Analysis Overview
SHA256
8c50b01988e0e4134e623d602f82c33c22add9e337cf403a590288ad95711031
Threat Level: Known bad
The file Fixer.rar was found to be: Known bad.
Malicious Activity Summary
Xenorat family
XenorRat
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
Browser Information Discovery
System Location Discovery: System Language Discovery
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-01 10:19
Signatures
Xenorat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-01 10:19
Reported
2024-09-01 10:28
Platform
win7-20240729-en
Max time kernel
199s
Max time network
317s
Command Line
Signatures
XenorRat
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Fixer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Fixer\Fixer.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\XenoManager\Fixer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Fixer\Fixer.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Fixer\Fixer.exe
"C:\Users\Admin\AppData\Local\Temp\Fixer\Fixer.exe"
C:\Users\Admin\AppData\Roaming\XenoManager\Fixer.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\Fixer.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "System-33" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAFDF.tmp" /F
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6fb9758,0x7fef6fb9768,0x7fef6fb9778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1204 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1540 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1636 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2320 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2328 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2792 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1464 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3636 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3644 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3252 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2108 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1772 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=1032 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=1036 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2636 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=2084 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3596 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=3548 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=3432 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=3484 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=2728 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1408 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:69 | | tcp |
| N/A | 127.0.0.1:69 | | tcp |
| N/A | 127.0.0.1:69 | | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.179.228:443 | www.google.com | tcp |
| GB | 142.250.179.228:443 | www.google.com | udp |
| N/A | 224.0.0.251:5353 | | udp |
| N/A | 127.0.0.1:69 | | tcp |
| N/A | 127.0.0.1:69 | | tcp |
| US | 8.8.8.8:53 | beacons.gcp.gvt2.com | udp |
| GB | 172.217.169.67:443 | beacons.gcp.gvt2.com | tcp |
| N/A | 127.0.0.1:69 | | tcp |
| US | 8.8.8.8:53 | www.meadiafire.com | udp |
| US | 208.91.196.105:443 | www.meadiafire.com | tcp |
| US | 208.91.196.105:443 | www.meadiafire.com | tcp |
| US | 208.91.196.105:443 | www.meadiafire.com | tcp |
| GB | 142.250.178.3:80 | www.gstatic.com | tcp |
| GB | 172.217.169.67:443 | beacons.gcp.gvt2.com | udp |
| N/A | 127.0.0.1:69 | | tcp |
| US | 208.91.196.105:443 | www.meadiafire.com | tcp |
| US | 208.91.196.105:443 | www.meadiafire.com | tcp |
| US | 208.91.196.105:443 | www.meadiafire.com | tcp |
| US | 208.91.196.105:443 | www.meadiafire.com | tcp |
| GB | 142.250.178.3:80 | www.gstatic.com | tcp |
