Analysis Overview
SHA256: 0b9145613da75b127de6d9f0094a7b2813e3c8c651aec50aee83c1e722e63be3
Threat Level: Known bad
The file Calendario_de_Pago.exe was found to be: Known bad.
Malicious Activity Summary
XenorRat
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Unsigned PE
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported: 2024-07-04 11:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-07-04 11:41
Reported: 2024-07-04 11:43
Platform: win7-20240220-en
Max time kernel: 149s
Max time network: 120s
Command Line
Signatures
XenorRat
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afgsfxf.sfx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afgsfxf.sfx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afgsfxf.sfx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afgsfxf.sfx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afgsfxf.sfx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1476 set thread context of 1888 | N/A | C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe | C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe |
| PID 1476 set thread context of 1564 | N/A | C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe | C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe |
| PID 1876 set thread context of 2480 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe | C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe |
| PID 1876 set thread context of 2680 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe | C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\Calendario_de_Pago.exe | "C:\Users\Admin\AppData\Local\Temp\Calendario_de_Pago.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\budshpdig.bat" " |
| C:\Users\Admin\AppData\Local\Temp\afgsfxf.sfx.exe | afgsfxf.sfx.exe -pthngaqwscpolkmBuiofxvflfadfdyehngfszafugyRhvqxsHbgnmeYiorhn -dC:\Users\Admin\AppData\Local\Temp |
| C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe | "C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe" |
| C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe | C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe |
| C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe | C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe |
| C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe | "C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe" |
| C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe | C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe |
| C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe | C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe |
| C:\Windows\SysWOW64\schtasks.exe | "schtasks.exe" /Create /TN "setting" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3736.tmp" /F |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | salutoepiesircam.sytes.net | udp |
Files
C:\Users\Admin\AppData\Local\Temp\budshpdig.bat
| Hash | Value |
|---|---|
| MD5 | 3c7b48100b1343fb5e491b6e25b3f973 |
| SHA1 | c1f0101ce56b77b1e62d5cd8eedb058039a6a6f1 |
| SHA256 | 82af508a479aa7eb3710995954c09308b5610f141f65c57c296b19b2fa218a4b |
| SHA512 | 989df1b3bfea4de6bda4bed0a027dc280d905dbffe6e7573f65b3acfc708f58fce83da939f8952e5ffa4b7c0f539e4a4b16bc409670513a643af95d6147b6108 |
C:\Users\Admin\AppData\Local\Temp\afgsfxf.sfx.exe
| Hash | Value |
|---|---|
| MD5 | b0f7c04b2eeecc36eaf4b8028f039fca |
| SHA1 | f4215f7f99a94bc0f11caed46fba0f5b6d894bf3 |
| SHA256 | 49189308da7b2d7038fc3cae77c4bffa62420b07ca4b833c85299f82d1e0dbf0 |
| SHA512 | ee91d628a5dd338bad371018f5593d83e246c173b6c6aa8dcca6f5be37b06013417f01a8583baf7379f782c83e836fb385bdb20b5bad79484b8b4c0a407cce27 |
C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe
| Hash | Value |
|---|---|
| MD5 | e1dc7c5bc0e25c682383ed45a4f1b62d |
| SHA1 | efb65a80c919f0c3b7d20f7e6936c4ed1bc39526 |
| SHA256 | 8698d7bb5416fc8975a61be1f58793bd93ce9a611b0934ba9c1c7bfbd48d5ad6 |
| SHA512 | a194d7142c92ab1de1fc2c35d350a968085e116fa15dfda722c28c597eb33e0548de18717c48d308e6953cfbfc9c10996b2bcbc21ce60e5cb2c43fe860772dfc |
C:\Users\Admin\AppData\Local\Temp\tmp3736.tmp
| Hash | Value |
|---|---|
| MD5 | 4ca9b69da92c5e2bccf63c0e57f8888d |
| SHA1 | 3812235f99f0f0685ecf6566816c8d0182601163 |
| SHA256 | 0320bb6bdd7e13012024f1239019036e8707883cc208e2a9d63827568e4ee18e |
| SHA512 | c912aef98bb83d9c6784574b01defd757f49a70079762d94961ee503a46b31502361bb067e345fcad733afd5f06dd00c6f6e8c98e7d010e96a7779ae6fb9853d |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-07-04 11:41
Reported: 2024-07-04 11:43
Platform: win10v2004-20240508-en
Max time kernel: 141s
Max time network: 143s
Command Line
Signatures
XenorRat
