Analysis

  • max time kernel
    132s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-07-2024 14:38

General

  • Target

    56b6c2ebd23727dd8d58648db3114ef88dd1561dd8e92f082b9ad3874cc1d93e.exe

  • Size

    45KB

  • MD5

    c256e2fb6c6111d1bbaa46bd2f081be2

  • SHA1

    fdbc207fd0dc681e13e68effd8fa9a372bea9052

  • SHA256

    56b6c2ebd23727dd8d58648db3114ef88dd1561dd8e92f082b9ad3874cc1d93e

  • SHA512

    0ccde1e1c13c764d184b097218282c4b9dfde70c1bb2b1be737f01b46e1f4a824850531f8ab2e9ba99837c9b552f4fbfc53cdda03c09f82dc3c19ee3e321eca9

  • SSDEEP

    768:9dhO/poiiUcjlJInlaH9Xqk5nWEZ5SbTDabuI7CPW59:zw+jjgnsH9XqcnW85SbTmuI1

Score
10/10

Malware Config

Extracted

Family

xenorat

C2

192.168.100.200

Mutex

Wiiindowss Deffender

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    8848

  • startup_name

    Windows Defender

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\56b6c2ebd23727dd8d58648db3114ef88dd1561dd8e92f082b9ad3874cc1d93e.exe
    "C:\Users\Admin\AppData\Local\Temp\56b6c2ebd23727dd8d58648db3114ef88dd1561dd8e92f082b9ad3874cc1d93e.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Users\Admin\AppData\Roaming\XenoManager\56b6c2ebd23727dd8d58648db3114ef88dd1561dd8e92f082b9ad3874cc1d93e.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\56b6c2ebd23727dd8d58648db3114ef88dd1561dd8e92f082b9ad3874cc1d93e.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2748
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "Windows Defender" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3A14.tmp" /F
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2876

Network

  • 192.168.100.200:8848
    56b6c2ebd23727dd8d58648db3114ef88dd1561dd8e92f082b9ad3874cc1d93e.exe
    152 B
    3
  • 192.168.100.200:8848
    56b6c2ebd23727dd8d58648db3114ef88dd1561dd8e92f082b9ad3874cc1d93e.exe
    152 B
    3
  • 192.168.100.200:8848
    56b6c2ebd23727dd8d58648db3114ef88dd1561dd8e92f082b9ad3874cc1d93e.exe
    152 B
    3
  • 192.168.100.200:8848
    56b6c2ebd23727dd8d58648db3114ef88dd1561dd8e92f082b9ad3874cc1d93e.exe
    152 B
    3
  • 192.168.100.200:8848
    56b6c2ebd23727dd8d58648db3114ef88dd1561dd8e92f082b9ad3874cc1d93e.exe
    152 B
    3

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp3A14.tmp

    Filesize

    1KB

    MD5

    18fddb1f976ba171f5e23f68a1681dd6

    SHA1

    ceb98f0bdfa77690b0d5ae9aa3db0fb88eac076f

    SHA256

    cb78b9b10a4a349fc5069336188819d0d1424893f57425f607b8102450aa8c4d

    SHA512

    35130bd5fabf0436efd21423c4d41bb938180baf1a8f9658be1243baa5c78166b14234006306e841e26d7acb54b2d4cc881876cca2e9599d30ae58b5de38af1b

  • \Users\Admin\AppData\Roaming\XenoManager\56b6c2ebd23727dd8d58648db3114ef88dd1561dd8e92f082b9ad3874cc1d93e.exe

    Filesize

    45KB

    MD5

    c256e2fb6c6111d1bbaa46bd2f081be2

    SHA1

    fdbc207fd0dc681e13e68effd8fa9a372bea9052

    SHA256

    56b6c2ebd23727dd8d58648db3114ef88dd1561dd8e92f082b9ad3874cc1d93e

    SHA512

    0ccde1e1c13c764d184b097218282c4b9dfde70c1bb2b1be737f01b46e1f4a824850531f8ab2e9ba99837c9b552f4fbfc53cdda03c09f82dc3c19ee3e321eca9

  • memory/2692-0-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

    Filesize

    4KB

  • memory/2692-1-0x0000000000F70000-0x0000000000F82000-memory.dmp

    Filesize

    72KB

  • memory/2748-9-0x00000000013C0000-0x00000000013D2000-memory.dmp

    Filesize

    72KB

  • memory/2748-10-0x0000000074CA0000-0x000000007538E000-memory.dmp

    Filesize

    6.9MB

  • memory/2748-13-0x0000000074CA0000-0x000000007538E000-memory.dmp

    Filesize

    6.9MB

  • memory/2748-14-0x0000000074CA0000-0x000000007538E000-memory.dmp

    Filesize

    6.9MB

  • memory/2748-15-0x0000000074CA0000-0x000000007538E000-memory.dmp

    Filesize

    6.9MB
