Analysis
max time kernel: 132s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-06-2024 20:14
General
Target: 16937.exe
Size: 45KB
MD5: 7302cc01869548ae491f52a9a37a6bb2
SHA1: 9450bd5b7d14408e058f16d2305cda6f1ebd102e
SHA256: 7c4c85dc3b36fcec57a3eb5a21eacf1e9cff0745c25c317036b927cb85d24182
SHA512: 3a6bd57ab2d30414521f1e0ef918e158b18dabbca9d68dd35a99bb3e97e0e3982d11e496354dbdbe3a65395d5bb1195a77d657d25f40185bbe795883b4de5754
SSDEEP: 768:ddhO/poiiUcjlJInSzH9Xqk5nWEZ5SbTDaVWI7CPW52:Tw+jjgnAH9XqcnW85SbT8WI+
Malware Config
Extracted
xenorat
192.168.100.78
Putty
delay: 5000
install_path: appdata
port: 4782
startup_name: Windows Updater
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  Process: 16937.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (1 IoC)
  PID 3220: 16937.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 5044: schtasks.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process    procid_target
  PID 5064 wrote to memory of 3220   5064  16937.exe  84   (3 identical events)
  PID 3220 wrote to memory of 5044   3220  16937.exe  89   (3 identical events)
Processes

C:\Users\Admin\AppData\Local\Temp\16937.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\16937.exe"
  PID: 5064
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\XenoManager\16937.exe  (child of PID 5064)
    Command line: "C:\Users\Admin\AppData\Roaming\XenoManager\16937.exe"
    PID: 3220
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe  (child of PID 3220)
      Command line: "schtasks.exe" /Create /TN "Windows Updater" /XML "C:\Users\Admin\AppData\Local\Temp\tmp62E0.tmp" /F
      PID: 5044
      - Creates scheduled task(s)
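The process tree above shows three behaviours a detection engineer would want to alert on: the sample re-executing from a freshly created AppData\Roaming\XenoManager folder (dropped self-copy), a read of the Geo\Nation registry value by a process running out of Temp (the geofence check), and schtasks.exe registering a task from an XML file in the user's Temp directory (persistence, with a hard-coded task name). The Python below is an added detection example; it is not part of this sandbox report or of any sandbox product. The event records are constructed from the PIDs, paths and command lines in the report, the record layout (EventType, Image, CommandLine, TargetObject, ParentProcessId) is an assumed generic telemetry shape rather than a real product's schema, and the benign control event (PID 6100) is invented to show the rules do not fire on an ordinary task import.

```python
"""Added detection example over constructed telemetry (not part of the report)."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule pid detail")

# Constructed sample telemetry. PIDs, images and command lines are copied from the
# report's process tree; field names and the parent PID of the root are assumptions.
EVENTS = [
    {"EventType": "ProcessCreate", "ProcessId": 5064, "ParentProcessId": 4000,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\16937.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\16937.exe"'},
    {"EventType": "RegistryQuery", "ProcessId": 5064,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\16937.exe",
     "TargetObject": r"\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000"
                     r"\Control Panel\International\Geo\Nation"},
    {"EventType": "ProcessCreate", "ProcessId": 3220, "ParentProcessId": 5064,
     "Image": r"C:\Users\Admin\AppData\Roaming\XenoManager\16937.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Roaming\XenoManager\16937.exe"'},
    {"EventType": "ProcessCreate", "ProcessId": 5044, "ParentProcessId": 3220,
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"schtasks.exe" /Create /TN "Windows Updater" '
                    r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp62E0.tmp" /F'},
    # Benign control (constructed, not from the report): an admin importing a
    # task definition that lives under ProgramData, not a user-writable folder.
    {"EventType": "ProcessCreate", "ProcessId": 6100, "ParentProcessId": 6000,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /TN "Nightly Backup" '
                    r'/XML "C:\ProgramData\Backup\task.xml" /F'},
]

# Folders an unprivileged user can write to; staging and dropping happen here.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming)\\", re.I)
# schtasks /Create ... /XML <path>: capture the XML path, quoted or bare.
SCHTASKS_XML = re.compile(r'/Create\b.*?/XML\s+"?([^"\s]+)', re.I)
# The per-user country-code value the sample reads (geofence indicator).
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one Finding per rule hit, in event order."""
    procs = {e["ProcessId"]: e for e in events if e["EventType"] == "ProcessCreate"}
    findings = []
    for e in events:
        if e["EventType"] == "ProcessCreate":
            parent = procs.get(e["ParentProcessId"])
            # Rule 1: child has the same file name as its parent but a different path,
            # and that path is user-writable: the dropped self-copy being executed.
            if (parent and basename(parent["Image"]) == basename(e["Image"])
                    and parent["Image"].lower() != e["Image"].lower()
                    and USER_WRITABLE.search(e["Image"])):
                findings.append(Finding("dropped_self_copy", e["ProcessId"], e["Image"]))
            # Rule 2: schtasks importing a task definition from a user-writable folder.
            if basename(e["Image"]) == "schtasks.exe":
                m = SCHTASKS_XML.search(e["CommandLine"])
                if m and USER_WRITABLE.search(m.group(1)):
                    findings.append(Finding("schtasks_xml_from_user_dir",
                                            e["ProcessId"], m.group(1)))
        elif e["EventType"] == "RegistryQuery":
            # Rule 3: Geo\Nation read by a binary running from Temp/AppData.
            if GEO_NATION.search(e["TargetObject"]) and USER_WRITABLE.search(e["Image"]):
                findings.append(Finding("geo_nation_lookup", e["ProcessId"],
                                        e["TargetObject"]))
    return findings


def lineage(events, pid):
    """Walk ParentProcessId links from pid back to the last ancestor telemetry knows."""
    procs = {e["ProcessId"]: e for e in events if e["EventType"] == "ProcessCreate"}
    chain = []
    while pid in procs:
        chain.append(pid)
        pid = procs[pid]["ParentProcessId"]
    return chain


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f.rule:28} pid={f.pid} {f.detail}")
    print("schtasks lineage:", " <- ".join(map(str, lineage(EVENTS, 5044))))
```

Rule 2 keys on the XML path rather than on the /TN value because the task name ("Windows Updater" here) is an operator-chosen config field and changes between builds, whereas a task definition imported from Temp or Roaming is unusual for legitimate software. The lineage walk reproduces the parent chain the report shows (schtasks.exe under the dropped copy under the original Temp executable), which is what you would pivot on in triage.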
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 226B
  MD5: 916851e072fbabc4796d8916c5131092
  SHA1: d48a602229a690c512d5fdaf4c8d77547a88e7a2
  SHA256: 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
  SHA512: 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

File 2
  Filesize: 1KB
  MD5: 3387ed92c6d37fb1634bd442f8842f1d
  SHA1: 0c586d7001fe90fc1020a7073ea91ab27be58f24
  SHA256: 6d382e661e58aed7c8b40a8ba8d5f48d646cc606747853dfa7217af65eb2276b
  SHA512: 3610059b8c6b8a7dd81cd838957e20525dd45862c3df2e13f96e8d5700e537ec37f9a8df35d1ac9e6a129d84780639b9c8215e6930e4af3a4bbbc6da23913b55

File 3 (hashes match the submitted sample 16937.exe)
  Filesize: 45KB
  MD5: 7302cc01869548ae491f52a9a37a6bb2
  SHA1: 9450bd5b7d14408e058f16d2305cda6f1ebd102e
  SHA256: 7c4c85dc3b36fcec57a3eb5a21eacf1e9cff0745c25c317036b927cb85d24182
  SHA512: 3a6bd57ab2d30414521f1e0ef918e158b18dabbca9d68dd35a99bb3e97e0e3982d11e496354dbdbe3a65395d5bb1195a77d657d25f40185bbe795883b4de5754