| US | 208.91.196.105:443 | www.meadiafire.com | tcp |
| GB | 142.250.179.228:443 | www.google.com | udp |
| US | 208.91.196.105:443 | www.meadiafire.com | tcp |
| US | 208.91.196.105:443 | www.meadiafire.com | tcp |
| US | 8.8.8.8:53 | www.mediafire.com | udp |
| US | 104.17.151.117:443 | www.mediafire.com | tcp |
| US | 104.17.151.117:443 | www.mediafire.com | tcp |
| N/A | 127.0.0.1:69 | | tcp |
| US | 104.17.151.117:443 | www.mediafire.com | tcp |
| US | 104.17.151.117:443 | www.mediafire.com | tcp |
| US | 104.17.151.117:443 | www.mediafire.com | tcp |
| US | 8.8.8.8:53 | ajax.googleapis.com | udp |
| US | 8.8.8.8:53 | static.mediafire.com | udp |
| GB | 216.58.201.106:443 | ajax.googleapis.com | tcp |
| US | 104.17.151.117:443 | static.mediafire.com | tcp |
| US | 104.17.151.117:443 | static.mediafire.com | tcp |
| US | 104.17.151.117:443 | static.mediafire.com | tcp |
| US | 104.17.151.117:443 | static.mediafire.com | tcp |
| US | 104.17.151.117:443 | static.mediafire.com | tcp |
| US | 104.17.151.117:443 | static.mediafire.com | tcp |
| US | 104.17.151.117:443 | static.mediafire.com | tcp |
| US | 104.17.151.117:443 | static.mediafire.com | tcp |
| US | 104.17.151.117:443 | static.mediafire.com | tcp |
| US | 8.8.8.8:53 | static.cloudflareinsights.com | udp |
| US | 104.16.79.73:443 | static.cloudflareinsights.com | tcp |
| US | 104.17.151.117:443 | static.mediafire.com | tcp |
| US | 104.17.151.117:443 | static.mediafire.com | tcp |
| US | 104.17.151.117:443 | static.mediafire.com | tcp |
| US | 104.17.151.117:443 | static.mediafire.com | tcp |
| US | 104.17.151.117:443 | static.mediafire.com | tcp |
| US | 104.17.151.117:443 | static.mediafire.com | tcp |
| US | 104.17.151.117:443 | static.mediafire.com | tcp |
| US | 104.17.151.117:443 | static.mediafire.com | tcp |
| US | 104.17.151.117:443 | static.mediafire.com | tcp |
| US | 8.8.8.8:53 | translate.google.com | udp |
| GB | 172.217.169.14:443 | translate.google.com | tcp |
| US | 104.17.151.117:443 | static.mediafire.com | tcp |
| US | 104.17.151.117:443 | static.mediafire.com | tcp |
| US | 104.17.151.117:443 | static.mediafire.com | tcp |
| US | 8.8.8.8:53 | translate.googleapis.com | udp |
| GB | 142.250.187.202:443 | translate.googleapis.com | tcp |
| N/A | 127.0.0.1:69 | | tcp |
| N/A | 127.0.0.1:69 | | tcp |
| N/A | 127.0.0.1:69 | | tcp |
| N/A | 127.0.0.1:69 | | tcp |
| N/A | 127.0.0.1:69 | | tcp |
| N/A | 127.0.0.1:69 | | tcp |
| N/A | 127.0.0.1:69 | | tcp |
| N/A | 127.0.0.1:69 | | tcp |
| N/A | 127.0.0.1:69 | | tcp |
| N/A | 127.0.0.1:69 | | tcp |
Files
memory/2136-0-0x000000007471E000-0x000000007471F000-memory.dmp
memory/2136-1-0x0000000000930000-0x0000000000942000-memory.dmp
C:\Users\Admin\AppData\Roaming\XenoManager\Fixer.exe
| MD5 | 5ef7344600895b2f13d5d8e44537d946 |
| SHA1 | bdf05e86b0c923a0c1edead40cc50819b185d4c0 |
| SHA256 | 50866224673bc35d89ba701eaf3e794f452fecf308e9fab36be21fe8c486a9d0 |
| SHA512 | 9563e4b2c98e3ccc8b47c9739a9a74680c9782f1bd18d67c80fb5f85e6bc667df72978b3d7858ddb30ba522d574215b720a2792b7e9e6d34759d0cdc2eb43c69 |
memory/2036-9-0x000000007402E000-0x000000007402F000-memory.dmp
memory/2036-10-0x0000000000130000-0x0000000000142000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpAFDF.tmp
| MD5 | 2ab093f77a33e7004e362f78c87763a8 |
| SHA1 | 2a4dcef9285dd583a33c1c5195cac7a37daee193 |
| SHA256 | 4691f336ef4ce21e9f11416ab10393a8d4760db2025cfc0bd59acc25e018e234 |
| SHA512 | 343b32e2048b259717e04dd98ef8900f3951ca79169947f1ed642b76965d95d517bd5a7878897aee21bd4350ac96aa1240e9d7e86e0fb53b05e28da716e95d3f |
memory/2036-13-0x0000000074020000-0x000000007470E000-memory.dmp
memory/2036-14-0x0000000074020000-0x000000007470E000-memory.dmp