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Calendario_de_Pago.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\afgsfxf.sfx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afgsfxf.sfx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4704 set thread context of 448 | N/A | C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe | C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe |
| PID 4704 set thread context of 4732 | N/A | C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe | C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe |
| PID 1352 set thread context of 4464 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe | C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe |
| PID 1352 set thread context of 4396 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe | C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\Calendario_de_Pago.exe | "C:\Users\Admin\AppData\Local\Temp\Calendario_de_Pago.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\budshpdig.bat" " |
| C:\Users\Admin\AppData\Local\Temp\afgsfxf.sfx.exe | afgsfxf.sfx.exe -pthngaqwscpolkmBuiofxvflfadfdyehngfszafugyRhvqxsHbgnmeYiorhn -dC:\Users\Admin\AppData\Local\Temp |
| C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe | "C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe" |
| C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe | C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe |
| C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe | C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe |
| C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe | "C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe" |
| C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe | C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe |
| C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe | C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4464 -ip 4464 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 80 |
| C:\Windows\SysWOW64\schtasks.exe | "schtasks.exe" /Create /TN "setting" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5DFE.tmp" /F |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | salutoepiesircam.sytes.net | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | salutoepiesircam.sytes.net | udp |
| US | 8.8.8.8:53 | salutoepiesircam.sytes.net | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | salutoepiesircam.sytes.net | udp |
| US | 8.8.8.8:53 | salutoepiesircam.sytes.net | udp |
| US | 8.8.8.8:53 | salutoepiesircam.sytes.net | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | salutoepiesircam.sytes.net | udp |
| US | 8.8.8.8:53 | salutoepiesircam.sytes.net | udp |
| US | 8.8.8.8:53 | salutoepiesircam.sytes.net | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | salutoepiesircam.sytes.net | udp |
| US | 8.8.8.8:53 | salutoepiesircam.sytes.net | udp |
| US | 8.8.8.8:53 | salutoepiesircam.sytes.net | udp |
| US | 8.8.8.8:53 | salutoepiesircam.sytes.net | udp |
| US | 8.8.8.8:53 | salutoepiesircam.sytes.net | udp |
Files
C:\Users\Admin\AppData\Local\Temp\budshpdig.bat
| Hash | Value |
|---|---|
| MD5 | 3c7b48100b1343fb5e491b6e25b3f973 |
| SHA1 | c1f0101ce56b77b1e62d5cd8eedb058039a6a6f1 |
| SHA256 | 82af508a479aa7eb3710995954c09308b5610f141f65c57c296b19b2fa218a4b |
| SHA512 | 989df1b3bfea4de6bda4bed0a027dc280d905dbffe6e7573f65b3acfc708f58fce83da939f8952e5ffa4b7c0f539e4a4b16bc409670513a643af95d6147b6108 |
C:\Users\Admin\AppData\Local\Temp\afgsfxf.sfx.exe
| Hash | Value |
|---|---|
| MD5 | b0f7c04b2eeecc36eaf4b8028f039fca |
| SHA1 | f4215f7f99a94bc0f11caed46fba0f5b6d894bf3 |
| SHA256 | 49189308da7b2d7038fc3cae77c4bffa62420b07ca4b833c85299f82d1e0dbf0 |
| SHA512 | ee91d628a5dd338bad371018f5593d83e246c173b6c6aa8dcca6f5be37b06013417f01a8583baf7379f782c83e836fb385bdb20b5bad79484b8b4c0a407cce27 |
C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe
| Hash | Value |
|---|---|
| MD5 | e1dc7c5bc0e25c682383ed45a4f1b62d |
| SHA1 | efb65a80c919f0c3b7d20f7e6936c4ed1bc39526 |
| SHA256 | 8698d7bb5416fc8975a61be1f58793bd93ce9a611b0934ba9c1c7bfbd48d5ad6 |
| SHA512 | a194d7142c92ab1de1fc2c35d350a968085e116fa15dfda722c28c597eb33e0548de18717c48d308e6953cfbfc9c10996b2bcbc21ce60e5cb2c43fe860772dfc |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\afgsfxf.exe.log
| Hash | Value |
|---|---|
| MD5 | d95c58e609838928f0f49837cab7dfd2 |
| SHA1 | 55e7139a1e3899195b92ed8771d1ca2c7d53c916 |
| SHA256 | 0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339 |
| SHA512 | 405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d |
C:\Users\Admin\AppData\Local\Temp\tmp5DFE.tmp
| Hash | Value |
|---|---|
| MD5 | 4ca9b69da92c5e2bccf63c0e57f8888d |
| SHA1 | 3812235f99f0f0685ecf6566816c8d0182601163 |
| SHA256 | 0320bb6bdd7e13012024f1239019036e8707883cc208e2a9d63827568e4ee18e |
| SHA512 | c912aef98bb83d9c6784574b01defd757f49a70079762d94961ee503a46b31502361bb067e345fcad733afd5f06dd00c6f6e8c98e7d010e96a7779ae6fb9853d |