Analysis

  • max time kernel
    139s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-07-2024 16:55

General

  • Target

    66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223.exe

  • Size

    955KB

  • MD5

    94f798a6cc5738e8924c9c0b3d2abb1e

  • SHA1

    5714cb7b382dab9977c99c94294561bc42d3166e

  • SHA256

    66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223

  • SHA512

    7b301bddf5d8a3602805754dc995bb4ee88c957b1029e3a17a0ed10d85cc60b1c603a8953a521cae283c39e2ecf69e1253db92cc89dacd46a45d2c72837ce0e4

  • SSDEEP

    24576:duDXTIGaPhEYzUzA0qxUAUBqG8DCRG7F9V5:ADjlabwz9M7WRG59V5

Score
10/10

Malware Config

Extracted

Family

xenorat

C2

23.243.100.240

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    4444

  • startup_name

    Windows Security

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223.exe
    "C:\Users\Admin\AppData\Local\Temp\66f635bf805463c4a83b969ac8d4cc563b2feadaea0460dc22c5f53be72a9223.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2844
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\InternalLoader2.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\InternalLoader2.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3044
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\RarSFX0\InternalLoader2.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2108
        • C:\Windows\system32\certutil.exe
          certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\RarSFX0\InternalLoader2.exe" MD5
          4⤵
          PID:2416
        • C:\Windows\system32\find.exe
          find /i /v "md5"
          4⤵
          PID:2104
        • C:\Windows\system32\find.exe
          find /i /v "certutil"
          4⤵
          PID:2948
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2608
        • C:\Windows\system32\cmd.exe
          cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2596
          • C:\Windows\system32\timeout.exe
            timeout /t 5
            5⤵
            • Delays execution with timeout.exe
            PID:2684
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 3044 -s 296
        3⤵
        PID:2084
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Runtime Broker.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Runtime Broker.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2648
      • C:\Users\Admin\AppData\Roaming\XenoManager\Runtime Broker.exe
        "C:\Users\Admin\AppData\Roaming\XenoManager\Runtime Broker.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2644
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks.exe" /Create /TN "Windows Security" /XML "C:\Users\Admin\AppData\Local\Temp\tmp495F.tmp" /F
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2532

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Runtime Broker.exe

    Filesize

    45KB

    MD5

    888405f1ed21b89ac08343458251bf26

    SHA1

    4c9b54da2336376441af26ed4bedcd6fda1b316f

    SHA256

    a8b6f84c5a83b221cb27203a565852745db0010e793aedfe2e98db4cd7f10859

    SHA512

    4280eddeaba17692a542ab11e1ad92cde5aedd0857990bea01dbd967334801318fd5c31519e58af021ff07c7cf37c2cea6c99502d7f7c1b26852cfb935e3a2a1

  • C:\Users\Admin\AppData\Local\Temp\tmp495F.tmp

    Filesize

    1KB

    MD5

    5b219b4101d84f08808354aca4b544bc

    SHA1

    f067faceacdefb5d1062fac1400c288aca4b36d7

    SHA256

    7072f7d22c1809a4f13ab22b1b2eacebf3f7333f668810e4bad2e3c22d2b9836

    SHA512

    67be44450193b5a10529b668e5dc3a35647bf85bb6cadbb2e9a45271d808f24ef0e8dc55103a50b1a82edc71f3c3371de50ac81220366a8188cca21a6587c8cd

  • \Users\Admin\AppData\Local\Temp\RarSFX0\InternalLoader2.exe

    Filesize

    588KB

    MD5

    2582a8dfdf77e54747a2e84a27377131

    SHA1

    87a91b5cd34f2ed215a0092997ce2989a333b920

    SHA256

    38ea6534608e1496b285dadaa545a968c2b128111fc3841ba84f162f1a3f8e20

    SHA512

    f6193e490b95ef0ac3e2c66c2e83d8f582d4d86c4360b117a7ed11079a612ef62c2408968b96d3a55453cc0ac01b48773377ca090855650c368210235883ba3c

  • memory/2644-29-0x0000000000B40000-0x0000000000B52000-memory.dmp

    Filesize

    72KB

  • memory/2648-21-0x00000000013C0000-0x00000000013D2000-memory.dmp

    Filesize

    72KB