Overview

overview

10

Static

static

3

fechas de ...cr.exe

windows7-x64

10

fechas de ...cr.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-07-2024 11:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fechas de pago.scr.exe

  • Size

    239KB

  • MD5

    1f89375dede098a5f59710c111594b8d

  • SHA1

    e782a9abdd7ceed63a6a10b83a16c278400f9b32

  • SHA256

    6f5b287c87ff655d6d07686fc8328e1c7e4dd2ca99caca5c757300a8d4b1940b

  • SHA512

    94e856096bb44e70cd04c308e5f2647cbc64990bb765d40e4e1fae9d1a0b3de3e7cfc6949297ebf19450ed2f11e2754bab55573f1d64ff1d7f599230c01ae960

  • SSDEEP

    6144:QQDn9LAsrPf1xTjlMk1y+fn0fTm6wJm2rrFOI:NDnx/zfjnH1x0fTm6wJm2rrh

Score
10/10
xenoratratspywarestealertrojan

Malware Config

Extracted

Family

xenorat

C2

91.92.248.167

Mutex

Dolid_rat_nd8859g

Attributes
  • delay

    60000

  • install_path

    appdata

  • port

    1280

  • startup_name

    dms

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe
    "C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3508
    • C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe
      "C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2840
      • C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe
        "C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5008
        • C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe
          "C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe"
          4⤵
          • Executes dropped EXE
          PID:1168
        • C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe
          "C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe"
          4⤵
          • Executes dropped EXE
          PID:2536
        • C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe
          "C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe"
          4⤵
          • Executes dropped EXE
          PID:3512
    • C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe
      "C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe"
      2⤵
        PID:3596
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 80
          3⤵
          • Program crash
          PID:1056
      • C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe
        "C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4092
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks.exe" /Create /TN "dms" /XML "C:\Users\Admin\AppData\Local\Temp\tmp56A7.tmp" /F
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:4568
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3596 -ip 3596
      1⤵
        PID:3464

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fechas de pago.scr.exe.log
        Filesize

        522B

        MD5

        8334a471a4b492ece225b471b8ad2fc8

        SHA1

        1cb24640f32d23e8f7800bd0511b7b9c3011d992

        SHA256

        5612afe347d8549cc95a0c710602bcc7d7b224361b613c0a6ba362092300c169

        SHA512

        56ae2e83355c331b00d782797f5664c2f373eac240e811aab978732503ae05eb20b08730d2427ed90efa5a706d71b42b57153596a45a6b5592e3dd9128b81c36

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\f3n1odhu.ov1
        Filesize

        152KB

        MD5

        73bd1e15afb04648c24593e8ba13e983

        SHA1

        4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91

        SHA256

        aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b

        SHA512

        6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\sra2tgk4.3hk
        Filesize

        124KB

        MD5

        9618e15b04a4ddb39ed6c496575f6f95

        SHA1

        1c28f8750e5555776b3c80b187c5d15a443a7412

        SHA256

        a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

        SHA512

        f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp56A7.tmp
        Filesize

        1KB

        MD5

        15353a3bb0a5c558a81376bcdfdc6ad6

        SHA1

        36156e5bd828094aacba26b60214420192009f01

        SHA256

        66d9195ec358a9736be2517f55b02206baa72c2d08512474f474773bbef6ef3a

        SHA512

        331585e484b39553b5bb51745db450f46b1b75c04610eb50d1824a3a25c29c1c235212b52b1772205ce5c80643a77ef78eba3c3999cf2828c3645862e06cabb4

        Download Submit

      • C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe
        Filesize

        239KB

        MD5

        1f89375dede098a5f59710c111594b8d

        SHA1

        e782a9abdd7ceed63a6a10b83a16c278400f9b32

        SHA256

        6f5b287c87ff655d6d07686fc8328e1c7e4dd2ca99caca5c757300a8d4b1940b

        SHA512

        94e856096bb44e70cd04c308e5f2647cbc64990bb765d40e4e1fae9d1a0b3de3e7cfc6949297ebf19450ed2f11e2754bab55573f1d64ff1d7f599230c01ae960

        Download Submit

      • memory/2840-11-0x0000000074EA0000-0x0000000075650000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2840-7-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2840-26-0x0000000074EA0000-0x0000000075650000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3508-6-0x00000000023A0000-0x00000000023A6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/3508-4-0x0000000074EA0000-0x0000000075650000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3508-5-0x0000000007FA0000-0x000000000803C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/3508-13-0x0000000074EA0000-0x0000000075650000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3508-3-0x0000000004AB0000-0x0000000004AEE000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3508-2-0x0000000002320000-0x0000000002326000-memory.dmp

        Filesize

        24KB

        Download

      • memory/3508-0-0x0000000074EAE000-0x0000000074EAF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3508-1-0x0000000000180000-0x00000000001C0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/4092-40-0x0000000006560000-0x0000000006722000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/4092-35-0x0000000074EA0000-0x0000000075650000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4092-38-0x0000000006020000-0x0000000006086000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4092-39-0x0000000006290000-0x000000000638A000-memory.dmp

        Filesize

        1000KB

        Download

      • memory/4092-41-0x0000000006410000-0x0000000006486000-memory.dmp

        Filesize

        472KB

        Download

      • memory/4092-42-0x0000000006490000-0x00000000064E0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4092-43-0x0000000006C60000-0x000000000718C000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/4092-44-0x0000000006880000-0x000000000689E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4092-14-0x0000000074EA0000-0x0000000075650000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4092-12-0x0000000074EA0000-0x0000000075650000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/5008-34-0x0000000074EA0000-0x0000000075650000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/5008-27-0x0000000074EA0000-0x0000000075650000-memory.dmp

        Filesize

        7.7MB

        Download