Analysis
max time kernel: 132s
max time network: 142s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 07-06-2024 20:03
Behavioral task: behavioral1
Sample: 1245.exe
Resource: win7-20240508-en
General
Target: 1245.exe
Size: 45KB
MD5: 7302cc01869548ae491f52a9a37a6bb2
SHA1: 9450bd5b7d14408e058f16d2305cda6f1ebd102e
SHA256: 7c4c85dc3b36fcec57a3eb5a21eacf1e9cff0745c25c317036b927cb85d24182
SHA512: 3a6bd57ab2d30414521f1e0ef918e158b18dabbca9d68dd35a99bb3e97e0e3982d11e496354dbdbe3a65395d5bb1195a77d657d25f40185bbe795883b4de5754
SSDEEP: 768:ddhO/poiiUcjlJInSzH9Xqk5nWEZ5SbTDaVWI7CPW52:Tw+jjgnAH9XqcnW85SbT8WI+
Malware Config
Extracted
xenorat
192.168.100.78
Putty
delay: 5000
install_path: appdata
port: 4782
startup_name: Windows Updater
Signatures

Executes dropped EXE (1 IoCs)
Processes:
pid   process
2936  1245.exe

Loads dropped DLL (1 IoCs)
Processes:
pid   process
2972  1245.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description                        pid   process   target process
PID 2972 wrote to memory of 2936   2972  1245.exe  1245.exe
PID 2972 wrote to memory of 2936   2972  1245.exe  1245.exe
PID 2972 wrote to memory of 2936   2972  1245.exe  1245.exe
PID 2972 wrote to memory of 2936   2972  1245.exe  1245.exe
PID 2936 wrote to memory of 2608   2936  1245.exe  schtasks.exe
PID 2936 wrote to memory of 2608   2936  1245.exe  schtasks.exe
PID 2936 wrote to memory of 2608   2936  1245.exe  schtasks.exe
PID 2936 wrote to memory of 2608   2936  1245.exe  schtasks.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\1245.exe
   "C:\Users\Admin\AppData\Local\Temp\1245.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\XenoManager\1245.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\1245.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\schtasks.exe
         "schtasks.exe" /Create /TN "Windows Updater" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3A42.tmp" /F
         - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3A42.tmp
Filesize: 1KB
MD5: 30f51eab1590995c6631c409c1d2302d
SHA1: 6eae8dda510b92d8e07b07ca8e6bdde16a4bd9eb
SHA256: b57124c0ce19fb6027c746fe08f80b910c7b3bb96fbe15e79ee7d7d12a3a8e30
SHA512: 87336869268dc5578df2c33afd7166c1c2bd392108a436036671848f32e34446946c5628a785ddd50bc94ba5cc99c94e59685c2f4f47e8d41799efe1e7947b60

C:\Users\Admin\AppData\Roaming\XenoManager\1245.exe
Filesize: 45KB
MD5: 7302cc01869548ae491f52a9a37a6bb2
SHA1: 9450bd5b7d14408e058f16d2305cda6f1ebd102e
SHA256: 7c4c85dc3b36fcec57a3eb5a21eacf1e9cff0745c25c317036b927cb85d24182
SHA512: 3a6bd57ab2d30414521f1e0ef918e158b18dabbca9d68dd35a99bb3e97e0e3982d11e496354dbdbe3a65395d5bb1195a77d657d25f40185bbe795883b4de5754

memory/2936-9-0x0000000000D80000-0x0000000000D92000-memory.dmp
Filesize: 72KB

memory/2936-10-0x0000000074B30000-0x000000007521E000-memory.dmp
Filesize: 6.9MB

memory/2936-13-0x0000000074B30000-0x000000007521E000-memory.dmp
Filesize: 6.9MB

memory/2936-14-0x0000000074B30000-0x000000007521E000-memory.dmp
Filesize: 6.9MB

memory/2936-15-0x0000000074B30000-0x000000007521E000-memory.dmp
Filesize: 6.9MB

memory/2972-0-0x0000000074B3E000-0x0000000074B3F000-memory.dmp
Filesize: 4KB

memory/2972-1-0x0000000000270000-0x0000000000282000-memory.dmp
Filesize: 72KB