xenorat | c1cb3a8e20206ea9fe5e0d2c95fd876fec5d53ea8a55ebc65e7f2571e83ff5c0

Analysis

max time kernel
133s
max time network
147s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
12-06-2024 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe
Size

45KB
MD5

4d820f671919b3029173d8659aa59600
SHA1

af68a0b9e9c58dcbdd2ede205c30537bca39650c
SHA256

c1cb3a8e20206ea9fe5e0d2c95fd876fec5d53ea8a55ebc65e7f2571e83ff5c0
SHA512

5db8f64f97765447bbebe42044984ae73cc1b418c5d2616cd3d4cf0bcf03014c1883d37d4dcaffa35cf5d0453301495f8d01f6e01ff4c516be019147f0f33d6e
SSDEEP

768:1dhO/poiiUcjlJInVZZbH9Xqk5nWEZ5SbTDacuI7CPW5r:Lw+jjgndbH9XqcnW85SbT5uIj

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

performance-ha.gl.at.ply.gg

Mutex

Putty

Attributes

delay
5000
install_path
appdata
port
33365
startup_name
Windows Updater

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Executes dropped EXE 1 IoCs

Processes:

4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe

pid process

2388 4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe
Loads dropped DLL 1 IoCs

Processes:

4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe

pid process

2208 4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2708 schtasks.exe

pid	process
2388	4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe

pid	process
2208	4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe

pid	process
2708	schtasks.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe

description	pid	process	target process
PID 2208 wrote to memory of 2388	2208	4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe	4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe
PID 2208 wrote to memory of 2388	2208	4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe	4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe
PID 2208 wrote to memory of 2388	2208	4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe	4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe
PID 2208 wrote to memory of 2388	2208	4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe	4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe
PID 2388 wrote to memory of 2708	2388	4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe	schtasks.exe
PID 2388 wrote to memory of 2708	2388	4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe	schtasks.exe
PID 2388 wrote to memory of 2708	2388	4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe	schtasks.exe
PID 2388 wrote to memory of 2708	2388	4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208

C:\Users\Admin\AppData\Roaming\XenoManager\4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "Windows Updater" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6799.tmp" /F
3⤵
- Creates scheduled task(s)
PID:2708

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6799.tmp
Filesize
1KB

MD5
0d5998d519bdbcdfea1035fa184520df

SHA1
d882478fd45a0dd33c2055367b46c171951523fc

SHA256
27b13c8dd72e744aa6b19ef575148b06ff34adfa18e6d4b59872019ac66322f0

SHA512
9c87e5a1a0b91d35aea917ccedb54a4a1e44ff44a58cb706f8086d626023e4391dbc76585cefc607f27d84b35c3b69f8fe4f68e13e1165e10189fe1f657aa47d

Download Submit
\Users\Admin\AppData\Roaming\XenoManager\4d820f671919b3029173d8659aa59600_NeikiAnalytics.exe
Filesize
45KB

MD5
4d820f671919b3029173d8659aa59600

SHA1
af68a0b9e9c58dcbdd2ede205c30537bca39650c

SHA256
c1cb3a8e20206ea9fe5e0d2c95fd876fec5d53ea8a55ebc65e7f2571e83ff5c0

SHA512
5db8f64f97765447bbebe42044984ae73cc1b418c5d2616cd3d4cf0bcf03014c1883d37d4dcaffa35cf5d0453301495f8d01f6e01ff4c516be019147f0f33d6e

Download Submit
memory/2208-0-0x00000000742BE000-0x00000000742BF000-memory.dmp

Filesize
4KB

Download
memory/2208-1-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

Filesize
72KB

Download
memory/2388-9-0x0000000000310000-0x0000000000322000-memory.dmp

Filesize
72KB

Download
memory/2388-10-0x00000000742B0000-0x000000007499E000-memory.dmp

Filesize
6.9MB

Download
memory/2388-13-0x00000000742B0000-0x000000007499E000-memory.dmp

Filesize
6.9MB

Download
memory/2388-14-0x00000000742B0000-0x000000007499E000-memory.dmp

Filesize
6.9MB

Download
memory/2388-15-0x00000000742B0000-0x000000007499E000-memory.dmp

Filesize
6.9MB

Download