Malware Analysis Report

2024-08-06 18:12

Sample ID 240704-tymp3a1fjh
Target 1.exe
SHA256 c1cb3a8e20206ea9fe5e0d2c95fd876fec5d53ea8a55ebc65e7f2571e83ff5c0
Tags
xenorat rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c1cb3a8e20206ea9fe5e0d2c95fd876fec5d53ea8a55ebc65e7f2571e83ff5c0

Threat Level: Known bad

The file 1.exe was found to be: Known bad.

Malicious Activity Summary

xenorat rat trojan

XenorRat

Xenorat family

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Persistence
TA0003
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Privilege Escalation
TA0004
Scheduled Task/Job
T1053
Scheduled Task
T1053.005
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-07-04 16:28

Signatures

Xenorat family

xenorat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-04 16:28

Reported

2024-07-04 16:33

Platform

win7-20240220-en

Max time kernel

133s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1.exe"

Signatures

XenorRat

trojan rat xenorat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\1.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2872 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\1.exe C:\Users\Admin\AppData\Roaming\XenoManager\1.exe
PID 2872 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\1.exe C:\Users\Admin\AppData\Roaming\XenoManager\1.exe
PID 2872 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\1.exe C:\Users\Admin\AppData\Roaming\XenoManager\1.exe
PID 2872 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\1.exe C:\Users\Admin\AppData\Roaming\XenoManager\1.exe
PID 2956 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1.exe C:\Windows\SysWOW64\schtasks.exe
PID 2956 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1.exe C:\Windows\SysWOW64\schtasks.exe
PID 2956 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1.exe C:\Windows\SysWOW64\schtasks.exe
PID 2956 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1.exe

"C:\Users\Admin\AppData\Local\Temp\1.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\1.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\1.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "Windows Updater" /XML "C:\Users\Admin\AppData\Local\Temp\tmp278D.tmp" /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 performance-ha.gl.at.ply.gg udp
US 147.185.221.19:33365 performance-ha.gl.at.ply.gg tcp
US 147.185.221.19:33365 performance-ha.gl.at.ply.gg tcp
US 147.185.221.19:33365 performance-ha.gl.at.ply.gg tcp
US 147.185.221.19:33365 performance-ha.gl.at.ply.gg tcp
US 147.185.221.19:33365 performance-ha.gl.at.ply.gg tcp

Files

memory/2872-0-0x000000007461E000-0x000000007461F000-memory.dmp

memory/2872-1-0x0000000000C90000-0x0000000000CA2000-memory.dmp

\Users\Admin\AppData\Roaming\XenoManager\1.exe

MD5 4d820f671919b3029173d8659aa59600
SHA1 af68a0b9e9c58dcbdd2ede205c30537bca39650c
SHA256 c1cb3a8e20206ea9fe5e0d2c95fd876fec5d53ea8a55ebc65e7f2571e83ff5c0
SHA512 5db8f64f97765447bbebe42044984ae73cc1b418c5d2616cd3d4cf0bcf03014c1883d37d4dcaffa35cf5d0453301495f8d01f6e01ff4c516be019147f0f33d6e

memory/2956-9-0x0000000000DC0000-0x0000000000DD2000-memory.dmp

memory/2956-10-0x0000000074610000-0x0000000074CFE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp278D.tmp

MD5 a0449a13ac1dfc501ac54ec20546041e
SHA1 dd10c4d3abb7c4e6ff5abdaa077ad7a114d73bcf
SHA256 744a0d8f4918500ee4cb6ec0f6ca5002a7d5809081e00572815a4a96c198b2bb
SHA512 83ac2d9b1bcbb3eb201abdfa66d190a07bb11a658eee2b9c9cfe93fb1bd634c6d49d6c97d1deccfe52a9a2f1e3ac61f71432d7e2fc118787059eaa7f8cfcda5f

memory/2956-13-0x0000000074610000-0x0000000074CFE000-memory.dmp

memory/2956-14-0x0000000074610000-0x0000000074CFE000-memory.dmp

memory/2956-15-0x0000000074610000-0x0000000074CFE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-04 16:28

Reported

2024-07-04 16:33

Platform

win10v2004-20240508-en

Max time kernel

141s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1.exe"

Signatures

XenorRat

trojan rat xenorat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\1.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1356 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\1.exe C:\Users\Admin\AppData\Roaming\XenoManager\1.exe
PID 1356 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\1.exe C:\Users\Admin\AppData\Roaming\XenoManager\1.exe
PID 1356 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\1.exe C:\Users\Admin\AppData\Roaming\XenoManager\1.exe
PID 3764 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1.exe C:\Windows\SysWOW64\schtasks.exe
PID 3764 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1.exe C:\Windows\SysWOW64\schtasks.exe
PID 3764 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Roaming\XenoManager\1.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1.exe

"C:\Users\Admin\AppData\Local\Temp\1.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\1.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\1.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "Windows Updater" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6C95.tmp" /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 performance-ha.gl.at.ply.gg udp
US 8.8.8.8:53 performance-ha.gl.at.ply.gg udp
US 8.8.8.8:53 performance-ha.gl.at.ply.gg udp
US 8.8.8.8:53 performance-ha.gl.at.ply.gg udp
US 8.8.8.8:53 performance-ha.gl.at.ply.gg udp
US 8.8.8.8:53 performance-ha.gl.at.ply.gg udp
US 8.8.8.8:53 performance-ha.gl.at.ply.gg udp

Files

memory/1356-0-0x000000007471E000-0x000000007471F000-memory.dmp

memory/1356-1-0x0000000000CD0000-0x0000000000CE2000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\1.exe

MD5 4d820f671919b3029173d8659aa59600
SHA1 af68a0b9e9c58dcbdd2ede205c30537bca39650c
SHA256 c1cb3a8e20206ea9fe5e0d2c95fd876fec5d53ea8a55ebc65e7f2571e83ff5c0
SHA512 5db8f64f97765447bbebe42044984ae73cc1b418c5d2616cd3d4cf0bcf03014c1883d37d4dcaffa35cf5d0453301495f8d01f6e01ff4c516be019147f0f33d6e

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1.exe.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

memory/3764-15-0x0000000074710000-0x0000000074EC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp6C95.tmp

MD5 a0449a13ac1dfc501ac54ec20546041e
SHA1 dd10c4d3abb7c4e6ff5abdaa077ad7a114d73bcf
SHA256 744a0d8f4918500ee4cb6ec0f6ca5002a7d5809081e00572815a4a96c198b2bb
SHA512 83ac2d9b1bcbb3eb201abdfa66d190a07bb11a658eee2b9c9cfe93fb1bd634c6d49d6c97d1deccfe52a9a2f1e3ac61f71432d7e2fc118787059eaa7f8cfcda5f

memory/3764-18-0x0000000074710000-0x0000000074EC0000-memory.dmp

memory/3764-19-0x0000000074710000-0x0000000074EC0000-memory.dmp