Overview

overview

10

Static

static

10

cnidc.exe

windows7-x64

10

cnidc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    71s
  • max time network
    72s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-08-2024 02:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cnidc.exe

  • Size

    45KB

  • MD5

    80988e2faaee97ee38873d13914e2c68

  • SHA1

    cd2465aeeff61d78974f66ebce023cb294d95116

  • SHA256

    97cfaaa4661e1fc410fc150bc0b03ae35a64558afe7c83a2435ad0724cbace14

  • SHA512

    ed45da0660f1c72ea5fa7452030adc9c77459df681ac2c3d3410fa444c8aea4c43e2399281f6156d90d7f3b31e1b007f39ad6137d607ae37ceb7b5d5b423956b

  • SSDEEP

    768:SdhO/poiiUcjlJInglH9Xqk5nWEZ5SbTDacWI7CPW5h:0w+jjgnQH9XqcnW85SbTVWI5

Score
10/10
xenoratdiscoveryrattrojan

Malware Config

Extracted

Family

xenorat

C2

127.0.0.1

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    5000

  • install_path

    temp

  • port

    4444

  • startup_name

    hi

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cnidc.exe
    "C:\Users\Admin\AppData\Local\Temp\cnidc.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5112
    • C:\Users\Admin\AppData\Local\Temp\XenoManager\cnidc.exe
      "C:\Users\Admin\AppData\Local\Temp\XenoManager\cnidc.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4780
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "hi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp99EE.tmp" /F
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2848
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1124
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4412
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff84400cc40,0x7ff84400cc4c,0x7ff84400cc58
      2⤵
        PID:2716
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,17851100785156837873,7027587873009881281,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1896 /prefetch:2
        2⤵
          PID:1932
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2184,i,17851100785156837873,7027587873009881281,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2420 /prefetch:3
          2⤵
            PID:3000
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,17851100785156837873,7027587873009881281,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2464 /prefetch:8
            2⤵
              PID:3096
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,17851100785156837873,7027587873009881281,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3200 /prefetch:1
              2⤵
                PID:1256
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3432,i,17851100785156837873,7027587873009881281,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3452 /prefetch:1
                2⤵
                  PID:3132
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3712,i,17851100785156837873,7027587873009881281,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3748 /prefetch:1
                  2⤵
                    PID:1108
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4832,i,17851100785156837873,7027587873009881281,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4848 /prefetch:8
                    2⤵
                      PID:1572
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4836,i,17851100785156837873,7027587873009881281,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4848 /prefetch:8
                      2⤵
                        PID:1836
                    • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
                      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
                      1⤵
                        PID:2680
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                        1⤵
                          PID:1864

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\43fe3d72-3d03-4bff-bc32-2857827d3222.tmp
                          Filesize

                          194KB

                          MD5

                          e3e76076bce56318c4678cf6eb4b74c4

                          SHA1

                          65407fafcfba5f72122c4a0cda87034255007925

                          SHA256

                          53de037aae2c18f24925dfc1bf6f185c46dea3cc69f3a98543d1b3e98a846daa

                          SHA512

                          57013fceec2d89f2c9247e4f5fffd521181d7ef8a0fa603808e35ae08931616a19fc2ed2eff36edf5d24dec27b6b22735e7b8ec90434d110888b4f6d59edf183

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
                          Filesize

                          649B

                          MD5

                          75eee54b6ced099c8b70156431364f77

                          SHA1

                          43cbf2893625968196396388d1d68ddf6669bc09

                          SHA256

                          8406e9392a28f448277062d52b59687b552826c3cef42b297525ceb0404f7599

                          SHA512

                          852af7bc75280426127e3ce5f221ab3f3c793fb6f0e175ab001af76bd28f33ad79c9bdd276aa250a6e9a7aa8f81c9d263b5c8918cd0fe5af7f154faa1202a4a0

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                          Filesize

                          1KB

                          MD5

                          5b3b003273093367c5299294079dd31c

                          SHA1

                          7f4c870d63c1ab7cb856f2c4d1ab199099c04f1d

                          SHA256

                          dbb1cbc7aa613a936dc9001b2d1e2dbcab730e1847a68923eb25bcb33332fa67

                          SHA512

                          9d743e3f9312282226f956914e8e275b9abcdae1f16941b82479dbe5e4c5ad110f640bf0fd966305535628b101f4c860aaf97e226651b46af9407ef46a31c31e

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                          Filesize

                          2B

                          MD5

                          d751713988987e9331980363e24189ce

                          SHA1

                          97d170e1550eee4afc0af065b78cda302a97674c

                          SHA256

                          4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                          SHA512

                          b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                          Filesize

                          354B

                          MD5

                          0990647524619f241b1307af1645c08c

                          SHA1

                          84a2cee0267ac83e3412d13c935da0fedaa56ae4

                          SHA256

                          a44774943a8cd4d596d6ccc5097b1722081563fadb565945d2bec68887e60c2b

                          SHA512

                          f90d1feff1f8beef1a646e822697b2dc7866eca469e4fca70f4a80d553ed916c69317a01985e609111d86df494fd2722c4cf38a2ca7eb4b407ac99b07d629eec

