xenorat | ab0f362333e655da8332ba89226f9ac0c90e31aa53e633097cf6f88aead1a389

Resubmissions

09-08-2024 18:10

240809-wsd7vatdpq 10

09-08-2024 18:06

240809-wpp5yaxdpa 10

09-08-2024 13:45

240809-q2hzhavera 10

Analysis

max time kernel
25s
max time network
26s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-08-2024 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SaturnTempSpoofer.exe
Size

181KB
MD5

0380311e496051295f02a440d4f34308
SHA1

d2b2d91ced3d0526fcb13f310bb5f7be4844b346
SHA256

ab0f362333e655da8332ba89226f9ac0c90e31aa53e633097cf6f88aead1a389
SHA512

b95a20df94c311deb080d45e1bcd7cd3f79e449041acd52bc67423adb50f49ec9e4728838f96aaec0f67d1fb9cb7403be0e445db06928434f49baac565be600e
SSDEEP

3072:UVqoCl/YgjxEufVU0TbTyDDalQlzw+jqZ91UbTK4I:UsLqdufVUNDaRW491Ub8

Score

10^/10

xenorat discovery evasion persistence rat trojan

Malware Config

Extracted

Family

xenorat

73.131.36.77

Mutex

Saturn Temp Spoofer

Attributes

install_path
appdata
port
4782
startup_name
AppWindows.exe

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Executes dropped EXE 6 IoCs

pid	Process
2288	saturntempspoofer.exe
3944	icsys.icn.exe
4044	explorer.exe
952	spoolsv.exe
4928	svchost.exe
2796	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	SaturnTempSpoofer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saturntempspoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SaturnTempSpoofer.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4316	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4752	SaturnTempSpoofer.exe
4752	SaturnTempSpoofer.exe
4752	SaturnTempSpoofer.exe
4752	SaturnTempSpoofer.exe
4752	SaturnTempSpoofer.exe
4752	SaturnTempSpoofer.exe
4752	SaturnTempSpoofer.exe
4752	SaturnTempSpoofer.exe
4752	SaturnTempSpoofer.exe
4752	SaturnTempSpoofer.exe
4752	SaturnTempSpoofer.exe
4752	SaturnTempSpoofer.exe
4752	SaturnTempSpoofer.exe
4752	SaturnTempSpoofer.exe
4752	SaturnTempSpoofer.exe
4752	SaturnTempSpoofer.exe
4752	SaturnTempSpoofer.exe
4752	SaturnTempSpoofer.exe
4752	SaturnTempSpoofer.exe
4752	SaturnTempSpoofer.exe
4752	SaturnTempSpoofer.exe
4752	SaturnTempSpoofer.exe
4752	SaturnTempSpoofer.exe
4752	SaturnTempSpoofer.exe
4752	SaturnTempSpoofer.exe
4752	SaturnTempSpoofer.exe
4752	SaturnTempSpoofer.exe
4752	SaturnTempSpoofer.exe
4752	SaturnTempSpoofer.exe
4752	SaturnTempSpoofer.exe
4752	SaturnTempSpoofer.exe
4752	SaturnTempSpoofer.exe
3944	icsys.icn.exe
3944	icsys.icn.exe
3944	icsys.icn.exe
3944	icsys.icn.exe
3944	icsys.icn.exe
3944	icsys.icn.exe
3944	icsys.icn.exe
3944	icsys.icn.exe
3944	icsys.icn.exe
3944	icsys.icn.exe
3944	icsys.icn.exe
3944	icsys.icn.exe
3944	icsys.icn.exe
3944	icsys.icn.exe
3944	icsys.icn.exe
3944	icsys.icn.exe
3944	icsys.icn.exe
3944	icsys.icn.exe
3944	icsys.icn.exe
3944	icsys.icn.exe
3944	icsys.icn.exe
3944	icsys.icn.exe
3944	icsys.icn.exe
3944	icsys.icn.exe
3944	icsys.icn.exe
3944	icsys.icn.exe
3944	icsys.icn.exe
3944	icsys.icn.exe
3944	icsys.icn.exe
3944	icsys.icn.exe
3944	icsys.icn.exe
3944	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4044	explorer.exe
4928	svchost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1816	taskmgr.exe
Token: SeSystemProfilePrivilege	1816	taskmgr.exe
Token: SeCreateGlobalPrivilege	1816	taskmgr.exe
Token: 33	1816	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1816	taskmgr.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe

