Malware Analysis Report

2024-08-06 18:12

Sample ID 240704-twb6js1epe
Target 03.eml
SHA256 b0133c97a9a0544fa87b9dede635be6a34c6352e3ab359a282702a782184571e
Tags
xenorat rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b0133c97a9a0544fa87b9dede635be6a34c6352e3ab359a282702a782184571e

Threat Level: Known bad

The file 03.eml was found to be: Known bad.

Malicious Activity Summary

xenorat rat trojan

XenorRat

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Persistence
TA0003
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Privilege Escalation
TA0004
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-07-04 16:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-04 16:24

Reported

2024-07-04 16:27

Platform

win7-20240221-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Pago652024.exe"

Signatures

XenorRat

trojan rat xenorat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2968 set thread context of 1988 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 2968 set thread context of 1980 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 2968 set thread context of 2572 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 2396 set thread context of 2052 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 2396 set thread context of 2492 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 2396 set thread context of 2916 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2968 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 2968 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 2968 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 2968 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 2968 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 2968 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 2968 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 2968 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 2968 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 2968 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 2968 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 2968 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 2968 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 2968 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 2968 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 2968 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 2968 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 2968 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 2968 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 2968 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 2968 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 2968 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 2968 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 2968 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 2968 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 2968 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 2968 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 1988 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 1988 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 1988 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 1988 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 2396 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 2396 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 2396 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 2396 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 2396 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 2396 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 2396 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 2396 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 2396 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 2396 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 2396 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 2396 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 2396 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 2396 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 2396 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 2396 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 2396 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 2396 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 2396 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 2396 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 2396 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 2396 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 2396 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 2396 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 2396 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 2396 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 2396 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 1980 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Windows\SysWOW64\schtasks.exe
PID 1980 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Windows\SysWOW64\schtasks.exe
PID 1980 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Windows\SysWOW64\schtasks.exe
PID 1980 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Pago652024.exe

"C:\Users\Admin\AppData\Local\Temp\Pago652024.exe"

C:\Users\Admin\AppData\Local\Temp\Pago652024.exe

C:\Users\Admin\AppData\Local\Temp\Pago652024.exe

C:\Users\Admin\AppData\Local\Temp\Pago652024.exe

C:\Users\Admin\AppData\Local\Temp\Pago652024.exe

C:\Users\Admin\AppData\Local\Temp\Pago652024.exe

C:\Users\Admin\AppData\Local\Temp\Pago652024.exe

C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe

C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe

C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe

C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe

C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe

C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "mns" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2211.tmp" /F

Network

Country Destination Domain Proto
NL 91.92.248.167:1278 tcp
NL 91.92.248.167:1278 tcp
NL 91.92.248.167:1278 tcp

Files

memory/2968-0-0x000000007469E000-0x000000007469F000-memory.dmp

memory/2968-1-0x0000000000030000-0x000000000006C000-memory.dmp

memory/2968-2-0x0000000000300000-0x0000000000306000-memory.dmp

memory/2968-3-0x0000000000620000-0x000000000065A000-memory.dmp

memory/2968-4-0x0000000074690000-0x0000000074D7E000-memory.dmp

memory/2968-5-0x0000000000420000-0x0000000000426000-memory.dmp

memory/1988-6-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1980-13-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1988-16-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1988-22-0x0000000074690000-0x0000000074D7E000-memory.dmp

memory/2968-23-0x0000000074690000-0x0000000074D7E000-memory.dmp

memory/1980-24-0x0000000074690000-0x0000000074D7E000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe

MD5 8a522f9786f61b5bd677d7a8ed6bd1aa
SHA1 06fdb9d40c9b6448fd8c1a47595eb3e8b3e9ed29
SHA256 e4d55c94e2904333166dc800a24bb13f97f8ceaf8815bbc133f3ac40dd4211f2
SHA512 e79c2be732536b4db756280d889b2021b31396ec669368796d507d7238be27984239d367bf22d9d1dea615b85b5b5b96677a08a383e28272a432988e537deabd

memory/2396-32-0x00000000002E0000-0x000000000031C000-memory.dmp

memory/1988-33-0x0000000074690000-0x0000000074D7E000-memory.dmp

memory/1980-44-0x0000000074690000-0x0000000074D7E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp2211.tmp

MD5 831f29adcdc8c602266b3fb65f01b1c5
SHA1 092247b5233f6c748f9bf715939134b0f1836655
SHA256 6b533eb2c748b5994edcece75c7d339bc4fcbc2a3a0f8bb797017b6380d5c6d0
SHA512 00fd058322514a9c846d57ed59d3cdc497f2a16b061c72cb20e65f51529225be406640f6620121131fddfb3bbe21e5592e0b74b0f6e47126933e4e4cb42a90c2

memory/1980-47-0x0000000074690000-0x0000000074D7E000-memory.dmp

memory/1980-48-0x0000000074690000-0x0000000074D7E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-04 16:24

