Analysis

max time kernel: 144s
max time network: 146s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 04-09-2024 14:19

Static task: static1
Behavioral task: behavioral1
Sample: BakiyeOdemesi.exe
Resource: win7-20240903-en
General

Target: BakiyeOdemesi.exe
Size: 311KB
MD5: 24e9bc794e235d1c01d3a8e64352c9bf
SHA1: e3cfd7882fd7e2b05beeaa61637c1f53493710ce
SHA256: 66769b2562d5f335a8ea0279d98cfedfb1b1f980006d70f0a9aaf498235b97f5
SHA512: 2180ca9ec3482c8f92ee4b144a82c15f79ba078a7931dbd96fa7deb411d56ef2021c4c1bce2236dbb7a4a1eba51186a8cda1288e6c3072895c256c7b48bec673
SSDEEP: 6144:GpuUhxq8skkdM+22p1jdaCGICn+wV6aAOphyPMWSI:GQmRNQrE0aAOphyPMWX
Malware Config

Extracted
Family: xenorat
154.216.17.155
Xeno_rat_nd8912d
delay: 50000
install_path: appdata
port: 1357
startup_name: crsr
Signatures

Executes dropped EXE (3 IoCs)
Processes (pid, process):
2268 BakiyeOdemesi.exe
2696 BakiyeOdemesi.exe
2760 BakiyeOdemesi.exe

Loads dropped DLL (3 IoCs)
Processes (pid, process):
2632 BakiyeOdemesi.exe
2268 BakiyeOdemesi.exe
2268 BakiyeOdemesi.exe

Suspicious use of SetThreadContext (4 IoCs)
Processes (description; pid, process, target process):
PID 584 set thread context of 2632; 584 BakiyeOdemesi.exe -> BakiyeOdemesi.exe
PID 584 set thread context of 2092; 584 BakiyeOdemesi.exe -> BakiyeOdemesi.exe
PID 2268 set thread context of 2696; 2268 BakiyeOdemesi.exe -> BakiyeOdemesi.exe
PID 2268 set thread context of 2760; 2268 BakiyeOdemesi.exe -> BakiyeOdemesi.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description; ioc; process):
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; BakiyeOdemesi.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; BakiyeOdemesi.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; BakiyeOdemesi.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; BakiyeOdemesi.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; schtasks.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; BakiyeOdemesi.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description; pid, process):
Token: SeDebugPrivilege; 584 BakiyeOdemesi.exe
Token: SeDebugPrivilege; 2268 BakiyeOdemesi.exe

Suspicious use of WriteProcessMemory (44 IoCs)
Processes (description; pid, process, target process; number of occurrences):
PID 584 wrote to memory of 2632; 584 BakiyeOdemesi.exe -> BakiyeOdemesi.exe; 9 times
PID 584 wrote to memory of 2092; 584 BakiyeOdemesi.exe -> BakiyeOdemesi.exe; 9 times
PID 2632 wrote to memory of 2268; 2632 BakiyeOdemesi.exe -> BakiyeOdemesi.exe; 4 times
PID 2268 wrote to memory of 2696; 2268 BakiyeOdemesi.exe -> BakiyeOdemesi.exe; 9 times
PID 2268 wrote to memory of 2760; 2268 BakiyeOdemesi.exe -> BakiyeOdemesi.exe; 9 times
PID 2760 wrote to memory of 1588; 2760 BakiyeOdemesi.exe -> schtasks.exe; 4 times
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe"
  PID: 584
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe
    PID: 2632
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe
      Command line: "C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe"
      PID: 2268
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe
        Command line: C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe
        PID: 2696
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

      Level 4: C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe
        Command line: C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe
        PID: 2760
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        Level 5: C:\Windows\SysWOW64\schtasks.exe
          Command line: "schtasks.exe" /Create /TN "crsr" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA083.tmp" /F
          PID: 1588
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task

  Level 2: C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe
    PID: 2092
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: a6f5372613169b2900a4f059282ba086
SHA1: 4b43185e6c983b1807ad525d2c4c5b8d4529fb28
SHA256: a44343c344ed6d4e99e52eafa5ef6341c0723b59e1cc592017b5608d524931c9
SHA512: a38da48f69cabffdeb0d049f73e1365a3603c1b132e993c6a1a8a58f122cf5d324245097e49d8fe6e3c23059108f83123f67afb1e65966c823d9e0ca13d61c4e

Filesize: 311KB
MD5: 24e9bc794e235d1c01d3a8e64352c9bf
SHA1: e3cfd7882fd7e2b05beeaa61637c1f53493710ce
SHA256: 66769b2562d5f335a8ea0279d98cfedfb1b1f980006d70f0a9aaf498235b97f5
SHA512: 2180ca9ec3482c8f92ee4b144a82c15f79ba078a7931dbd96fa7deb411d56ef2021c4c1bce2236dbb7a4a1eba51186a8cda1288e6c3072895c256c7b48bec673