xenorat | e20a68d2f697e867867fa7a54688b02d80f7703a4134747fb1c4f90068cd76c6

Analysis

max time kernel
133s
max time network
141s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
03-09-2024 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svc.exe
Size

45KB
MD5

75cf1faac1fbab522db5273d2916eb02
SHA1

b3ede9b5b70d9742a576c6f8e70e3961a24612a8
SHA256

e20a68d2f697e867867fa7a54688b02d80f7703a4134747fb1c4f90068cd76c6
SHA512

ab2946a0f8d00b66f5a0e86573eb129c3a536ae36351144f51ed6857be975a14d02b0a6df1ab9172a251fbf88baa976ecef3410e45fa4bb2ea406c2c9edbd1e2
SSDEEP

768:hdhO/poiiUcjlJInUbqmH9Xqk5nWEZ5SbTDawWI7CPW5K:fw+jjgnWH9XqcnW85SbThWIS

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

10.200.166.240

Mutex

svchost

Attributes

delay
5000
install_path
appdata
port
4895
startup_name
svchost.exe

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Executes dropped EXE 1 IoCs

pid	Process
3152	svc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4224	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 3152	4796	svc.exe	80
PID 4796 wrote to memory of 3152	4796	svc.exe	80
PID 4796 wrote to memory of 3152	4796	svc.exe	80
PID 3152 wrote to memory of 4224	3152	svc.exe	82
PID 3152 wrote to memory of 4224	3152	svc.exe	82
PID 3152 wrote to memory of 4224	3152	svc.exe	82

C:\Users\Admin\AppData\Local\Temp\svc.exe
"C:\Users\Admin\AppData\Local\Temp\svc.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Users\Admin\AppData\Roaming\XenoManager\svc.exe
  "C:\Users\Admin\AppData\Roaming\XenoManager\svc.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3152
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "svchost.exe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9ED0.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svc.exe.log

Filesize
226B

MD5
1294de804ea5400409324a82fdc7ec59

SHA1
9a39506bc6cadf99c1f2129265b610c69d1518f7

SHA256
494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0

SHA512
033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9ED0.tmp

Filesize
1KB

MD5
94cd31e71f57eb3085536d649796ff66

SHA1
3705ddb2045ae6c6934050d50187fd2ba27f6924

SHA256
9f17cee5a66d0bbfddaf89cf99687c101081c0036adc6605b421552b6d075964

SHA512
9ff3c9c785823aaf7f269c4eef442180a3a31a865ded4efe746aa6bead40c2d28cbee9515dd8848547d164dca6d13dc4dc5a18112d7be554d7515e180ac8e83f

Download Submit
C:\Users\Admin\AppData\Roaming\XenoManager\svc.exe

Filesize
45KB

MD5
75cf1faac1fbab522db5273d2916eb02

SHA1
b3ede9b5b70d9742a576c6f8e70e3961a24612a8

SHA256
e20a68d2f697e867867fa7a54688b02d80f7703a4134747fb1c4f90068cd76c6

SHA512
ab2946a0f8d00b66f5a0e86573eb129c3a536ae36351144f51ed6857be975a14d02b0a6df1ab9172a251fbf88baa976ecef3410e45fa4bb2ea406c2c9edbd1e2

Download Submit
memory/3152-15-0x0000000074B30000-0x00000000752E1000-memory.dmp

Filesize
7.7MB

Download
memory/3152-16-0x0000000074B30000-0x00000000752E1000-memory.dmp

Filesize
7.7MB

Download
memory/3152-19-0x0000000074B30000-0x00000000752E1000-memory.dmp

Filesize
7.7MB

Download
memory/3152-20-0x0000000074B30000-0x00000000752E1000-memory.dmp

Filesize
7.7MB

Download
memory/4796-0-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

Filesize
4KB

Download
memory/4796-1-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads