Analysis Overview
SHA256
8a9ab6c659fa30fc1ac9548bdea3300ab9d829f8a085131aa5e5024f67cacc81
Threat Level: Known bad
The file loader_2.exe was found to be: Known bad.
Malicious Activity Summary
XenorRat
Executes dropped EXE
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-07-02 18:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-02 18:21
Reported
2024-07-02 18:24
Platform
win10-20240404-en
Max time kernel
142s
Max time network
138s
Command Line
Signatures
XenorRat
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\SteamUDPUpdater.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\loader.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\loader_2.exe
"C:\Users\Admin\AppData\Local\Temp\loader_2.exe"
C:\Users\Admin\AppData\Local\loader.exe
"C:\Users\Admin\AppData\Local\loader.exe"
C:\Users\Admin\AppData\Local\SteamUDPUpdater.exe
"C:\Users\Admin\AppData\Local\SteamUDPUpdater.exe"
C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe
"C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "SteamUDPUpdater" /XML "C:\Users\Admin\AppData\Local\Temp\tmp74F1.tmp" /F
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /query /v /fo csv
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /delete /tn "\SteamUDPUpdater" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe"
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
Network
| Country | Destination | Domain | Proto |
| NL | 37.120.141.155:22914 | tcp | |
| NL | 37.120.141.155:22914 | tcp | |
| US | 8.8.8.8:53 | 155.141.120.37.in-addr.arpa | udp |
| NL | 37.120.141.155:22914 | tcp | |
| NL | 37.120.141.155:22914 | tcp | |
| NL | 37.120.141.155:22914 | tcp | |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| NL | 37.120.141.155:22914 | tcp | |
| NL | 37.120.141.155:22914 | tcp | |
| US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\loader.exe
| MD5 | f701562eb6bc2d60da82bb8fe907594e |
| SHA1 | b4a927d39ec3eb6fbf3ff087ee4d23dc9dfc158c |
| SHA256 | 17e8ea093d6505417598efa6d8b888fd164bb1e0006fa2e466c9d20e0dadb859 |
| SHA512 | bf2f37d5764e57195d5688b0fcd179f471605cacb6c1adfaa6abbce821a83217fb9fecd2a28c87253fe4de126aa42e82e79e639359ebdf1a1b7b11ae448a63d2 |
C:\Users\Admin\AppData\Local\SteamUDPUpdater.exe
| MD5 | 9908883bbcee91c29c9086198d8d8146 |
| SHA1 | eae0d98cd5147fe75379c165900f1b07d4970505 |
| SHA256 | 829d1379ee5a8da6b21af8a5c4dd9c262a569847b2664d39f5c415e0dc74c399 |
| SHA512 | 4706586c902c7deaba67a7c58ed60df4960cbee62d63148b05c4d82b83fc685f61201904d09615936d1a505f0ca61cd376a7fe37e19b3570f51c73a740073629 |
memory/3292-10-0x000000007416E000-0x000000007416F000-memory.dmp
memory/3292-11-0x0000000000F70000-0x0000000000F9A000-memory.dmp
memory/2156-12-0x00000000000F0000-0x0000000000112000-memory.dmp
memory/3292-13-0x0000000005CC0000-0x00000000061BE000-memory.dmp
memory/2156-14-0x0000000074160000-0x000000007484E000-memory.dmp
memory/3292-15-0x0000000005860000-0x00000000058F2000-memory.dmp
memory/3292-17-0x0000000074160000-0x000000007484E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SteamUDPUpdater.exe.log
| MD5 | 957779c42144282d8cd83192b8fbc7cf |
| SHA1 | de83d08d2cca06b9ff3d1ef239d6b60b705d25fe |
| SHA256 | 0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51 |
| SHA512 | f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd |
memory/3292-23-0x0000000005800000-0x000000000580A000-memory.dmp
memory/2156-25-0x0000000074160000-0x000000007484E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp74F1.tmp
| MD5 | 7e03b8c9c7305c78624446dba94eb3a5 |
| SHA1 | 55b4852ba7d35a67e8002a80d7dac120a8ca486f |
| SHA256 | 120dad18a95e7a371e4b00c0afe04670ba14112945c557e956839eec825545a9 |
| SHA512 | 3902fd679455405018dcf87a9510a2ad5ac29a991b96eb69f4cf49e502ebba19a5b8ee6f875ea0a8d4db7f31c96b8110111163492cd25378c0588279388295c6 |
memory/4604-28-0x0000000005BB0000-0x0000000005C16000-memory.dmp
memory/3292-29-0x000000007416E000-0x000000007416F000-memory.dmp
memory/3292-30-0x0000000074160000-0x000000007484E000-memory.dmp
memory/4604-31-0x0000000005720000-0x000000000572A000-memory.dmp