Malware Analysis Report

2024-10-23 20:25

Sample ID 240904-22p9cszakb
Target f000c7fb9844e917eb223f1a1a8035fc2f95df89625441e18e9666f405d72b20
SHA256 f000c7fb9844e917eb223f1a1a8035fc2f95df89625441e18e9666f405d72b20
Tags: xenorat discovery rat trojan
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256

f000c7fb9844e917eb223f1a1a8035fc2f95df89625441e18e9666f405d72b20

Threat Level: Known bad

The file f000c7fb9844e917eb223f1a1a8035fc2f95df89625441e18e9666f405d72b20 was found to be: Known bad.

Malicious Activity Summary

xenorat discovery rat trojan

XenorRat

Xenorat family

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-04 23:04

Signatures

Xenorat family

xenorat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-04 23:04

Reported

2024-09-04 23:07

Platform

win7-20240903-en

Max time kernel

120s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f000c7fb9844e917eb223f1a1a8035fc2f95df89625441e18e9666f405d72b20.exe"

Signatures

XenorRat

trojan rat xenorat

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f000c7fb9844e917eb223f1a1a8035fc2f95df89625441e18e9666f405d72b20.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\XenoManager\f000c7fb9844e917eb223f1a1a8035fc2f95df89625441e18e9666f405d72b20.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2716 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\f000c7fb9844e917eb223f1a1a8035fc2f95df89625441e18e9666f405d72b20.exe | C:\Users\Admin\AppData\Local\Temp\XenoManager\f000c7fb9844e917eb223f1a1a8035fc2f95df89625441e18e9666f405d72b20.exe
PID 2716 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\f000c7fb9844e917eb223f1a1a8035fc2f95df89625441e18e9666f405d72b20.exe | C:\Users\Admin\AppData\Local\Temp\XenoManager\f000c7fb9844e917eb223f1a1a8035fc2f95df89625441e18e9666f405d72b20.exe
PID 2716 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\f000c7fb9844e917eb223f1a1a8035fc2f95df89625441e18e9666f405d72b20.exe | C:\Users\Admin\AppData\Local\Temp\XenoManager\f000c7fb9844e917eb223f1a1a8035fc2f95df89625441e18e9666f405d72b20.exe
PID 2716 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\f000c7fb9844e917eb223f1a1a8035fc2f95df89625441e18e9666f405d72b20.exe | C:\Users\Admin\AppData\Local\Temp\XenoManager\f000c7fb9844e917eb223f1a1a8035fc2f95df89625441e18e9666f405d72b20.exe
PID 2780 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\XenoManager\f000c7fb9844e917eb223f1a1a8035fc2f95df89625441e18e9666f405d72b20.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2780 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\XenoManager\f000c7fb9844e917eb223f1a1a8035fc2f95df89625441e18e9666f405d72b20.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2780 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\XenoManager\f000c7fb9844e917eb223f1a1a8035fc2f95df89625441e18e9666f405d72b20.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2780 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\XenoManager\f000c7fb9844e917eb223f1a1a8035fc2f95df89625441e18e9666f405d72b20.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f000c7fb9844e917eb223f1a1a8035fc2f95df89625441e18e9666f405d72b20.exe

"C:\Users\Admin\AppData\Local\Temp\f000c7fb9844e917eb223f1a1a8035fc2f95df89625441e18e9666f405d72b20.exe"

C:\Users\Admin\AppData\Local\Temp\XenoManager\f000c7fb9844e917eb223f1a1a8035fc2f95df89625441e18e9666f405d72b20.exe

"C:\Users\Admin\AppData\Local\Temp\XenoManager\f000c7fb9844e917eb223f1a1a8035fc2f95df89625441e18e9666f405d72b20.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "Steam_Service" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9F8A.tmp" /F

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | syfhnuc714-20814.portmap.host | udp
DE | 193.161.193.99:8080 | syfhnuc714-20814.portmap.host | tcp
DE | 193.161.193.99:8080 | syfhnuc714-20814.portmap.host | tcp

Files

memory/2716-0-0x00000000746BE000-0x00000000746BF000-memory.dmp

memory/2716-1-0x0000000000B50000-0x0000000000B62000-memory.dmp

\Users\Admin\AppData\Local\Temp\XenoManager\f000c7fb9844e917eb223f1a1a8035fc2f95df89625441e18e9666f405d72b20.exe

