Analysis Overview
SHA256
66769b2562d5f335a8ea0279d98cfedfb1b1f980006d70f0a9aaf498235b97f5
Threat Level: Known bad
The file BakiyeOdemesi.exe was found to be: Known bad.
Malicious Activity Summary
XenorRat
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-04 14:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-04 14:19
Reported
2024-09-04 14:22
Platform
win7-20240903-en
Max time kernel
144s
Max time network
146s
Command Line
Signatures
XenorRat
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 584 set thread context of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe | C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe |
| PID 584 set thread context of 2092 | N/A | C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe | C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe |
| PID 2268 set thread context of 2696 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe | C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe |
| PID 2268 set thread context of 2760 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe | C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe
"C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe"
C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe
C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe
C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe
C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe
C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe"
C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe
C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe
C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe
C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "crsr" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA083.tmp" /F
Network
| Country | Destination | Domain | Proto |
| US | 154.216.17.155:1357 | | tcp |
| US | 154.216.17.155:1357 | | tcp |
| US | 154.216.17.155:1357 | | tcp |
| US | 154.216.17.155:1357 | | tcp |
| US | 154.216.17.155:1357 | | tcp |
| US | 154.216.17.155:1357 | | tcp |
| US | 154.216.17.155:1357 | | tcp |
| US | 154.216.17.155:1357 | | tcp |
| US | 154.216.17.155:1357 | | tcp |
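The behavioral1 run shows the three things a detection engineer would want to correlate from this report: the loader launching a second instance of its own image from a user-writable directory (the SetThreadContext / WriteProcessMemory sequence that rewrites that child), schtasks.exe registering a task from an XML file in %TEMP%, and an outbound TCP session to 154.216.17.155:1357 on a non-standard port. The following is an added example, not code from the report or the sandbox vendor: it runs those three checks over process-creation and network records constructed to mirror the process tree above. Parent PIDs, the PID owning the network session and the benign control records are assumptions, since the report does not state them.

```python
"""Added detection example: correlate constructed process and network records
into the behaviours flagged in the report. PIDs 584/2632/2092/2268/2696/2760 and
the schtasks command line come from the report; parent PIDs, the PID behind the
network session and the benign control records are constructed assumptions."""
import re
from dataclasses import dataclass

# Paths an unprivileged user can write to. The sample runs from Local\Temp and
# re-launches a copy of itself from Roaming\XenoManager, both under AppData.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\(local\\temp|roaming)\\", re.I)
# schtasks /Create ... /XML "<path>": capture the XML path, quoted or not.
SCHTASKS_XML = re.compile(r'/create\b.*?/xml\s+"?([^"\s]+)"?', re.I)
# Ports we do not treat as interesting on their own; 1357 is not one of them.
COMMON_PORTS = {53, 80, 443}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class NetEvent:
    pid: int
    dst_ip: str
    dst_port: int


def self_spawn_from_user_path(events):
    """(parent_pid, child_pid) pairs where a process running from AppData starts
    another instance of its own image. Hollowing loaders do this to obtain a
    suspended child whose image they then replace; benign software rarely does."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent and parent.image.lower() == e.image.lower() and USER_WRITABLE.match(e.image):
            hits.append((parent.pid, e.pid))
    return hits


def schtasks_from_temp_xml(events):
    """(pid, xml_path) for schtasks /Create calls whose /XML lives in Local\\Temp.
    The report's task definition is tmpA083.tmp, written there and passed with /F."""
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\schtasks.exe"):
            continue
        m = SCHTASKS_XML.search(e.cmdline)
        if m and re.search(r"\\appdata\\local\\temp\\", m.group(1), re.I):
            hits.append((e.pid, m.group(1)))
    return hits


def c2_candidates(proc_events, net_events):
    """(pid, 'ip:port') for sessions opened by an AppData-resident process to a
    port outside COMMON_PORTS. Combined with the two checks above this is the
    report's loader -> copy -> task -> beacon chain."""
    by_pid = {e.pid: e for e in proc_events}
    hits = []
    for n in net_events:
        p = by_pid.get(n.pid)
        if p and USER_WRITABLE.match(p.image) and n.dst_port not in COMMON_PORTS:
            hits.append((n.pid, f"{n.dst_ip}:{n.dst_port}"))
    return hits


TMP = r"C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe"
ROAM = r"C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe"

# Constructed records; parent PIDs and the two benign rows are assumptions.
SAMPLE_PROCS = [
    ProcEvent(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(584, 1000, TMP, f'"{TMP}"'),
    ProcEvent(2632, 584, TMP, TMP),
    ProcEvent(2092, 584, TMP, TMP),
    ProcEvent(2268, 2632, ROAM, f'"{ROAM}"'),
    ProcEvent(2696, 2268, ROAM, ROAM),
    ProcEvent(2760, 2268, ROAM, ROAM),
    ProcEvent(3100, 2268, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"schtasks.exe" /Create /TN "crsr" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA083.tmp" /F'),
    ProcEvent(3200, 900, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /TN "Backup" /XML "C:\ProgramData\Backup\task.xml"'),
]
SAMPLE_NET = [
    NetEvent(2696, "154.216.17.155", 1357),   # the report's C2 destination
    NetEvent(1000, "93.184.216.34", 443),     # constructed benign HTTPS session
]

if __name__ == "__main__":
    print("self-spawn from AppData:", self_spawn_from_user_path(SAMPLE_PROCS))
    print("schtasks from Temp XML: ", schtasks_from_temp_xml(SAMPLE_PROCS))
    print("C2 candidates:          ", c2_candidates(SAMPLE_PROCS, SAMPLE_NET))
```

Each check is weak alone (installers spawn themselves, admins import task XML, and port 1357 is just a number); the value is in requiring two or three of them on the same process lineage before alerting, which is exactly what this report's process tree gives you.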
Files
memory/584-0-0x000000007405E000-0x000000007405F000-memory.dmp
memory/584-1-0x0000000000340000-0x0000000000396000-memory.dmp
memory/584-2-0x0000000000290000-0x0000000000296000-memory.dmp
memory/584-3-0x0000000000530000-0x000000000057C000-memory.dmp
memory/584-4-0x0000000074050000-0x000000007473E000-memory.dmp
memory/584-5-0x0000000000270000-0x0000000000276000-memory.dmp
memory/2632-8-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2632-10-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2632-6-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2632-13-0x0000000074050000-0x000000007473E000-memory.dmp
memory/584-15-0x0000000074050000-0x000000007473E000-memory.dmp
\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe
| MD5 | 24e9bc794e235d1c01d3a8e64352c9bf |
| SHA1 | e3cfd7882fd7e2b05beeaa61637c1f53493710ce |
| SHA256 | 66769b2562d5f335a8ea0279d98cfedfb1b1f980006d70f0a9aaf498235b97f5 |
| SHA512 | 2180ca9ec3482c8f92ee4b144a82c15f79ba078a7931dbd96fa7deb411d56ef2021c4c1bce2236dbb7a4a1eba51186a8cda1288e6c3072895c256c7b48bec673 |
memory/2632-20-0x0000000074050000-0x000000007473E000-memory.dmp
memory/2268-22-0x0000000001380000-0x00000000013D6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpA083.tmp
| MD5 | a6f5372613169b2900a4f059282ba086 |
| SHA1 | 4b43185e6c983b1807ad525d2c4c5b8d4529fb28 |
| SHA256 | a44343c344ed6d4e99e52eafa5ef6341c0723b59e1cc592017b5608d524931c9 |
| SHA512 | a38da48f69cabffdeb0d049f73e1365a3603c1b132e993c6a1a8a58f122cf5d324245097e49d8fe6e3c23059108f83123f67afb1e65966c823d9e0ca13d61c4e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-04 14:19
Reported
2024-09-04 14:22
Platform
win10v2004-20240802-en
Max time kernel
142s
Max time network
146s
Command Line
Signatures
XenorRat
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2616 set thread context of 2100 | N/A | C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe | C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe |
| PID 2616 set thread context of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe | C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe |
| PID 3788 set thread context of 3680 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe | C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe |
| PID 3788 set thread context of 800 | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe | C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe
"C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe"
C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe
C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe
C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe
C:\Users\Admin\AppData\Local\Temp\BakiyeOdemesi.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2820 -ip 2820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 12
C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe"
C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe
C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe
C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe
C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 800 -ip 800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 800 -s 80
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "crsr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4C85.tmp" /F
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 154.216.17.155:1357 | | tcp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 154.216.17.155:1357 | | tcp |
| US | 154.216.17.155:1357 | | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 154.216.17.155:1357 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 154.216.17.155:1357 | | tcp |
| US | 154.216.17.155:1357 | | tcp |
| US | 154.216.17.155:1357 | | tcp |
| US | 154.216.17.155:1357 | | tcp |
Files
memory/2616-0-0x00000000744DE000-0x00000000744DF000-memory.dmp
memory/2616-1-0x00000000007B0000-0x0000000000806000-memory.dmp
memory/2616-2-0x0000000001300000-0x0000000001306000-memory.dmp
memory/2616-3-0x00000000744D0000-0x0000000074C80000-memory.dmp
memory/2616-4-0x00000000051F0000-0x000000000523C000-memory.dmp
memory/2616-5-0x000000000DEE0000-0x000000000DF7C000-memory.dmp
memory/2616-6-0x000000000E530000-0x000000000EAD4000-memory.dmp
memory/2616-7-0x000000000DF80000-0x000000000E012000-memory.dmp
memory/2616-8-0x0000000004D60000-0x0000000004D66000-memory.dmp
memory/2100-10-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2100-14-0x00000000744D0000-0x0000000074C80000-memory.dmp
memory/2616-15-0x00000000744D0000-0x0000000074C80000-memory.dmp
C:\Users\Admin\AppData\Roaming\XenoManager\BakiyeOdemesi.exe
| MD5 | 24e9bc794e235d1c01d3a8e64352c9bf |
| SHA1 | e3cfd7882fd7e2b05beeaa61637c1f53493710ce |
| SHA256 | 66769b2562d5f335a8ea0279d98cfedfb1b1f980006d70f0a9aaf498235b97f5 |
| SHA512 | 2180ca9ec3482c8f92ee4b144a82c15f79ba078a7931dbd96fa7deb411d56ef2021c4c1bce2236dbb7a4a1eba51186a8cda1288e6c3072895c256c7b48bec673 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BakiyeOdemesi.exe.log
| MD5 | d95c58e609838928f0f49837cab7dfd2 |
| SHA1 | 55e7139a1e3899195b92ed8771d1ca2c7d53c916 |
| SHA256 | 0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339 |
| SHA512 | 405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d |
memory/2100-28-0x00000000744D0000-0x0000000074C80000-memory.dmp
memory/3788-27-0x00000000744D0000-0x0000000074C80000-memory.dmp
memory/3788-29-0x00000000744D0000-0x0000000074C80000-memory.dmp
memory/3680-34-0x00000000744D0000-0x0000000074C80000-memory.dmp
memory/3788-35-0x00000000744D0000-0x0000000074C80000-memory.dmp
memory/3680-36-0x00000000744D0000-0x0000000074C80000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp4C85.tmp
| MD5 | a6f5372613169b2900a4f059282ba086 |
| SHA1 | 4b43185e6c983b1807ad525d2c4c5b8d4529fb28 |
| SHA256 | a44343c344ed6d4e99e52eafa5ef6341c0723b59e1cc592017b5608d524931c9 |
| SHA512 | a38da48f69cabffdeb0d049f73e1365a3603c1b132e993c6a1a8a58f122cf5d324245097e49d8fe6e3c23059108f83123f67afb1e65966c823d9e0ca13d61c4e |