xenorat | ab0f362333e655da8332ba89226f9ac0c90e31aa53e633097cf6f88aead1a389

Resubmissions

09-08-2024 18:10

240809-wsd7vatdpq 10

09-08-2024 18:06

240809-wpp5yaxdpa 10

09-08-2024 13:45

240809-q2hzhavera 10

Analysis

max time kernel
150s
max time network
117s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09-08-2024 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SaturnTempSpoofer.exe
Size

181KB
MD5

0380311e496051295f02a440d4f34308
SHA1

d2b2d91ced3d0526fcb13f310bb5f7be4844b346
SHA256

ab0f362333e655da8332ba89226f9ac0c90e31aa53e633097cf6f88aead1a389
SHA512

b95a20df94c311deb080d45e1bcd7cd3f79e449041acd52bc67423adb50f49ec9e4728838f96aaec0f67d1fb9cb7403be0e445db06928434f49baac565be600e
SSDEEP

3072:UVqoCl/YgjxEufVU0TbTyDDalQlzw+jqZ91UbTK4I:UsLqdufVUNDaRW491Ub8

Score

10^/10

xenorat discovery evasion persistence rat trojan

Malware Config

Extracted

Family

xenorat

73.131.36.77

Mutex

Saturn Temp Spoofer

Attributes

install_path
appdata
port
4782
startup_name
AppWindows.exe

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Executes dropped EXE 6 IoCs

pid	Process
2160	saturntempspoofer.exe
2536	icsys.icn.exe
2252	explorer.exe
2876	spoolsv.exe
2492	svchost.exe
2864	spoolsv.exe

Loads dropped DLL 6 IoCs

pid	Process
2680	SaturnTempSpoofer.exe
2680	SaturnTempSpoofer.exe
2536	icsys.icn.exe
2252	explorer.exe
2876	spoolsv.exe
2492	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	SaturnTempSpoofer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saturntempspoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SaturnTempSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2608	schtasks.exe
2440	schtasks.exe
1716	schtasks.exe
2452	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2680	SaturnTempSpoofer.exe
2680	SaturnTempSpoofer.exe
2680	SaturnTempSpoofer.exe
2680	SaturnTempSpoofer.exe
2680	SaturnTempSpoofer.exe
2680	SaturnTempSpoofer.exe
2680	SaturnTempSpoofer.exe
2680	SaturnTempSpoofer.exe
2680	SaturnTempSpoofer.exe
2680	SaturnTempSpoofer.exe
2680	SaturnTempSpoofer.exe
2680	SaturnTempSpoofer.exe
2680	SaturnTempSpoofer.exe
2680	SaturnTempSpoofer.exe
2680	SaturnTempSpoofer.exe
2680	SaturnTempSpoofer.exe
2536	icsys.icn.exe
2536	icsys.icn.exe
2536	icsys.icn.exe
2536	icsys.icn.exe
2536	icsys.icn.exe
2536	icsys.icn.exe
2536	icsys.icn.exe
2536	icsys.icn.exe
2536	icsys.icn.exe
2536	icsys.icn.exe
2536	icsys.icn.exe
2536	icsys.icn.exe
2536	icsys.icn.exe
2536	icsys.icn.exe
2536	icsys.icn.exe
2536	icsys.icn.exe
2536	icsys.icn.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe
2492	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2252	explorer.exe
2492	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2680	SaturnTempSpoofer.exe
2680	SaturnTempSpoofer.exe
2536	icsys.icn.exe
2536	icsys.icn.exe
2252	explorer.exe
2252	explorer.exe
2876	spoolsv.exe
2876	spoolsv.exe
2492	svchost.exe
2492	svchost.exe
2864	spoolsv.exe
2864	spoolsv.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 2160	2680	SaturnTempSpoofer.exe	30
PID 2680 wrote to memory of 2160	2680	SaturnTempSpoofer.exe	30
PID 2680 wrote to memory of 2160	2680	SaturnTempSpoofer.exe	30
PID 2680 wrote to memory of 2160	2680	SaturnTempSpoofer.exe	30
PID 2680 wrote to memory of 2536	2680	SaturnTempSpoofer.exe	31
PID 2680 wrote to memory of 2536	2680	SaturnTempSpoofer.exe	31
PID 2680 wrote to memory of 2536	2680	SaturnTempSpoofer.exe	31
PID 2680 wrote to memory of 2536	2680	SaturnTempSpoofer.exe	31
PID 2160 wrote to memory of 2452	2160	saturntempspoofer.exe	32
PID 2160 wrote to memory of 2452	2160	saturntempspoofer.exe	32
PID 2160 wrote to memory of 2452	2160	saturntempspoofer.exe	32
PID 2160 wrote to memory of 2452	2160	saturntempspoofer.exe	32
PID 2536 wrote to memory of 2252	2536	icsys.icn.exe	33
PID 2536 wrote to memory of 2252	2536	icsys.icn.exe	33
PID 2536 wrote to memory of 2252	2536	icsys.icn.exe	33
PID 2536 wrote to memory of 2252	2536	icsys.icn.exe	33
PID 2252 wrote to memory of 2876	2252	explorer.exe	35
PID 2252 wrote to memory of 2876	2252	explorer.exe	35
PID 2252 wrote to memory of 2876	2252	explorer.exe	35
PID 2252 wrote to memory of 2876	2252	explorer.exe	35
PID 2876 wrote to memory of 2492	2876	spoolsv.exe	36
PID 2876 wrote to memory of 2492	2876	spoolsv.exe	36
PID 2876 wrote to memory of 2492	2876	spoolsv.exe	36
PID 2876 wrote to memory of 2492	2876	spoolsv.exe	36
PID 2492 wrote to memory of 2864	2492	svchost.exe	37
PID 2492 wrote to memory of 2864	2492	svchost.exe	37
PID 2492 wrote to memory of 2864	2492	svchost.exe	37
PID 2492 wrote to memory of 2864	2492	svchost.exe	37
PID 2252 wrote to memory of 2772	2252	explorer.exe	38
PID 2252 wrote to memory of 2772	2252	explorer.exe	38
PID 2252 wrote to memory of 2772	2252	explorer.exe	38
PID 2252 wrote to memory of 2772	2252	explorer.exe	38
PID 2492 wrote to memory of 2608	2492	svchost.exe	39
PID 2492 wrote to memory of 2608	2492	svchost.exe	39
PID 2492 wrote to memory of 2608	2492	svchost.exe	39
PID 2492 wrote to memory of 2608	2492	svchost.exe	39
PID 2492 wrote to memory of 2440	2492	svchost.exe	44
PID 2492 wrote to memory of 2440	2492	svchost.exe	44
PID 2492 wrote to memory of 2440	2492	svchost.exe	44
PID 2492 wrote to memory of 2440	2492	svchost.exe	44
PID 2492 wrote to memory of 1716	2492	svchost.exe	46
PID 2492 wrote to memory of 1716	2492	svchost.exe	46
PID 2492 wrote to memory of 1716	2492	svchost.exe	46
PID 2492 wrote to memory of 1716	2492	svchost.exe	46

