xenorat | 6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3

Analysis

max time kernel
148s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
26-07-2024 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
Size

249KB
MD5

d9dec4584b14bc1d0c5f51522743a385
SHA1

3e1269800b8cfb93f802307354eb8227f6503f05
SHA256

6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3
SHA512

5976deb2bb2084cd00d9888602e75b1966a9b0f4f8b1e23814f7f988b050523538c33e39d2874bf0e586b5bedae6257e05732434179c7f88f022f2eeb98b3dbd
SSDEEP

6144:18arJr5++gsCwCZ41JD7Ae31rwMwAZtUSiHrmM8FDy47j+wf6y5Mlg5XI:XNr1Kv41Joi2k/U4Dy47j+wf6y5Mlg54

Score

10^/10

xenorat credential_access discovery rat spyware stealer trojan

Malware Config

Extracted

Family

xenorat

45.66.231.63

Mutex

Holid_rat_nd8859g

Attributes

delay
60400
install_path
appdata
port
1243
startup_name
HDdisplay

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Executes dropped EXE 5 IoCs

pid	Process
3752	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
4740	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
4724	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
5112	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2168	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 3792 set thread context of 4976	3792	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	82
PID 3792 set thread context of 2192	3792	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	83
PID 3792 set thread context of 4004	3792	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	84
PID 3792 set thread context of 4836	3792	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	85
PID 3752 set thread context of 4740	3752	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	87
PID 3752 set thread context of 4724	3752	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	88
PID 3752 set thread context of 5112	3752	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	90
PID 3752 set thread context of 2168	3752	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	91

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2828	4740	WerFault.exe	87
3184	4724	WerFault.exe	88
704	2168	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3792	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
Token: SeDebugPrivilege	3752	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
Token: SeDebugPrivilege	2192	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3792 wrote to memory of 4976	3792	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	82
PID 3792 wrote to memory of 4976	3792	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	82
PID 3792 wrote to memory of 4976	3792	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	82
PID 3792 wrote to memory of 4976	3792	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	82
PID 3792 wrote to memory of 4976	3792	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	82
PID 3792 wrote to memory of 4976	3792	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	82
PID 3792 wrote to memory of 4976	3792	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	82
PID 3792 wrote to memory of 4976	3792	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	82
PID 3792 wrote to memory of 2192	3792	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	83
PID 3792 wrote to memory of 2192	3792	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	83
PID 3792 wrote to memory of 2192	3792	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	83
PID 3792 wrote to memory of 2192	3792	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	83
PID 3792 wrote to memory of 2192	3792	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	83
PID 3792 wrote to memory of 2192	3792	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	83
PID 3792 wrote to memory of 2192	3792	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	83
PID 3792 wrote to memory of 2192	3792	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	83
PID 3792 wrote to memory of 4004	3792	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	84
PID 3792 wrote to memory of 4004	3792	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	84
PID 3792 wrote to memory of 4004	3792	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	84
PID 3792 wrote to memory of 4004	3792	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	84
PID 3792 wrote to memory of 4004	3792	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	84
PID 3792 wrote to memory of 4004	3792	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	84
PID 3792 wrote to memory of 4004	3792	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	84
PID 3792 wrote to memory of 4004	3792	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	84
PID 3792 wrote to memory of 4836	3792	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	85
PID 3792 wrote to memory of 4836	3792	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	85
PID 3792 wrote to memory of 4836	3792	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	85
PID 3792 wrote to memory of 4836	3792	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	85
PID 3792 wrote to memory of 4836	3792	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	85
PID 3792 wrote to memory of 4836	3792	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	85
PID 3792 wrote to memory of 4836	3792	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	85
PID 3792 wrote to memory of 4836	3792	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	85
PID 4976 wrote to memory of 3752	4976	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	86
PID 4976 wrote to memory of 3752	4976	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	86
PID 4976 wrote to memory of 3752	4976	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	86
PID 3752 wrote to memory of 4740	3752	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	87
PID 3752 wrote to memory of 4740	3752	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	87
PID 3752 wrote to memory of 4740	3752	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	87
PID 3752 wrote to memory of 4740	3752	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	87
PID 3752 wrote to memory of 4740	3752	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	87
PID 3752 wrote to memory of 4740	3752	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	87
PID 3752 wrote to memory of 4740	3752	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	87
PID 3752 wrote to memory of 4740	3752	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	87
PID 3752 wrote to memory of 4724	3752	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	88
PID 3752 wrote to memory of 4724	3752	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	88
PID 3752 wrote to memory of 4724	3752	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	88
PID 3752 wrote to memory of 4724	3752	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	88
PID 3752 wrote to memory of 4724	3752	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	88
PID 3752 wrote to memory of 4724	3752	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	88
PID 3752 wrote to memory of 4724	3752	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	88
PID 3752 wrote to memory of 4724	3752	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	88
PID 3752 wrote to memory of 5112	3752	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	90
PID 3752 wrote to memory of 5112	3752	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	90
PID 3752 wrote to memory of 5112	3752	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	90
PID 3752 wrote to memory of 5112	3752	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	90
PID 3752 wrote to memory of 5112	3752	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	90
PID 3752 wrote to memory of 5112	3752	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	90
PID 3752 wrote to memory of 5112	3752	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	90
PID 3752 wrote to memory of 5112	3752	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	90
PID 3752 wrote to memory of 2168	3752	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	91
PID 3752 wrote to memory of 2168	3752	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	91
PID 3752 wrote to memory of 2168	3752	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	91
PID 3752 wrote to memory of 2168	3752	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	91
PID 3752 wrote to memory of 2168	3752	6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe	91

