xenorat | 653c1d8dcf05123679cd3cf2ccebfa8198ce93b874c0cc3f3797bd6a0ea1d137

Analysis

max time kernel
142s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
03/08/2024, 13:37 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.exe
Size

45KB
MD5

5ac18db0e217e974438a60c43f13d219
SHA1

f6c13147f52ac94e619640c4389b792de48ebd62
SHA256

653c1d8dcf05123679cd3cf2ccebfa8198ce93b874c0cc3f3797bd6a0ea1d137
SHA512

a1a938d673ea0053f3c8641c4cfeff1a8b15ea47afba9b752e545df8a1061be2916221fee23f0ec324b46b16a68e1c71e36002b7ccfcd127f5a5ec2e44f15ef6
SSDEEP

768:idhO/poiiUcjlJInEbqmH9Xqk5nWEZ5SbTDapWI7CPW5U:Ew+jjgnmH9XqcnW85SbTYWIM

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

127.0.0.1

Mutex

TESTRAT

Attributes

delay
5000
install_path
temp
port
4444
startup_name
MicrosoftEdgeUpdate

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Executes dropped EXE 1 IoCs

pid	Process
2116	test.exe

Loads dropped DLL 1 IoCs

pid	Process
2072	test.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2808	schtasks.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2116	2072	test.exe	30
PID 2072 wrote to memory of 2116	2072	test.exe	30
PID 2072 wrote to memory of 2116	2072	test.exe	30
PID 2072 wrote to memory of 2116	2072	test.exe	30
PID 2116 wrote to memory of 2808	2116	test.exe	31
PID 2116 wrote to memory of 2808	2116	test.exe	31
PID 2116 wrote to memory of 2808	2116	test.exe	31
PID 2116 wrote to memory of 2808	2116	test.exe	31

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\XenoManager\test.exe
  "C:\Users\Admin\AppData\Local\Temp\XenoManager\test.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "MicrosoftEdgeUpdate" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9702.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2808

Network

No results found

127.0.0.1:4444

test.exe
127.0.0.1:4444

test.exe
127.0.0.1:4444

test.exe
127.0.0.1:4444

test.exe
127.0.0.1:4444

test.exe
127.0.0.1:4444

test.exe
127.0.0.1:4444

test.exe
127.0.0.1:4444

test.exe
127.0.0.1:4444

test.exe
127.0.0.1:4444

test.exe
127.0.0.1:4444

test.exe
127.0.0.1:4444

test.exe
127.0.0.1:4444

test.exe

No results found

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9702.tmp

Filesize
1KB

MD5
0f42c05ccc932838854739d54739ddbc

SHA1
ce66afb8df9b580876f2d6ae5de1946122bf8642

SHA256
2f77bb1e8ba05909080131673a6901569a63a493d635efe1b50789aedb3f2a2b

SHA512
8c42979aa25464707f77c546ecca76a8a7fa3bb6c6e89bf5a9d239907fc76404450fb89e32dfa7e12154b5142c8db98849705b641cb52500da5a442a7195dfd4

Download Submit
\Users\Admin\AppData\Local\Temp\XenoManager\test.exe

Filesize
45KB

MD5
5ac18db0e217e974438a60c43f13d219

SHA1
f6c13147f52ac94e619640c4389b792de48ebd62

SHA256
653c1d8dcf05123679cd3cf2ccebfa8198ce93b874c0cc3f3797bd6a0ea1d137

SHA512
a1a938d673ea0053f3c8641c4cfeff1a8b15ea47afba9b752e545df8a1061be2916221fee23f0ec324b46b16a68e1c71e36002b7ccfcd127f5a5ec2e44f15ef6

Download Submit
memory/2072-0-0x000000007435E000-0x000000007435F000-memory.dmp

Filesize
4KB

Download
memory/2072-1-0x00000000009C0000-0x00000000009D2000-memory.dmp

Filesize
72KB

Download
memory/2116-9-0x0000000000F30000-0x0000000000F42000-memory.dmp

Filesize
72KB

Download
memory/2116-10-0x0000000074350000-0x0000000074A3E000-memory.dmp

Filesize
6.9MB

Download
memory/2116-13-0x0000000074350000-0x0000000074A3E000-memory.dmp

Filesize
6.9MB

Download
memory/2116-14-0x0000000074350000-0x0000000074A3E000-memory.dmp

Filesize
6.9MB

Download
memory/2116-15-0x0000000074350000-0x0000000074A3E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.