Overview

overview

10

Static

static

3

odeme tari...cr.exe

windows7-x64

10

odeme tari...cr.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    04-07-2024 11:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    odeme tarihleri.scr.exe

  • Size

    240KB

  • MD5

    b41d067615ca60ffe4253297866d79be

  • SHA1

    1aab2b69eb9f918d1e0a23a82a98411709ee2fdb

  • SHA256

    477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c

  • SHA512

    7c5b98c2e3fbdafc0949ca9d32b9c41be044f3b99052e1119472d1999442114ed60d5949929e7b14aa028c77c7adc638ee0507362ab848af7cb4612c9313e29e

  • SSDEEP

    6144:oGB7vPW1gnEHLltCX754KLHrdoBiEd0nJ1iaJC4E2Hjyq3RVlA44I:oOOCnEHXY7ZzreHin7iaJC4E2Hjyq3Rj

Score
10/10
xenoratratspywarestealertrojan

Malware Config

Extracted

Family

xenorat

C2

91.92.248.167

Mutex

Dolid_rat_nd8859g

Attributes
  • delay

    60000

  • install_path

    appdata

  • port

    1280

  • startup_name

    dms

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 59 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\odeme tarihleri.scr.exe
    "C:\Users\Admin\AppData\Local\Temp\odeme tarihleri.scr.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1276
    • C:\Users\Admin\AppData\Local\Temp\odeme tarihleri.scr.exe
      "C:\Users\Admin\AppData\Local\Temp\odeme tarihleri.scr.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1940
      • C:\Users\Admin\AppData\Roaming\XenoManager\odeme tarihleri.scr.exe
        "C:\Users\Admin\AppData\Roaming\XenoManager\odeme tarihleri.scr.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3000
        • C:\Users\Admin\AppData\Roaming\XenoManager\odeme tarihleri.scr.exe
          "C:\Users\Admin\AppData\Roaming\XenoManager\odeme tarihleri.scr.exe"
          4⤵
          • Executes dropped EXE
          PID:2496
        • C:\Users\Admin\AppData\Roaming\XenoManager\odeme tarihleri.scr.exe
          "C:\Users\Admin\AppData\Roaming\XenoManager\odeme tarihleri.scr.exe"
          4⤵
          • Executes dropped EXE
          PID:2460
        • C:\Users\Admin\AppData\Roaming\XenoManager\odeme tarihleri.scr.exe
          "C:\Users\Admin\AppData\Roaming\XenoManager\odeme tarihleri.scr.exe"
          4⤵
          • Executes dropped EXE
          PID:2492
    • C:\Users\Admin\AppData\Local\Temp\odeme tarihleri.scr.exe
      "C:\Users\Admin\AppData\Local\Temp\odeme tarihleri.scr.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3048
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "dms" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFA08.tmp" /F
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1092
    • C:\Users\Admin\AppData\Local\Temp\odeme tarihleri.scr.exe
      "C:\Users\Admin\AppData\Local\Temp\odeme tarihleri.scr.exe"
      2⤵
        PID:2184

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpFA08.tmp
      Filesize

      1KB

      MD5

      37ec5267dd86eda7ede5ebd12f1e36f1

      SHA1

      44b076789f3b146b984bf38a80ede8a02af969c7

      SHA256

      438b9d04247ca8bea31f6021570568582eb427bc258ad053a09c5c9dadfbfb22

      SHA512

      23c79488911085bf39d31aa3e3be93681e7cc147e8853b88ab1fcee7b334895d575c2afe0d119993879aafdc020385aa7c96991567dd82498eef40061b1359ad

      Download Submit
    • C:\Users\Admin\AppData\Roaming\XenoManager\odeme tarihleri.scr.exe
      Filesize

      240KB

      MD5

      b41d067615ca60ffe4253297866d79be

      SHA1

      1aab2b69eb9f918d1e0a23a82a98411709ee2fdb

      SHA256

      477ca1add0f03886c3bb29c4f03ffd2aa4d5c2a0fb3346fe46890c25347a8d7c

      SHA512

      7c5b98c2e3fbdafc0949ca9d32b9c41be044f3b99052e1119472d1999442114ed60d5949929e7b14aa028c77c7adc638ee0507362ab848af7cb4612c9313e29e

      Download Submit
    • memory/1276-28-0x00000000743D0000-0x0000000074ABE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1276-3-0x00000000005D0000-0x000000000060E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/1276-5-0x00000000004E0000-0x00000000004E6000-memory.dmp
      Filesize

      24KB

      Download
    • memory/1276-2-0x00000000004B0000-0x00000000004B6000-memory.dmp
      Filesize

      24KB

      Download
    • memory/1276-0-0x00000000743DE000-0x00000000743DF000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1276-4-0x00000000743D0000-0x0000000074ABE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1276-1-0x0000000000A00000-0x0000000000A40000-memory.dmp
      Filesize

      256KB

      Download
    • memory/1940-6-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1940-16-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1940-23-0x00000000743D0000-0x0000000074ABE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1940-31-0x00000000743D0000-0x0000000074ABE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/3000-33-0x0000000000DD0000-0x0000000000E10000-memory.dmp
      Filesize

      256KB

      Download
    • memory/3048-13-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3048-46-0x00000000743D0000-0x0000000074ABE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/3048-32-0x00000000743D0000-0x0000000074ABE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/3048-49-0x00000000743D0000-0x0000000074ABE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/3048-50-0x00000000743D0000-0x0000000074ABE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/3048-51-0x00000000062A0000-0x000000000639A000-memory.dmp
      Filesize

      1000KB

      Download