Overview

overview

10

Static

static

3

odeme tari...cr.exe

windows7-x64

10

odeme tari...cr.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-07-2024 11:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    odeme tarihleri.scr.exe

  • Size

    240KB

  • MD5

    bb4b3fd0c725a96ba871f77f9604fa69

  • SHA1

    0b3926a1a98b87938b94f8ffd511f7319a576990

  • SHA256

    c3e5a543f13e20484325ba5a08fd8993880f8282ed5a40e30c97fcf2aea91fa1

  • SHA512

    cce99d6730ba2de4bd530fca0f31c3d702fecc55370e135915dec69415484335879c0e07cb2a406266a4aed641e57c631b27ce7ff30198a23038f25ae0296a63

  • SSDEEP

    6144:GVjndzqytMhsZAEO66joa7ZgVtgv5T7K9YWs1NExcl+Vk+jI:FyasZAEB6jo++VSv569YWs1NExcl+Vkt

Score
10/10
xenoratratspywarestealertrojan

Malware Config

Extracted

Family

xenorat

C2

91.92.248.167

Mutex

Dolid_rat_nd8859g

Attributes
  • delay

    60000

  • install_path

    appdata

  • port

    1280

  • startup_name

    dms

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\odeme tarihleri.scr.exe
    "C:\Users\Admin\AppData\Local\Temp\odeme tarihleri.scr.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1568
    • C:\Users\Admin\AppData\Local\Temp\odeme tarihleri.scr.exe
      "C:\Users\Admin\AppData\Local\Temp\odeme tarihleri.scr.exe"
      2⤵
        PID:2824
      • C:\Users\Admin\AppData\Local\Temp\odeme tarihleri.scr.exe
        "C:\Users\Admin\AppData\Local\Temp\odeme tarihleri.scr.exe"
        2⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:3264
        • C:\Users\Admin\AppData\Roaming\XenoManager\odeme tarihleri.scr.exe
          "C:\Users\Admin\AppData\Roaming\XenoManager\odeme tarihleri.scr.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4956
          • C:\Users\Admin\AppData\Roaming\XenoManager\odeme tarihleri.scr.exe
            "C:\Users\Admin\AppData\Roaming\XenoManager\odeme tarihleri.scr.exe"
            4⤵
            • Executes dropped EXE
            PID:1052
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 80
              5⤵
              • Program crash
              PID:5100
          • C:\Users\Admin\AppData\Roaming\XenoManager\odeme tarihleri.scr.exe
            "C:\Users\Admin\AppData\Roaming\XenoManager\odeme tarihleri.scr.exe"
            4⤵
            • Executes dropped EXE
            PID:1088
          • C:\Users\Admin\AppData\Roaming\XenoManager\odeme tarihleri.scr.exe
            "C:\Users\Admin\AppData\Roaming\XenoManager\odeme tarihleri.scr.exe"
            4⤵
            • Executes dropped EXE
            PID:3632
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 80
              5⤵
              • Program crash
              PID:4916
      • C:\Users\Admin\AppData\Local\Temp\odeme tarihleri.scr.exe
        "C:\Users\Admin\AppData\Local\Temp\odeme tarihleri.scr.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5092
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks.exe" /Create /TN "dms" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3767.tmp" /F
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:512
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3632 -ip 3632
      1⤵
        PID:4228
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1052 -ip 1052
        1⤵
          PID:1444

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\odeme tarihleri.scr.exe.log
          Filesize

          522B

          MD5

          8334a471a4b492ece225b471b8ad2fc8

          SHA1

          1cb24640f32d23e8f7800bd0511b7b9c3011d992

          SHA256

          5612afe347d8549cc95a0c710602bcc7d7b224361b613c0a6ba362092300c169

          SHA512

          56ae2e83355c331b00d782797f5664c2f373eac240e811aab978732503ae05eb20b08730d2427ed90efa5a706d71b42b57153596a45a6b5592e3dd9128b81c36

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\tmp3767.tmp
          Filesize

          1KB

          MD5

          37ec5267dd86eda7ede5ebd12f1e36f1

          SHA1

          44b076789f3b146b984bf38a80ede8a02af969c7

          SHA256

          438b9d04247ca8bea31f6021570568582eb427bc258ad053a09c5c9dadfbfb22

          SHA512

          23c79488911085bf39d31aa3e3be93681e7cc147e8853b88ab1fcee7b334895d575c2afe0d119993879aafdc020385aa7c96991567dd82498eef40061b1359ad

          Download Submit
        • C:\Users\Admin\AppData\Roaming\XenoManager\odeme tarihleri.scr.exe
          Filesize

          240KB

          MD5

          bb4b3fd0c725a96ba871f77f9604fa69

          SHA1

          0b3926a1a98b87938b94f8ffd511f7319a576990

          SHA256

          c3e5a543f13e20484325ba5a08fd8993880f8282ed5a40e30c97fcf2aea91fa1

          SHA512

          cce99d6730ba2de4bd530fca0f31c3d702fecc55370e135915dec69415484335879c0e07cb2a406266a4aed641e57c631b27ce7ff30198a23038f25ae0296a63

          Download Submit
        • memory/1568-6-0x0000000004BA0000-0x0000000004BA6000-memory.dmp
          Filesize

          24KB

          Download
        • memory/1568-4-0x0000000004B60000-0x0000000004B9E000-memory.dmp
          Filesize

          248KB

          Download
        • memory/1568-5-0x0000000005F30000-0x0000000005FCC000-memory.dmp
          Filesize

          624KB

          Download
        • memory/1568-0-0x0000000074F5E000-0x0000000074F5F000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1568-3-0x0000000074F50000-0x0000000075700000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/1568-17-0x0000000074F50000-0x0000000075700000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/1568-1-0x0000000000130000-0x0000000000170000-memory.dmp
          Filesize

          256KB

          Download
        • memory/1568-2-0x0000000004B50000-0x0000000004B56000-memory.dmp
          Filesize

          24KB

          Download
        • memory/2824-7-0x0000000000400000-0x0000000000412000-memory.dmp
          Filesize

          72KB

          Download
        • memory/2824-11-0x0000000074F50000-0x0000000075700000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/2824-15-0x0000000074F50000-0x0000000075700000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/3264-14-0x0000000074F50000-0x0000000075700000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/3264-29-0x0000000074F50000-0x0000000075700000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/5092-18-0x0000000074F50000-0x0000000075700000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/5092-36-0x0000000074F50000-0x0000000075700000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/5092-16-0x0000000074F50000-0x0000000075700000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/5092-39-0x00000000055D0000-0x0000000005636000-memory.dmp
          Filesize

          408KB

          Download
        • memory/5092-40-0x0000000005C60000-0x0000000005D5A000-memory.dmp
          Filesize

          1000KB

          Download
        • memory/5092-41-0x0000000005F30000-0x00000000060F2000-memory.dmp
          Filesize

          1.8MB

          Download
        • memory/5092-43-0x0000000005E60000-0x0000000005EB0000-memory.dmp
          Filesize

          320KB

          Download
        • memory/5092-42-0x0000000005DE0000-0x0000000005E56000-memory.dmp
          Filesize

          472KB

          Download
        • memory/5092-44-0x0000000006630000-0x0000000006B5C000-memory.dmp
          Filesize

          5.2MB

          Download
        • memory/5092-45-0x0000000006220000-0x000000000623E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/5092-54-0x0000000006B60000-0x0000000006DE0000-memory.dmp
          Filesize

          2.5MB

          Download