memory/2680-15-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2680-16-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2680-17-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2680-18-0x0000000140000000-0x00000001405E8000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
\??\pipe\crashpad_2092_VSPKZTCZQVUODOJJ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 913e4def61d919c48868f4a343d8ca85 |
| SHA1 | da6d9e7c8b861cce579b4836057bb604918fd884 |
| SHA256 | 076d3788d57af46f43cb3f0f62081d604e98310273b950511c0b889ae8deec08 |
| SHA512 | 08eb25423d0a99b108ba1a0648b47b06ed56f4b83e012d49affe79282b41dba80aea9f9489578925cbd2e92152662ec6dce33f85f244ec399f2109947bbabea4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 0524ed74bc29de3b44a1a736b39af1d6 |
| SHA1 | 3e76be7865e90cda6214951a1729c39ed519ae3a |
| SHA256 | 2fad702775fb4521d9dbb2e45f62b8df5249a54cc8ae06b114eb5d96cf9cf50c |
| SHA512 | 9be602d71e5241f259d520d52d47fc03b4e0778d33889497cb0a795607f19d1c8747994b0312bfac2cc50bbdae65c9312488785a3441f6166654ee3e0a3f05b5 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\fc8d8cd1-90d4-4b93-9145-bdfbc0b4bd39.tmp
| MD5 | 77ba4ca0a41e32a12b32e94e35c1a0bb |
| SHA1 | f51e2cdeade3e3d0af57eb4bdbd18b914405c8d6 |
| SHA256 | 5e5f8babfaf081ce7838732fa4f95669c0b141ebf2667d47a0813b388df02370 |
| SHA512 | d20184a51a45015fde18a6ff4cfc3268e7ef5101b38ffaec4d89cb48aaba68667ed4ff9e33c430ab38ca5ffc1833a5cc16e63c40f0afdde3d4c6c7818b517779 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | a44858dd1695b04d7f9f6db6ba26307e |
| SHA1 | dfee5a431e0267e2f5353609e483389588f82cbe |
| SHA256 | b338328967ee25ae3e7b5602dbd4d2478b4843a56679d1dd72089b7c240f53fe |
| SHA512 | 7d32d68f704a153ff31bccfa08170044f0ac0329c925c86d60154d9512d49835c9d7f28779e0368dd6b8b2d366157c72b70221be129629ec5a2b5816637c1b99 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | a7adbaa390a08c4f0acbc31eafe05108 |
| SHA1 | d60ee3951ecec41c475be6623f3b835785d496d1 |
| SHA256 | 64544d5e2b79957f1b05a4f6aecb4216dbe6b1ebbd10a8d3e0b169a8ec509d47 |
| SHA512 | f65e2a00ca4f3727ce4974e9cad535caf4ed1ace64e7ab9410bdfc0f2704dbcc4315d032a3d881fc670107c0f961a5725f25282a1bec89c8bb69df1bddf92929 |
C:\Users\Admin\AppData\Local\Temp\Cab252F.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | e97a79d27b6c848d47a057300484a961 |
| SHA1 | c9964c521d4030fe8252f144d73d8e3fcc3a19fd |
| SHA256 | 787519af7f15d9e16b7873792304b912fcecaf9199fb5998bbb9ca267bf0a6fe |
| SHA512 | 77b26469b79f05b419ef734ee825878908fc5b961ed7b704043cc3f58f74c1a57235710526ed3cd9983c71f6ec1b399a2d7a7cb9eb3ad427def7ef9e6c9e8062 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | cc66a04559056e5750827e417c20487a |
| SHA1 | 7830dbc46ec2044f39b07c62eb6e0314409919bc |
| SHA256 | 00d566ecaa85068fd69a5e449b225f270a391ec4eaaa9ab53f86ccf3e3202b64 |
| SHA512 | 8bb661dc71c0d935b92caf8c2e3513d9a65c1f840964b506f7ab048a60928478936d4f28ab14fd6eb9ba40501ce046266dc576775a86e77a664490d7ce0eb368 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | ef98b4831e8354fe4224cce10f830501 |
| SHA1 | 8ab05cec0b56e9b7b5c4ee39978894954754d841 |
| SHA256 | c7447bb475834c43473b0565b9543cbd63d179d688a01a5a12f427decfd1c555 |
| SHA512 | 5b717055f2092142e1abf568551da6cfe81e9319f49d3762000c9fd77943842d6d06f671fedba78f904690bd75c4a7c007b761770282d8a239bf333c2042fe8d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | 644b3f19c7752240b386aca3aae19e96 |
| SHA1 | 6abaa9206d8753ff79ad8a446be74f588408ec32 |
| SHA256 | 3a74f19bd540bbf5d7a9234ea1dacd5cb4801f63f6ebb4e8cd4a18f522783f0c |
| SHA512 | 2829b1c425f088ab160b527cab8212e921063760bed4aac56b714cd9ddf7649adae8236e9f43dbcab9fa542d2185495af4e95f8b6cf232cab45921c60a7c1123 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 1aab5eeddec5a0435b8b622669860e2b |
