Analysis
- max time kernel: 142s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-09-2024 14:19

Static task: static1
Behavioral task: behavioral1
- Sample: BakiyeOdemesi.exe
- Resource: win7-20240903-en
General
- Target: BakiyeOdemesi.exe
- Size: 311KB
- MD5: 24e9bc794e235d1c01d3a8e64352c9bf
- SHA1: e3cfd7882fd7e2b05beeaa61637c1f53493710ce
- SHA256: 66769b2562d5f335a8ea0279d98cfedfb1b1f980006d70f0a9aaf498235b97f5
- SHA512: 2180ca9ec3482c8f92ee4b144a82c15f79ba078a7931dbd96fa7deb411d56ef2021c4c1bce2236dbb7a4a1eba51186a8cda1288e6c3072895c256c7b48bec673
- SSDEEP: 6144:GpuUhxq8skkdM+22p1jdaCGICn+wV6aAOphyPMWSI:GQmRNQrE0aAOphyPMWX
Malware Config
Extracted
- family: xenorat
- C2: 154.216.17.155
- mutex: Xeno_rat_nd8912d
- delay: 50000
- install_path: appdata
- port: 1357
- startup_name: crsr
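The extracted config is the most actionable part of this report: a C2 socket, a mutex, a scheduled-task name and an install location. As an added example (not sandbox output and not XenoRAT's own code), the Python below turns those fields into hunt indicators, emits a Suricata rule for the C2 socket, and checks Zeek conn.log records against it. The conn.log records and the Suricata SID are constructed; mapping install_path "appdata" to %APPDATA%\XenoManager is taken from this report's process tree and is an assumption for other samples.

```python
"""Derive hunt-ready indicators from the extracted XenoRAT config and check
constructed Zeek conn.log records against the C2 socket.

Added example for this report; the conn.log records are made up to mirror
the report and are not sandbox output."""
import ipaddress

# Copied from the "Malware Config" section of the report.
XENORAT_CONFIG = {
    "c2": "154.216.17.155",
    "port": 1357,
    "mutex": "Xeno_rat_nd8912d",
    "delay": 50000,
    "install_path": "appdata",
    "startup_name": "crsr",
}

# Where this report's process tree shows the "appdata" install landing.
# Assumption: any other install_path value is treated as a literal path.
INSTALL_DIRS = {"appdata": r"%APPDATA%\XenoManager"}


def indicators_from_config(cfg):
    """Validate the config fields and return the observables to pivot on."""
    ip = ipaddress.ip_address(cfg["c2"])          # ValueError on junk
    port = int(cfg["port"])
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return {
        "c2_ip": str(ip),
        "c2_port": port,
        "c2_is_public": ip.is_global,             # a private C2 would point at a relay or lab
        "mutex": cfg["mutex"],
        "task_name": cfg["startup_name"],
        "install_dir": INSTALL_DIRS.get(cfg["install_path"], cfg["install_path"]),
    }


def suricata_rule(ind, sid):
    """Emit a Suricata rule for the C2 socket (sid is an assumed local value)."""
    return (f'alert tcp $HOME_NET any -> {ind["c2_ip"]} {ind["c2_port"]} '
            f'(msg:"XenoRAT C2 {ind["c2_ip"]}:{ind["c2_port"]}"; flow:to_server; '
            f'sid:{sid}; rev:1;)')


def match_conn_log(records, ind):
    """Return (uid, orig_h) for tab-separated Zeek conn.log records whose
    responder is the C2 socket. Column order assumed:
    ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto ..."""
    hits = []
    for rec in records:
        if not rec or rec.startswith("#"):
            continue
        f = rec.split("\t")
        if len(f) < 7:
            continue
        if f[4] == ind["c2_ip"] and f[5] == str(ind["c2_port"]):
            hits.append((f[1], f[2]))
    return hits


# Constructed records: two contacts with the C2 socket, one unrelated HTTPS flow.
SAMPLE_CONN_LOG = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1725459600.1\tCAbc1\t10.0.0.15\t49712\t154.216.17.155\t1357\ttcp",
    "1725459600.2\tCAbc2\t10.0.0.15\t49713\t93.184.216.34\t443\ttcp",
    "1725459650.3\tCAbc3\t10.0.0.15\t49720\t154.216.17.155\t1357\ttcp",
]

if __name__ == "__main__":
    ind = indicators_from_config(XENORAT_CONFIG)
    print(suricata_rule(ind, 9000001))
    for uid, src in match_conn_log(SAMPLE_CONN_LOG, ind):
        print(f"C2 contact from {src} (uid {uid})")
```

The port is matched as a string because Zeek writes it that way; on a real conn.log the `#fields` header should be read to locate the columns instead of assuming the default order.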
Signatures

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    Key value queried: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation (BakiyeOdemesi.exe)

- Executes dropped EXE (3 IoCs)
  Processes:
    PID 3788 BakiyeOdemesi.exe
    PID 3680 BakiyeOdemesi.exe
    PID 800 BakiyeOdemesi.exe

- Suspicious use of SetThreadContext (4 IoCs)
  Processes:
    PID 2616 (BakiyeOdemesi.exe) set thread context of PID 2100 (BakiyeOdemesi.exe)
    PID 2616 (BakiyeOdemesi.exe) set thread context of PID 2820 (BakiyeOdemesi.exe)
    PID 3788 (BakiyeOdemesi.exe) set thread context of PID 3680 (BakiyeOdemesi.exe)
    PID 3788 (BakiyeOdemesi.exe) set thread context of PID 800 (BakiyeOdemesi.exe)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Program crash (2 IoCs)
  Processes:
    PID 5056 WerFault.exe, target PID 2820 BakiyeOdemesi.exe
    PID 2400 WerFault.exe, target PID 800 BakiyeOdemesi.exe

- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (BakiyeOdemesi.exe, 4 times)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (schtasks.exe)

- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token: SeDebugPrivilege, PID 2616 BakiyeOdemesi.exe
    Token: SeDebugPrivilege, PID 3788 BakiyeOdemesi.exe

- Suspicious use of UnmapMainImage (1 IoC)
  Processes:
    PID 2820 BakiyeOdemesi.exe

- Suspicious use of WriteProcessMemory (38 IoCs)
  Processes (source PID -> target PID, number of writes):
    2616 BakiyeOdemesi.exe -> 2100 BakiyeOdemesi.exe (8)
    2616 BakiyeOdemesi.exe -> 2820 BakiyeOdemesi.exe (8)
    2100 BakiyeOdemesi.exe -> 3788 BakiyeOdemesi.exe (3)
    3788 BakiyeOdemesi.exe -> 3680 BakiyeOdemesi.exe (8)
    3788 BakiyeOdemesi.exe -> 800 BakiyeOdemesi.exe (8)
    3680 BakiyeOdemesi.exe -> 616 schtasks.exe (3)
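Read together, the SetThreadContext and WriteProcessMemory tables describe process hollowing: a parent starts a copy of itself, writes into it and then redirects a thread, and the hollowed copy is what actually runs (it is also the one that drops the %APPDATA% copy and, one level down, launches schtasks). As an added example (not part of the report), the Python below reconstructs that chain from event lines constructed to mirror the tables above; the line format and the CreateProcess rows (taken from the process tree) are assumptions, and the repeated WriteProcessMemory rows are collapsed to one line per pair.

```python
"""Reconstruct the hollowing chain from the report's behavioural signatures.

Added example, not sandbox output. The event lines are constructed from the
SetThreadContext / WriteProcessMemory tables and the process tree."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    op: str          # CreateProcess | WriteProcessMemory | SetThreadContext
    src: int
    src_image: str
    dst: int
    dst_image: str


# Constructed format: "<src_pid> <src_image> <op> <dst_pid> <dst_image>"
SAMPLE_EVENTS = """
2616 BakiyeOdemesi.exe CreateProcess 2100 BakiyeOdemesi.exe
2616 BakiyeOdemesi.exe WriteProcessMemory 2100 BakiyeOdemesi.exe
2616 BakiyeOdemesi.exe SetThreadContext 2100 BakiyeOdemesi.exe
2616 BakiyeOdemesi.exe CreateProcess 2820 BakiyeOdemesi.exe
2616 BakiyeOdemesi.exe WriteProcessMemory 2820 BakiyeOdemesi.exe
2616 BakiyeOdemesi.exe SetThreadContext 2820 BakiyeOdemesi.exe
2100 BakiyeOdemesi.exe CreateProcess 3788 BakiyeOdemesi.exe
2100 BakiyeOdemesi.exe WriteProcessMemory 3788 BakiyeOdemesi.exe
3788 BakiyeOdemesi.exe CreateProcess 3680 BakiyeOdemesi.exe
3788 BakiyeOdemesi.exe WriteProcessMemory 3680 BakiyeOdemesi.exe
3788 BakiyeOdemesi.exe SetThreadContext 3680 BakiyeOdemesi.exe
3788 BakiyeOdemesi.exe CreateProcess 800 BakiyeOdemesi.exe
3788 BakiyeOdemesi.exe WriteProcessMemory 800 BakiyeOdemesi.exe
3788 BakiyeOdemesi.exe SetThreadContext 800 BakiyeOdemesi.exe
3680 BakiyeOdemesi.exe CreateProcess 616 schtasks.exe
3680 BakiyeOdemesi.exe WriteProcessMemory 616 schtasks.exe
"""


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        src, src_image, op, dst, dst_image = line.split()
        events.append(Event(op, int(src), src_image, int(dst), dst_image))
    return events


def find_hollowing(events):
    """Flag (parent, child) pairs where the parent created the child, wrote
    into it and then set a thread context on it: the hollowing sequence
    (create suspended, overwrite the image, point the thread at the payload).
    A write to a freshly created child also shows up for ordinary process
    creation (3680 -> 616 schtasks.exe, 2100 -> 3788 here), so the
    SetThreadContext is the discriminating event."""
    children = set()
    ops = defaultdict(set)
    for e in events:
        if e.op == "CreateProcess":
            children.add((e.src, e.dst))
        else:
            ops[(e.src, e.dst)].add(e.op)
    return sorted(pair for pair, seen in ops.items()
                  if pair in children and {"WriteProcessMemory", "SetThreadContext"} <= seen)


def children_of_hollowed(events, hollowed):
    """Whatever a hollowed process spawns is the injected payload acting: here
    the hollowed Temp copy dropping and running the %APPDATA% copy, and the
    hollowed %APPDATA% copy registering persistence through schtasks."""
    injected = {child for _, child in hollowed}
    return sorted((e.src, e.dst, e.dst_image) for e in events
                  if e.op == "CreateProcess" and e.src in injected)


if __name__ == "__main__":
    ev = parse_events(SAMPLE_EVENTS)
    pairs = find_hollowing(ev)
    for parent, child in pairs:
        print(f"hollowing: {parent} -> {child}")
    for parent, child, image in children_of_hollowed(ev, pairs):
        print(f"spawned from hollowed process: {parent} -> {child} {image}")
```

In this sample every hollowed child shares its parent's image name, which is why the tree looks like the same executable launching itself four times; the same logic applies when the target is a different binary, since the parent/child relation and the two API calls are what matter, not the image name.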
Processes

- [PID 2616] C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe"
  Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [PID 2100] C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe
    Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - [PID 3788] C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe
      Command line: "C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe"
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - [PID 3680] C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe
        Command line: C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - [PID 616] C:\Windows\SysWOW64\schtasks.exe
          Command line: "schtasks.exe" /Create /TN "crsr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4C85.tmp" /F
          Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
      - [PID 800] C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe
        Command line: C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe
        Signatures: Executes dropped EXE
        - [PID 2400] C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 800 -s 80
          Signatures: Program crash
  - [PID 2820] C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe
    Signatures: Suspicious use of UnmapMainImage
    - [PID 5056] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 12
      Signatures: Program crash
- [PID 380] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2820 -ip 2820
- [PID 624] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 800 -ip 800
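The persistence step in the tree is a task import: the hollowed %APPDATA% copy writes a task definition to %TEMP%\tmp4C85.tmp and has schtasks.exe register it as "crsr" (the config's startup_name), with /F to overwrite any existing task of that name. As an added example (not sandbox output), the Python below pulls the task name and XML path out of that command line and triages an imported task definition for the things a responder checks first: what it runs, from where, when, and whether it is hidden. The contents of tmp4C85.tmp are not on the page, so the task XML is constructed and assumes only the Task Scheduler XML schema; the list of user-writable directories is an assumption too.

```python
"""Triage the persistence step from the report: a schtasks /Create ... /XML
command line and the task XML it imports.

Added example, not sandbox output. The command line is the one in the process
tree; the task XML is a constructed stand-in for tmp4C85.tmp."""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories a standard user can write to (assumed list). A task whose action
# lives here survives reboots without the malware ever touching a privileged path.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")

SCHTASKS_CMDLINE = ('"schtasks.exe" /Create /TN "crsr" '
                    '/XML "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp4C85.tmp" /F')

# Constructed stand-in for tmp4C85.tmp. Real exports from schtasks are UTF-16
# with an XML declaration; pass those as bytes and ET honours the BOM.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden><StartWhenAvailable>true</StartWhenAvailable></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\Admin\\AppData\\Roaming\\XenoManager\\BakiyeOdemesi.exe</Command></Exec>
  </Actions>
</Task>"""


def parse_schtasks_create(cmdline):
    """Pull the task name, XML path and overwrite flag out of a /Create line."""
    def opt(name):
        m = re.search(rf'/{name}\s+(?:"([^"]*)"|(\S+))', cmdline, re.IGNORECASE)
        return (m.group(1) or m.group(2)) if m else None
    return {
        "task_name": opt("TN"),
        "xml_path": opt("XML"),
        "force": bool(re.search(r"\s/F(\s|$)", cmdline, re.IGNORECASE)),
    }


def triage_task_xml(data):
    """Return the facts a responder wants from an imported task definition."""
    root = ET.fromstring(data)
    cmds = [c.text or "" for c in root.findall("t:Actions/t:Exec/t:Command", TASK_NS)]
    triggers = [t.tag.split("}")[1] for t in root.findall("t:Triggers/*", TASK_NS)]
    hidden = root.findtext("t:Settings/t:Hidden", "false", TASK_NS).lower() == "true"
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel", "", TASK_NS)
    flags = []
    if any(p in c.lower() for c in cmds for p in USER_WRITABLE):
        flags.append("action in user-writable directory")
    if hidden:
        flags.append("task hidden")
    if "LogonTrigger" in triggers:
        flags.append("runs at logon")
    return {"commands": cmds, "triggers": triggers, "hidden": hidden,
            "run_level": run_level, "flags": flags}


if __name__ == "__main__":
    create = parse_schtasks_create(SCHTASKS_CMDLINE)
    print(f"task {create['task_name']!r} imported from {create['xml_path']} "
          f"(force={create['force']})")
    for key, value in triage_task_xml(SAMPLE_TASK_XML).items():
        print(f"{key}: {value}")
```

On a live host the same triage runs against the task as registered, not the temp file: `schtasks /Query /TN crsr /XML` (or the file under C:\Windows\System32\Tasks\crsr) gives the definition in the same schema, and the temp file is usually gone by the time anyone looks.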
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 706B
  MD5: d95c58e609838928f0f49837cab7dfd2
  SHA1: 55e7139a1e3899195b92ed8771d1ca2c7d53c916
  SHA256: 0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339
  SHA512: 405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

- Filesize: 1KB
  MD5: a6f5372613169b2900a4f059282ba086
  SHA1: 4b43185e6c983b1807ad525d2c4c5b8d4529fb28
  SHA256: a44343c344ed6d4e99e52eafa5ef6341c0723b59e1cc592017b5608d524931c9
  SHA512: a38da48f69cabffdeb0d049f73e1365a3603c1b132e993c6a1a8a58f122cf5d324245097e49d8fe6e3c23059108f83123f67afb1e65966c823d9e0ca13d61c4e

- Filesize: 311KB (identical hashes to the submitted sample)
  MD5: 24e9bc794e235d1c01d3a8e64352c9bf
  SHA1: e3cfd7882fd7e2b05beeaa61637c1f53493710ce
  SHA256: 66769b2562d5f335a8ea0279d98cfedfb1b1f980006d70f0a9aaf498235b97f5
  SHA512: 2180ca9ec3482c8f92ee4b144a82c15f79ba078a7931dbd96fa7deb411d56ef2021c4c1bce2236dbb7a4a1eba51186a8cda1288e6c3072895c256c7b48bec673