Malware Analysis Report

2024-08-06 18:12

Sample ID 240704-t128ja1flf
Target 202405187a072413981fe91978c58ae13cda3766ngrbotsnatch
SHA256 2b83224eb8a3b749f36c78780d727898233e371572269af2d0853c63d470cfee
Tags
xenorat evasion execution persistence privilege_escalation rat trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

2b83224eb8a3b749f36c78780d727898233e371572269af2d0853c63d470cfee

Threat Level: Known bad

The file 202405187a072413981fe91978c58ae13cda3766ngrbotsnatch was found to be: Known bad.

Malicious Activity Summary

xenorat evasion execution persistence privilege_escalation rat trojan

XenoRat

Modifies Windows Firewall

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Views/modifies file attributes

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

[Interactive matrix not captured on this page; the tactics it highlights are the tags listed in the summary above (evasion, execution, persistence, privilege_escalation) and the technique names appear as signature headings under behavioral2.]

Analysis: static1

Detonation Overview

Reported

2024-07-04 16:32

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-04 16:32

Reported

2024-07-04 16:38

Platform

win7-20240419-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\202405187a072413981fe91978c58ae13cda3766ngrbotsnatch.exe"

Signatures

N/A (the Windows 7 run recorded no behaviour beyond the initial process and no network or file activity; the full chain described under behavioral2 was observed only on the Windows 10 image)

Processes

C:\Users\Admin\AppData\Local\Temp\202405187a072413981fe91978c58ae13cda3766ngrbotsnatch.exe

"C:\Users\Admin\AppData\Local\Temp\202405187a072413981fe91978c58ae13cda3766ngrbotsnatch.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-04 16:32

Reported

2024-07-04 16:38

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\202405187a072413981fe91978c58ae13cda3766ngrbotsnatch.exe"

Signatures

XenoRat

trojan rat xenorat

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1434077063.exe | N/A

Low weight on its own: reading the Geo\Nation value is common in benign software as well; it matters here only because the process doing it is the dropped payload.

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1434077063.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\1434077063.exe | N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A

Caveat: every netsh.exe launch enumerates this key to load its helper DLLs, so the registry access by itself is normal. The report shows the key being read, not written; nothing here indicates that the sample registered its own helper DLL. The malicious part is the command line that launched netsh (see Processes below), which disables the firewall.

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\202405187a072413981fe91978c58ae13cda3766ngrbotsnatch.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (five instances) | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4432 wrote to memory of 1496 (x2) | N/A | C:\Users\Admin\AppData\Local\Temp\202405187a072413981fe91978c58ae13cda3766ngrbotsnatch.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4432 wrote to memory of 3632 (x2) | N/A | C:\Users\Admin\AppData\Local\Temp\202405187a072413981fe91978c58ae13cda3766ngrbotsnatch.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4432 wrote to memory of 3132 (x2) | N/A | C:\Users\Admin\AppData\Local\Temp\202405187a072413981fe91978c58ae13cda3766ngrbotsnatch.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4432 wrote to memory of 2084 (x2) | N/A | C:\Users\Admin\AppData\Local\Temp\202405187a072413981fe91978c58ae13cda3766ngrbotsnatch.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4432 wrote to memory of 1876 (x2) | N/A | C:\Users\Admin\AppData\Local\Temp\202405187a072413981fe91978c58ae13cda3766ngrbotsnatch.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4432 wrote to memory of 3020 (x2) | N/A | C:\Users\Admin\AppData\Local\Temp\202405187a072413981fe91978c58ae13cda3766ngrbotsnatch.exe | C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 4604 (x2) | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 4432 wrote to memory of 4372 (x2) | N/A | C:\Users\Admin\AppData\Local\Temp\202405187a072413981fe91978c58ae13cda3766ngrbotsnatch.exe | C:\Windows\system32\attrib.exe
PID 4432 wrote to memory of 60 (x3) | N/A | C:\Users\Admin\AppData\Local\Temp\202405187a072413981fe91978c58ae13cda3766ngrbotsnatch.exe | C:\Users\Admin\AppData\Local\Temp\1434077063.exe
PID 60 wrote to memory of 1908 (x3) | N/A | C:\Users\Admin\AppData\Local\Temp\1434077063.exe | C:\Users\Admin\AppData\Roaming\XenoManager\1434077063.exe
PID 1908 wrote to memory of 4360 (x3) | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\1434077063.exe | C:\Windows\SysWOW64\schtasks.exe

Identical rows have been collapsed with their count in parentheses. Every target here is a child the writing process had just spawned, so these events are the parent populating a new child's address space during process creation and give the parent/child relationships of the tree below; they are not evidence of injection into an unrelated process.

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\attrib.exe | N/A

Processes

Process tree reconstructed from the WriteProcessMemory parent/child pairs above (PIDs as recorded in behavioral2; the five powershell.exe instances are PIDs 1496, 3632, 3132, 2084 and 1876):

C:\Users\Admin\AppData\Local\Temp\202405187a072413981fe91978c58ae13cda3766ngrbotsnatch.exe (PID 4432, the dropper)
    "C:\Users\Admin\AppData\Local\Temp\202405187a072413981fe91978c58ae13cda3766ngrbotsnatch.exe"

  |- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
       powershell -Command Add-MpPreference -ExclusionExtension C:\Users\Admin\AppData\Local\Temp\*.exe
       (tries to exclude every .exe in the user's Temp directory from Defender scanning)

  |- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
       powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
       (turns off real-time, download/attachment and script scanning and network inspection, disables controlled folder access, puts network protection in audit-only mode, and stops cloud reporting and sample submission)

  |- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
       powershell Set-MpPreference -PUAProtection 0
       (0 = PUA protection disabled)

  |- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
       powershell Set-MpPreference -SubmitSamplesConsent 2
       (2 = NeverSend; repeats the earlier setting in numeric form)

  |- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
       powershell Set-MpPreference -DisableRealtimeMonitoring $true

  |- C:\Windows\system32\cmd.exe (PID 3020)
       cmd /C netsh advfirewall set allprofiles state off
     |- C:\Windows\system32\netsh.exe (PID 4604)
          netsh advfirewall set allprofiles state off
          (disables the Windows Firewall on the domain, private and public profiles)

  |- C:\Windows\system32\attrib.exe (PID 4372)
       attrib +h +s C:\Users\Admin\AppData\Local\Temp\202405187a072413981fe91978c58ae13cda3766ngrbotsnatch.exe
       (marks the dropper hidden and system so Explorer hides it by default)

  |- C:\Users\Admin\AppData\Local\Temp\1434077063.exe (PID 60, the dropped payload)
       C:\Users\Admin\AppData\Local\Temp\1434077063.exe
     |- C:\Users\Admin\AppData\Roaming\XenoManager\1434077063.exe (PID 1908, the payload re-launched from its install directory)
          "C:\Users\Admin\AppData\Roaming\XenoManager\1434077063.exe"
        |- C:\Windows\SysWOW64\schtasks.exe (PID 4360)
             "schtasks.exe" /Create /TN "XenoUpdateManager" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9B94.tmp" /F
             (registers the persistence task from a dropped XML definition; /F overwrites any existing task of that name)

Reading the tree: the dropper first blinds Defender and the firewall, hides itself, then runs the payload, which copies itself to %APPDATA%\XenoManager and installs a scheduled task. The payload launching schtasks.exe from SysWOW64 rather than System32 shows it is a 32-bit process, which agrees with the CLR_v4.0_32 usage log under Files.
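The command lines above form a recognisable tampering chain that is easier to catch than the RAT itself. The PowerShell below is an added example (not part of the sandbox report and not vendor tooling) that matches process-creation command lines against that chain. The "Image|CommandLine" event format, the rule names and the function names Get-EvasionFindings and Get-EvasionChainVerdict are assumptions for this demo; the sample events are constructed from the command lines in this report plus benign noise that must not match.

```powershell
# Added example (not from the report): detect the Defender/firewall/persistence
# tampering chain seen in behavioral2 from process-creation command lines
# (Sysmon Event ID 1 or Security 4688). Event format "<Image>|<CommandLine>" is
# an assumption for this demo; adapt the split below to your log source.
# Rule names and function names are hypothetical.

$EvasionRules = @(
    @{ Name    = 'Defender exclusion added'
       Pattern = 'Add-MpPreference\s+-Exclusion(Path|Extension|Process)\b' }
    @{ Name    = 'Defender feature disabled'
       Pattern = 'Set-MpPreference\b.*(-Disable\w+\s+\$?true|-PUAProtection\s+(0|Disabled)|-EnableControlledFolderAccess\s+(0|Disabled))' }
    @{ Name    = 'Defender cloud telemetry silenced'
       Pattern = 'Set-MpPreference\b.*(-MAPSReporting\s+(0|Disabled)|-SubmitSamplesConsent\s+(2|NeverSend))' }
    @{ Name    = 'Windows Firewall disabled'
       Pattern = 'netsh\s+advfirewall\s+set\s+allprofiles\s+state\s+off' }
    @{ Name    = 'Executable hidden with attrib'
       Pattern = 'attrib(\.exe)?\s+(\+[hs]\s+){1,2}.*\.exe' }
    @{ Name    = 'Scheduled task registered from Temp XML'
       Pattern = 'schtasks(\.exe)?.*/Create\b.*/XML\s+"?[^"]*\\Temp\\' }
)

# Constructed sample events: the command lines from this report plus benign noise.
$SampleEvents = @(
    'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -Command Add-MpPreference -ExclusionExtension C:\Users\Admin\AppData\Local\Temp\*.exe'
    'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend'
    'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell Set-MpPreference -PUAProtection 0'
    'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell Set-MpPreference -SubmitSamplesConsent 2'
    'C:\Windows\system32\netsh.exe|netsh advfirewall set allprofiles state off'
    'C:\Windows\system32\attrib.exe|attrib +h +s C:\Users\Admin\AppData\Local\Temp\202405187a072413981fe91978c58ae13cda3766ngrbotsnatch.exe'
    'C:\Windows\SysWOW64\schtasks.exe|"schtasks.exe" /Create /TN "XenoUpdateManager" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9B94.tmp" /F'
    # Benign noise that must not fire any rule:
    'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell Get-MpPreference'
    'C:\Windows\system32\netsh.exe|netsh advfirewall show allprofiles'
    'C:\Windows\system32\attrib.exe|attrib -r C:\Users\Admin\Documents\notes.txt'
)

function Get-EvasionFindings {
    # Emits one finding per (event, rule) match; -match is case-insensitive by default.
    param([Parameter(Mandatory)][string[]]$Events)
    foreach ($entry in $Events) {
        $image, $commandLine = $entry -split '\|', 2
        foreach ($rule in $EvasionRules) {
            if ($commandLine -match $rule.Pattern) {
                [pscustomobject]@{ Rule = $rule.Name; Image = $image; CommandLine = $commandLine }
            }
        }
    }
}

function Get-EvasionChainVerdict {
    # A single rule hit can be an admin; several distinct hits in one session is the chain.
    param([object[]]$Findings, [int]$Threshold = 3)
    $rulesHit = @($Findings | Select-Object -ExpandProperty Rule -Unique)
    [pscustomobject]@{
        DistinctRules = $rulesHit.Count
        Escalate      = ($rulesHit.Count -ge $Threshold)
        Rules         = ($rulesHit -join '; ')
    }
}

$findings = Get-EvasionFindings -Events $SampleEvents
$findings | Format-Table Rule, Image -AutoSize
Get-EvasionChainVerdict -Findings $findings
```

Against the constructed sample the seven malicious lines produce eight findings (the long Set-MpPreference line hits both the "feature disabled" and the "telemetry silenced" rule), all six rules fire, and the verdict escalates; the three benign lines produce nothing. In production, group findings by session or parent PID and a short time window before applying the threshold, since the individual commands are also legitimate administration.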

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 69.46.15.141:4444 | (none) | tcp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 69.46.15.141:4444 | (none) | tcp
US | 69.46.15.141:4444 | (none) | tcp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 69.46.15.141:4444 | (none) | tcp

The in-addr.arpa entries are reverse (PTR) lookups for addresses that do not otherwise appear in the capture; this table does not tie them to the sample's processes, so treat them as background noise. The actionable indicator is the four TCP sessions to 69.46.15.141:4444: the RAT connects straight to a hard-coded address, with no A/AAAA query before it, which is consistent with its command-and-control channel. Block the address and alert on outbound TCP/4444 to it, keeping in mind that a rebuilt payload can change both.

Files

memory/1496-0-0x00007FF816413000-0x00007FF816415000-memory.dmp

memory/1496-1-0x000001E676870000-0x000001E676892000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ayncldis.z0w.ps1 (written by PowerShell itself at startup to probe AppLocker/WDAC script policy; a by-product of the powershell.exe launches, not sample code)

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1496-11-0x00007FF816410000-0x00007FF816ED1000-memory.dmp

memory/1496-12-0x00007FF816410000-0x00007FF816ED1000-memory.dmp

memory/1496-15-0x00007FF816410000-0x00007FF816ED1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (.NET runtime usage log for the 64-bit powershell.exe processes; benign)

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/3632-26-0x00007FF816410000-0x00007FF816ED1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (PowerShell's own startup profile cache, rewritten by each non-interactive launch; the four copies below are this file as it existed after successive launches)

MD5 2979eabc783eaca50de7be23dd4eafcf
SHA1 d709ce5f3a06b7958a67e20870bfd95b83cad2ea
SHA256 006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903
SHA512 92bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba

memory/3632-28-0x00007FF816410000-0x00007FF816ED1000-memory.dmp

memory/3632-29-0x00007FF816410000-0x00007FF816ED1000-memory.dmp

memory/3632-31-0x00007FF816410000-0x00007FF816ED1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 60945d1a2e48da37d4ce8d9c56b6845a
SHA1 83e80a6acbeb44b68b0da00b139471f428a9d6c1
SHA256 314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3
SHA512 5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7d938922c60b82c232e1dc1d2cb172d6
SHA1 8c5546fbca478815e77f5dff30fe00e5e5fd6a9a
SHA256 463e9ebf5171ef9ead61019e5fa863ecd958d4390e88079394a98c050ad32a1f
SHA512 479ac4d43bcaea8059ff4ae9023e35f81e2d04eba16b3bec76c1b198891b2b8ea27a03e3862ca73dbe2e98dae5538b007df8418f10c2e3f52c93bcbbae10f105

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 721991167161c45d61b03e4dbad4984b
SHA1 fd3fa85d142b5e8d4906d3e5bfe10c5347958457
SHA256 0a7be18529bdbed6fc9f36118a6147920d31099ee0fb5a2a8b6b934d1b9bcefb
SHA512 f1aa4f8e48eeb5b5279530d8557cb292a08b25ad46af0dd072130c395127f6c064c88b04910c626c13f22462104ac3d36fa0d4064fff0ec7528922df54ecdcf0

C:\Users\Admin\AppData\Local\Temp\1434077063.exe (the dropped RAT payload; run from Temp, then copied to C:\Users\Admin\AppData\Roaming\XenoManager\1434077063.exe, for which this report gives no separate hash)

MD5 6bc7ab284910610872d47f9cf42a8d55
SHA1 0e774a524c0a4043c7988edef661ff9902fcceef
SHA256 aa46487f9722d672ebcbdbd473d175ebe2608b5ac9cea822f33661fc43fa7cfc
SHA512 97eb72a54a4a1c98a0338b77e12d9101bdf2b717ef345f9fe9c2e67066b94cbea48ede706a8995900fbd0e9ca42f27f7e2bbb676c6fbd427e9e9c6a01f152915

memory/60-71-0x0000000000010000-0x0000000000028000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1434077063.exe.log (32-bit CLR usage log: the payload is a 32-bit .NET assembly, which is why it launched schtasks.exe from SysWOW64)

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

C:\Users\Admin\AppData\Local\Temp\tmp9B94.tmp (the scheduled-task XML definition passed to schtasks /Create /XML for the XenoUpdateManager task; its contents are not reproduced in this report)

MD5 0ca9b94e20b8c96fb1b6fb673c27a799
SHA1 b725392cae47d6ab9351d86d6b54e0c700165d48
SHA256 91e9db58b8c14867e120a3f0e299d9edbde1b356de5fad3132a56a51c5e2fb28
SHA512 50008a7bf84e3d66b41186cc140a4a0a8bba9244b3b7a7525e4068e9f5471831fa750be7df5120a7b60a024a0f377d77c7dffb734e15c2f75820bed4e3c7509f
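To check a live host for what this report describes, the Processes, Network and Files sections together give a concrete artifact list: the Defender preferences that were changed, the firewall profiles that were switched off, the XenoUpdateManager task and its dropped XML, the %APPDATA%\XenoManager copy, the hidden+system dropper in Temp, and the C2 endpoint. The script below is an added example (not part of the report) that walks those checks on a host; the C2 address, task name, install directory and payload hash are taken from this report, while the function names, the $Iocs table layout and the finding format are assumptions for this demo. Run it elevated for complete results.

```powershell
# Added example (not from the report): host triage for the artifacts attributed to
# this sample. IOC values come from the report; function names, the $Iocs layout
# and the finding shape are assumptions for this demo. Run elevated.

$Iocs = @{
    C2Address     = '69.46.15.141'
    C2Port        = 4444
    TaskName      = 'XenoUpdateManager'
    InstallDir    = (Join-Path $env:APPDATA 'XenoManager')
    PayloadSha256 = 'AA46487F9722D672EBCBDBD473D175EBE2608B5AC9CEA822F33661FC43FA7CFC'
}

function New-Finding([string]$Check, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Detail = $Detail }
}

function Test-DefenderTampering {
    # Mirrors the Set-MpPreference / Add-MpPreference switches seen in the process tree.
    $p = Get-MpPreference
    if ($p.DisableRealtimeMonitoring)        { New-Finding 'Defender' 'Real-time monitoring disabled' }
    if ($p.DisableIOAVProtection)            { New-Finding 'Defender' 'Download/attachment (IOAV) scanning disabled' }
    if ($p.DisableScriptScanning)            { New-Finding 'Defender' 'Script scanning disabled' }
    if ($p.DisableIntrusionPreventionSystem) { New-Finding 'Defender' 'Network inspection (IPS) disabled' }
    if ($p.MAPSReporting -eq 0)              { New-Finding 'Defender' 'MAPS cloud reporting disabled' }
    if ($p.SubmitSamplesConsent -eq 2)       { New-Finding 'Defender' 'Sample submission set to NeverSend' }
    if ($p.PUAProtection -eq 0)              { New-Finding 'Defender' 'PUA protection disabled' }
    foreach ($excl in @($p.ExclusionExtension) + @($p.ExclusionPath)) {
        if ($excl -and $excl -match 'Temp|\*\.exe') { New-Finding 'Defender' "Suspicious exclusion: $excl" }
    }
}

function Test-FirewallState {
    # "netsh advfirewall set allprofiles state off" leaves all three profiles disabled.
    Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'False' } |
        ForEach-Object { New-Finding 'Firewall' "Profile '$($_.Name)' is disabled" }
}

function Test-Persistence {
    $task = Get-ScheduledTask -TaskName $Iocs.TaskName -ErrorAction SilentlyContinue
    if ($task) {
        # The XML given to schtasks /XML is what the task still carries; read the action from it.
        $xml = [xml](Export-ScheduledTask -TaskName $Iocs.TaskName -TaskPath $task.TaskPath)
        New-Finding 'ScheduledTask' "$($Iocs.TaskName) runs: $($xml.Task.Actions.Exec.Command)"
    }
    if (Test-Path $Iocs.InstallDir) {
        Get-ChildItem $Iocs.InstallDir -Force -File | ForEach-Object {
            $hash  = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
            $match = if ($hash -eq $Iocs.PayloadSha256) { 'matches report hash' } else { 'hash differs from report' }
            New-Finding 'DroppedFile' "$($_.FullName) ($match)"
        }
    }
    # Hidden+system executables under %TEMP%, as left behind by "attrib +h +s".
    Get-ChildItem $env:TEMP -Force -File -Filter *.exe -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
                       $_.Attributes.HasFlag([IO.FileAttributes]::System) } |
        ForEach-Object { New-Finding 'HiddenExe' $_.FullName }
}

function Test-NetshHelpers {
    # Every netsh launch reads this key; only helper values pointing outside System32 are suspicious.
    $key = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NetSh' -ErrorAction SilentlyContinue
    foreach ($prop in $key.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }
        if ("$($prop.Value)" -match '\\' -and "$($prop.Value)" -notlike "$env:SystemRoot\System32\*") {
            New-Finding 'NetshHelper' "$($prop.Name) = $($prop.Value)"
        }
    }
}

function Test-C2Connection {
    Get-NetTCPConnection -RemoteAddress $Iocs.C2Address -RemotePort $Iocs.C2Port -ErrorAction SilentlyContinue |
        ForEach-Object { New-Finding 'C2' "PID $($_.OwningProcess) -> $($_.RemoteAddress):$($_.RemotePort) ($($_.State))" }
}

$findings = @(Test-DefenderTampering; Test-FirewallState; Test-Persistence; Test-NetshHelpers; Test-C2Connection)
if ($findings.Count -eq 0) { 'No artifacts from this report found on this host' } else { $findings | Format-Table -AutoSize }
```

A clean host returns no findings. Note what the checks can and cannot prove: a disabled firewall profile or a Temp exclusion is a strong sign of tampering but not proof of this sample, whereas the XenoUpdateManager task, the XenoManager directory with a matching hash, or a live connection to 69.46.15.141:4444 ties the host to this report directly. If the payload has been rebuilt, expect the hash and possibly the C2 endpoint to differ while the Defender and firewall changes stay the same.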