Reported

2024-07-04 16:27

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Pago652024.exe"

Signatures

XenorRat

trojan rat xenorat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1692 set thread context of 2236 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 1692 set thread context of 1020 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 1692 set thread context of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 3016 set thread context of 3488 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 3016 set thread context of 4488 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 3016 set thread context of 5080 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1692 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 1692 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 1692 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 1692 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 1692 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 1692 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 1692 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 1692 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 1692 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 1692 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 1692 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 1692 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 1692 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 1692 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 1692 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 1692 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 1692 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 1692 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 1692 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 1692 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 1692 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 1692 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 1692 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 1692 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Local\Temp\Pago652024.exe
PID 2236 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 2236 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 2236 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 3016 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 3016 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 3016 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 3016 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 3016 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 3016 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 3016 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 3016 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 3016 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 3016 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 3016 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 3016 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 3016 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 3016 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 3016 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 3016 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 3016 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 3016 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 3016 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 3016 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 3016 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 3016 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 3016 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 3016 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe
PID 3688 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Windows\SysWOW64\schtasks.exe
PID 3688 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Windows\SysWOW64\schtasks.exe
PID 3688 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\Pago652024.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Pago652024.exe

"C:\Users\Admin\AppData\Local\Temp\Pago652024.exe"

C:\Users\Admin\AppData\Local\Temp\Pago652024.exe

C:\Users\Admin\AppData\Local\Temp\Pago652024.exe

C:\Users\Admin\AppData\Local\Temp\Pago652024.exe

C:\Users\Admin\AppData\Local\Temp\Pago652024.exe

C:\Users\Admin\AppData\Local\Temp\Pago652024.exe

C:\Users\Admin\AppData\Local\Temp\Pago652024.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1020 -ip 1020

C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 80

C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe

C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe

C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe

C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe

C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe

C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4488 -ip 4488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 80

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "mns" /XML "C:\Users\Admin\AppData\Local\Temp\tmp35F0.tmp" /F

Network

Country Destination Domain Proto
NL 91.92.248.167:1278 tcp
NL 91.92.248.167:1278 tcp
NL 91.92.248.167:1278 tcp

Files

memory/1692-0-0x00000000746DE000-0x00000000746DF000-memory.dmp

memory/1692-1-0x0000000000500000-0x000000000053C000-memory.dmp

memory/1692-2-0x0000000002990000-0x0000000002996000-memory.dmp

memory/1692-4-0x000000000DA40000-0x000000000DA7A000-memory.dmp

memory/1692-3-0x00000000746D0000-0x0000000074E80000-memory.dmp

memory/1692-5-0x000000000DB20000-0x000000000DBBC000-memory.dmp

memory/1692-6-0x000000000E170000-0x000000000E714000-memory.dmp

memory/1692-7-0x000000000DC60000-0x000000000DCF2000-memory.dmp

memory/1692-8-0x0000000002920000-0x0000000002926000-memory.dmp

memory/2236-9-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2236-14-0x00000000746D0000-0x0000000074E80000-memory.dmp

memory/1692-15-0x00000000746D0000-0x0000000074E80000-memory.dmp

memory/3688-16-0x00000000746D0000-0x0000000074E80000-memory.dmp

memory/3688-17-0x00000000746D0000-0x0000000074E80000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\Pago652024.exe

MD5 8a522f9786f61b5bd677d7a8ed6bd1aa
SHA1 06fdb9d40c9b6448fd8c1a47595eb3e8b3e9ed29
SHA256 e4d55c94e2904333166dc800a24bb13f97f8ceaf8815bbc133f3ac40dd4211f2
SHA512 e79c2be732536b4db756280d889b2021b31396ec669368796d507d7238be27984239d367bf22d9d1dea615b85b5b5b96677a08a383e28272a432988e537deabd

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Pago652024.exe.log

MD5 d95c58e609838928f0f49837cab7dfd2
SHA1 55e7139a1e3899195b92ed8771d1ca2c7d53c916
SHA256 0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339
SHA512 405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

memory/2236-29-0x00000000746D0000-0x0000000074E80000-memory.dmp

memory/3016-30-0x00000000746D0000-0x0000000074E80000-memory.dmp

memory/3016-37-0x00000000746D0000-0x0000000074E80000-memory.dmp

memory/3688-38-0x00000000746D0000-0x0000000074E80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp35F0.tmp

MD5 831f29adcdc8c602266b3fb65f01b1c5
SHA1 092247b5233f6c748f9bf715939134b0f1836655
SHA256 6b533eb2c748b5994edcece75c7d339bc4fcbc2a3a0f8bb797017b6380d5c6d0
SHA512 00fd058322514a9c846d57ed59d3cdc497f2a16b061c72cb20e65f51529225be406640f6620121131fddfb3bbe21e5592e0b74b0f6e47126933e4e4cb42a90c2