C:\Users\Admin\AppData\Local\Temp\6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
"C:\Users\Admin\AppData\Local\Temp\6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3792
- C:\Users\Admin\AppData\Local\Temp\6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
  C:\Users\Admin\AppData\Local\Temp\6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Users\Admin\AppData\Roaming\XenoManager\6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
    "C:\Users\Admin\AppData\Roaming\XenoManager\6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3752
  - - C:\Users\Admin\AppData\Roaming\XenoManager\6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
      C:\Users\Admin\AppData\Roaming\XenoManager\6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
      4⤵
      Executes dropped EXE
      PID:4740
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 28
        5⤵
        Program crash
        
        PID:2828
  - - C:\Users\Admin\AppData\Roaming\XenoManager\6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
      C:\Users\Admin\AppData\Roaming\XenoManager\6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
      4⤵
      Executes dropped EXE
      PID:4724
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 92
        5⤵
        Program crash
        
        PID:3184
  - - C:\Users\Admin\AppData\Roaming\XenoManager\6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
      C:\Users\Admin\AppData\Roaming\XenoManager\6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5112
  - - C:\Users\Admin\AppData\Roaming\XenoManager\6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
      C:\Users\Admin\AppData\Roaming\XenoManager\6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
      4⤵
      Executes dropped EXE
      PID:2168
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 92
        5⤵
        Program crash
        
        PID:704
- C:\Users\Admin\AppData\Local\Temp\6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
  C:\Users\Admin\AppData\Local\Temp\6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2192
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "HDdisplay" /XML "C:\Users\Admin\AppData\Local\Temp\tmp601.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4836
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /query /v /fo csv
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3316
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /delete /tn "\HDdisplay" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3660
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2388
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      System Location Discovery: System Language Discovery
      PID:2052
- C:\Users\Admin\AppData\Local\Temp\6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
  C:\Users\Admin\AppData\Local\Temp\6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4004
- C:\Users\Admin\AppData\Local\Temp\6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
  C:\Users\Admin\AppData\Local\Temp\6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2168 -ip 2168
1⤵
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4724 -ip 4724
1⤵
PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4740 -ip 4740
1⤵
PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe.log

Filesize
706B

MD5
80305b9a250a27091f46fa147674ffb3

SHA1
81b485761494618e4c8bba9af56c29b2ea8e8a07

SHA256
d9febc24cdfe2a616fff0e891fb055951aad00be6d57b0bc3cf8f4f643c5f6ae

SHA512
52544d526e83ae2a71d63768457435dbe79843a76146f60b7e41ec7b53ddb620323592325e19d6776b92b7e1fbb8dc79db85e94a30d970f0983563456ccd7a19

