Analysis
max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted
30-08-2024 23:01
Behavioral task
behavioral1
Sample
4D5FC0012E9F61D18E5AEA4AE43349F2.exe
Resource
win7-20240704-en
General
Target
4D5FC0012E9F61D18E5AEA4AE43349F2.exe
Size
40KB
MD5
4d5fc0012e9f61d18e5aea4ae43349f2
SHA1
c0cc2d966bbffeaebde61405af31d44e9b36786e
SHA256
5a0886fc82bedd52f94509ce17092f6ea671e53622edf852cd7ba20901d25354
SHA512
2a92c27f153e80577a3adc46d872d75340a29e18782ea6c4134c0a4b81e9b886438c6012697bd55c02ecc37223ce5f089c6a6bfdba9ba25a78daa23953e61564
SSDEEP
768:T2QbHY3voobaXV2pUcX3H7HpUpTBVrbokrMqt23Ri:XKvxaXV2pUYzOlbrboTqt
Malware Config
Extracted
xenorat
155.138.205.64
252352366226
delay
15000
install_path
appdata
port
1010
startup_name
Updater
Signatures

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | 4D5FC0012E9F61D18E5AEA4AE43349F2.exe

Executes dropped EXE (1 IoCs)
pid | Process
4072 | 4D5FC0012E9F61D18E5AEA4AE43349F2.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4D5FC0012E9F61D18E5AEA4AE43349F2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4D5FC0012E9F61D18E5AEA4AE43349F2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1768 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4072 | 4D5FC0012E9F61D18E5AEA4AE43349F2.exe (this same entry is repeated 64 times in the report)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4072 | 4D5FC0012E9F61D18E5AEA4AE43349F2.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4048 wrote to memory of 4072 | 4048 | 4D5FC0012E9F61D18E5AEA4AE43349F2.exe | 87
PID 4048 wrote to memory of 4072 | 4048 | 4D5FC0012E9F61D18E5AEA4AE43349F2.exe | 87
PID 4048 wrote to memory of 4072 | 4048 | 4D5FC0012E9F61D18E5AEA4AE43349F2.exe | 87
PID 4072 wrote to memory of 1768 | 4072 | 4D5FC0012E9F61D18E5AEA4AE43349F2.exe | 98
PID 4072 wrote to memory of 1768 | 4072 | 4D5FC0012E9F61D18E5AEA4AE43349F2.exe | 98
PID 4072 wrote to memory of 1768 | 4072 | 4D5FC0012E9F61D18E5AEA4AE43349F2.exe | 98
Processes
(indentation shows the process tree: each indented process is a child of the process above it)

C:\Users\Admin\AppData\Local\Temp\4D5FC0012E9F61D18E5AEA4AE43349F2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4D5FC0012E9F61D18E5AEA4AE43349F2.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4048

  C:\Users\Admin\AppData\Roaming\XenoManager\4D5FC0012E9F61D18E5AEA4AE43349F2.exe
    Command line: "C:\Users\Admin\AppData\Roaming\XenoManager\4D5FC0012E9F61D18E5AEA4AE43349F2.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4072

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /Create /TN "Updater" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCE8B.tmp" /F
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
      PID: 1768
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize
1KB
MD5
5d476b4954927a8bfd193c0b380ed5ab
SHA1
1e5c37fbcde7a67382c2ab2c1d648c96baba812b
SHA256
4d0f0cd9173857b3dfdd653c39a6a868078a8b83e92233e48264abe7df04e878
SHA512
fe9f24da1d2809173f6e6ec3b5d169f3c06b379a0d11702ea85b7c05f76aeb4af9c9034b25c524ff88cca975bd8cd4f4887f692fcbaa6f76e38a8513f0557441

Filesize
40KB
MD5
4d5fc0012e9f61d18e5aea4ae43349f2
SHA1
c0cc2d966bbffeaebde61405af31d44e9b36786e
SHA256
5a0886fc82bedd52f94509ce17092f6ea671e53622edf852cd7ba20901d25354
SHA512
2a92c27f153e80577a3adc46d872d75340a29e18782ea6c4134c0a4b81e9b886438c6012697bd55c02ecc37223ce5f089c6a6bfdba9ba25a78daa23953e61564