7f2571e83ff5c0
-
SHA512
5db8f64f97765447bbebe42044984ae73cc1b418c5d2616cd3d4cf0bcf03014c1883d37d4dcaffa35cf5d0453301495f8d01f6e01ff4c516be019147f0f33d6e
-
SSDEEP
768:1dhO/poiiUcjlJInVZZbH9Xqk5nWEZ5SbTDacuI7CPW5r:Lw+jjgndbH9XqcnW85SbT5uIj
Malware Config
Extracted
-
family
xenorat
-
C2 host
performance-ha.gl.at.ply.gg (a *.gl.at.ply.gg name is a playit.gg tunnel endpoint, so the address it resolves to belongs to the tunnel provider, not to the operator; block or alert on the hostname and port rather than on a resolved IP)
-
Putty
-
delay
5000
-
install_path
appdata
-
port
33365
-
startup_name
Windows Updater
Signatures
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Key queried: \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation
Process: 1.exe
-
Executes dropped EXE (1 IoC)
PID 1460: 1.exe (the copy dropped to C:\Users\Admin\AppData\Roaming\XenoManager, matching install_path=appdata in the extracted config)
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) (1 TTP, 1 IoC)
schtasks is often used by malware for persistence or for post-infection execution. The task name here, "Windows Updater", is the startup_name from the extracted config.
PID 4804: schtasks.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID 1460: 1.exe (64 process-enumeration events)
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
PID 1460: 1.exe enabled SeDebugPrivilege
-
Suspicious use of WriteProcessMemory (6 IoCs)
PID 2188 (1.exe) wrote to the memory of PID 1460, three times (procid_target 81)
PID 1460 (1.exe) wrote to the memory of PID 4804, three times (procid_target 89)
A parent writing into a child it has just created is common during process start-up and is weak evidence on its own; the signal is the chain (Temp copy, then AppData copy, then schtasks), not the individual calls.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1.exe (PID 2188)
    command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\XenoManager\1.exe (PID 1460, child of 2188; the dropped copy)
        command line: "C:\Users\Admin\AppData\Roaming\XenoManager\1.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\schtasks.exe (PID 4804, child of 1460)
            command line: "schtasks.exe" /Create /TN "Windows Updater" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4863.tmp" /F
            - Creates scheduled task(s)
The SysWOW64 path for schtasks.exe indicates the RAT runs as a 32-bit process (WOW64 file system redirection), and /F overwrites any existing task of the same name, so re-infection is silent.
-
-
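The process tree above is the persistence chain a defender would key on: a copy dropped into AppData\Roaming relaunches itself, then registers a scheduled task from an XML file written to %TEMP%. The following is an added example, not part of the sandbox report or of XenoRAT, that encodes those two observations as detection logic over constructed process-creation events (Sysmon Event ID 1 style fields, modelled on this report's PIDs and paths, plus a hypothetical benign installer as a control) and as an on-host check of Task Scheduler XML. The event records, the benign "Vendor" paths and the task XML are constructed for illustration.

```python
"""Detect the XenoRAT-style persistence chain from this report in process
telemetry, and hunt for scheduled tasks whose action lives in a user-writable path.
All events and the task XML below are constructed samples, not real logs."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str   # its command line


# Directories a standard user can write to; the RAT stages its copy and task XML here.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming)\\", re.I)

# Constructed sample: the three processes from the report plus a hypothetical benign control.
EVENTS = [
    ProcEvent(2188, 1000, r"C:\Users\Admin\AppData\Local\Temp\1.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\1.exe"'),
    ProcEvent(1460, 2188, r"C:\Users\Admin\AppData\Roaming\XenoManager\1.exe",
              r'"C:\Users\Admin\AppData\Roaming\XenoManager\1.exe"'),
    ProcEvent(4804, 1460, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"schtasks.exe" /Create /TN "Windows Updater" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4863.tmp" /F'),
    ProcEvent(900, 1000, r"C:\Program Files\Vendor\setup.exe", r'"C:\Program Files\Vendor\setup.exe" /quiet'),
    ProcEvent(5000, 900, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /TN "Vendor\Update" /XML "C:\Program Files\Vendor\update.xml" /F'),
]


def switch_value(cmdline, switch):
    """Return the value following a schtasks switch such as /TN or /XML (quoted or bare)."""
    m = re.search(rf'{re.escape(switch)}\s+(?:"([^"]+)"|(\S+))', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)

        # Rule 1: a binary in a user-writable directory launches a same-named copy of
        # itself from a different user-writable directory (install_path=appdata behaviour).
        if (parent and USER_WRITABLE.search(e.image) and USER_WRITABLE.search(parent.image)
                and basename(e.image) == basename(parent.image)
                and e.image.lower() != parent.image.lower()):
            findings.append({"rule": "dropped_copy_relaunch", "pid": e.pid,
                             "image": e.image, "parent_image": parent.image})

        # Rule 2: schtasks /Create where the creating process, the task XML or the
        # task action (/TR) sits in a user-writable directory.
        if e.image.lower().endswith("\\schtasks.exe") and re.search(r"/create\b", e.cmdline, re.I):
            xml_path = switch_value(e.cmdline, "/XML")
            action = switch_value(e.cmdline, "/TR")
            parent_image = parent.image if parent else None
            if any(p and USER_WRITABLE.search(p) for p in (parent_image, xml_path, action)):
                findings.append({"rule": "schtasks_persistence", "pid": e.pid,
                                 "task_name": switch_value(e.cmdline, "/TN"),
                                 "task_xml": xml_path, "parent_image": parent_image})
    return findings


# On-host hunt: registered tasks live as XML under C:\Windows\System32\Tasks (UTF-16 files;
# read them with open(path, encoding="utf-16")). Constructed sample modelled on this report.
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\Admin\\AppData\\Roaming\\XenoManager\\1.exe</Command>
    </Exec>
  </Actions>
</Task>"""


def suspicious_task_actions(task_xml):
    """Return Exec commands in a Task Scheduler XML that point into user-writable paths."""
    root = ET.fromstring(task_xml)
    return [node.findtext(f"{TASK_NS}Command", default="").strip()
            for node in root.iter(f"{TASK_NS}Exec")
            if USER_WRITABLE.search(node.findtext(f"{TASK_NS}Command", default=""))]


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
    print(suspicious_task_actions(SAMPLE_TASK_XML))
```

Rule 2 deliberately does not key on the task name: "Windows Updater" is an operator-chosen string and changes per build, whereas a task created from an XML in %TEMP% by a process in AppData is structural. The benign control (a task registered from Program Files by an installer in Program Files) produces no finding.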
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 226B
MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
Filesize 1KB
MD5 a0449a13ac1dfc501ac54ec20546041e
SHA1 dd10c4d3abb7c4e6ff5abdaa077ad7a114d73bcf
SHA256 744a0d8f4918500ee4cb6ec0f6ca5002a7d5809081e00572815a4a96c198b2bb
SHA512 83ac2d9b1bcbb3eb201abdfa66d190a07bb11a658eee2b9c9cfe93fb1bd634c6d49d6c97d1deccfe52a9a2f1e3ac61f71432d7e2fc118787059eaa7f8cfcda5f
-
Filesize 45KB (hashes identical to the submitted sample: the copy written to C:\Users\Admin\AppData\Roaming\XenoManager\1.exe is byte-for-byte the original)
MD5 4d820f671919b3029173d8659aa59600
SHA1 af68a0b9e9c58dcbdd2ede205c30537bca39650c
SHA256 c1cb3a8e20206ea9fe5e0d2c95fd876fec5d53ea8a55ebc65e7f2571e83ff5c0
SHA512 5db8f64f97765447bbebe42044984ae73cc1b418c5d2616cd3d4cf0bcf03014c1883d37d4dcaffa35cf5d0453301495f8d01f6e01ff4c516be019147f0f33d6e