C:\Users\Admin\AppData\Local\Temp\SaturnTempSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\SaturnTempSpoofer.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2680
- \??\c:\users\admin\appdata\local\temp\saturntempspoofer.exe
  c:\users\admin\appdata\local\temp\saturntempspoofer.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "AppWindows.exe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB895.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2452
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2536
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2876
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2492
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2864
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 13:47 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2608
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 13:48 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2440
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 13:49 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1716
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB895.tmp

Filesize
1KB

MD5
4a6533ac35b34ba35ea7fe0a37192a66

SHA1
29d3cbd1d4b9542175c17d6d4f20a5d992ae4c01

SHA256
b4eff105fd062397dd2931dd5b138323a3c7d05c9e4f630cf51a24949eb2bacb

SHA512
a356c1d8a46679a9fc2c3a14615d98c3fb4c00ac908b8f44c99a9070cb32d00c3b3eeb1700152f12a78924de79adc2de8452432e647fe0ed46baf1e065451d3d

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
f89d3510413171cab1c62ab12753b96e

SHA1
f8dd1635f0bab3f8ea462dc5c865e16306bf7b2d

SHA256
5ac34e40aeab3790438f1f9f3a383d3450d89a769efe770035d7b298ac8ecb3d

SHA512
8e4470348238eaa75356c048d463c91d732a7d1c1413bb65c358f828a754023ace53e73932b75ae3a95a352114886e199065d7541a6f4b0f7705023941566765

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
d6d054e7390aa12da74bd9dfaf246917

SHA1
62d73f8b9b0cae264d2036204c4c6b05f4fa88d2

SHA256
b89f7426b1d3c5293ff6d0d51f5673c4e670f15d47463461785daec6e3e98903

SHA512
66e4dedd18ad17a9df47dc553937a7048177bf439b682dddb7dcc847e48fdbd00b1e280fd9c5448fc03569c610e104e803dccd5fc0eecc2a140a298ea95f45c2

Download Submit
\Users\Admin\AppData\Local\Temp\saturntempspoofer.exe

Filesize
46KB

MD5
601c4ed7cdaa8a844937fe5fd62a8aff

SHA1
5ad9cf4a98cff0711ef7c0ca68353161d026a783

SHA256
c1d9b0e2b4967ddeace94b452b8db110137d165c4725d3ab61ec0a8b44f27765

SHA512
17d9b61107f327da1baed79779b834e669ecc4c38515e7334cc3424d9e773966937de09dc364111af37013fcdd3b00a3cd0cfcc2950db2bb61797ee1704cd477

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
d5c99ad1c03d438fd3b965dd8ec4547a

SHA1
84cf71db2abbf351fd5cc238685e6277efdc2044

SHA256
1147bcd89213529999f4253ed070a39db6dbcc39729c5b9a596bdbfb7b1561e2

SHA512
43878837dfaa09b2eef6f2f19346996faaa1b7c1be0f0757fd54277ae83d6c61fc2037cb1ad1445d58a345a7d072943840a86813a0abf4ffb71434fde32ca843

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
962634f49823afa2f2fbb0eff1ed48b8

SHA1
38cd7a3ae250066d4e483d6385811e77c4392612

SHA256
7056f3939531514013776bb73a5fd081589588d92770aa50881aaa9a8e302771

SHA512
96160bb28936591d5579f5fda47696ea5dddb176a81027c3938d07a43bb7c88045eb6b062358cf2988032d540dd1754dbc040637f2d6912f84477bf08333af4b

Download Submit
memory/2160-12-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2160-68-0x00000000740E0000-0x00000000747CE000-memory.dmp

Filesize
6.9MB

Download
memory/2160-11-0x00000000740EE000-0x00000000740EF000-memory.dmp

Filesize
4KB

Download
memory/2160-67-0x00000000740E0000-0x00000000747CE000-memory.dmp

Filesize
6.9MB

Download
memory/2252-39-0x00000000003B0000-0x00000000003CF000-memory.dmp

Filesize
124KB

Download
memory/2536-66-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2536-30-0x00000000004B0000-0x00000000004CF000-memory.dmp

Filesize
124KB

Download
memory/2680-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2680-65-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2680-18-0x0000000000290000-0x00000000002AF000-memory.dmp

Filesize
124KB

Download
memory/2864-63-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2876-64-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2876-53-0x00000000002A0000-0x00000000002BF000-memory.dmp

Filesize
124KB

Download