Suspicious use of SendNotifyMessage 33 IoCs

pid	Process
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe
1816	taskmgr.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4752	SaturnTempSpoofer.exe
4752	SaturnTempSpoofer.exe
3944	icsys.icn.exe
3944	icsys.icn.exe
4044	explorer.exe
4044	explorer.exe
952	spoolsv.exe
952	spoolsv.exe
4928	svchost.exe
4928	svchost.exe
2796	spoolsv.exe
2796	spoolsv.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 2288	4752	SaturnTempSpoofer.exe	85
PID 4752 wrote to memory of 2288	4752	SaturnTempSpoofer.exe	85
PID 4752 wrote to memory of 2288	4752	SaturnTempSpoofer.exe	85
PID 4752 wrote to memory of 3944	4752	SaturnTempSpoofer.exe	87
PID 4752 wrote to memory of 3944	4752	SaturnTempSpoofer.exe	87
PID 4752 wrote to memory of 3944	4752	SaturnTempSpoofer.exe	87
PID 2288 wrote to memory of 4316	2288	saturntempspoofer.exe	88
PID 2288 wrote to memory of 4316	2288	saturntempspoofer.exe	88
PID 2288 wrote to memory of 4316	2288	saturntempspoofer.exe	88
PID 3944 wrote to memory of 4044	3944	icsys.icn.exe	90
PID 3944 wrote to memory of 4044	3944	icsys.icn.exe	90
PID 3944 wrote to memory of 4044	3944	icsys.icn.exe	90
PID 4044 wrote to memory of 952	4044	explorer.exe	91
PID 4044 wrote to memory of 952	4044	explorer.exe	91
PID 4044 wrote to memory of 952	4044	explorer.exe	91
PID 952 wrote to memory of 4928	952	spoolsv.exe	92
PID 952 wrote to memory of 4928	952	spoolsv.exe	92
PID 952 wrote to memory of 4928	952	spoolsv.exe	92
PID 4928 wrote to memory of 2796	4928	svchost.exe	93
PID 4928 wrote to memory of 2796	4928	svchost.exe	93
PID 4928 wrote to memory of 2796	4928	svchost.exe	93

C:\Users\Admin\AppData\Local\Temp\SaturnTempSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\SaturnTempSpoofer.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4752
- \??\c:\users\admin\appdata\local\temp\saturntempspoofer.exe
  c:\users\admin\appdata\local\temp\saturntempspoofer.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "AppWindows.exe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAFD7.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4316
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3944
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4044
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:952
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4928
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2796

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\saturntempspoofer.exe

Filesize
46KB

MD5
601c4ed7cdaa8a844937fe5fd62a8aff

SHA1
5ad9cf4a98cff0711ef7c0ca68353161d026a783

SHA256
c1d9b0e2b4967ddeace94b452b8db110137d165c4725d3ab61ec0a8b44f27765

SHA512
17d9b61107f327da1baed79779b834e669ecc4c38515e7334cc3424d9e773966937de09dc364111af37013fcdd3b00a3cd0cfcc2950db2bb61797ee1704cd477

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAFD7.tmp

Filesize
1KB

MD5
4a6533ac35b34ba35ea7fe0a37192a66

SHA1
29d3cbd1d4b9542175c17d6d4f20a5d992ae4c01

SHA256
b4eff105fd062397dd2931dd5b138323a3c7d05c9e4f630cf51a24949eb2bacb

SHA512
a356c1d8a46679a9fc2c3a14615d98c3fb4c00ac908b8f44c99a9070cb32d00c3b3eeb1700152f12a78924de79adc2de8452432e647fe0ed46baf1e065451d3d

