xenorat | 4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb

Analysis

max time kernel
147s
max time network
136s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe
Size

235KB
MD5

edc793f85ad6e90c754a9f0799cc08e3
SHA1

c0a2e36283f9e20219b25dd4e15ec7dc73e7aa71
SHA256

4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb
SHA512

653ffa9b5f36afc61804354d74faf0d15e0ff3db4209a4d688de9c49917966a095b56108da1948e5011b262abd910259977f428d80e407d48a6af07579a6058a
SSDEEP

6144:OGKCONo00JeBH3onZ2q5YUUexxgKR63u9i24NnPdI:OBCy0J+XQZ1xgKR63u9i24NnPG

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

91.92.248.167

Mutex

Wolid_rat_nd8859g

Attributes

delay
60000
install_path
appdata
port
1280
startup_name
cms

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Executes dropped EXE 4 IoCs

pid	Process
2644	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe
1712	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe
2212	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe
2760	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe

Loads dropped DLL 4 IoCs

pid	Process
3032	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe
2644	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe
2644	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe
2644	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 1280 set thread context of 3020	1280	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	28
PID 1280 set thread context of 3032	1280	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	29
PID 1280 set thread context of 2340	1280	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	30
PID 2644 set thread context of 1712	2644	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	32
PID 2644 set thread context of 2212	2644	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	33
PID 2644 set thread context of 2760	2644	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1768	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1280	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe
Token: SeDebugPrivilege	2644	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 3020	1280	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	28
PID 1280 wrote to memory of 3020	1280	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	28
PID 1280 wrote to memory of 3020	1280	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	28
PID 1280 wrote to memory of 3020	1280	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	28
PID 1280 wrote to memory of 3020	1280	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	28
PID 1280 wrote to memory of 3020	1280	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	28
PID 1280 wrote to memory of 3020	1280	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	28
PID 1280 wrote to memory of 3020	1280	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	28
PID 1280 wrote to memory of 3020	1280	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	28
PID 1280 wrote to memory of 3032	1280	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	29
PID 1280 wrote to memory of 3032	1280	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	29
PID 1280 wrote to memory of 3032	1280	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	29
PID 1280 wrote to memory of 3032	1280	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	29
PID 1280 wrote to memory of 3032	1280	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	29
PID 1280 wrote to memory of 3032	1280	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	29
PID 1280 wrote to memory of 3032	1280	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	29
PID 1280 wrote to memory of 3032	1280	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	29
PID 1280 wrote to memory of 3032	1280	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	29
PID 1280 wrote to memory of 2340	1280	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	30
PID 1280 wrote to memory of 2340	1280	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	30
PID 1280 wrote to memory of 2340	1280	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	30
PID 1280 wrote to memory of 2340	1280	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	30
PID 1280 wrote to memory of 2340	1280	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	30
PID 1280 wrote to memory of 2340	1280	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	30
PID 1280 wrote to memory of 2340	1280	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	30
PID 1280 wrote to memory of 2340	1280	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	30
PID 1280 wrote to memory of 2340	1280	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	30
PID 3032 wrote to memory of 2644	3032	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	31
PID 3032 wrote to memory of 2644	3032	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	31
PID 3032 wrote to memory of 2644	3032	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	31
PID 3032 wrote to memory of 2644	3032	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	31
PID 2644 wrote to memory of 1712	2644	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	32
PID 2644 wrote to memory of 1712	2644	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	32
PID 2644 wrote to memory of 1712	2644	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	32
PID 2644 wrote to memory of 1712	2644	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	32
PID 2644 wrote to memory of 1712	2644	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	32
PID 2644 wrote to memory of 1712	2644	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	32
PID 2644 wrote to memory of 1712	2644	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	32
PID 2644 wrote to memory of 1712	2644	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	32
PID 2644 wrote to memory of 1712	2644	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	32
PID 2644 wrote to memory of 2212	2644	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	33
PID 2644 wrote to memory of 2212	2644	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	33
PID 2644 wrote to memory of 2212	2644	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	33
PID 2644 wrote to memory of 2212	2644	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	33
PID 2644 wrote to memory of 2212	2644	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	33
PID 2644 wrote to memory of 2212	2644	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	33
PID 2644 wrote to memory of 2212	2644	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	33
PID 2644 wrote to memory of 2212	2644	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	33
PID 2644 wrote to memory of 2212	2644	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	33
PID 2644 wrote to memory of 2760	2644	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	34
PID 2644 wrote to memory of 2760	2644	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	34
PID 2644 wrote to memory of 2760	2644	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	34
PID 2644 wrote to memory of 2760	2644	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	34
PID 2644 wrote to memory of 2760	2644	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	34
PID 2644 wrote to memory of 2760	2644	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	34
PID 2644 wrote to memory of 2760	2644	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	34
PID 2644 wrote to memory of 2760	2644	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	34
PID 2644 wrote to memory of 2760	2644	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	34
PID 1712 wrote to memory of 1768	1712	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	37
PID 1712 wrote to memory of 1768	1712	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	37
PID 1712 wrote to memory of 1768	1712	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	37
PID 1712 wrote to memory of 1768	1712	4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe	37

