Overview

overview

10

Static

static

3

fechas de ...cr.exe

windows7-x64

10

fechas de ...cr.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    04-07-2024 11:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fechas de pago.scr.exe

  • Size

    240KB

  • MD5

    cc5b6e9deec470d26e074859ca794aca

  • SHA1

    0cf0d409f644c3712299b0c91ea249537d51ff45

  • SHA256

    249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99

  • SHA512

    bd97b5d8ef82d68dc1d0a2162375a6515b927be95e99dd6a4a725172da885eff4e162d80ad4bbac30b579d6e9fa3d6d73f452716239d61b7c01803afa653959d

  • SSDEEP

    6144:suCZay34VffBhW5JDo4mLDiBRnB7/Z8rnA++gQj79toI:JCF0f/O+4m6vkrnA++gQj79T

Score
10/10
xenoratratspywarestealertrojan

Malware Config

Extracted

Family

xenorat

C2

91.92.248.167

Mutex

Dolid_rat_nd8859g

Attributes
  • delay

    60000

  • install_path

    appdata

  • port

    1280

  • startup_name

    dms

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe
    "C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe
      "C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2980
      • C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe
        "C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2064
        • C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe
          "C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe"
          4⤵
          • Executes dropped EXE
          PID:2968
        • C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe
          "C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe"
          4⤵
          • Executes dropped EXE
          PID:2560
        • C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe
          "C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe"
          4⤵
          • Executes dropped EXE
          PID:2620
    • C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe
      "C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2132
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "dms" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFF94.tmp" /F
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2516
    • C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe
      "C:\Users\Admin\AppData\Local\Temp\fechas de pago.scr.exe"
      2⤵
        PID:2156

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpFF94.tmp
      Filesize

      1KB

      MD5

      15353a3bb0a5c558a81376bcdfdc6ad6

      SHA1

      36156e5bd828094aacba26b60214420192009f01

      SHA256

      66d9195ec358a9736be2517f55b02206baa72c2d08512474f474773bbef6ef3a

      SHA512

      331585e484b39553b5bb51745db450f46b1b75c04610eb50d1824a3a25c29c1c235212b52b1772205ce5c80643a77ef78eba3c3999cf2828c3645862e06cabb4

      Download Submit
    • C:\Users\Admin\AppData\Roaming\XenoManager\fechas de pago.scr.exe
      Filesize

      240KB

      MD5

      cc5b6e9deec470d26e074859ca794aca

      SHA1

      0cf0d409f644c3712299b0c91ea249537d51ff45

      SHA256

      249ff1abee706220f65aa47ef1c839a44b54979466ac531231858c6cf8e50e99

      SHA512

      bd97b5d8ef82d68dc1d0a2162375a6515b927be95e99dd6a4a725172da885eff4e162d80ad4bbac30b579d6e9fa3d6d73f452716239d61b7c01803afa653959d

      Download Submit
    • memory/1732-5-0x00000000002C0000-0x00000000002C6000-memory.dmp
      Filesize

      24KB

      Download
    • memory/1732-4-0x0000000073EC0000-0x00000000745AE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1732-0-0x0000000073ECE000-0x0000000073ECF000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1732-3-0x0000000000680000-0x00000000006BE000-memory.dmp
      Filesize

      248KB

      Download
    • memory/1732-2-0x00000000002B0000-0x00000000002B6000-memory.dmp
      Filesize

      24KB

      Download
    • memory/1732-1-0x0000000000D30000-0x0000000000D70000-memory.dmp
      Filesize

      256KB

      Download
    • memory/1732-19-0x0000000073EC0000-0x00000000745AE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2064-29-0x0000000000C40000-0x0000000000C80000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2132-45-0x0000000073EC0000-0x00000000745AE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2132-65-0x0000000073EC0000-0x00000000745AE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2132-49-0x00000000054E0000-0x00000000055DA000-memory.dmp
      Filesize

      1000KB

      Download
    • memory/2132-26-0x0000000073EC0000-0x00000000745AE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2132-48-0x0000000073EC0000-0x00000000745AE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2980-16-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2980-28-0x0000000073EC0000-0x00000000745AE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2980-21-0x0000000073EC0000-0x00000000745AE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2980-8-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2980-6-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download