Overview

overview

10

Static

static

3

CalendariodePago.exe

windows7-x64

10

CalendariodePago.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-07-2024 17:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CalendariodePago.exe

  • Size

    612KB

  • MD5

    5cb029f745b0691ec119a958319c31ef

  • SHA1

    e7079a4aa2715132d6ea4ac4e7997effea00e979

  • SHA256

    0b9145613da75b127de6d9f0094a7b2813e3c8c651aec50aee83c1e722e63be3

  • SHA512

    61bbb3929c8d233bc3ebb265094ff515ad509a18903edbad887f1d9ad23982ace2adc619f9bde098565a20674ce29973ac2bc83558a3f6f5b02548df09e68094

  • SSDEEP

    12288:ycrNS33L10QdrXpxen47qBmk1cNi3qYjY7fopC4xky2tuqFUmt:ZNA3R5drXPe47qBmk1+i39jWfopCObqJ

Score
10/10
xenoratrattrojan

Malware Config

Extracted

Family

xenorat

C2

salutoepiesircam.sytes.net

Mutex

Xeno_rat_nd8911d

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    4450

  • startup_name

    setting

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CalendariodePago.exe
    "C:\Users\Admin\AppData\Local\Temp\CalendariodePago.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2424
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\budshpdig.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2960
      • C:\Users\Admin\AppData\Local\Temp\afgsfxf.sfx.exe
        afgsfxf.sfx.exe -pthngaqwscpolkmBuiofxvflfadfdyehngfszafugyRhvqxsHbgnmeYiorhn -dC:\Users\Admin\AppData\Local\Temp
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:548
        • C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe
          "C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2340
          • C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe
            C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe
            5⤵
            • Executes dropped EXE
            PID:2788
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 80
              6⤵
              • Program crash
              PID:4376
          • C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe
            C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4996
            • C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe
              "C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4232
              • C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe
                C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:4108
                • C:\Windows\SysWOW64\schtasks.exe
                  "schtasks.exe" /Create /TN "setting" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF4DF.tmp" /F
                  8⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:4072
              • C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe
                C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe
                7⤵
                • Executes dropped EXE
                PID:3404
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2788 -ip 2788
    1⤵
      PID:2892
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3996,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=4456 /prefetch:8
      1⤵
        PID:4168

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\afgsfxf.exe.log
        Filesize

        706B

        MD5

        d95c58e609838928f0f49837cab7dfd2

        SHA1

        55e7139a1e3899195b92ed8771d1ca2c7d53c916

        SHA256

        0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

        SHA512

        405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe
        Filesize

        238KB

        MD5

        e1dc7c5bc0e25c682383ed45a4f1b62d

        SHA1

        efb65a80c919f0c3b7d20f7e6936c4ed1bc39526

        SHA256

        8698d7bb5416fc8975a61be1f58793bd93ce9a611b0934ba9c1c7bfbd48d5ad6

        SHA512

        a194d7142c92ab1de1fc2c35d350a968085e116fa15dfda722c28c597eb33e0548de18717c48d308e6953cfbfc9c10996b2bcbc21ce60e5cb2c43fe860772dfc

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\afgsfxf.sfx.exe
        Filesize

        471KB

        MD5

        b0f7c04b2eeecc36eaf4b8028f039fca

        SHA1

        f4215f7f99a94bc0f11caed46fba0f5b6d894bf3

        SHA256

        49189308da7b2d7038fc3cae77c4bffa62420b07ca4b833c85299f82d1e0dbf0

        SHA512

        ee91d628a5dd338bad371018f5593d83e246c173b6c6aa8dcca6f5be37b06013417f01a8583baf7379f782c83e836fb385bdb20b5bad79484b8b4c0a407cce27

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\budshpdig.bat
        Filesize

        12KB

        MD5

        3c7b48100b1343fb5e491b6e25b3f973

        SHA1

        c1f0101ce56b77b1e62d5cd8eedb058039a6a6f1

        SHA256

        82af508a479aa7eb3710995954c09308b5610f141f65c57c296b19b2fa218a4b

        SHA512

        989df1b3bfea4de6bda4bed0a027dc280d905dbffe6e7573f65b3acfc708f58fce83da939f8952e5ffa4b7c0f539e4a4b16bc409670513a643af95d6147b6108

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmpF4DF.tmp
        Filesize

        1KB

        MD5

        afe6dbad0c30c3a96d89523abfec9c19

        SHA1

        f7075462fe019fc028079a9027a5988163a234f1

        SHA256

        3b4a689daa322d13ece81c8cd374f142cbc0bca4362f847394469b9b334c37eb

        SHA512

        cb7b9578cdeb86d8ea74c24aaf7138756389d986a3474f50eb18c4f2afbaf6f82f709e0620b3527a428909594670edd03564559d2a736a63c19993220e7b0737

        Download Submit
      • memory/2340-25-0x000000000E4E0000-0x000000000E57C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/2340-24-0x00000000059A0000-0x00000000059DE000-memory.dmp
        Filesize

        248KB

        Download
      • memory/2340-26-0x000000000EB30000-0x000000000F0D4000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/2340-27-0x000000000E580000-0x000000000E612000-memory.dmp
        Filesize

        584KB

        Download
      • memory/2340-28-0x00000000032E0000-0x00000000032E6000-memory.dmp
        Filesize

        24KB

        Download
      • memory/2340-23-0x0000000003370000-0x0000000003376000-memory.dmp
        Filesize

        24KB

        Download
      • memory/2340-22-0x0000000000E50000-0x0000000000E94000-memory.dmp
        Filesize

        272KB

        Download
      • memory/4996-31-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download