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                          Filesize

                          8KB

                          MD5

                          a61280e5913c3063175ffe50960fd09d

                          SHA1

                          0d9860b8f5f140b508c5053e057ecfa54a9e76d6

                          SHA256

                          8c9bf1dc9ed6c5f850e11c777404ca0317e3b9afd4160fdf447c537869ff5728

                          SHA512

                          744a99eedaf2fc48e783ca4291797ca0f952b62467866ada1a5aaf7d6a8880d484de76e54cb98a5518ff7d912e32bda52349c3744b470fa2f3ceb82b5d7946d6

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                          Filesize

                          15KB

                          MD5

                          375b93ad9ecd317ed1dabfe878229785

                          SHA1

                          d8e0eca47d048b5704743272deb6e8f66ec69644

                          SHA256

                          aee882b4b54fe8c7856ac806210de0628c6d8393b47c2a42967564d5cef0ea5a

                          SHA512

                          53b4dff87e9d68eebb0e266130eb63d0537fb780bd6cdf8d5ccdb2d5456ca5a1fa5397f57d178e4b32b19e03d500aba439d9566445a6512856acb461a770f237

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                          Filesize

                          194KB

                          MD5

                          4d86992895568b25dfaa2e2896dc4044

                          SHA1

                          24eaf41e79d507e970012d0665d5ced3d926235f

                          SHA256

                          418a0e2242aa73ee63dfc7e850e65a40503e97ec84efc5653c20d5b892da85a7

                          SHA512

                          57a60edbf7454d101ea59e6eaf13bdf3912b6d8cc31c8617a27e60b2c273ae22206e8cb93973d2b06cd80e7c5ee6d9f81e8bfe761dc7c6d8904534801cb5945d

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
                          Filesize

                          264KB

                          MD5

                          f50f89a0a91564d0b8a211f8921aa7de

                          SHA1

                          112403a17dd69d5b9018b8cede023cb3b54eab7d

                          SHA256

                          b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                          SHA512

                          bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cnidc.exe.log
                          Filesize

                          226B

                          MD5

                          916851e072fbabc4796d8916c5131092

                          SHA1

                          d48a602229a690c512d5fdaf4c8d77547a88e7a2

                          SHA256

                          7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

                          SHA512

                          07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\XenoManager\cnidc.exe
                          Filesize

                          45KB

                          MD5

                          80988e2faaee97ee38873d13914e2c68

                          SHA1

                          cd2465aeeff61d78974f66ebce023cb294d95116

                          SHA256

                          97cfaaa4661e1fc410fc150bc0b03ae35a64558afe7c83a2435ad0724cbace14

                          SHA512

                          ed45da0660f1c72ea5fa7452030adc9c77459df681ac2c3d3410fa444c8aea4c43e2399281f6156d90d7f3b31e1b007f39ad6137d607ae37ceb7b5d5b423956b

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\tmp99EE.tmp
                          Filesize

                          1KB

                          MD5

                          51341935fdd22e880b0e8956566cb07d

                          SHA1

                          c9c0115a2b59a5477d5750c1d7816342b49108b9

                          SHA256

                          24949c5837ba14e03371d9a4ac98e977ee91fe81079779a5983773fd37f8141f

                          SHA512

                          4e99ec4b0164b11589651804edac1c6dcddbcc394e797b2d75be061d371dd75f3823c5d73bfa0510dab9697e9b8b35a28b0a163fa2d747b9d7a43799a1fb2b42

                          Download Submit

                        • memory/1124-29-0x0000026317960000-0x0000026317961000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/1124-32-0x0000026317960000-0x0000026317961000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/1124-28-0x0000026317960000-0x0000026317961000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/1124-27-0x0000026317960000-0x0000026317961000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/1124-26-0x0000026317960000-0x0000026317961000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/1124-30-0x0000026317960000-0x0000026317961000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/1124-31-0x0000026317960000-0x0000026317961000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/1124-20-0x0000026317960000-0x0000026317961000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/1124-22-0x0000026317960000-0x0000026317961000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/1124-21-0x0000026317960000-0x0000026317961000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/4780-19-0x00000000749A0000-0x0000000075150000-memory.dmp

                          Filesize

                          7.7MB

                          Download

                        • memory/4780-18-0x00000000749A0000-0x0000000075150000-memory.dmp

                          Filesize

                          7.7MB

                          Download

                        • memory/4780-15-0x00000000749A0000-0x0000000075150000-memory.dmp

                          Filesize

                          7.7MB

                          Download

                        • memory/5112-0-0x00000000749AE000-0x00000000749AF000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/5112-1-0x00000000006A0000-0x00000000006B2000-memory.dmp

                          Filesize

                          72KB

                          Download