Analysis

max time kernel: 120s
max time network: 124s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 11-07-2024 17:29

Behavioral task: behavioral1
Sample: Colours.exe
Resource: win7-20240704-en (windows7-x64)
6 signatures, 150 seconds
General

Target: Colours.exe
Size: 45KB
MD5: b7e4200a8a35c06a5702cf96ae3cf113
SHA1: 98acd37605ced37c29717181ab76650f26069d6a
SHA256: 86b83b2e1ea05d9cc2f79c8d12b63ed4a9c47227943bbd0d1748c16b850e1b3a
SHA512: d1c75a593124a5c4ee0fb745d97046a54dd72bb5cb76a730a497070bbe4f9d6f0df40ade1c7b88bbc114eee1c5ef98de2d40770be13f60d2fb56382b5e8e5bf7
SSDEEP: 768:/dhO/poiiUcjlJInJFH9Xqk5nWEZ5SbTDantWI7CPW5V:1w+jjgnXH9XqcnW85SbTEWId
Malware Config (extracted)

Family: xenorat
C2: krecgh.4cloud.click
Mutex: Xeno_rat_nd8912d
Attributes:
  delay: 5000
  install_path: nothingset
  port: 3398
  startup_name: nothingset
Signatures

Deletes itself (1 IoC)
  pid 2992, process cmd.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (48 IoCs)
  pid 2376, process Colours.exe (48 identical entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 2376, process Colours.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   process       procid_target
  PID 2376 wrote to memory of 2524   2376  Colours.exe   31   (4 identical entries)
  PID 2376 wrote to memory of 2992   2376  Colours.exe   33   (4 identical entries)
  PID 2992 wrote to memory of 2328   2992  cmd.exe       35   (4 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\Colours.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Colours.exe"
  PID: 2376
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks.exe" /query /v /fo csv
    PID: 2524

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Colours.exe"
    PID: 2992
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\choice.exe
      Command line: choice /C Y /N /D Y /T 3
      PID: 2328