Analysis

  • max time kernel
    1s
  • max time network
    5s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-07-2024 12:15

General

  • Target

    EnsureRunning.exe

  • Size

    119KB

  • MD5

    69321e94a3a3a6c2cf38446f819b06e8

  • SHA1

    40301c766451893996f6182c3fc2ca2a3c011c6a

  • SHA256

    89ba42920c979ee5083c7cc20c61edcfcb19f62124eab2598994d5274b1538b0

  • SHA512

    1bd987e54cd902218b904503ed502de36898da6697640a79f0b4087c24c643e27afce9dec48f0d6446d3e6e0da9e61f42d5617bba22e5336424c5f3d06fea240

  • SSDEEP

    1536:i7fWw+jjgnJ2H9XqcnW85SbThuIkKuZ+8uZ3nV5XS65mkrPZ58kzQ+e+e+g+:i7Ow+jqJ491UbTh3h7J7M+e+e+g+

Score
10/10

Malware Config

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\EnsureRunning.exe
    "C:\Users\Admin\AppData\Local\Temp\EnsureRunning.exe"
    1⤵
      PID:2416
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 1128
        2⤵
        • Program crash
        PID:2768
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2416 -ip 2416
      1⤵
        PID:2360

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2416-0-0x0000000074C8E000-0x0000000074C8F000-memory.dmp

        Filesize

        4KB

      • memory/2416-1-0x0000000000DB0000-0x0000000000DD4000-memory.dmp

        Filesize

        144KB