| SHA1 | f0b3026e115110067cc87cc87c93464420cebfa3 |
| SHA256 | 7ac36da87e86d2a0e74cbadd546ad762142e22b486fdf56906fc3df9e5cde9de |
| SHA512 | 8ec8b5202eb9f3ea6e5d0aab04c1b745e3f6d44020b413f143bb19825c94b62c5368a3faab6486663ed355285257e22a9089929d38d88777f63d122037a9004d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 9dbc5398e9eede809143c515101d34d2 |
| SHA1 | d75ae74a23b3993379ef8795230f1cebc517bac3 |
| SHA256 | 3164e42f2f6c7b3e833e980eb0b8767a32196d963a68f6abe573d4e11ca6d448 |
| SHA512 | 45068f24bc3d6fecfbe589a99ce66bde1c26d95781427d056469f9e8d47bf4a9cb91f61786c63fb365e4b558a085a848a3b25b8d91ab42f7e43775483403f43b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | a2a0760058608e7667c64973f5c6213a |
| SHA1 | 7ad39c67347bea72e94e0d74c30364d1917d1c81 |
| SHA256 | dda6e4ec24214051e3241cfefc5f30430070d2ed1209d33effc00e17580060ca |
| SHA512 | 72a7ecf0d12e793fdd74a12420c1c13995bb2d7d24374555cb0aa8685ba1d0969b8663562b55529b7666dd98e88670e3b48718586b0e17ca47840d47acf266dc |
C:\Users\Admin\AppData\Local\Temp\TarD58D.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4bb35cd0cc1a1514ec16831e9e143498 |
| SHA1 | ba49f9d485c111c32a333eb14e146ea730496c22 |
| SHA256 | 212b307b6f70768cba939f1c0acacfaf726f261d30fd53220f490c61e3db11df |
| SHA512 | 8d89340cb23f9983853a4c7ad64568083a8b35af142470480e7603c23c2514278a96bf1243d59549b81e87ff09316330ddcdceedcc2c8004e64d8a3156ca0b50 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | ab5273f4bcab5d981fa808ff61652423 |
| SHA1 | f0e778475363bb55e416f0a9989e3375651be28f |
| SHA256 | 09b5c606b2b80e75e3df3f0d0dbce79bc914f74b968a369f7daf2cc27991c5e4 |
| SHA512 | a1637c30ff4e4b2262fc6023f914432050e354e1c903922deaa7c0590fde8388e4d8111145db763a86537ccba93a5fe66645ba37b073ebb5601009b392b3f964 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 658c0a9bfcbe4b310288ea4afec1b1b2 |
| SHA1 | e89505906433a3813d6f70f49f9361a0b82daca9 |
| SHA256 | 7b0580168f11c656722ac6f482b9e231000fa713a2c8e05e4367bc8ffd0d15eb |
| SHA512 | a5e476bbd499d87e8cbe23224c8fc629c00da6898409e96b192430d42e2ecfd40ebf827e1eff1ad552c33c077340c2f4035a448dd578dbc51e81125db75b8221 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\441d58b4-7d81-4a22-82fc-3bfc5ac021fc.tmp
| MD5 | 5e4e772c27b3b8f17384d664d3f90135 |
| SHA1 | 84902dcdf39810594f2db0d9d51df2cbb70befdf |
| SHA256 | b743ddaf2fe264965e9bd363df6504ecb1b1797b5a9da4ac202835ce7d994bb9 |
| SHA512 | e1d1882e6f9481c378ca94a73311b9cc3ba7d1012d5ab979fdc13604a9fcd1061c2281e34dffd259ff3fce3b250c715204186aff84667108d468ab90a86a4af9 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 6fe27b1fd96525a4a6d500672c063121 |
| SHA1 | fa5c21998b643b4c3239bd092d41292b662518ca |
| SHA256 | fe39c4e9b259d95ef7ed3858217d1ca0ff768e5a8640be62c47a5820dbbdbccc |
| SHA512 | b9afae11cb06df21bfe6ac9fe280d61b6bc97281432f8d75c48dc323ce2f495bf12f81fea7c04c62537d041e39dfdbd3069e19f5c6ca1cfca6600aea04f4295a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 7846d5f5a4c13dcec215d8d27eac98e3 |
| SHA1 | 0fd729afb1c5eafef3d63731a758aff102aef355 |
| SHA256 | d9cb8546190623662b87d952078d23b2509515367225d9aef06ba5dff7dcde58 |
| SHA512 | 3b94b983485ced3bb4e1006b65fd7d45ac92009034aaf9f796f262069cbcaf094ef83f498dad849e251e145d87dd66cb9db1e3eb43235079c18c4d1206db9580 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 715bde5af4dbd15b46825ebf6988ed26 |
| SHA1 | db1c72d954ba4cf51af068af1908658150b4a944 |
| SHA256 | b58ff602bc5a69b895690822cd46595f5f70e08d68171b305c38defecdd846a9 |
| SHA512 | 106d1edd41a13777f1a7b76d60a20b98fd9715c955599a8b9087917e3849a839edb508635c0cc5f8dd25a1d0f5ffb6b8e358c608c9aba49ce2ba162ad84f1dec |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-01 10:19
Reported
2024-09-01 10:24
Platform
win10v2004-20240802-en
