Malware Analysis Report

2024-08-06 18:12

Sample ID 240702-zk9wbssgjm
Target loader_2.exe
SHA256 8a9ab6c659fa30fc1ac9548bdea3300ab9d829f8a085131aa5e5024f67cacc81
Tags
xenorat rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8a9ab6c659fa30fc1ac9548bdea3300ab9d829f8a085131aa5e5024f67cacc81

Threat Level: Known bad

The file loader_2.exe was found to be: Known bad.

Malicious Activity Summary

xenorat rat trojan

XenorRat

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Persistence
TA0003
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Privilege Escalation
TA0004
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-07-02 20:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-02 20:47

Reported

2024-07-02 20:48

Platform

win10-20240404-en

Max time kernel

27s

Max time network

28s

Command Line

"C:\Users\Admin\AppData\Local\Temp\loader_2.exe"

Signatures

XenorRat

trojan rat xenorat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\loader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SteamUDPUpdater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\loader.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3748 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\loader_2.exe C:\Users\Admin\AppData\Local\loader.exe
PID 3748 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\loader_2.exe C:\Users\Admin\AppData\Local\loader.exe
PID 3748 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\loader_2.exe C:\Users\Admin\AppData\Local\loader.exe
PID 3748 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\loader_2.exe C:\Users\Admin\AppData\Local\SteamUDPUpdater.exe
PID 3748 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\loader_2.exe C:\Users\Admin\AppData\Local\SteamUDPUpdater.exe
PID 3748 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\loader_2.exe C:\Users\Admin\AppData\Local\SteamUDPUpdater.exe
PID 312 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\SteamUDPUpdater.exe C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe
PID 312 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\SteamUDPUpdater.exe C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe
PID 312 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\SteamUDPUpdater.exe C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe
PID 4924 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe C:\Windows\SysWOW64\schtasks.exe
PID 4924 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe C:\Windows\SysWOW64\schtasks.exe
PID 4924 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\loader_2.exe

"C:\Users\Admin\AppData\Local\Temp\loader_2.exe"

C:\Users\Admin\AppData\Local\loader.exe

"C:\Users\Admin\AppData\Local\loader.exe"

C:\Users\Admin\AppData\Local\SteamUDPUpdater.exe

"C:\Users\Admin\AppData\Local\SteamUDPUpdater.exe"

C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe

"C:\Users\Admin\AppData\Local\Temp\XenoManager\SteamUDPUpdater.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "SteamUDPUpdater" /XML "C:\Users\Admin\AppData\Local\Temp\tmp806B.tmp" /F

Network

Country Destination Domain Proto
NL 37.120.141.155:22914 tcp
NL 37.120.141.155:22914 tcp
US 8.8.8.8:53 155.141.120.37.in-addr.arpa udp
NL 37.120.141.155:22914 tcp
NL 37.120.141.155:22914 tcp

Files

C:\Users\Admin\AppData\Local\loader.exe

MD5 f701562eb6bc2d60da82bb8fe907594e
SHA1 b4a927d39ec3eb6fbf3ff087ee4d23dc9dfc158c
SHA256 17e8ea093d6505417598efa6d8b888fd164bb1e0006fa2e466c9d20e0dadb859
SHA512 bf2f37d5764e57195d5688b0fcd179f471605cacb6c1adfaa6abbce821a83217fb9fecd2a28c87253fe4de126aa42e82e79e639359ebdf1a1b7b11ae448a63d2

C:\Users\Admin\AppData\Local\SteamUDPUpdater.exe

MD5 9908883bbcee91c29c9086198d8d8146
SHA1 eae0d98cd5147fe75379c165900f1b07d4970505
SHA256 829d1379ee5a8da6b21af8a5c4dd9c262a569847b2664d39f5c415e0dc74c399
SHA512 4706586c902c7deaba67a7c58ed60df4960cbee62d63148b05c4d82b83fc685f61201904d09615936d1a505f0ca61cd376a7fe37e19b3570f51c73a740073629

memory/312-10-0x000000007311E000-0x000000007311F000-memory.dmp

memory/312-11-0x0000000000FE0000-0x0000000001002000-memory.dmp

memory/224-12-0x0000000000540000-0x000000000056A000-memory.dmp

memory/224-14-0x0000000005320000-0x000000000581E000-memory.dmp

memory/224-13-0x0000000073110000-0x00000000737FE000-memory.dmp

memory/224-15-0x0000000004E20000-0x0000000004EB2000-memory.dmp

memory/224-17-0x0000000073110000-0x00000000737FE000-memory.dmp

memory/224-18-0x0000000004DC0000-0x0000000004DCA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SteamUDPUpdater.exe.log

MD5 957779c42144282d8cd83192b8fbc7cf
SHA1 de83d08d2cca06b9ff3d1ef239d6b60b705d25fe
SHA256 0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51
SHA512 f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

C:\Users\Admin\AppData\Local\Temp\tmp806B.tmp

MD5 7e03b8c9c7305c78624446dba94eb3a5
SHA1 55b4852ba7d35a67e8002a80d7dac120a8ca486f
SHA256 120dad18a95e7a371e4b00c0afe04670ba14112945c557e956839eec825545a9
SHA512 3902fd679455405018dcf87a9510a2ad5ac29a991b96eb69f4cf49e502ebba19a5b8ee6f875ea0a8d4db7f31c96b8110111163492cd25378c0588279388295c6

memory/4924-27-0x0000000005EE0000-0x0000000005F46000-memory.dmp

memory/224-29-0x0000000073110000-0x00000000737FE000-memory.dmp

memory/4924-30-0x0000000005AB0000-0x0000000005ABA000-memory.dmp