Overview

overview

10

Static

static

3

aimware_external.exe

windows10-2004-x64

10

Resubmissions

30-08-2024 09:44

240830-lqsx4syfnr 10

12-08-2024 19:19

240812-x1vp8swalk 10

Analysis

  • max time kernel
    90s
  • max time network
    92s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-08-2024 09:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aimware_external.exe

  • Size

    1.1MB

  • MD5

    f3726ec3f03283f95e814d084a2769be

  • SHA1

    44afeb86f4d8bfdd8cf49843fc79dc5c5f3d5cb8

  • SHA256

    20f245865bcfc518bf44fa8b1bbfa3c91724ed003d65c5002f9823deddad6d6c

  • SHA512

    93cb5e28494193f0bec93877bfbefda33b71a61fb3d113e20e3f3bf905bc7b530e057218d6ba52c03e13054471c9e8de00e24ecea4747550e209993562d9b29c

  • SSDEEP

    24576:Rc7LqjkLHKx9JYjdK/UmJcgzILePcmVsT+2aicZRDTM1/DEf:RcCkHKxQm9fcmV4+jNZRDsLg

Score
10/10
xenoratdiscoveryrattrojan

Malware Config

Extracted

Family

xenorat

C2

147.185.221.21

Mutex

nd8912d

Attributes
  • delay

    3000

  • install_path

    appdata

  • port

    6663

  • startup_name

    svchost.exe

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 63 IoCs
  • Suspicious use of SendNotifyMessage 62 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aimware_external.exe
    "C:\Users\Admin\AppData\Local\Temp\aimware_external.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1608
    • C:\Users\Admin\AppData\Roaming\XenoManager\aimware_external.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\aimware_external.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1300
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "svchost.exe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp882.tmp" /F
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:3464
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1012,i,3861745594156495651,17595114179815238301,262144 --variations-seed-version --mojo-platform-channel-handle=4300 /prefetch:8
    1⤵
      PID:736
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /7
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3968
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:876

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aimware_external.exe.log
        Filesize

        226B

        MD5

        916851e072fbabc4796d8916c5131092

        SHA1

        d48a602229a690c512d5fdaf4c8d77547a88e7a2

        SHA256

        7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

        SHA512

        07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp882.tmp
        Filesize

        1KB

        MD5

        ade2f76cf60ab21525613c520968ba41

        SHA1

        78ed066a74d588210e54961257b0230042e7b677

        SHA256

        2c9717fc12ed82542da3863e0e43dbe7b71862c7cca9419312539b0c7720b59b

        SHA512

        78f83f3eee33a448f0712fb192cf0b185ad6cb52d9c1d292078bb4f29f2e4d52a8e7568bb41c4b7d34b53bf10589c4c4b2c3ed37defbb44e53e906fd9a797ee2

        Download Submit

      • C:\Users\Admin\AppData\Roaming\XenoManager\aimware_external.exe
        Filesize

        1.1MB

        MD5

        f3726ec3f03283f95e814d084a2769be

        SHA1

        44afeb86f4d8bfdd8cf49843fc79dc5c5f3d5cb8

        SHA256

        20f245865bcfc518bf44fa8b1bbfa3c91724ed003d65c5002f9823deddad6d6c

        SHA512

        93cb5e28494193f0bec93877bfbefda33b71a61fb3d113e20e3f3bf905bc7b530e057218d6ba52c03e13054471c9e8de00e24ecea4747550e209993562d9b29c

        Download Submit

      • memory/1300-19-0x0000000002D10000-0x0000000002D11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1300-49-0x0000000000370000-0x0000000000722000-memory.dmp

        Filesize

        3.7MB

        Download

      • memory/1300-18-0x0000000000370000-0x0000000000722000-memory.dmp

        Filesize

        3.7MB

        Download

      • memory/1300-47-0x0000000000370000-0x0000000000722000-memory.dmp

        Filesize

        3.7MB

        Download

      • memory/1300-46-0x0000000073E30000-0x00000000745E0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1300-45-0x0000000000370000-0x0000000000722000-memory.dmp

        Filesize

        3.7MB

        Download

      • memory/1300-48-0x0000000000370000-0x0000000000722000-memory.dmp

        Filesize

        3.7MB

        Download

      • memory/1300-21-0x0000000000370000-0x0000000000722000-memory.dmp

        Filesize

        3.7MB

        Download

      • memory/1300-26-0x0000000073E3E000-0x0000000073E3F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1300-50-0x0000000000370000-0x0000000000722000-memory.dmp

        Filesize

        3.7MB

        Download

      • memory/1300-27-0x0000000000370000-0x0000000000722000-memory.dmp

        Filesize

        3.7MB

        Download

      • memory/1300-28-0x0000000000370000-0x0000000000722000-memory.dmp

        Filesize

        3.7MB

        Download

      • memory/1300-29-0x0000000073E30000-0x00000000745E0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1608-20-0x00000000033E0000-0x00000000033E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1608-0-0x0000000000750000-0x0000000000B02000-memory.dmp

        Filesize

        3.7MB

        Download

      • memory/1608-1-0x00000000033E0000-0x00000000033E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1608-2-0x0000000073E3E000-0x0000000073E3F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1608-3-0x0000000000750000-0x0000000000B02000-memory.dmp

        Filesize

        3.7MB

        Download

      • memory/1608-17-0x0000000000750000-0x0000000000B02000-memory.dmp

        Filesize

        3.7MB

        Download

      • memory/1608-16-0x0000000000750000-0x0000000000B02000-memory.dmp

        Filesize

        3.7MB

        Download

      • memory/3968-43-0x000001DA1B1A0000-0x000001DA1B1A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3968-40-0x000001DA1B1A0000-0x000001DA1B1A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3968-39-0x000001DA1B1A0000-0x000001DA1B1A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3968-38-0x000001DA1B1A0000-0x000001DA1B1A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3968-41-0x000001DA1B1A0000-0x000001DA1B1A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3968-42-0x000001DA1B1A0000-0x000001DA1B1A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3968-33-0x000001DA1B1A0000-0x000001DA1B1A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3968-44-0x000001DA1B1A0000-0x000001DA1B1A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3968-32-0x000001DA1B1A0000-0x000001DA1B1A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3968-34-0x000001DA1B1A0000-0x000001DA1B1A1000-memory.dmp

        Filesize

        4KB

        Download