C:\Users\Admin\AppData\Local\Temp\4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe
"C:\Users\Admin\AppData\Local\Temp\4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Users\Admin\AppData\Local\Temp\4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe
  C:\Users\Admin\AppData\Local\Temp\4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe
  2⤵
  PID:3020
- C:\Users\Admin\AppData\Local\Temp\4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe
  C:\Users\Admin\AppData\Local\Temp\4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Users\Admin\AppData\Roaming\XenoManager\4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe
    "C:\Users\Admin\AppData\Roaming\XenoManager\4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Users\Admin\AppData\Roaming\XenoManager\4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe
      C:\Users\Admin\AppData\Roaming\XenoManager\4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1712
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /Create /TN "cms" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFBA.tmp" /F
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1768
  - - C:\Users\Admin\AppData\Roaming\XenoManager\4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe
      C:\Users\Admin\AppData\Roaming\XenoManager\4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe
      4⤵
      Executes dropped EXE
      PID:2212
  - - C:\Users\Admin\AppData\Roaming\XenoManager\4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe
      C:\Users\Admin\AppData\Roaming\XenoManager\4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe
      4⤵
      Executes dropped EXE
      PID:2760
- C:\Users\Admin\AppData\Local\Temp\4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe
  C:\Users\Admin\AppData\Local\Temp\4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe
  2⤵
  PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpFBA.tmp

Filesize
1KB

MD5
647dbc7f7bc9fe6232fa57660c6d6e8d

SHA1
93a44b5e9506c5a0401349d8628fc107209b6760

SHA256
5b97d4c1ce0ba79f2a8875e69e16049e462b5d53f0d9c501ad6d570154a12caf

SHA512
3cbdff0b2720bba3280f8464a488e6ff947c9237f9abebfddfe48d274f6b0fa7ad6046157431e4528fadd3db8bc98a51d4a53178da1ac3569b0dc30a1888ffc5

Download Submit
\Users\Admin\AppData\Roaming\XenoManager\4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb.exe

Filesize
235KB

MD5
edc793f85ad6e90c754a9f0799cc08e3

SHA1
c0a2e36283f9e20219b25dd4e15ec7dc73e7aa71

SHA256
4d70544594fdd2d04f114222dac0f9a5a21a05a2a3ffd68688cdab8ed93588eb

SHA512
653ffa9b5f36afc61804354d74faf0d15e0ff3db4209a4d688de9c49917966a095b56108da1948e5011b262abd910259977f428d80e407d48a6af07579a6058a

Download Submit
memory/1280-14-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/1280-3-0x00000000003A0000-0x00000000003DE000-memory.dmp

Filesize
248KB

Download
memory/1280-4-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/1280-5-0x00000000004E0000-0x00000000004E6000-memory.dmp

Filesize
24KB

Download
memory/1280-0-0x00000000748AE000-0x00000000748AF000-memory.dmp

Filesize
4KB

Download
memory/1280-2-0x0000000000390000-0x0000000000396000-memory.dmp

Filesize
24KB

Download
memory/1280-1-0x00000000010E0000-0x0000000001120000-memory.dmp

Filesize
256KB

Download
memory/2644-22-0x0000000000A60000-0x0000000000AA0000-memory.dmp

Filesize
256KB

Download
memory/3032-7-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3032-11-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3032-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3032-15-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/3032-23-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads