Analysis
  max time kernel: 141s
  max time network: 147s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 04-07-2024 17:06
  Static task: static1
  Behavioral task: behavioral1
    Sample: CalendariodePago.exe
    Resource: win7-20240611-en
General
  Target: CalendariodePago.exe
  Size: 612KB
  MD5: 5cb029f745b0691ec119a958319c31ef
  SHA1: e7079a4aa2715132d6ea4ac4e7997effea00e979
  SHA256: 0b9145613da75b127de6d9f0094a7b2813e3c8c651aec50aee83c1e722e63be3
  SHA512: 61bbb3929c8d233bc3ebb265094ff515ad509a18903edbad887f1d9ad23982ace2adc619f9bde098565a20674ce29973ac2bc83558a3f6f5b02548df09e68094
  SSDEEP: 12288:ycrNS33L10QdrXpxen47qBmk1cNi3qYjY7fopC4xky2tuqFUmt:ZNA3R5drXPe47qBmk1+i39jWfopCObqJ
Malware Config
  Extracted: xenorat
    salutoepiesircam.sytes.net
    Xeno_rat_nd8911d
    delay: 5000
    install_path: appdata
    port: 4450
    startup_name: setting
Signatures

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                      Process
  Key value queried  \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation  CalendariodePago.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation  afgsfxf.sfx.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation  afgsfxf.exe

Executes dropped EXE (7 IoCs)
  pid   Process
  548   afgsfxf.sfx.exe
  2340  afgsfxf.exe
  2788  afgsfxf.exe
  4996  afgsfxf.exe
  4232  afgsfxf.exe
  4108  afgsfxf.exe
  3404  afgsfxf.exe

Suspicious use of SetThreadContext (4 IoCs)
  description                          pid   Process      procid_target
  PID 2340 set thread context of 2788  2340  afgsfxf.exe  93
  PID 2340 set thread context of 4996  2340  afgsfxf.exe  94
  PID 4232 set thread context of 4108  4232  afgsfxf.exe  99
  PID 4232 set thread context of 3404  4232  afgsfxf.exe  100

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  4376  2788        WerFault.exe  93

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  4072  schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2340  afgsfxf.exe
  Token: SeDebugPrivilege  4232  afgsfxf.exe

Suspicious use of WriteProcessMemory (47 IoCs)
Identical rows are collapsed; the count column gives how many times each row appears in the report.
  description                       pid   Process               procid_target  count
  PID 2424 wrote to memory of 2960  2424  CalendariodePago.exe  88             3
  PID 2960 wrote to memory of 548   2960  cmd.exe               91             3
  PID 548 wrote to memory of 2340   548   afgsfxf.sfx.exe       92             3
  PID 2340 wrote to memory of 2788  2340  afgsfxf.exe           93             8
  PID 2340 wrote to memory of 4996  2340  afgsfxf.exe           94             8
  PID 4996 wrote to memory of 4232  4996  afgsfxf.exe           97             3
  PID 4232 wrote to memory of 4108  4232  afgsfxf.exe           99             8
  PID 4232 wrote to memory of 3404  4232  afgsfxf.exe           100            8
  PID 4108 wrote to memory of 4072  4108  afgsfxf.exe           101            3
Processes
(indentation shows the parent/child depth of each process)

C:\Users\Admin\AppData\Local\Temp\CalendariodePago.exe
  command: "C:\Users\Admin\AppData\Local\Temp\CalendariodePago.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2424

  C:\Windows\SysWOW64\cmd.exe
    command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\budshpdig.bat" "
    - Suspicious use of WriteProcessMemory
    PID:2960

    C:\Users\Admin\AppData\Local\Temp\afgsfxf.sfx.exe
      command: afgsfxf.sfx.exe -pthngaqwscpolkmBuiofxvflfadfdyehngfszafugyRhvqxsHbgnmeYiorhn -dC:\Users\Admin\AppData\Local\Temp
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID:548

      C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe
        command: "C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID:2340

        C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe
          command: C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe
          - Executes dropped EXE
          PID:2788

          C:\Windows\SysWOW64\WerFault.exe
            command: C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 80
            - Program crash
            PID:4376

        C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe
          command: C:\Users\Admin\AppData\Local\Temp\afgsfxf.exe
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          PID:4996

          C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe
            command: "C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID:4232

            C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe
              command: C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
              PID:4108

              C:\Windows\SysWOW64\schtasks.exe
                command: "schtasks.exe" /Create /TN "setting" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF4DF.tmp" /F
                - Scheduled Task/Job: Scheduled Task
                PID:4072

            C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe
              command: C:\Users\Admin\AppData\Roaming\XenoManager\afgsfxf.exe
              - Executes dropped EXE
              PID:3404

C:\Windows\SysWOW64\WerFault.exe
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2788 -ip 2788
  PID:2892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3996,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=4456 /prefetch:8
  PID:4168
Network
MITRE ATT&CK Enterprise v15
Downloads