Max time kernel
293s
Max time network
205s
Command Line
Signatures
XenorRat
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Fixer\Fixer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Fixer.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Fixer\Fixer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\XenoManager\Fixer.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 404 wrote to memory of 3724 | N/A | C:\Users\Admin\AppData\Local\Temp\Fixer\Fixer.exe | C:\Users\Admin\AppData\Roaming\XenoManager\Fixer.exe |
| PID 404 wrote to memory of 3724 | N/A | C:\Users\Admin\AppData\Local\Temp\Fixer\Fixer.exe | C:\Users\Admin\AppData\Roaming\XenoManager\Fixer.exe |
| PID 404 wrote to memory of 3724 | N/A | C:\Users\Admin\AppData\Local\Temp\Fixer\Fixer.exe | C:\Users\Admin\AppData\Roaming\XenoManager\Fixer.exe |
| PID 3724 wrote to memory of 5016 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Fixer.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 3724 wrote to memory of 5016 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Fixer.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 3724 wrote to memory of 5016 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Fixer.exe | C:\Windows\SysWOW64\schtasks.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Fixer\Fixer.exe
"C:\Users\Admin\AppData\Local\Temp\Fixer\Fixer.exe"
C:\Users\Admin\AppData\Roaming\XenoManager\Fixer.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\Fixer.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "System-33" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB5D3.tmp" /F
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 127.0.0.1:69 | | tcp |
| N/A | 127.0.0.1:69 | | tcp |
| N/A | 127.0.0.1:69 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:69 | | tcp |
| N/A | 127.0.0.1:69 | | tcp |
| US | 8.8.8.8:53 | 35.56.20.217.in-addr.arpa | udp |
| N/A | 127.0.0.1:69 | | tcp |
| N/A | 127.0.0.1:69 | | tcp |
| N/A | 127.0.0.1:69 | | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| N/A | 127.0.0.1:69 | | tcp |
| N/A | 127.0.0.1:69 | | tcp |
| N/A | 127.0.0.1:69 | | tcp |
| N/A | 127.0.0.1:69 | | tcp |
| N/A | 127.0.0.1:69 | | tcp |
| N/A | 127.0.0.1:69 | | tcp |
| N/A | 127.0.0.1:69 | | tcp |
| N/A | 127.0.0.1:69 | | tcp |
| N/A | 127.0.0.1:69 | | tcp |
| N/A | 127.0.0.1:69 | | tcp |
| N/A | 127.0.0.1:69 | | tcp |
| N/A | 127.0.0.1:69 | | tcp |
| N/A | 127.0.0.1:69 | | tcp |
| N/A | 127.0.0.1:69 | | tcp |
| N/A | 127.0.0.1:69 | | tcp |
| N/A | 127.0.0.1:69 | | tcp |
| N/A | 127.0.0.1:69 | | tcp |
Files
memory/404-0-0x0000000074E7E000-0x0000000074E7F000-memory.dmp
memory/404-1-0x00000000003E0000-0x00000000003F2000-memory.dmp
C:\Users\Admin\AppData\Roaming\XenoManager\Fixer.exe
| MD5 | 5ef7344600895b2f13d5d8e44537d946 |
| SHA1 | bdf05e86b0c923a0c1edead40cc50819b185d4c0 |
| SHA256 | 50866224673bc35d89ba701eaf3e794f452fecf308e9fab36be21fe8c486a9d0 |
| SHA512 | 9563e4b2c98e3ccc8b47c9739a9a74680c9782f1bd18d67c80fb5f85e6bc667df72978b3d7858ddb30ba522d574215b720a2792b7e9e6d34759d0cdc2eb43c69 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Fixer.exe.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
memory/3724-16-0x0000000074E70000-0x0000000075620000-memory.dmp
memory/3724-17-0x0000000074E70000-0x0000000075620000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpB5D3.tmp
| MD5 | 2ab093f77a33e7004e362f78c87763a8 |
| SHA1 | 2a4dcef9285dd583a33c1c5195cac7a37daee193 |
| SHA256 | 4691f336ef4ce21e9f11416ab10393a8d4760db2025cfc0bd59acc25e018e234 |
| SHA512 | 343b32e2048b259717e04dd98ef8900f3951ca79169947f1ed642b76965d95d517bd5a7878897aee21bd4350ac96aa1240e9d7e86e0fb53b05e28da716e95d3f |
memory/3724-19-0x0000000074E70000-0x0000000075620000-memory.dmp