Analysis Overview
SHA256
819895f1a99faf768a9bd2e8c789d90725c2c9c3da9f446c1522907193ffe2c3
Threat Level: Known bad
The file afhvser.exe was found to be: Known bad.
Malicious Activity Summary
XenorRat
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-29 06:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-29 06:31
Reported
2024-08-29 06:33
Platform
win7-20240705-en
Max time kernel
147s
Max time network
136s
Command Line
Signatures
XenorRat
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\afhvser.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\afhvser.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afhvser.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\afhvser.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1356 set thread context of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\afhvser.exe | C:\Users\Admin\AppData\Local\Temp\afhvser.exe |
| PID 2692 set thread context of 2828 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\afhvser.exe | C:\Users\Admin\AppData\Roaming\XenoManager\afhvser.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\XenoManager\afhvser.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\XenoManager\afhvser.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\afhvser.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\afhvser.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\afhvser.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\afhvser.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\afhvser.exe
"C:\Users\Admin\AppData\Local\Temp\afhvser.exe"
C:\Users\Admin\AppData\Local\Temp\afhvser.exe
C:\Users\Admin\AppData\Local\Temp\afhvser.exe
C:\Users\Admin\AppData\Roaming\XenoManager\afhvser.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\afhvser.exe"
C:\Users\Admin\AppData\Roaming\XenoManager\afhvser.exe
C:\Users\Admin\AppData\Roaming\XenoManager\afhvser.exe
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "ace" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9C6E.tmp" /F
Network
| Country | Destination | Domain | Proto |
| NL | 45.66.231.26:1356 | tcp | |
| NL | 45.66.231.26:1356 | tcp | |
| NL | 45.66.231.26:1356 | tcp |
Files
memory/1356-0-0x000000007436E000-0x000000007436F000-memory.dmp
memory/1356-1-0x0000000000CA0000-0x0000000000D02000-memory.dmp
memory/1356-2-0x00000000002F0000-0x00000000002F6000-memory.dmp
memory/1356-3-0x00000000004F0000-0x0000000000546000-memory.dmp
memory/1356-4-0x0000000074360000-0x0000000074A4E000-memory.dmp
memory/1356-5-0x0000000000370000-0x0000000000376000-memory.dmp
memory/1272-6-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1356-12-0x0000000074360000-0x0000000074A4E000-memory.dmp
memory/1272-11-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1272-8-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1272-14-0x0000000074360000-0x0000000074A4E000-memory.dmp
memory/2692-21-0x0000000001040000-0x00000000010A2000-memory.dmp
C:\Users\Admin\AppData\Roaming\XenoManager\afhvser.exe
| MD5 | d51e11f21698000dc7834221d02d93a1 |
| SHA1 | d2a4196c36840b5eaabb9f585d504ebd8278840a |
| SHA256 | 819895f1a99faf768a9bd2e8c789d90725c2c9c3da9f446c1522907193ffe2c3 |
| SHA512 | c895c0c72f3b7bbb6bf88a366049aa833b775abf5fef6018f120975a4fb98e9866891a3f92cfd09267edbdd1fedc3e1e6b084239b15c4b6bf189ff2e81d61846 |
memory/1272-22-0x0000000074360000-0x0000000074A4E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp9C6E.tmp
| MD5 | df9b542895574a46efc01b67fead9cf0 |
| SHA1 | 555023d5b61d5c786d82bd9a152a1d92cf18235b |
| SHA256 | 5e990e41ed6c474363adffaa8e111fa819f137f34a821fa06b2c50d286d04659 |
| SHA512 | ac61c3ba5805da1b6a9edc100c68851d3d756233c7d6578cd50cf8d47d1a58c72b5497427594725973739ad2aa609475d7f20d1a06ef10768cf3109d1b8bf4c8 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-29 06:31
Reported
2024-08-29 06:33
Platform
win10v2004-20240802-en
Max time kernel
138s
Max time network
146s
Command Line
Signatures
XenorRat
