Analysis Overview
SHA256
8134112787a6bc8495d55a81f935b8ac3292b221f61aad14ee94c1f86d2572c9
Threat Level: Known bad
The file 0ecb6966a5dc7138bd15bde42ed8afb0N.exe was found to be: Known bad.
Malicious Activity Summary
XenorRat
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-19 14:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-19 14:54
Reported
2024-08-19 14:57
Platform
win7-20240705-en
Max time kernel
144s
Max time network
147s
Command Line
Signatures
XenorRat
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2040 set thread context of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe |
| PID 2040 set thread context of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe |
| PID 2856 set thread context of 2684 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe |
| PID 2856 set thread context of 2676 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | "C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe" |
| C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | |
| C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | |
| C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | |
| C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | |
| C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | "C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe" |
| C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | |
| C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | |
| C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | |
| C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | |
| C:\Windows\SysWOW64\schtasks.exe | "schtasks.exe" /Create /TN "ace" /XML "C:\Users\Admin\AppData\Local\Temp\tmp168.tmp" /F |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| NL | 45.66.231.26:1356 | | tcp |
| NL | 45.66.231.26:1356 | | tcp |
| NL | 45.66.231.26:1356 | | tcp |
| NL | 45.66.231.26:1356 | | tcp |
| NL | 45.66.231.26:1356 | | tcp |
| NL | 45.66.231.26:1356 | | tcp |
Files
C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
| Algorithm | Digest |
|---|---|
| MD5 | 0ecb6966a5dc7138bd15bde42ed8afb0 |
| SHA1 | a9fb9c5d41775f19bb298d9cc07fbc67ec83c4ca |
| SHA256 | 8134112787a6bc8495d55a81f935b8ac3292b221f61aad14ee94c1f86d2572c9 |
| SHA512 | bd5e9c0a9e675ce4881db3ec6ecf17f323a1d72eb31c7d84532086b95965fd8aa1a87520eee284379ceb767d29803ed3e94b7e76d3da011a936cdb264b6140db |
C:\Users\Admin\AppData\Local\Temp\tmp168.tmp
| Algorithm | Digest |
|---|---|
| MD5 | 58e6bbdbd2c03841b9a8b06980f30da7 |
| SHA1 | eeb7641bb206e1ff4c7ed75fcf21e600a0cbde1d |
| SHA256 | 74abca5202eeac16ca9d153ad201f55ef9ce85a9a72992eac02e7f54f9147659 |
| SHA512 | b604c3f6af62e08e60c1a46191b5f0421796614c929eaf61a3fb8497f298c26461d6adcafe387a848a772a82f7f752184448f1e0aceb7317086218f89b90ec27 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-19 14:54
Reported
2024-08-19 14:57
Platform
win10v2004-20240802-en
Max time kernel
142s
Max time network
148s
Command Line
Signatures
XenorRat
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4848 set thread context of 3628 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe |
| PID 4848 set thread context of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe |
| PID 4708 set thread context of 4440 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe |
| PID 4708 set thread context of 4304 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | "C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe" |
| C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | |
| C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | |
| C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | |
| C:\Users\Admin\AppData\Local\Temp\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | |
| C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | "C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe" |
| C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | |
| C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | |
| C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | |
| C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe | |
| C:\Windows\SysWOW64\schtasks.exe | "schtasks.exe" /Create /TN "ace" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5176.tmp" /F |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| NL | 45.66.231.26:1356 | | tcp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| NL | 45.66.231.26:1356 | | tcp |
| NL | 45.66.231.26:1356 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| NL | 45.66.231.26:1356 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 45.66.231.26:1356 | | tcp |
| NL | 45.66.231.26:1356 | | tcp |
| NL | 45.66.231.26:1356 | | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0ecb6966a5dc7138bd15bde42ed8afb0N.exe.log
| Algorithm | Digest |
|---|---|
| MD5 | d95c58e609838928f0f49837cab7dfd2 |
| SHA1 | 55e7139a1e3899195b92ed8771d1ca2c7d53c916 |
| SHA256 | 0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339 |
| SHA512 | 405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d |
C:\Users\Admin\AppData\Roaming\XenoManager\0ecb6966a5dc7138bd15bde42ed8afb0N.exe
| Algorithm | Digest |
|---|---|
| MD5 | 0ecb6966a5dc7138bd15bde42ed8afb0 |
| SHA1 | a9fb9c5d41775f19bb298d9cc07fbc67ec83c4ca |
| SHA256 | 8134112787a6bc8495d55a81f935b8ac3292b221f61aad14ee94c1f86d2572c9 |
| SHA512 | bd5e9c0a9e675ce4881db3ec6ecf17f323a1d72eb31c7d84532086b95965fd8aa1a87520eee284379ceb767d29803ed3e94b7e76d3da011a936cdb264b6140db |
C:\Users\Admin\AppData\Local\Temp\tmp5176.tmp
| Algorithm | Digest |
|---|---|
| MD5 | 4709b3c4e44618aa0e9f4e74cc0a5d70 |
| SHA1 | 27a34945f5a2e2e4b7cffd048f6f48e67d1b2cb2 |
| SHA256 | c6b2e616991e91b4db617474617d3085e7394150ddaa7ef332c89bf1b8172021 |
| SHA512 | 41c343928c4e336baa51b10f589442946145246de1743ecdba4a7ff4cdc70852f208b01ccd24a116a6a59e6f56078c1b8ec2f3e3fd6c3a10e72238919aceff17 |