xenorat | 215751b1b39deb885cefda6cdb03691226177a692e3404193c6ea8ecd3ea98f1

Analysis

max time kernel
82s
max time network
87s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09-07-2024 14:40

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Pornosy z matejkiem.exe
Size

45KB
MD5

29dbc7b31dbf7dcb4289d07be9da47f2
SHA1

03ab7ceda224b198edafb070140b6421df8c37d3
SHA256

215751b1b39deb885cefda6cdb03691226177a692e3404193c6ea8ecd3ea98f1
SHA512

026ad8ad03619ad34b3f6796889581ec7d24387a1f1d2d671ad0106fd942ae8d6a3cdf34e3d374ccfa3aa3289d4467975c7e386483bba95a18f9ebaf1a7836d0
SSDEEP

768:9dhO/poiiUcjlJInwwH9Xqk5nWEZ5SbTDaUWI7CPW59:zw+jjgnZH9XqcnW85SbTNWI1

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

147.185.221.19

Mutex

Wiiindowss Deffender

Attributes

delay
5000
install_path
appdata
port
33365
startup_name
Windows Defender

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Executes dropped EXE 1 IoCs

pid	Process
1964	Pornosy z matejkiem.exe

Loads dropped DLL 1 IoCs

pid	Process
2256	Pornosy z matejkiem.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2704	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe
1964	Pornosy z matejkiem.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1964	Pornosy z matejkiem.exe
Token: SeShutdownPrivilege	760	shutdown.exe
Token: SeRemoteShutdownPrivilege	760	shutdown.exe
Token: 33	2352	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2352	AUDIODG.EXE
Token: 33	2352	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2352	AUDIODG.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 1964	2256	Pornosy z matejkiem.exe	30
PID 2256 wrote to memory of 1964	2256	Pornosy z matejkiem.exe	30
PID 2256 wrote to memory of 1964	2256	Pornosy z matejkiem.exe	30
PID 2256 wrote to memory of 1964	2256	Pornosy z matejkiem.exe	30
PID 1964 wrote to memory of 2704	1964	Pornosy z matejkiem.exe	31
PID 1964 wrote to memory of 2704	1964	Pornosy z matejkiem.exe	31
PID 1964 wrote to memory of 2704	1964	Pornosy z matejkiem.exe	31
PID 1964 wrote to memory of 2704	1964	Pornosy z matejkiem.exe	31
PID 1964 wrote to memory of 760	1964	Pornosy z matejkiem.exe	34
PID 1964 wrote to memory of 760	1964	Pornosy z matejkiem.exe	34
PID 1964 wrote to memory of 760	1964	Pornosy z matejkiem.exe	34
PID 1964 wrote to memory of 760	1964	Pornosy z matejkiem.exe	34

C:\Users\Admin\AppData\Local\Temp\Pornosy z matejkiem.exe
"C:\Users\Admin\AppData\Local\Temp\Pornosy z matejkiem.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Users\Admin\AppData\Roaming\XenoManager\Pornosy z matejkiem.exe
  "C:\Users\Admin\AppData\Roaming\XenoManager\Pornosy z matejkiem.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "Windows Defender" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3C45.tmp" /F
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2704
- - C:\Windows\SysWOW64\shutdown.exe
    "C:\Windows\System32\shutdown.exe" /r /t 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:760

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1896

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3C45.tmp

Filesize
1KB

MD5
1245b94f259c52066a8c537a88643660

SHA1
8b9c39dac7427499ca4ef6dbd79db9a0e350c1cb

SHA256
e9254da4f4435aad4d58bfd26e081c0d1df28c82d17b479d06159baee7cedf8c

SHA512
3b4e3fa49917b5b30d62fd85dcce543de2c1a69653fb05bbc65979f0afd6bfa8bf0524c666d104f56612c502f3efb1eec895d4ba0f4686f6d7546793d43f9af0

Download Submit
C:\Users\Admin\AppData\Roaming\XenoManager\Pornosy z matejkiem.exe

Filesize
45KB

MD5
29dbc7b31dbf7dcb4289d07be9da47f2

SHA1
03ab7ceda224b198edafb070140b6421df8c37d3

SHA256
215751b1b39deb885cefda6cdb03691226177a692e3404193c6ea8ecd3ea98f1

SHA512
026ad8ad03619ad34b3f6796889581ec7d24387a1f1d2d671ad0106fd942ae8d6a3cdf34e3d374ccfa3aa3289d4467975c7e386483bba95a18f9ebaf1a7836d0

Download Submit
memory/1964-9-0x0000000000E40000-0x0000000000E52000-memory.dmp

Filesize
72KB

Download
memory/1964-10-0x0000000073D50000-0x000000007443E000-memory.dmp

Filesize
6.9MB

Download
memory/1964-13-0x0000000073D50000-0x000000007443E000-memory.dmp

Filesize
6.9MB

Download
memory/1964-14-0x0000000073D50000-0x000000007443E000-memory.dmp

Filesize
6.9MB

Download
memory/1964-15-0x0000000073D50000-0x000000007443E000-memory.dmp

Filesize
6.9MB

Download
memory/1964-16-0x0000000000630000-0x0000000000638000-memory.dmp

Filesize
32KB

Download
memory/1964-17-0x0000000073D50000-0x000000007443E000-memory.dmp

Filesize
6.9MB

Download
memory/2256-0-0x0000000073D5E000-0x0000000073D5F000-memory.dmp

Filesize
4KB

Download
memory/2256-1-0x0000000000B10000-0x0000000000B22000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads