Overview

overview

10

Static

static

3

fechas de ...cr.exe

windows7-x64

10

fechas de ...cr.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-07-2024 11:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fechas de pago.scr.exe

  • Size

    240KB

  • MD5

    bcc06a7faf92224142143e13eaf78cf1

  • SHA1

    0be4983558b5b48bf0b1a1ec129cb380939c84ae

  • SHA256

    5fda36bec5b1d5ec526e5b044a6b30b7afa1d0d5465ffa7c470efc9358ebc4b5

  • SHA512

    a21632fa3146aa05a837030c282d1868626b6e4d9e719d0bd7e3ba9c30bc46a72f4757d0c0154324b0ea4bf28c69dc3af89b43cb0df342db798de96a94f29cd4

  • SSDEEP

    6144:0FUE1lHRWN6YrbNgNU7Rg1pbisKZZ6DzR7OYbyjI:0PWN60NIU78pbnKZZ6DzR7OYbl

Score
10/10
xenoratratspywarestealertrojan

Malware Config

Extracted

Family

xenorat

C2

91.92.248.167

Mutex

Dolid_rat_nd8859g

Attributes
  • delay

    60000

  • install_path

    appdata

  • port

    1280

  • startup_name

    dms

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe
    "C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe
      "C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4560
      • C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe
        "C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1276
        • C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe
          "C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe"
          4⤵
          • Executes dropped EXE
          PID:4428
        • C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe
          "C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe"
          4⤵
          • Executes dropped EXE
          PID:2640
        • C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe
          "C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe"
          4⤵
          • Executes dropped EXE
          PID:3332
    • C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe
      "C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1236
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "dms" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2630.tmp" /F
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2100
    • C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe
      "C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe"
      2⤵
        PID:660
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 660 -s 80
          3⤵
          • Program crash
          PID:3224
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 660 -ip 660
      1⤵
        PID:5080

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Credential Access

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fechas de pago.scr.exe.log
        Filesize

        522B

        MD5

        8334a471a4b492ece225b471b8ad2fc8

        SHA1

        1cb24640f32d23e8f7800bd0511b7b9c3011d992

        SHA256

        5612afe347d8549cc95a0c710602bcc7d7b224361b613c0a6ba362092300c169

        SHA512

        56ae2e83355c331b00d782797f5664c2f373eac240e811aab978732503ae05eb20b08730d2427ed90efa5a706d71b42b57153596a45a6b5592e3dd9128b81c36

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmp2630.tmp
        Filesize

        1KB

        MD5

        15353a3bb0a5c558a81376bcdfdc6ad6

        SHA1

        36156e5bd828094aacba26b60214420192009f01

        SHA256

        66d9195ec358a9736be2517f55b02206baa72c2d08512474f474773bbef6ef3a

        SHA512

        331585e484b39553b5bb51745db450f46b1b75c04610eb50d1824a3a25c29c1c235212b52b1772205ce5c80643a77ef78eba3c3999cf2828c3645862e06cabb4

        Download Submit
      • C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe
        Filesize

        240KB

        MD5

        bcc06a7faf92224142143e13eaf78cf1

        SHA1

        0be4983558b5b48bf0b1a1ec129cb380939c84ae

        SHA256

        5fda36bec5b1d5ec526e5b044a6b30b7afa1d0d5465ffa7c470efc9358ebc4b5

        SHA512

        a21632fa3146aa05a837030c282d1868626b6e4d9e719d0bd7e3ba9c30bc46a72f4757d0c0154324b0ea4bf28c69dc3af89b43cb0df342db798de96a94f29cd4

        Download Submit
      • memory/1236-13-0x0000000074FE0000-0x0000000075790000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/1236-54-0x00000000071B0000-0x0000000007430000-memory.dmp
        Filesize

        2.5MB

        Download
      • memory/1236-45-0x00000000068A0000-0x00000000068BE000-memory.dmp
        Filesize

        120KB

        Download
      • memory/1236-44-0x0000000006C80000-0x00000000071AC000-memory.dmp
        Filesize

        5.2MB

        Download
      • memory/1236-43-0x00000000064B0000-0x0000000006500000-memory.dmp
        Filesize

        320KB

        Download
      • memory/1236-42-0x0000000006430000-0x00000000064A6000-memory.dmp
        Filesize

        472KB

        Download
      • memory/1236-41-0x0000000006580000-0x0000000006742000-memory.dmp
        Filesize

        1.8MB

        Download
      • memory/1236-15-0x0000000074FE0000-0x0000000075790000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/1236-40-0x00000000062B0000-0x00000000063AA000-memory.dmp
        Filesize

        1000KB

        Download
      • memory/1236-39-0x0000000006040000-0x00000000060A6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/1236-36-0x0000000074FE0000-0x0000000075790000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/1276-35-0x0000000074FE0000-0x0000000075790000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/1276-28-0x0000000074FE0000-0x0000000075790000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2480-6-0x0000000004CA0000-0x0000000004CA6000-memory.dmp
        Filesize

        24KB

        Download
      • memory/2480-3-0x0000000004AE0000-0x0000000004B1E000-memory.dmp
        Filesize

        248KB

        Download
      • memory/2480-1-0x00000000000A0000-0x00000000000E0000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2480-0-0x0000000074FEE000-0x0000000074FEF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2480-4-0x0000000004CD0000-0x0000000004D6C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/2480-14-0x0000000074FE0000-0x0000000075790000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2480-5-0x0000000074FE0000-0x0000000075790000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2480-2-0x0000000002490000-0x0000000002496000-memory.dmp
        Filesize

        24KB

        Download
      • memory/4560-27-0x0000000074FE0000-0x0000000075790000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/4560-12-0x0000000074FE0000-0x0000000075790000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/4560-7-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download