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\afhvser.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\afhvser.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\afhvser.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3384 set thread context of 3992 | N/A | C:\Users\Admin\AppData\Local\Temp\afhvser.exe | C:\Users\Admin\AppData\Local\Temp\afhvser.exe |
| PID 780 set thread context of 4700 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\afhvser.exe | C:\Users\Admin\AppData\Roaming\XenoManager\afhvser.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\afhvser.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\afhvser.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\XenoManager\afhvser.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\XenoManager\afhvser.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\afhvser.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\afhvser.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\afhvser.exe
"C:\Users\Admin\AppData\Local\Temp\afhvser.exe"
C:\Users\Admin\AppData\Local\Temp\afhvser.exe
C:\Users\Admin\AppData\Local\Temp\afhvser.exe
C:\Users\Admin\AppData\Roaming\XenoManager\afhvser.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\afhvser.exe"
C:\Users\Admin\AppData\Roaming\XenoManager\afhvser.exe
C:\Users\Admin\AppData\Roaming\XenoManager\afhvser.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4408,i,1330210614411927383,9239043499051775691,262144 --variations-seed-version --mojo-platform-channel-handle=4448 /prefetch:8
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "ace" /XML "C:\Users\Admin\AppData\Local\Temp\tmp863.tmp" /F
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| NL | 45.66.231.26:1356 | tcp | |
| NL | 45.66.231.26:1356 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
| NL | 45.66.231.26:1356 | tcp |
Files
memory/3384-0-0x0000000074BFE000-0x0000000074BFF000-memory.dmp
memory/3384-1-0x0000000000700000-0x0000000000762000-memory.dmp
memory/3384-2-0x0000000002B00000-0x0000000002B06000-memory.dmp
memory/3384-3-0x000000000DC70000-0x000000000DCC6000-memory.dmp
memory/3384-4-0x0000000074BF0000-0x00000000753A0000-memory.dmp
memory/3384-5-0x000000000DD60000-0x000000000DDFC000-memory.dmp
memory/3384-6-0x000000000E3B0000-0x000000000E954000-memory.dmp
memory/3384-7-0x000000000DEA0000-0x000000000DF32000-memory.dmp
memory/3384-8-0x0000000002A70000-0x0000000002A76000-memory.dmp
memory/3992-9-0x0000000000400000-0x0000000000412000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\afhvser.exe.log
| MD5 | d95c58e609838928f0f49837cab7dfd2 |
| SHA1 | 55e7139a1e3899195b92ed8771d1ca2c7d53c916 |
| SHA256 | 0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339 |
| SHA512 | 405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d |
memory/3384-14-0x0000000074BF0000-0x00000000753A0000-memory.dmp
memory/3992-12-0x0000000074BF0000-0x00000000753A0000-memory.dmp
C:\Users\Admin\AppData\Roaming\XenoManager\afhvser.exe
| MD5 | d51e11f21698000dc7834221d02d93a1 |
| SHA1 | d2a4196c36840b5eaabb9f585d504ebd8278840a |
| SHA256 | 819895f1a99faf768a9bd2e8c789d90725c2c9c3da9f446c1522907193ffe2c3 |
| SHA512 | c895c0c72f3b7bbb6bf88a366049aa833b775abf5fef6018f120975a4fb98e9866891a3f92cfd09267edbdd1fedc3e1e6b084239b15c4b6bf189ff2e81d61846 |
memory/3992-25-0x0000000074BF0000-0x00000000753A0000-memory.dmp
memory/780-26-0x0000000074BF0000-0x00000000753A0000-memory.dmp
memory/780-27-0x0000000074BF0000-0x00000000753A0000-memory.dmp
memory/780-28-0x0000000005820000-0x0000000005876000-memory.dmp
memory/4700-32-0x0000000074BF0000-0x00000000753A0000-memory.dmp
memory/780-31-0x0000000074BF0000-0x00000000753A0000-memory.dmp
memory/4700-33-0x0000000074BF0000-0x00000000753A0000-memory.dmp
memory/4700-34-0x0000000074BF0000-0x00000000753A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp863.tmp
| MD5 | df9b542895574a46efc01b67fead9cf0 |
| SHA1 | 555023d5b61d5c786d82bd9a152a1d92cf18235b |
| SHA256 | 5e990e41ed6c474363adffaa8e111fa819f137f34a821fa06b2c50d286d04659 |
| SHA512 | ac61c3ba5805da1b6a9edc100c68851d3d756233c7d6578cd50cf8d47d1a58c72b5497427594725973739ad2aa609475d7f20d1a06ef10768cf3109d1b8bf4c8 |