Overview

overview

10

Static

static

3

fechas de ...cr.exe

windows7-x64

10

fechas de ...cr.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-07-2024 11:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fechas de pago.scr.exe

  • Size

    239KB

  • MD5

    3464c6b50ffdf4e9cad35a423868fa17

  • SHA1

    4911e2fd81a78c402c0638b6705e26af73deb3d1

  • SHA256

    85eeb40d3c63e7452b85dd1f64ad8c6a959baf5f392719ee709d8093404782db

  • SHA512

    86750a9c8b4221075fc133301502ebae2d138bc153463afd368afd0999661343d8e0585d72247e0ac000d0a7cf9e6d0e6a167a2eb7ab07abda030cdcc3214394

  • SSDEEP

    6144:ZcGxpvsROEOLDqckHsbCzHGthxud5jJX/bCvqiyXSVI:rvsoDdkHRjSs5/+vqiyXn

Score
10/10
xenoratratspywarestealertrojan

Malware Config

Extracted

Family

xenorat

C2

91.92.248.167

Mutex

Dolid_rat_nd8859g

Attributes
  • delay

    60000

  • install_path

    appdata

  • port

    1280

  • startup_name

    dms

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe
    "C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1812
    • C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe
      "C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2772
      • C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe
        "C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4420
        • C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe
          "C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe"
          4⤵
          • Executes dropped EXE
          PID:1444
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 80
            5⤵
            • Program crash
            PID:2084
        • C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe
          "C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3772
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks.exe" /Create /TN "dms" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE877.tmp" /F
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:4872
        • C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe
          "C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe"
          4⤵
          • Executes dropped EXE
          PID:5052
    • C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe
      "C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe"
      2⤵
        PID:3908
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 80
          3⤵
          • Program crash
          PID:2308
      • C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe
        "C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe"
        2⤵
          PID:1212
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 80
            3⤵
            • Program crash
            PID:3380
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1212 -ip 1212
        1⤵
          PID:1576
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3908 -ip 3908
          1⤵
            PID:4556
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1444 -ip 1444
            1⤵
              PID:4832
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4116,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:8
              1⤵
                PID:1004

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fechas de pago.scr.exe.log
                Filesize

                522B

                MD5

                8334a471a4b492ece225b471b8ad2fc8

                SHA1

                1cb24640f32d23e8f7800bd0511b7b9c3011d992

                SHA256

                5612afe347d8549cc95a0c710602bcc7d7b224361b613c0a6ba362092300c169

                SHA512

                56ae2e83355c331b00d782797f5664c2f373eac240e811aab978732503ae05eb20b08730d2427ed90efa5a706d71b42b57153596a45a6b5592e3dd9128b81c36

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\1jzjrpbe.dii
                Filesize

                192KB

                MD5

                99f9e1d0e6242010707fea4814c5d1cc

                SHA1

                611cd9346a29f73337cc984f18885c34454e2689

                SHA256

                82d690db648e3899eaef9c74b934da29980758295be66edde20716ce3e108074

                SHA512

                aefcd24d55be3c50585d9c1afcdb05702fdbe08572fbab25e6a48e6ced3239cb7760afc286e6ee16e0fe3d961a9251a19926a34ec3ca81211bd369405a9bbdd4

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\esrcztgs.cvd
                Filesize

                152KB

                MD5

                73bd1e15afb04648c24593e8ba13e983

                SHA1

                4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91

                SHA256

                aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b

                SHA512

                6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\tmpE877.tmp
                Filesize

                1KB

                MD5

                8c9b557a6488ef9093caaccc60cc4223

                SHA1

                31a072f552d65a4d60ee025b8a70d654d3093009

                SHA256

                5a3ceafb68e10422476e8a783acd0b5881e6a21aa7f951841c54ad3cf138c357

                SHA512

                d07dabd8a01eebc2c10e3a82f157c300e5c2307a3aa5af69ddf8c47408a0f8db98e053204b69cace2da3314605de507b4ba54b010bafec6e8cf3c6de48cbb087

                Download Submit
              • C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe
                Filesize

                239KB

                MD5

                3464c6b50ffdf4e9cad35a423868fa17

                SHA1

                4911e2fd81a78c402c0638b6705e26af73deb3d1

                SHA256

                85eeb40d3c63e7452b85dd1f64ad8c6a959baf5f392719ee709d8093404782db

                SHA512

                86750a9c8b4221075fc133301502ebae2d138bc153463afd368afd0999661343d8e0585d72247e0ac000d0a7cf9e6d0e6a167a2eb7ab07abda030cdcc3214394

                Download Submit
              • memory/1812-5-0x00000000057A0000-0x000000000583C000-memory.dmp
                Filesize

                624KB

                Download
              • memory/1812-6-0x0000000005460000-0x0000000005466000-memory.dmp
                Filesize

                24KB

                Download
              • memory/1812-2-0x0000000002D60000-0x0000000002D66000-memory.dmp
                Filesize

                24KB

                Download
              • memory/1812-13-0x0000000075320000-0x0000000075AD0000-memory.dmp
                Filesize

                7.7MB

                Download
              • memory/1812-4-0x0000000075320000-0x0000000075AD0000-memory.dmp
                Filesize

                7.7MB

                Download
              • memory/1812-1-0x0000000000AF0000-0x0000000000B30000-memory.dmp
                Filesize

                256KB

                Download
              • memory/1812-3-0x0000000005420000-0x000000000545E000-memory.dmp
                Filesize

                248KB

                Download
              • memory/1812-0-0x000000007532E000-0x000000007532F000-memory.dmp
                Filesize

                4KB

                Download
              • memory/2772-12-0x0000000075320000-0x0000000075AD0000-memory.dmp
                Filesize

                7.7MB

                Download
              • memory/2772-7-0x0000000000400000-0x0000000000412000-memory.dmp
                Filesize

                72KB

                Download
              • memory/2772-25-0x0000000075320000-0x0000000075AD0000-memory.dmp
                Filesize

                7.7MB

                Download
              • memory/3772-40-0x0000000005A70000-0x0000000005B6A000-memory.dmp
                Filesize

                1000KB

                Download
              • memory/3772-36-0x0000000075320000-0x0000000075AD0000-memory.dmp
                Filesize

                7.7MB

                Download
              • memory/3772-34-0x0000000075320000-0x0000000075AD0000-memory.dmp
                Filesize

                7.7MB

                Download
              • memory/3772-39-0x0000000005800000-0x0000000005866000-memory.dmp
                Filesize

                408KB

                Download
              • memory/3772-41-0x0000000005D40000-0x0000000005F02000-memory.dmp
                Filesize

                1.8MB

                Download
              • memory/3772-42-0x0000000005C30000-0x0000000005CA6000-memory.dmp
                Filesize

                472KB

                Download
              • memory/3772-43-0x0000000005CB0000-0x0000000005D00000-memory.dmp
                Filesize

                320KB

                Download
              • memory/3772-44-0x0000000006440000-0x000000000696C000-memory.dmp
                Filesize

                5.2MB

                Download
              • memory/3772-45-0x0000000006040000-0x000000000605E000-memory.dmp
                Filesize

                120KB

                Download
              • memory/3908-8-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

                Download
              • memory/4420-35-0x0000000075320000-0x0000000075AD0000-memory.dmp
                Filesize

                7.7MB

                Download
              • memory/4420-27-0x0000000075320000-0x0000000075AD0000-memory.dmp
                Filesize

                7.7MB

                Download
              • memory/4420-26-0x0000000075320000-0x0000000075AD0000-memory.dmp
                Filesize

                7.7MB

                Download