Analysis

  • max time kernel
    70s
  • max time network
    78s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-06-2024 11:47

General

  • Target

    again.exe

  • Size

    45KB

  • MD5

    d315594aa686dfca1d10869c3c2a44cf

  • SHA1

    16590fcebdac3382dbcd8756813a83e5662f68bd

  • SHA256

    fb86d28847ee49fa9a05b08a5d8a064b5883801233f13682761451f93314d4ad

  • SHA512

    6515e84c49dc91881d25e18650a0ed738db0c3a0fdc25b946c040ca34320786e9f9dd48876b06d7acf601e16f9dfb4f3946601cf79a80cdb2328eddebca69b86

  • SSDEEP

    768:RdhO/poiiUcjlJInRTwH9Xqk5nWEZ5SbTDaRWI7CPW5s:Pw+jjgnCH9XqcnW85SbTgWI0

Score
10/10

Malware Config

Extracted

Family

xenorat

C2

10.129.120.194

Mutex

skibidi_nd8912d

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    4782

  • startup_name

    skibidi

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\again.exe
    "C:\Users\Admin\AppData\Local\Temp\again.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5016
    • C:\Users\Admin\AppData\Roaming\XenoManager\again.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\again.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1100
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "skibidi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp83C6.tmp" /F
        3⤵
        • Creates scheduled task(s)
        PID:4556

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\again.exe.log

    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

  • C:\Users\Admin\AppData\Local\Temp\tmp83C6.tmp

    Filesize

    1KB

    MD5

    4a62209cdedfc42731224511b658bcb8

    SHA1

    087b4da43d98743393f3447d3c57332ab1d1cb3e

    SHA256

    cea13f60bd9a0160c6866d142d539308c0efb4a1db670dfc116c7ec03eb53ca3

    SHA512

    07e13b4b617a75aa3c5488294ce189bdc06b073bcf4ab34fe52ef9f8a7453e2ea75bd746da8e0d9e633c67577c6a156bf3013c949f3a8531a17db1e2023083b6

  • C:\Users\Admin\AppData\Roaming\XenoManager\again.exe

    Filesize

    45KB

    MD5

    d315594aa686dfca1d10869c3c2a44cf

    SHA1

    16590fcebdac3382dbcd8756813a83e5662f68bd

    SHA256

    fb86d28847ee49fa9a05b08a5d8a064b5883801233f13682761451f93314d4ad

    SHA512

    6515e84c49dc91881d25e18650a0ed738db0c3a0fdc25b946c040ca34320786e9f9dd48876b06d7acf601e16f9dfb4f3946601cf79a80cdb2328eddebca69b86

  • memory/1100-15-0x00000000743C0000-0x0000000074B70000-memory.dmp

    Filesize

    7.7MB

  • memory/1100-18-0x00000000743C0000-0x0000000074B70000-memory.dmp

    Filesize

    7.7MB

  • memory/5016-0-0x00000000743CE000-0x00000000743CF000-memory.dmp

    Filesize

    4KB

  • memory/5016-1-0x00000000003C0000-0x00000000003D2000-memory.dmp

    Filesize

    72KB