MD5 caed2f9a1430222267c829424048a584
SHA1 22efb3b0d0bef8ded5920b053b3bb318eb1c2c3f
SHA256 f000c7fb9844e917eb223f1a1a8035fc2f95df89625441e18e9666f405d72b20
SHA512 983a371077305af97c46f30da531e4fe88181451496956d6b6871896e858568249bad33a69905a40c7619056dd6a4d2820c1bc3f88379dfee80577b2274231ba

memory/2780-9-0x000000007370E000-0x000000007370F000-memory.dmp

memory/2780-10-0x0000000000EB0000-0x0000000000EC2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9F8A.tmp

MD5 3f79eaca94797a4e2cab6fec406ea0d6
SHA1 bf76c72cbd1e06567436e1bc9e54137a6289a530
SHA256 16ff13377a1a8f46b36ac2727bdba9db22fa4da445403ff0af3e029d7ce43295
SHA512 bf170d67e60805156a61765ceaef41eb25449bba0ff799443b8d48e14a64fcdb4a64a818c33f70d546677e23dd69e6f13473d74c06479c40ff7ce114b170e3e4

memory/2780-13-0x0000000073700000-0x0000000073DEE000-memory.dmp

memory/2780-14-0x000000007370E000-0x000000007370F000-memory.dmp

memory/2780-15-0x0000000073700000-0x0000000073DEE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-04 23:04

Reported

2024-09-04 23:07

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f000c7fb9844e917eb223f1a1a8035fc2f95df89625441e18e9666f405d72b20.exe"

Signatures

XenorRat

trojan rat xenorat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f000c7fb9844e917eb223f1a1a8035fc2f95df89625441e18e9666f405d72b20.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f000c7fb9844e917eb223f1a1a8035fc2f95df89625441e18e9666f405d72b20.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\XenoManager\f000c7fb9844e917eb223f1a1a8035fc2f95df89625441e18e9666f405d72b20.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f000c7fb9844e917eb223f1a1a8035fc2f95df89625441e18e9666f405d72b20.exe

"C:\Users\Admin\AppData\Local\Temp\f000c7fb9844e917eb223f1a1a8035fc2f95df89625441e18e9666f405d72b20.exe"

C:\Users\Admin\AppData\Local\Temp\XenoManager\f000c7fb9844e917eb223f1a1a8035fc2f95df89625441e18e9666f405d72b20.exe

"C:\Users\Admin\AppData\Local\Temp\XenoManager\f000c7fb9844e917eb223f1a1a8035fc2f95df89625441e18e9666f405d72b20.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "Steam_Service" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9683.tmp" /F

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | syfhnuc714-20814.portmap.host | udp
DE | 193.161.193.99:8080 | syfhnuc714-20814.portmap.host | tcp
US | 8.8.8.8:53 | 99.193.161.193.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp
DE | 193.161.193.99:8080 | syfhnuc714-20814.portmap.host | tcp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp

Files

memory/4324-0-0x000000007489E000-0x000000007489F000-memory.dmp

memory/4324-1-0x00000000006B0000-0x00000000006C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XenoManager\f000c7fb9844e917eb223f1a1a8035fc2f95df89625441e18e9666f405d72b20.exe

MD5 caed2f9a1430222267c829424048a584
SHA1 22efb3b0d0bef8ded5920b053b3bb318eb1c2c3f
SHA256 f000c7fb9844e917eb223f1a1a8035fc2f95df89625441e18e9666f405d72b20
SHA512 983a371077305af97c46f30da531e4fe88181451496956d6b6871896e858568249bad33a69905a40c7619056dd6a4d2820c1bc3f88379dfee80577b2274231ba

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\f000c7fb9844e917eb223f1a1a8035fc2f95df89625441e18e9666f405d72b20.exe.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

memory/3840-15-0x0000000074890000-0x0000000075040000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9683.tmp

MD5 3f79eaca94797a4e2cab6fec406ea0d6
SHA1 bf76c72cbd1e06567436e1bc9e54137a6289a530
SHA256 16ff13377a1a8f46b36ac2727bdba9db22fa4da445403ff0af3e029d7ce43295
SHA512 bf170d67e60805156a61765ceaef41eb25449bba0ff799443b8d48e14a64fcdb4a64a818c33f70d546677e23dd69e6f13473d74c06479c40ff7ce114b170e3e4

memory/4324-18-0x000000007489E000-0x000000007489F000-memory.dmp

memory/3840-19-0x0000000074890000-0x0000000075040000-memory.dmp

memory/3840-20-0x0000000074890000-0x0000000075040000-memory.dmp