Overview

overview

10

Static

static

3

fechas de ...cr.exe

windows7-x64

10

fechas de ...cr.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    04-07-2024 11:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fechas de pago.scr.exe

  • Size

    239KB

  • MD5

    1f89375dede098a5f59710c111594b8d

  • SHA1

    e782a9abdd7ceed63a6a10b83a16c278400f9b32

  • SHA256

    6f5b287c87ff655d6d07686fc8328e1c7e4dd2ca99caca5c757300a8d4b1940b

  • SHA512

    94e856096bb44e70cd04c308e5f2647cbc64990bb765d40e4e1fae9d1a0b3de3e7cfc6949297ebf19450ed2f11e2754bab55573f1d64ff1d7f599230c01ae960

  • SSDEEP

    6144:QQDn9LAsrPf1xTjlMk1y+fn0fTm6wJm2rrFOI:NDnx/zfjnH1x0fTm6wJm2rrh

Score
10/10
xenoratrattrojan

Malware Config

Extracted

Family

xenorat

C2

91.92.248.167

Mutex

Dolid_rat_nd8859g

Attributes
  • delay

    60000

  • install_path

    appdata

  • port

    1280

  • startup_name

    dms

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe
    "C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe
      "C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1244
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "dms" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6123.tmp" /F
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1376
    • C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe
      "C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2580
      • C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe
        "C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2692
        • C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe
          "C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe"
          4⤵
          • Executes dropped EXE
          PID:2508
        • C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe
          "C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe"
          4⤵
          • Executes dropped EXE
          PID:2552
        • C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe
          "C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe"
          4⤵
          • Executes dropped EXE
          PID:1256
    • C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe
      "C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe"
      2⤵
        PID:2748

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp6123.tmp
      Filesize

      1KB

      MD5

      15353a3bb0a5c558a81376bcdfdc6ad6

      SHA1

      36156e5bd828094aacba26b60214420192009f01

      SHA256

      66d9195ec358a9736be2517f55b02206baa72c2d08512474f474773bbef6ef3a

      SHA512

      331585e484b39553b5bb51745db450f46b1b75c04610eb50d1824a3a25c29c1c235212b52b1772205ce5c80643a77ef78eba3c3999cf2828c3645862e06cabb4

      Download Submit
    • \Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe
      Filesize

      239KB

      MD5

      1f89375dede098a5f59710c111594b8d

      SHA1

      e782a9abdd7ceed63a6a10b83a16c278400f9b32

      SHA256

      6f5b287c87ff655d6d07686fc8328e1c7e4dd2ca99caca5c757300a8d4b1940b

      SHA512

      94e856096bb44e70cd04c308e5f2647cbc64990bb765d40e4e1fae9d1a0b3de3e7cfc6949297ebf19450ed2f11e2754bab55573f1d64ff1d7f599230c01ae960

      Download Submit
    • memory/1244-6-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1244-46-0x0000000074C10000-0x00000000752FE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1244-50-0x0000000074C10000-0x00000000752FE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1244-49-0x0000000074C10000-0x00000000752FE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1244-25-0x0000000074C10000-0x00000000752FE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1244-8-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2208-0-0x0000000074C1E000-0x0000000074C1F000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2208-23-0x0000000074C10000-0x00000000752FE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2208-2-0x0000000000470000-0x0000000000476000-memory.dmp
      Filesize

      24KB

      Download
    • memory/2208-3-0x0000000074C10000-0x00000000752FE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2208-1-0x0000000001110000-0x0000000001150000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2208-5-0x0000000000490000-0x0000000000496000-memory.dmp
      Filesize

      24KB

      Download
    • memory/2208-4-0x0000000000520000-0x000000000055E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/2580-24-0x0000000074C10000-0x00000000752FE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2580-16-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2580-33-0x0000000074C10000-0x00000000752FE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2692-32-0x0000000001200000-0x0000000001240000-memory.dmp
      Filesize

      256KB

      Download