Resubmissions

08-06-2024 04:31

240608-e5hmcshh95 10

02-06-2024 08:52

240602-ks7zdahc33 10

Analysis

  • max time kernel
    5s
  • max time network
    143s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    08-06-2024 04:31

General

  • Target

    incognitobeta.exe

  • Size

    45KB

  • MD5

    e9fc233c0a49d897c3d5d86350986f19

  • SHA1

    fa122e95d3b34518aff46efac9e7f56926b64e40

  • SHA256

    b9e61bef0d3bbe426ef78c71f18141967f2622d048fe0f24ccb80cdef75bb27f

  • SHA512

    de06a67f60959efb9bd89066b81e3ad788b1b49ae10ac19269914470fa7605bea95e3f98e348d2df67baf0efe310b6c2333c29e1d0ca2e6071db185aafecebd4

  • SSDEEP

    768:hdhO/poiiUcjlJIn8tUH9Xqk5nWEZ5SbTDaaWI7CPW5Z:fw+jjgn6UH9XqcnW85SbTjWIh

Score
10/10

Malware Config

Extracted

Family

xenorat

C2

127.0.0.1

Mutex

incognito

Attributes
  • delay

    5000

  • install_path

    temp

  • port

    4444

  • startup_name

    USBsupervisor

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\incognitobeta.exe
    "C:\Users\Admin\AppData\Local\Temp\incognitobeta.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4448
    • C:\Users\Admin\AppData\Local\Temp\XenoManager\incognitobeta.exe
      "C:\Users\Admin\AppData\Local\Temp\XenoManager\incognitobeta.exe"
      2⤵
      • Executes dropped EXE
      PID:4988
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "USBsupervisor" /XML "C:\Users\Admin\AppData\Local\Temp\tmp72AF.tmp" /F
        3⤵
        • Creates scheduled task(s)
        PID:2292

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\incognitobeta.exe.log

    Filesize

    226B

    MD5

    957779c42144282d8cd83192b8fbc7cf

    SHA1

    de83d08d2cca06b9ff3d1ef239d6b60b705d25fe

    SHA256

    0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51

    SHA512

    f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

  • C:\Users\Admin\AppData\Local\Temp\XenoManager\incognitobeta.exe

    Filesize

    45KB

    MD5

    e9fc233c0a49d897c3d5d86350986f19

    SHA1

    fa122e95d3b34518aff46efac9e7f56926b64e40

    SHA256

    b9e61bef0d3bbe426ef78c71f18141967f2622d048fe0f24ccb80cdef75bb27f

    SHA512

    de06a67f60959efb9bd89066b81e3ad788b1b49ae10ac19269914470fa7605bea95e3f98e348d2df67baf0efe310b6c2333c29e1d0ca2e6071db185aafecebd4

  • C:\Users\Admin\AppData\Local\Temp\tmp72AF.tmp

    Filesize

    1KB

    MD5

    0ee58773051bcc7078f9f29474b1eadd

    SHA1

    7f49e6cfd836b54c08f966e32c9f1f5670fe3dfb

    SHA256

    ebc60f1db998381cbe8a1a62ff1fef0516f8ba2b03ca61883de1238581b48338

    SHA512

    3e68474c21230eae6197f5dbd2aa35fe7208fa9fa2f3687cdd5e2f7c3b75272552a85e3979617c00c58a97e2660a3eaee183c8f0c9599f7da2de23ddd72f328c

  • memory/4448-0-0x0000000073FBE000-0x0000000073FBF000-memory.dmp

    Filesize

    4KB

  • memory/4448-1-0x0000000000170000-0x0000000000182000-memory.dmp

    Filesize

    72KB

  • memory/4988-9-0x0000000073FB0000-0x000000007469E000-memory.dmp

    Filesize

    6.9MB

  • memory/4988-12-0x0000000073FB0000-0x000000007469E000-memory.dmp

    Filesize

    6.9MB

  • memory/4988-13-0x0000000073FB0000-0x000000007469E000-memory.dmp

    Filesize

    6.9MB