Analysis
max time kernel: 150s
max time network: 149s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 02-09-2024 07:55
Behavioral task: behavioral1
Sample: con.exe
Resource: win7-20240729-en
General
Target: con.exe
Size: 46KB
MD5: 9e9de34664b5fef539593d23c6a4bc5b
SHA1: 78f446658ac0fa6d3be493204a2a01321fada36d
SHA256: a11fd0b4c7ac78c9ac8e4e1210ac8a5964703bf9a4e849e58e6b2d217c87f8ed
SHA512: e449331af199801ce8919893c59842d63e3aef69d083500adaa32e56a4fb6f9f6f2523b3e3a9b01b30883d105a27d7c62cd13b2ec4cc6199741ce6c87f91d749
SSDEEP: 768:DdhO/poiiUcjlJInNCH9Xqk5nWEZ5SbTDa2uI7CPW5d:Rw+jjgn8H9XqcnW85SbTLuI1
Malware Config
Extracted
Family: xenorat
C2: grand-merchants.gl.at.ply.gg
Mutex: Xeno_rat_nd8912d
Attributes:
- delay: 5000
- install_path: appdata
- port: 15148
- startup_name: svconhost
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid 2928  payload.exe
- Loads dropped DLL (1 IoCs)
  Processes:
    pid 1316  payload.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process: payload.exe
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process: payload.exe
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process: schtasks.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid 2928  payload.exe  (64 identical events)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    Token: SeDebugPrivilege  pid 2928  payload.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    PID 1316 wrote to memory of 2928  payload.exe -> payload.exe  (4 events)
    PID 2928 wrote to memory of 2760  payload.exe -> schtasks.exe  (4 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\payload.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\payload.exe"
   PID: 1316
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\XenoManager\payload.exe
      Command line: "C:\Users\Admin\AppData\Roaming\XenoManager\payload.exe"
      PID: 2928
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\schtasks.exe
         Command line: "schtasks.exe" /Create /TN "svconhost" /XML "C:\Users\Admin\AppData\Local\Temp\tmp754F.tmp" /F
         PID: 2760
         - System Location Discovery: System Language Discovery
         - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: e57677ada19ddcf2202f85832c29e60f
  SHA1: b9f6f97c8ba50a466027a1ccde803359fb4a0bfe
  SHA256: 7b84079af43fae4605a8ac01fb76591f40399e4d6fe8e11b966bc6c210bd55b9
  SHA512: 577e46e2d6c22a0f4e568608ec3397270758042bc39225e0818d17cf05ea5621e8b9d13146a3845fac9df5dcc7f485da0d640be3a241402b1148248458baa9a2
- Filesize: 46KB
  MD5: 9e9de34664b5fef539593d23c6a4bc5b
  SHA1: 78f446658ac0fa6d3be493204a2a01321fada36d
  SHA256: a11fd0b4c7ac78c9ac8e4e1210ac8a5964703bf9a4e849e58e6b2d217c87f8ed
  SHA512: e449331af199801ce8919893c59842d63e3aef69d083500adaa32e56a4fb6f9f6f2523b3e3a9b01b30883d105a27d7c62cd13b2ec4cc6199741ce6c87f91d749