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
e447ca3775d2dab9ce4ca321fe43dddb

SHA1
33fd8a04f46330b8ee81dae8d5487047c95ccff1

SHA256
29e74f88810202c85ea9b8aea528974c0bda648232285cbc0214b3b4bcb0be17

SHA512
f336d0cb7ee7de8f25493db4b2489639f7f399ef00c101d78e2136391b7746fddb9d84de1efba201c61ca4c2f574e6a1215ad0b78bae61c59119cab294d4990a

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
d6d054e7390aa12da74bd9dfaf246917

SHA1
62d73f8b9b0cae264d2036204c4c6b05f4fa88d2

SHA256
b89f7426b1d3c5293ff6d0d51f5673c4e670f15d47463461785daec6e3e98903

SHA512
66e4dedd18ad17a9df47dc553937a7048177bf439b682dddb7dcc847e48fdbd00b1e280fd9c5448fc03569c610e104e803dccd5fc0eecc2a140a298ea95f45c2

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
f3111a7220d505b194ed3ea06fe640fa

SHA1
d3936769edb45ed45e2bd9060b6837c48ba40d38

SHA256
ad2dac95d8d131c7b33118f4524c1b04d1e26533eed2be89ee4e2168eb9cbf12

SHA512
0b1f7311ad83a63f5185873b6f306f15400f31c69d2a242cdc6b6567606c63e599b28737f3378beccf3327da755b07c14bddaec0d9af08efdf77ac1d0e425865

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
90a62d666a79a59e54343b1afddd6631

SHA1
f5129a144829b4313777e4c6cab8a7364f2c6ffb

SHA256
9747820d0d69757fe27e27e0ccb6408880dd99b0b36ad44398c93d994451b1f3

SHA512
3b059ea14102d98e00fab311aef5d92f8b712260e5d53c74108fa10b688e32952e50baeb8a3b406b6dd09e92d734303f02f7c93a8fa8fa264491e72ae90f3659

Download Submit
memory/952-52-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/952-36-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1816-66-0x0000028198430000-0x0000028198431000-memory.dmp

Filesize
4KB

Download
memory/1816-67-0x0000028198430000-0x0000028198431000-memory.dmp

Filesize
4KB

Download
memory/1816-63-0x0000028198430000-0x0000028198431000-memory.dmp

Filesize
4KB

Download
memory/1816-64-0x0000028198430000-0x0000028198431000-memory.dmp

Filesize
4KB

Download
memory/1816-57-0x0000028198430000-0x0000028198431000-memory.dmp

Filesize
4KB

Download
memory/1816-68-0x0000028198430000-0x0000028198431000-memory.dmp

Filesize
4KB

Download
memory/1816-69-0x0000028198430000-0x0000028198431000-memory.dmp

Filesize
4KB

Download
memory/1816-65-0x0000028198430000-0x0000028198431000-memory.dmp

Filesize
4KB

Download
memory/1816-59-0x0000028198430000-0x0000028198431000-memory.dmp

Filesize
4KB

Download
memory/1816-58-0x0000028198430000-0x0000028198431000-memory.dmp

Filesize
4KB

Download
memory/2288-28-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/2288-56-0x00000000743CE000-0x00000000743CF000-memory.dmp

Filesize
4KB

Download
memory/2288-55-0x00000000064F0000-0x0000000006556000-memory.dmp

Filesize
408KB

Download
memory/2288-10-0x0000000000D20000-0x0000000000D32000-memory.dmp

Filesize
72KB

Download
memory/2288-9-0x00000000743CE000-0x00000000743CF000-memory.dmp

Filesize
4KB

Download
memory/2288-70-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/2796-51-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3944-53-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4044-29-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4752-54-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4752-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download