Overview

overview

10

Static

static

3

fechas de ...cr.exe

windows7-x64

10

fechas de ...cr.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    04-07-2024 11:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fechas de pago.scr.exe

  • Size

    240KB

  • MD5

    bcc06a7faf92224142143e13eaf78cf1

  • SHA1

    0be4983558b5b48bf0b1a1ec129cb380939c84ae

  • SHA256

    5fda36bec5b1d5ec526e5b044a6b30b7afa1d0d5465ffa7c470efc9358ebc4b5

  • SHA512

    a21632fa3146aa05a837030c282d1868626b6e4d9e719d0bd7e3ba9c30bc46a72f4757d0c0154324b0ea4bf28c69dc3af89b43cb0df342db798de96a94f29cd4

  • SSDEEP

    6144:0FUE1lHRWN6YrbNgNU7Rg1pbisKZZ6DzR7OYbyjI:0PWN60NIU78pbnKZZ6DzR7OYbl

Score
10/10
xenoratratspywarestealertrojan

Malware Config

Extracted

Family

xenorat

C2

91.92.248.167

Mutex

Dolid_rat_nd8859g

Attributes
  • delay

    60000

  • install_path

    appdata

  • port

    1280

  • startup_name

    dms

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe
    "C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2444
    • C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe
      "C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1708
      • C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe
        "C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2740
        • C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe
          "C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe"
          4⤵
          • Executes dropped EXE
          PID:2920
        • C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe
          "C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe"
          4⤵
          • Executes dropped EXE
          PID:2640
        • C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe
          "C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2652
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks.exe" /Create /TN "dms" /XML "C:\Users\Admin\AppData\Local\Temp\tmp56E6.tmp" /F
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:1780
    • C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe
      "C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe"
      2⤵
        PID:2672
      • C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe
        "C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe"
        2⤵
          PID:2060

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp56E6.tmp
        Filesize

        1KB

        MD5

        8c9b557a6488ef9093caaccc60cc4223

        SHA1

        31a072f552d65a4d60ee025b8a70d654d3093009

        SHA256

        5a3ceafb68e10422476e8a783acd0b5881e6a21aa7f951841c54ad3cf138c357

        SHA512

        d07dabd8a01eebc2c10e3a82f157c300e5c2307a3aa5af69ddf8c47408a0f8db98e053204b69cace2da3314605de507b4ba54b010bafec6e8cf3c6de48cbb087

        Download Submit
      • \Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe
        Filesize

        240KB

        MD5

        bcc06a7faf92224142143e13eaf78cf1

        SHA1

        0be4983558b5b48bf0b1a1ec129cb380939c84ae

        SHA256

        5fda36bec5b1d5ec526e5b044a6b30b7afa1d0d5465ffa7c470efc9358ebc4b5

        SHA512

        a21632fa3146aa05a837030c282d1868626b6e4d9e719d0bd7e3ba9c30bc46a72f4757d0c0154324b0ea4bf28c69dc3af89b43cb0df342db798de96a94f29cd4

        Download Submit
      • memory/1708-6-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1708-23-0x00000000748E0000-0x0000000074FCE000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/1708-15-0x00000000748E0000-0x0000000074FCE000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/1708-8-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1708-10-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2444-4-0x0000000000300000-0x000000000033E000-memory.dmp
        Filesize

        248KB

        Download
      • memory/2444-5-0x0000000000350000-0x0000000000356000-memory.dmp
        Filesize

        24KB

        Download
      • memory/2444-14-0x00000000748E0000-0x0000000074FCE000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/2444-0-0x00000000748EE000-0x00000000748EF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2444-3-0x00000000748E0000-0x0000000074FCE000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/2444-2-0x00000000003E0000-0x00000000003E6000-memory.dmp
        Filesize

        24KB

        Download
      • memory/2444-1-0x0000000000290000-0x00000000002D0000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2652-39-0x0000000005C50000-0x0000000005D4A000-memory.dmp
        Filesize

        1000KB

        Download
      • memory/2652-45-0x0000000005FF0000-0x0000000006270000-memory.dmp
        Filesize

        2.5MB

        Download
      • memory/2740-22-0x00000000002E0000-0x0000000000320000-memory.dmp
        Filesize

        256KB

        Download