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp601.tmp

Filesize
1KB

MD5
10a75b34678ee506fc03e99cf0f7c2ad

SHA1
37f86bad459b81c6a317dbd12cc8efb201215d60

SHA256
63b06e7d408abb3f053a745e02c16716ffbc011f680e6929c5b3bf58affc152b

SHA512
f3ef552863ceec2e76908bd6918874f8ca5a0c9cc5ddf594ece9bff7851ed5130c15d2ce684cfb169f960ff7d19819dbfed851e84fef05b3516c6a8a839a51d1

Download Submit
C:\Users\Admin\AppData\Roaming\XenoManager\6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3.exe

Filesize
249KB

MD5
d9dec4584b14bc1d0c5f51522743a385

SHA1
3e1269800b8cfb93f802307354eb8227f6503f05

SHA256
6e1d75869d89661a72eedce7e8b0613540cd939bbfa7c1cbf032403b5a8d96f3

SHA512
5976deb2bb2084cd00d9888602e75b1966a9b0f4f8b1e23814f7f988b050523538c33e39d2874bf0e586b5bedae6257e05732434179c7f88f022f2eeb98b3dbd

Download Submit
memory/2192-49-0x0000000006E60000-0x000000000738C000-memory.dmp

Filesize
5.2MB

Download
memory/2192-48-0x0000000006690000-0x00000000066E0000-memory.dmp

Filesize
320KB

Download
memory/2192-47-0x0000000006610000-0x0000000006686000-memory.dmp

Filesize
472KB

Download
memory/2192-46-0x0000000006760000-0x0000000006922000-memory.dmp

Filesize
1.8MB

Download
memory/2192-45-0x0000000006490000-0x000000000658A000-memory.dmp

Filesize
1000KB

Download
memory/2192-44-0x00000000060A0000-0x0000000006106000-memory.dmp

Filesize
408KB

Download
memory/2192-50-0x0000000006740000-0x000000000675E000-memory.dmp

Filesize
120KB

Download
memory/2192-41-0x0000000074850000-0x0000000075001000-memory.dmp

Filesize
7.7MB

Download
memory/2192-78-0x0000000074850000-0x0000000075001000-memory.dmp

Filesize
7.7MB

Download
memory/2192-17-0x0000000074850000-0x0000000075001000-memory.dmp

Filesize
7.7MB

Download
memory/2192-18-0x0000000074850000-0x0000000075001000-memory.dmp

Filesize
7.7MB

Download
memory/3792-7-0x0000000004ED0000-0x0000000004F62000-memory.dmp

Filesize
584KB

Download
memory/3792-4-0x0000000004E30000-0x0000000004ECC000-memory.dmp

Filesize
624KB

Download
memory/3792-1-0x0000000000040000-0x0000000000086000-memory.dmp

Filesize
280KB

Download
memory/3792-2-0x0000000004A70000-0x0000000004A76000-memory.dmp

Filesize
24KB

Download
memory/3792-3-0x0000000004A80000-0x0000000004AC0000-memory.dmp

Filesize
256KB

Download
memory/3792-19-0x0000000074850000-0x0000000075001000-memory.dmp

Filesize
7.7MB

Download
memory/3792-8-0x0000000004C50000-0x0000000004C56000-memory.dmp

Filesize
24KB

Download
memory/3792-0-0x000000007485E000-0x000000007485F000-memory.dmp

Filesize
4KB

Download
memory/3792-6-0x0000000005480000-0x0000000005A26000-memory.dmp

Filesize
5.6MB

Download
memory/3792-5-0x0000000074850000-0x0000000075001000-memory.dmp

Filesize
7.7MB

Download
memory/4976-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4976-13-0x0000000074850000-0x0000000075001000-memory.dmp

Filesize
7.7MB

Download
memory/4976-30-0x0000000074850000-0x0000000075001000-memory.dmp

Filesize
7.7MB

Download