Resubmissions
01-08-2024 19:20
240801-x2h3tsvclr  score 10  01-08-2024 19:20
240801-x14cdavckl  score 10  01-08-2024 19:19
240801-x1tsyayfmd  score 10
Analysis
max time kernel: 23s
max time network: 6s
platform: windows10-2004_x64
resource: win10v2004-20240730-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-08-2024 19:20
General
Target: xero/xero.exe
Size: 45KB
MD5: 3b55e1134c4d41bd31da43caa2e281e3
SHA1: 626b6f42961606a84f55529388ba5a761f773ee0
SHA256: a250d17fc5aedefe2b11a61a8702839cf47317dc36b88e5abeb789a019787c07
SHA512: efb34525c6d2216569b981fdca53e0ca5123195d5559eedffe90aec98fdea1c49734cfeb1bb4fc38b1147059be057b64180c8d71867a93739cb27bee03af722e
SSDEEP: 768:tdhO/poiiUcjlJInDQuH9Xqk5nWEZ5SbTDaWWI7CPW57:jw+jjgnRH9XqcnW85SbTvWIj
Malware Config
Extracted
Family: xenorat
C2: 127.0.0.1
Xero_Legit
delay: 5000
install_path: appdata
port: 5525
startup_name: nothingset
Note: the configured C2 is the loopback address, so no outbound connection is expected from this build during analysis; the install_path value matches the drop location seen in the process tree (AppData\Roaming\XenoManager).
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-857544305-989156968-2929034274-1000\Control Panel\International\Geo\Nation
  process: xero.exe

Executes dropped EXE (1 IoC)
  pid: 1668
  process: xero.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: xero.exe
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  process: xero.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                         pid   process   procid_target
  PID 4180 wrote to memory of 1668    4180  xero.exe  87
  PID 4180 wrote to memory of 1668    4180  xero.exe  87
  PID 4180 wrote to memory of 1668    4180  xero.exe  87
Processes

1. C:\Users\Admin\AppData\Local\Temp\xero\xero.exe (PID 4180)
   command line: "C:\Users\Admin\AppData\Local\Temp\xero\xero.exe"
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\XenoManager\xero.exe (PID 1668, child of PID 4180)
      command line: "C:\Users\Admin\AppData\Roaming\XenoManager\xero.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
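The behaviour chain the signatures and process tree describe (locale lookups, a copy dropped under AppData\Roaming\XenoManager, that copy executed as a child, and the parent writing into the child's memory) is easier to reason about as detection logic than as a flat list of IoCs. The block below is an added example, not part of the sandbox report or of XenoRAT itself: it replays hand-constructed Sysmon-style events that mirror the PIDs, paths and registry keys above (the first process's parent PID of 1000 and the event field names are assumptions) and evaluates each signature and their combination.

```python
"""Replay of this report's behaviour chain over constructed events.

The EVENTS list is hand-built to mirror the IoCs in the report (PIDs, paths
and registry keys come from the report; the parent PID 1000 of the first
process and the field names are assumptions). It is not sandbox output.
"""
import re

# Registry key suffixes behind the two location-discovery signatures.
LOCALE_KEY_SUFFIXES = (
    r"\Control Panel\International\Geo\Nation",  # "Checks computer location settings"
    r"\Control\NLS\Language",                    # "System Language Discovery"
)
# Drop location used by this sample (config install_path = appdata).
ROAMING_RE = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)

# Constructed events, one dict per telemetry record, in time order.
EVENTS = [
    {"type": "process_create", "pid": 4180, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\xero\xero.exe"},
    {"type": "registry_query", "pid": 4180,
     "key": r"\REGISTRY\USER\S-1-5-21-857544305-989156968-2929034274-1000"
            r"\Control Panel\International\Geo\Nation"},
    {"type": "registry_open", "pid": 4180,
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"type": "file_create", "pid": 4180,
     "path": r"C:\Users\Admin\AppData\Roaming\XenoManager\xero.exe"},
    {"type": "process_create", "pid": 1668, "ppid": 4180,
     "image": r"C:\Users\Admin\AppData\Roaming\XenoManager\xero.exe"},
    {"type": "write_process_memory", "pid": 4180, "target_pid": 1668},
    {"type": "write_process_memory", "pid": 4180, "target_pid": 1668},
    {"type": "write_process_memory", "pid": 4180, "target_pid": 1668},
    {"type": "registry_open", "pid": 1668,
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
]


def location_discovery(events):
    """Map PID -> set of locale key suffixes it touched (the geofencing tell)."""
    hits = {}
    for e in events:
        if e["type"] not in ("registry_query", "registry_open"):
            continue
        for suffix in LOCALE_KEY_SUFFIXES:
            if e["key"].lower().endswith(suffix.lower()):
                hits.setdefault(e["pid"], set()).add(suffix)
    return hits


def dropped_exe_executed(events):
    """(writer_pid, exec_pid, path) for files one process created and a process later ran."""
    created = {}  # lowercase path -> pid that wrote it
    out = []
    for e in events:
        if e["type"] == "file_create":
            created[e["path"].lower()] = e["pid"]
        elif e["type"] == "process_create" and e["image"].lower() in created:
            out.append((created[e["image"].lower()], e["pid"], e["image"]))
    return out


def child_memory_writes(events):
    """Distinct (writer_pid, target_pid) pairs where a process writes into its own child."""
    parent = {e["pid"]: e["ppid"] for e in events if e["type"] == "process_create"}
    pairs = []
    for e in events:
        if e["type"] != "write_process_memory":
            continue
        pair = (e["pid"], e["target_pid"])
        if parent.get(e["target_pid"]) == e["pid"] and pair not in pairs:
            pairs.append(pair)
    return pairs


def xenorat_chain(events):
    """Drop into AppData\\Roaming + execute + parent memory write, with locale checks noted."""
    locale = location_discovery(events)
    writes = set(child_memory_writes(events))
    findings = []
    for writer, child, path in dropped_exe_executed(events):
        if not ROAMING_RE.search(path) or (writer, child) not in writes:
            continue
        findings.append({
            "dropper": writer,
            "dropped": child,
            "path": path,
            "locale_check_by_both": writer in locale and child in locale,
        })
    return findings


if __name__ == "__main__":
    for finding in xenorat_chain(EVENTS):
        print(finding)
```

A parent writing into a process it has just created also happens during ordinary process start-up, so the three WriteProcessMemory rows corroborate rather than decide; the chain above leans on the drop-and-execute into AppData\Roaming\XenoManager and the locale lookups by both processes, and `child_memory_writes` deduplicates the repeated rows.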
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 45KB
MD5: 3b55e1134c4d41bd31da43caa2e281e3
SHA1: 626b6f42961606a84f55529388ba5a761f773ee0
SHA256: a250d17fc5aedefe2b11a61a8702839cf47317dc36b88e5abeb789a019787c07
SHA512: efb34525c6d2216569b981fdca53e0ca5123195d5559eedffe90aec98fdea1c49734cfeb1bb4fc38b1147059be057b64180c8d71867a93739cb27bee03af722e
(Identical hashes to the submitted target: the downloadable file is a byte-for-byte copy of xero.exe.)