Analysis Overview
SHA256: f000c7fb9844e917eb223f1a1a8035fc2f95df89625441e18e9666f405d72b20
Threat Level: Known bad
The file MemoryReduct.exe was found to be: Known bad.
Malicious Activity Summary
XenorRat
Xenorat family
Checks computer location settings
Executes dropped EXE
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Modifies data under HKEY_USERS
Scheduled Task/Job: Scheduled Task
Checks SCSI registry key(s)
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-09-04 22:57
Signatures
Xenorat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-09-04 22:57
Reported: 2024-09-04 23:03
Platform: win10v2004-20240802-en
Max time kernel: 299s
Max time network: 293s
Command Line
Signatures
XenorRat
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\MemoryReduct.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XenoManager\MemoryReduct.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MemoryReduct.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\XenoManager\MemoryReduct.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\dwm.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\dwm.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2740 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\MemoryReduct.exe | C:\Users\Admin\AppData\Local\Temp\XenoManager\MemoryReduct.exe |
| PID 2280 wrote to memory of 3988 | N/A | C:\Users\Admin\AppData\Local\Temp\XenoManager\MemoryReduct.exe | C:\Windows\SysWOW64\schtasks.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\MemoryReduct.exe
"C:\Users\Admin\AppData\Local\Temp\MemoryReduct.exe"
C:\Users\Admin\AppData\Local\Temp\XenoManager\MemoryReduct.exe
"C:\Users\Admin\AppData\Local\Temp\XenoManager\MemoryReduct.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "Steam_Service" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCC39.tmp" /F
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\dwm.exe
"dwm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | syfhnuc714-20814.portmap.host | udp |
| DE | 193.161.193.99:8080 | syfhnuc714-20814.portmap.host | tcp |
| US | 8.8.8.8:53 | 99.193.161.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
memory/2740-0-0x0000000074F7E000-0x0000000074F7F000-memory.dmp
memory/2740-1-0x0000000000F70000-0x0000000000F82000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XenoManager\MemoryReduct.exe
| MD5 | caed2f9a1430222267c829424048a584 |
| SHA1 | 22efb3b0d0bef8ded5920b053b3bb318eb1c2c3f |
| SHA256 | f000c7fb9844e917eb223f1a1a8035fc2f95df89625441e18e9666f405d72b20 |
| SHA512 | 983a371077305af97c46f30da531e4fe88181451496956d6b6871896e858568249bad33a69905a40c7619056dd6a4d2820c1bc3f88379dfee80577b2274231ba |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MemoryReduct.exe.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
memory/2280-15-0x0000000074F70000-0x0000000075720000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpCC39.tmp
| MD5 | f19f1842080f84c0f1143a3295fb8f4a |
| SHA1 | b8848554a4038ce61c1296b41f9df46e1dcd4b9b |
| SHA256 | 922964968966fd11df7b407f053b644b0c6a39ae4f52bb27b17ad429a9d339bf |
| SHA512 | b380dec30742065ab749430841df1f65fcd7235ebbf97fb73ddfe315faa20a11941c17e755de5cdbae48ce1f598b045c3cad7057cd800c548b6f1ee2ed7e329c |