xenorat | 1396bfabd8e337f2f2349d0c3fd6f4fdb925adeb2ead8357b61bb0896d9d618a

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sigma.exe
Size

45KB
MD5

04ebe5e1cd3f1f4ac07ccba6c357d5c7
SHA1

71ae4ea691a78283180f2a8a3c44d1f413fa44de
SHA256

1396bfabd8e337f2f2349d0c3fd6f4fdb925adeb2ead8357b61bb0896d9d618a
SHA512

d8f93cdc0c0d19bcf714640f71eb568e93c30b196815002edc719436ad7bddc81b57ec52de2b89109614e049334d445fb11ad564821d9c0bd500bc4535da39ed
SSDEEP

768:ldhO/poiiUcjlJInmjsZ8H9Xqk5nWEZ5SbTDaRuI7CPW5T:7w+jjgnMsZ8H9XqcnW85SbT8uIb

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

147.185.221.19:33365

Mutex

Windows Seciurity

Attributes

delay
5000
install_path
appdata
port
2137
startup_name
WIindows Security

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

sigma.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation sigma.exe
Executes dropped EXE 1 IoCs

Processes:

sigma.exe

pid process

1892 sigma.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

4460 schtasks.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	sigma.exe

pid	process
1892	sigma.exe

pid	process
4460	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

sigma.exesigma.exe

description	pid	process	target process
PID 2332 wrote to memory of 1892	2332	sigma.exe	sigma.exe
PID 2332 wrote to memory of 1892	2332	sigma.exe	sigma.exe
PID 2332 wrote to memory of 1892	2332	sigma.exe	sigma.exe
PID 1892 wrote to memory of 4460	1892	sigma.exe	schtasks.exe
PID 1892 wrote to memory of 4460	1892	sigma.exe	schtasks.exe
PID 1892 wrote to memory of 4460	1892	sigma.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\sigma.exe
"C:\Users\Admin\AppData\Local\Temp\sigma.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2332

C:\Users\Admin\AppData\Roaming\XenoManager\sigma.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\sigma.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "WIindows Security" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5813.tmp" /F
3⤵
- Scheduled Task/Job: Scheduled Task
PID:4460

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sigma.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5813.tmp
Filesize
1KB

MD5
66032aa5781de4895154a2b93e15815d

SHA1
3afdb800efb8896b3647de47265c0fb5819eb6ce

SHA256
86cbcaac391b2315640f5205e9787c91d1333fd9ca951e1562f87697563e1979

SHA512
2013c67df8656ac1166378fc210be99a479fb171e059e87653692a66d828bce105e245cf4f317b2b4e9bbc9592956b4290bef82b32030f8dcd55db56fe14de25

Download Submit
C:\Users\Admin\AppData\Roaming\XenoManager\sigma.exe
Filesize
45KB

MD5
04ebe5e1cd3f1f4ac07ccba6c357d5c7

SHA1
71ae4ea691a78283180f2a8a3c44d1f413fa44de

SHA256
1396bfabd8e337f2f2349d0c3fd6f4fdb925adeb2ead8357b61bb0896d9d618a

SHA512
d8f93cdc0c0d19bcf714640f71eb568e93c30b196815002edc719436ad7bddc81b57ec52de2b89109614e049334d445fb11ad564821d9c0bd500bc4535da39ed

Download Submit
memory/1892-15-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/1892-18-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/1892-19-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/2332-0-0x000000007522E000-0x000000007522F000-memory.dmp

Filesize
4KB

Download
memory/2332-1-0x0000000000160000-0x0000000000172000-memory.dmp

Filesize
72KB

Download