xenorat | e14f83f496f96f58075deae2c450b12c8c780bfae94365a5b04dfe0a03f92e69

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12-06-2024 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hujwczce.exe
Size

45KB
MD5

7522192509639b3bf54c9b5a7dd30f70
SHA1

4abd199f210efc9ea865f219b88909060632d93e
SHA256

e14f83f496f96f58075deae2c450b12c8c780bfae94365a5b04dfe0a03f92e69
SHA512

fbf8fcbe77fd7f69e555731725ce5e474906f01d2c6b7bb325557a33de60fc9d440bfafbe6920e01a4964f50a240523ab9765f6ca4ce4c767f6fa02bd1148e57
SSDEEP

768:9dhO/poiiUcjlJInuzo4mH9Xqk5nWEZ5SbTDauWI7CPW5A:zw+jjgnH4mH9XqcnW85SbTPWIY

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

213.238.75.199

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
temp
port
4444
startup_name
Windows Updater

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

hujwczce.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	hujwczce.exe

Executes dropped EXE 1 IoCs

Processes:

hujwczce.exe

pid process

3020 hujwczce.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1256 schtasks.exe

pid	process
3020	hujwczce.exe

pid	process
1256	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

hujwczce.exehujwczce.exe

description	pid	process	target process
PID 1800 wrote to memory of 3020	1800	hujwczce.exe	hujwczce.exe
PID 1800 wrote to memory of 3020	1800	hujwczce.exe	hujwczce.exe
PID 1800 wrote to memory of 3020	1800	hujwczce.exe	hujwczce.exe
PID 3020 wrote to memory of 1256	3020	hujwczce.exe	schtasks.exe
PID 3020 wrote to memory of 1256	3020	hujwczce.exe	schtasks.exe
PID 3020 wrote to memory of 1256	3020	hujwczce.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\hujwczce.exe
"C:\Users\Admin\AppData\Local\Temp\hujwczce.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1800

C:\Users\Admin\AppData\Local\Temp\XenoManager\hujwczce.exe
"C:\Users\Admin\AppData\Local\Temp\XenoManager\hujwczce.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "Windows Updater" /XML "C:\Users\Admin\AppData\Local\Temp\tmp47F.tmp" /F
3⤵
- Creates scheduled task(s)
PID:1256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:4544

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XenoManager\hujwczce.exe
Filesize
45KB

MD5
7522192509639b3bf54c9b5a7dd30f70

SHA1
4abd199f210efc9ea865f219b88909060632d93e

SHA256
e14f83f496f96f58075deae2c450b12c8c780bfae94365a5b04dfe0a03f92e69

SHA512
fbf8fcbe77fd7f69e555731725ce5e474906f01d2c6b7bb325557a33de60fc9d440bfafbe6920e01a4964f50a240523ab9765f6ca4ce4c767f6fa02bd1148e57

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp47F.tmp
Filesize
1KB

MD5
8a938f147139b5a2224cfc733842a7ae

SHA1
f3e3cfaa5d660fcb00b882a240b1ccf6788f4696

SHA256
fa700b1442dbbc3ede544df3540cca5f3a8aec1e8aed97428afbd7082eaa5e92

SHA512
1c34770175150de118d9b2cf8bde92cc2a30f2c9e228498fc0c67d1498211487c71a4239fbd196c38026339dc669002f9328bf674c5904fc88a63a9b8abe0954

Download Submit
memory/1800-0-0x0000000074F3E000-0x0000000074F3F000-memory.dmp

Filesize
4KB

Download
memory/1800-1-0x0000000000820000-0x0000000000832000-memory.dmp

Filesize
72KB

Download
memory/3020-14-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/3020-15-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/3020-18-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download