Malware Analysis Report

2024-10-19 07:50

Sample ID 240813-rn2ecsybph
Target Release (1).zip
SHA256 e7b275d70655db9cb43fa606bbe2e4f22478ca4962bbf9f299d66eda567d63cd
Tags
xenorat discovery rat trojan credential_access spyware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral12, behavioral15, behavioral16, behavioral17, behavioral7, behavioral10, behavioral4, behavioral5, behavioral8, behavioral9, behavioral11, behavioral14, behavioral2, behavioral18, behavioral19, behavioral6, behavioral13, behavioral1, behavioral3 (each: Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

e7b275d70655db9cb43fa606bbe2e4f22478ca4962bbf9f299d66eda567d63cd

Threat Level: Known bad

The file Release (1).zip was found to be: Known bad. The archive is a XenoRAT distribution: the operator-side server/builder (xeno rat server.exe, behavioral19), a client stub (stub\xeno rat client.exe, behavioral18) and a plugins\ directory. Each plugin DLL was detonated on its own through rundll32 with ordinal 1 (the remaining behavioral runs) and produced no signatures, only the sandbox image's own background traffic. That is expected rather than reassuring: in the open-source Xeno-RAT project the plugins are .NET class libraries that the server pushes to the client, which loads them in-process, so they are not native DLLs with an exported ordinal and rundll32 cannot exercise them. Their file names are the capability list of the kit: hidden VNC (Hvnc), keylogging (KeyLoggerOffline), credential and information theft (InfoGrab), microphone and webcam capture, screen control, reverse proxy, process and registry managers, a file manager, startup persistence and a UAC bypass.

Malicious Activity Summary

xenorat discovery rat trojan credential_access spyware stealer

XenorRat

Xenorat family

Credentials from Password Stores: Credentials from Web Browsers

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Scheduled Task/Job: Scheduled Task

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-13 14:21

Signatures

Xenorat family

xenorat

Unsigned PE

Analysis: behavioral12

Detonation Overview

Submitted

2024-08-13 14:21

Reported

2024-08-13 14:27

Platform

win10v2004-20240802-en

Max time kernel

234s

Max time network

265s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\ScreenControl.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\ScreenControl.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4400,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=1436 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-08-13 14:21

Reported

2024-08-13 14:27

Platform

win10v2004-20240802-en

Max time kernel

168s

Max time network

207s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\SystemPower.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\SystemPower.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-08-13 14:21

Reported

2024-08-13 14:27

Platform

win10v2004-20240802-en

Max time kernel

178s

Max time network

193s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\Uacbypass.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\Uacbypass.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 20.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-08-13 14:21

Reported

2024-08-13 14:27

Platform

win10v2004-20240802-en

Max time kernel

157s

Max time network

281s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\WebCam.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\WebCam.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-08-13 14:21

Reported

2024-08-13 14:27

Platform

win10v2004-20240802-en

Max time kernel

226s

Max time network

207s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\KeyLoggerOffline.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\KeyLoggerOffline.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-08-13 14:21

Reported

2024-08-13 14:27

Platform

win10v2004-20240802-en

Max time kernel

164s

Max time network

286s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\plugins\Registry Manager.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\plugins\Registry Manager.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-08-13 14:21

Reported

2024-08-13 14:27

Platform

win10v2004-20240802-en

Max time kernel

242s

Max time network

205s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\Hvnc.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\Hvnc.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-08-13 14:21

Reported

2024-08-13 14:27

Platform

win10v2004-20240802-en

Max time kernel

157s

Max time network

205s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\InfoGrab.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\InfoGrab.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-08-13 14:21

Reported

2024-08-13 14:27

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

225s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\LiveMicrophone.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\LiveMicrophone.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 0.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-08-13 14:21

Reported

2024-08-13 14:27

Platform

win10v2004-20240802-en

Max time kernel

160s

Max time network

277s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\ProcessManager.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\ProcessManager.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-08-13 14:21

Reported

2024-08-13 14:27

Platform

win10v2004-20240802-en

Max time kernel

161s

Max time network

205s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\ReverseProxy.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\ReverseProxy.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 18.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 20.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-08-13 14:21

Reported

2024-08-13 14:27

Platform

win10v2004-20240802-en

Max time kernel

158s

Max time network

275s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\Startup.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\Startup.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 14:21

Reported

2024-08-13 14:27

Platform

win10v2004-20240802-en

Max time kernel

152s

Max time network

295s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\plugins\File manager.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\plugins\File manager.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-08-13 14:21

Reported

2024-08-13 14:27

Platform

win10v2004-20240802-en

Max time kernel

291s

Max time network

206s

Command Line

"C:\Users\Admin\AppData\Local\Temp\stub\xeno rat client.exe"

Signatures

XenorRat

trojan rat xenorat

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\stub\xeno rat client.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\stub\xeno rat client.exe

"C:\Users\Admin\AppData\Local\Temp\stub\xeno rat client.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
N/A 127.0.0.1:1234 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
N/A 127.0.0.1:1234 tcp
N/A 127.0.0.1:1234 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
N/A 127.0.0.1:1234 tcp
US 8.8.8.8:53 19.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
N/A 127.0.0.1:1234 tcp
N/A 127.0.0.1:1234 tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
N/A 127.0.0.1:1234 tcp
N/A 127.0.0.1:1234 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
N/A 127.0.0.1:1234 tcp
N/A 127.0.0.1:1234 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
N/A 127.0.0.1:1234 tcp
N/A 127.0.0.1:1234 tcp
N/A 127.0.0.1:1234 tcp
N/A 127.0.0.1:1234 tcp
N/A 127.0.0.1:1234 tcp
N/A 127.0.0.1:1234 tcp
N/A 127.0.0.1:1234 tcp
N/A 127.0.0.1:1234 tcp
N/A 127.0.0.1:1234 tcp
N/A 127.0.0.1:1234 tcp
N/A 127.0.0.1:1234 tcp
N/A 127.0.0.1:1234 tcp
N/A 127.0.0.1:1234 tcp
N/A 127.0.0.1:1234 tcp
N/A 127.0.0.1:1234 tcp
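
The table above is the typical footprint of a XenoRAT stub whose C2 is unreachable. The only traffic the client itself produces is a reconnect loop to 127.0.0.1:1234, which means the stub was built pointing at loopback, a default or test configuration (an inference from the rows; the page does not show the build settings). Everything else (PTR lookups through 8.8.8.8, g.bing.com, tse1.mm.bing.net) is background traffic of the win10 sandbox image and also appears in the plugin runs that did nothing. The script below is an added example, not part of the sandbox report or of the Xeno-RAT project: it parses rows in the report's Country/Destination/Domain/Proto layout, separates sandbox noise from traffic worth reviewing, and flags destinations hit repeatedly. The background-domain allow-list and the repeat threshold are our assumptions.

```python
import re
from collections import Counter

# Rows copied from the behavioral18 Network table of this report (a constructed
# subset; the full table shows 25 attempts against 127.0.0.1:1234).
SAMPLE_ROWS = """\
US 8.8.8.8:53 22.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
N/A 127.0.0.1:1234 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 127.0.0.1:1234 tcp
N/A 127.0.0.1:1234 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
N/A 127.0.0.1:1234 tcp
""".splitlines()

# Domains the win10 sandbox image contacts on its own (Edge/Bing/telemetry).
# Assumption: this allow-list is ours; tune it to your own sandbox baseline.
BACKGROUND_DOMAINS = ("bing.com", "bing.net", "msftconnecttest.com", "microsoft.com")

# Country, ip:port, optional domain, proto. The Domain column is empty for
# direct IP connections, which is why that group is optional.
ROW_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")


def parse_row(line):
    """Parse one 'Country Destination Domain Proto' row into a dict."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable network row: {line!r}")
    country, ip, port, domain, proto = m.groups()
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain or "", "proto": proto}


def classify(ev):
    """Label one event. Noise labels start with 'noise:'."""
    if ev["domain"].endswith(".in-addr.arpa"):
        return "noise:ptr-lookup"          # reverse lookups the OS does by itself
    if ev["ip"].startswith("127.") or ev["ip"] == "::1":
        return "beacon:loopback"           # C2 configured as localhost
    if ev["domain"].endswith(BACKGROUND_DOMAINS):
        return "noise:background"
    if ev["port"] == 53:
        return "dns:review"                # resolution of a name not on the allow-list
    return "review"                        # anything else, e.g. a direct IP:443


def triage(rows):
    """Return (label counter, notable events) for a whole network table."""
    counts = Counter()
    notable = []
    for line in rows:
        if not line.strip():
            continue
        ev = parse_row(line)
        label = classify(ev)
        counts[label] += 1
        if not label.startswith("noise:"):
            notable.append((label, f"{ev['ip']}:{ev['port']}/{ev['proto']}", ev["domain"]))
    return counts, notable


def repeated_destinations(rows, threshold=3):
    """Destinations hit at least `threshold` times, PTR lookups excluded.
    A tight reconnect loop to one socket is the usual footprint of a RAT
    stub whose C2 is down or, as here, points at the sandbox itself."""
    hits = Counter()
    for line in rows:
        if line.strip():
            ev = parse_row(line)
            if not ev["domain"].endswith(".in-addr.arpa"):
                hits[(ev["ip"], ev["port"], ev["proto"])] += 1
    return {dest: n for dest, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    counts, notable = triage(SAMPLE_ROWS)
    print(dict(counts))
    for item in notable:
        print("notable:", item)
    print("reconnect loops:", repeated_destinations(SAMPLE_ROWS))
```

Run against the full table the same logic leaves one notable destination, 127.0.0.1:1234/tcp, hit 25 times, and nothing to review in the other runs except the bare 52.111.227.14:443 connection in behavioral16, which the script classifies as "review" because it carries no domain.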

Files

memory/3500-0-0x000000007511E000-0x000000007511F000-memory.dmp

memory/3500-1-0x0000000000C20000-0x0000000000C32000-memory.dmp

memory/3500-2-0x0000000075110000-0x00000000758C0000-memory.dmp

memory/3500-3-0x000000007511E000-0x000000007511F000-memory.dmp

memory/3500-4-0x0000000075110000-0x00000000758C0000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-08-13 14:21

Reported

2024-08-13 14:27

Platform

win10v2004-20240802-en

Max time kernel

300s

Max time network

208s

Command Line

"C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe"

Signatures

XenorRat

trojan rat xenorat

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\die.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\die.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\die.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\die.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\die.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\XenoManager\die.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\die.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\ms-settings\Shell\Open\command C:\Users\Admin\Desktop\die.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 7e003100000000000259966d11004465736b746f7000680009000400efbe025984630259966d2e0000008ae101000000010000000000000000003e0000000000f205d6004400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000 C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\ms-settings\Shell C:\Users\Admin\Desktop\die.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\ms-settings C:\Users\Admin\Desktop\die.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\NodeSlot = "1" C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\ms-settings\Shell\Open C:\Users\Admin\Desktop\die.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 7800310000000000025984631100557365727300640009000400efbe874f77480d59d4722e000000c70500000000010000000000000000003a000000000051291b0155007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\ms-settings\Shell C:\Users\Admin\Desktop\die.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\ms-settings\Shell\Open\command C:\Users\Admin\Desktop\die.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute C:\Users\Admin\Desktop\die.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\ms-settings\Shell\Open\command\ = "\"C:\\Users\\Admin\\Desktop\\die.exe\"" C:\Users\Admin\Desktop\die.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\ms-settings\Shell\Open C:\Users\Admin\Desktop\die.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\ms-settings C:\Users\Admin\Desktop\die.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 50003100000000000259396e100041646d696e003c0009000400efbe025984630d59d4722e00000080e10100000001000000000000000000000000000000172aae00410064006d0069006e00000014000000 C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe N/A
N/A N/A C:\Users\Admin\Desktop\die.exe N/A
N/A N/A C:\Users\Admin\Desktop\die.exe N/A
N/A N/A C:\Users\Admin\Desktop\die.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe N/A
N/A N/A C:\Users\Admin\Desktop\die.exe N/A
N/A N/A C:\Users\Admin\Desktop\die.exe N/A
N/A N/A C:\Users\Admin\Desktop\die.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe N/A
N/A N/A C:\Users\Admin\Desktop\die.exe N/A
N/A N/A C:\Users\Admin\Desktop\die.exe N/A
N/A N/A C:\Users\Admin\Desktop\die.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe N/A
N/A N/A C:\Users\Admin\Desktop\die.exe N/A
N/A N/A C:\Users\Admin\Desktop\die.exe N/A
N/A N/A C:\Users\Admin\Desktop\die.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe N/A
N/A N/A C:\Users\Admin\Desktop\die.exe N/A
N/A N/A C:\Users\Admin\Desktop\die.exe N/A
N/A N/A C:\Users\Admin\Desktop\die.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe N/A
N/A N/A C:\Users\Admin\Desktop\die.exe N/A
N/A N/A C:\Users\Admin\Desktop\die.exe N/A
N/A N/A C:\Users\Admin\Desktop\die.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe N/A
N/A N/A C:\Users\Admin\Desktop\die.exe N/A
N/A N/A C:\Users\Admin\Desktop\die.exe N/A
N/A N/A C:\Users\Admin\Desktop\die.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe N/A
N/A N/A C:\Users\Admin\Desktop\die.exe N/A
N/A N/A C:\Users\Admin\Desktop\die.exe N/A
N/A N/A C:\Users\Admin\Desktop\die.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe N/A
N/A N/A C:\Users\Admin\Desktop\die.exe N/A
N/A N/A C:\Users\Admin\Desktop\die.exe N/A
N/A N/A C:\Users\Admin\Desktop\die.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\die.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\die.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\die.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1612 wrote to memory of 116 N/A C:\Users\Admin\Desktop\die.exe C:\Users\Admin\AppData\Roaming\XenoManager\die.exe
PID 1612 wrote to memory of 116 N/A C:\Users\Admin\Desktop\die.exe C:\Users\Admin\AppData\Roaming\XenoManager\die.exe
PID 1612 wrote to memory of 116 N/A C:\Users\Admin\Desktop\die.exe C:\Users\Admin\AppData\Roaming\XenoManager\die.exe
PID 116 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe C:\Windows\SysWOW64\schtasks.exe
PID 116 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe C:\Windows\SysWOW64\schtasks.exe
PID 116 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Roaming\XenoManager\die.exe C:\Windows\SysWOW64\schtasks.exe
PID 2120 wrote to memory of 3568 N/A C:\Users\Admin\Desktop\die.exe C:\Windows\SysWOW64\schtasks.exe
PID 2120 wrote to memory of 3568 N/A C:\Users\Admin\Desktop\die.exe C:\Windows\SysWOW64\schtasks.exe
PID 2120 wrote to memory of 3568 N/A C:\Users\Admin\Desktop\die.exe C:\Windows\SysWOW64\schtasks.exe
PID 2120 wrote to memory of 4840 N/A C:\Users\Admin\Desktop\die.exe C:\Windows\SYSTEM32\cmd.exe
PID 2120 wrote to memory of 4840 N/A C:\Users\Admin\Desktop\die.exe C:\Windows\SYSTEM32\cmd.exe
PID 4840 wrote to memory of 4132 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\fodhelper.exe
PID 4840 wrote to memory of 4132 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\fodhelper.exe
PID 4132 wrote to memory of 4944 N/A C:\Windows\system32\fodhelper.exe C:\Users\Admin\Desktop\die.exe
PID 4132 wrote to memory of 4944 N/A C:\Windows\system32\fodhelper.exe C:\Users\Admin\Desktop\die.exe
PID 4132 wrote to memory of 4944 N/A C:\Windows\system32\fodhelper.exe C:\Users\Admin\Desktop\die.exe
PID 4944 wrote to memory of 3048 N/A C:\Users\Admin\Desktop\die.exe C:\Windows\SysWOW64\schtasks.exe
PID 4944 wrote to memory of 3048 N/A C:\Users\Admin\Desktop\die.exe C:\Windows\SysWOW64\schtasks.exe
PID 4944 wrote to memory of 3048 N/A C:\Users\Admin\Desktop\die.exe C:\Windows\SysWOW64\schtasks.exe
PID 2120 wrote to memory of 4184 N/A C:\Users\Admin\Desktop\die.exe C:\Users\Admin\Desktop\die.exe
PID 2120 wrote to memory of 4184 N/A C:\Users\Admin\Desktop\die.exe C:\Users\Admin\Desktop\die.exe
PID 2120 wrote to memory of 4184 N/A C:\Users\Admin\Desktop\die.exe C:\Users\Admin\Desktop\die.exe
PID 4184 wrote to memory of 3384 N/A C:\Users\Admin\Desktop\die.exe C:\Windows\SysWOW64\schtasks.exe
PID 4184 wrote to memory of 3384 N/A C:\Users\Admin\Desktop\die.exe C:\Windows\SysWOW64\schtasks.exe
PID 4184 wrote to memory of 3384 N/A C:\Users\Admin\Desktop\die.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe

"C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe"

C:\Users\Admin\Desktop\die.exe

"C:\Users\Admin\Desktop\die.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\die.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\die.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "windows" /XML "C:\Users\Admin\AppData\Local\Temp\tmp43C6.tmp" /F

C:\Users\Admin\Desktop\die.exe

"C:\Users\Admin\Desktop\die.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "windows" /XML "C:\Users\Admin\AppData\Local\Temp\tmp66DE.tmp" /F

C:\Windows\SYSTEM32\cmd.exe

cmd /c start "" "%windir%\system32\fodhelper.exe"

C:\Windows\system32\fodhelper.exe

"C:\Windows\system32\fodhelper.exe"

C:\Users\Admin\Desktop\die.exe

"C:\Users\Admin\Desktop\die.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "windows" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB387.tmp" /F

C:\Users\Admin\Desktop\die.exe

"C:\Users\Admin\Desktop\die.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "windows" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD93F.tmp" /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 1.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 21.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
N/A 127.0.0.1:8888 tcp
N/A 127.0.0.1:8888 tcp
N/A 127.0.0.1:8888 tcp
N/A 127.0.0.1:8888 tcp
N/A 127.0.0.1:8888 tcp
N/A 127.0.0.1:8888 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
N/A 127.0.0.1:8888 tcp
N/A 127.0.0.1:8888 tcp
N/A 127.0.0.1:8888 tcp
N/A 127.0.0.1:8888 tcp
N/A 127.0.0.1:8888 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
N/A 127.0.0.1:8888 tcp
N/A 127.0.0.1:8888 tcp
N/A 127.0.0.1:8888 tcp
N/A 127.0.0.1:8888 tcp
N/A 127.0.0.1:8888 tcp
N/A 127.0.0.1:8888 tcp
N/A 127.0.0.1:8888 tcp
N/A 127.0.0.1:8888 tcp
N/A 127.0.0.1:8888 tcp
N/A 127.0.0.1:8888 tcp
N/A 127.0.0.1:8888 tcp
N/A 127.0.0.1:8888 tcp
N/A 127.0.0.1:8888 tcp
N/A 127.0.0.1:8888 tcp
N/A 127.0.0.1:8888 tcp
N/A 127.0.0.1:8888 tcp
N/A 127.0.0.1:8888 tcp

Files

memory/3880-0-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

memory/3880-1-0x0000000000320000-0x0000000000522000-memory.dmp

memory/3880-2-0x0000000005670000-0x0000000005C14000-memory.dmp

memory/3880-3-0x0000000004F10000-0x0000000004FA2000-memory.dmp

memory/3880-4-0x0000000004FD0000-0x0000000004FDA000-memory.dmp

memory/3880-5-0x0000000074A00000-0x00000000751B0000-memory.dmp

memory/3880-6-0x0000000005620000-0x0000000005634000-memory.dmp

memory/3880-7-0x0000000007A00000-0x0000000007A1A000-memory.dmp

memory/3880-8-0x0000000007A20000-0x0000000007A32000-memory.dmp

memory/3880-9-0x0000000009920000-0x0000000009942000-memory.dmp

memory/3880-10-0x0000000009B00000-0x0000000009BB2000-memory.dmp

memory/3880-11-0x0000000007A80000-0x0000000007DD4000-memory.dmp

memory/3880-13-0x0000000074A00000-0x00000000751B0000-memory.dmp

memory/3880-15-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

memory/3880-16-0x0000000074A00000-0x00000000751B0000-memory.dmp

memory/3880-18-0x0000000074A00000-0x00000000751B0000-memory.dmp

memory/3880-21-0x0000000000B50000-0x0000000000C74000-memory.dmp

memory/3880-22-0x0000000000C90000-0x0000000000CAA000-memory.dmp

C:\Users\Admin\Desktop\die.exe

MD5 facf67d96edad6ea939bdcbc104fab68
SHA1 33f02dfe3b6593bcc5dca7d48b2519d0e34b3a14
SHA256 3c7e514191f1576bd8fcb8e150d46a4cf3426477a078c9c266cc59b41cd1917c
SHA512 a9a490a5ee75b556aff3313858b603c6a2f975efb18ccc5198d0174c355b50f44ed3001932ae0561cb330ad76540fcfd3046018fa381474fc50aaec7bbafe5a9

memory/1612-34-0x0000000000AB0000-0x0000000000AC2000-memory.dmp

memory/1612-36-0x0000000074A00000-0x00000000751B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\die.exe.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

memory/1612-49-0x0000000074A00000-0x00000000751B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp43C6.tmp

MD5 e74313e3560514e08520bf3e68c8f022
SHA1 7aa0b9c044970e0c62fdefd3f0a68fd16455cf44
SHA256 eb4e925135a76337f45795562600d60868c9d1f70baaea0fed7d0e136dfc3dd1
SHA512 7d6a821c227227ac50faeeff4a194ac10780c667877028024d8b0563e838a14c23ff7565c2189bb2d19d2945ab9947aceede4c8860b48d8b33b7eef46917fe71

memory/116-52-0x0000000006190000-0x00000000061F6000-memory.dmp

memory/3880-54-0x000000000C1A0000-0x000000000C1B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp66DE.tmp

MD5 2e5ac93d4c8858833080baa5bd7918ec
SHA1 feecb7c588f9f731ff749752c5103f34257a780d
SHA256 1a140e864da2ef3de5017299a798f4b3fadf94d72348fa8c3fb389813378212e
SHA512 432afebd234058311c51e8c50141b9b9eddb229ce1990a4b65c399c193ecb01f89a32e2d5c9eb274fa1fae7141250a500cc6acf0e9b1192e00991b3cb61bf95e

memory/2120-57-0x0000000005CB0000-0x0000000005CBC000-memory.dmp

memory/2120-64-0x0000000006310000-0x0000000006322000-memory.dmp

memory/2120-65-0x0000000000F20000-0x0000000000F2A000-memory.dmp

memory/4184-66-0x00000000015C0000-0x00000000015D2000-memory.dmp

memory/4184-67-0x00000000067C0000-0x00000000068BA000-memory.dmp

memory/4184-68-0x0000000006A90000-0x0000000006C52000-memory.dmp

memory/4184-69-0x0000000006910000-0x0000000006960000-memory.dmp

memory/4184-70-0x00000000069E0000-0x0000000006A56000-memory.dmp

memory/4184-71-0x0000000007190000-0x00000000076BC000-memory.dmp

memory/4184-72-0x0000000006C90000-0x0000000006CAE000-memory.dmp

memory/4184-74-0x0000000006E60000-0x0000000006EFC000-memory.dmp

memory/4184-95-0x0000000006740000-0x000000000674A000-memory.dmp

memory/4184-96-0x0000000006750000-0x000000000675A000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-08-13 14:21

Reported

2024-08-13 14:27

Platform

win10v2004-20240802-en

Max time kernel

163s

Max time network

193s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\KeyLogger.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\KeyLogger.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 52.111.227.13:443 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-08-13 14:21

Reported

2024-08-13 14:27

Platform

win10v2004-20240802-en

Max time kernel

139s

Max time network

205s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\Shell.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\Shell.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 14:21

Reported

2024-08-13 14:27

Platform

win10v2004-20240802-en

Max time kernel

135s

Max time network

176s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\Chat.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\Chat.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 23.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 2.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-13 14:21

Reported

2024-08-13 14:27

Platform

win10v2004-20240802-en

Max time kernel

205s

Max time network

204s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\Fun.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\plugins\Fun.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 82.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

Files

N/A