xenorat | 4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d

Analysis

max time kernel
147s
max time network
152s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe
Size

240KB
MD5

d04a2b57f1746ad614eb93ad1d20d405
SHA1

34c913adf2645f385cea7b25311adc53ddc6643e
SHA256

4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d
SHA512

f0bbbf60fdaf188d51a699ea877afb9164f75d491e28dd6b923285dba3e818cb8c76604345434075c92770e1f98b052fcfbdf8f1f79dc48df12d49f0de2e8f65
SSDEEP

6144:55pLOE2BAOVudxdvcB/80QT1tN+vrwg04wpEEs0Jr7iTxKMI:5HOE8kCPrwg0ffs0Jr7iTxKp

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

154.216.17.155

Mutex

Xeno_rat_nd8912d

Attributes

delay
50000
install_path
appdata
port
1357
startup_name
crsr

Signatures

Detect XenoRat Payload 3 IoCs

resource	yara_rule
behavioral1/memory/2260-6-0x0000000000400000-0x0000000000412000-memory.dmp	family_xenorat
behavioral1/memory/2260-16-0x0000000000400000-0x0000000000412000-memory.dmp	family_xenorat
behavioral1/memory/2260-8-0x0000000000400000-0x0000000000412000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Executes dropped EXE 3 IoCs

pid	Process
2964	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe
2572	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe
2512	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe

Loads dropped DLL 1 IoCs

pid	Process
2260	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1504 set thread context of 2260	1504	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	30
PID 1504 set thread context of 2628	1504	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	31
PID 2964 set thread context of 2572	2964	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	33
PID 2964 set thread context of 2512	2964	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2796	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1504	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe
Token: SeDebugPrivilege	2964	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 2260	1504	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	30
PID 1504 wrote to memory of 2260	1504	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	30
PID 1504 wrote to memory of 2260	1504	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	30
PID 1504 wrote to memory of 2260	1504	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	30
PID 1504 wrote to memory of 2260	1504	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	30
PID 1504 wrote to memory of 2260	1504	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	30
PID 1504 wrote to memory of 2260	1504	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	30
PID 1504 wrote to memory of 2260	1504	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	30
PID 1504 wrote to memory of 2260	1504	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	30
PID 1504 wrote to memory of 2628	1504	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	31
PID 1504 wrote to memory of 2628	1504	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	31
PID 1504 wrote to memory of 2628	1504	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	31
PID 1504 wrote to memory of 2628	1504	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	31
PID 1504 wrote to memory of 2628	1504	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	31
PID 1504 wrote to memory of 2628	1504	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	31
PID 1504 wrote to memory of 2628	1504	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	31
PID 1504 wrote to memory of 2628	1504	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	31
PID 1504 wrote to memory of 2628	1504	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	31
PID 2260 wrote to memory of 2964	2260	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	32
PID 2260 wrote to memory of 2964	2260	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	32
PID 2260 wrote to memory of 2964	2260	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	32
PID 2260 wrote to memory of 2964	2260	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	32
PID 2964 wrote to memory of 2572	2964	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	33
PID 2964 wrote to memory of 2572	2964	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	33
PID 2964 wrote to memory of 2572	2964	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	33
PID 2964 wrote to memory of 2572	2964	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	33
PID 2964 wrote to memory of 2572	2964	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	33
PID 2964 wrote to memory of 2572	2964	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	33
PID 2964 wrote to memory of 2572	2964	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	33
PID 2964 wrote to memory of 2572	2964	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	33
PID 2964 wrote to memory of 2572	2964	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	33
PID 2964 wrote to memory of 2512	2964	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	34
PID 2964 wrote to memory of 2512	2964	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	34
PID 2964 wrote to memory of 2512	2964	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	34
PID 2964 wrote to memory of 2512	2964	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	34
PID 2964 wrote to memory of 2512	2964	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	34
PID 2964 wrote to memory of 2512	2964	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	34
PID 2964 wrote to memory of 2512	2964	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	34
PID 2964 wrote to memory of 2512	2964	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	34
PID 2964 wrote to memory of 2512	2964	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	34
PID 2628 wrote to memory of 2796	2628	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	35
PID 2628 wrote to memory of 2796	2628	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	35
PID 2628 wrote to memory of 2796	2628	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	35
PID 2628 wrote to memory of 2796	2628	4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe	35

C:\Users\Admin\AppData\Local\Temp\4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe
"C:\Users\Admin\AppData\Local\Temp\4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Users\Admin\AppData\Local\Temp\4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe
  C:\Users\Admin\AppData\Local\Temp\4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Users\Admin\AppData\Roaming\XenoManager\4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe
    "C:\Users\Admin\AppData\Roaming\XenoManager\4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Users\Admin\AppData\Roaming\XenoManager\4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe
      C:\Users\Admin\AppData\Roaming\XenoManager\4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2572
  - - C:\Users\Admin\AppData\Roaming\XenoManager\4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe
      C:\Users\Admin\AppData\Roaming\XenoManager\4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2512
- C:\Users\Admin\AppData\Local\Temp\4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe
  C:\Users\Admin\AppData\Local\Temp\4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "crsr" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCCB1.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpCCB1.tmp

Filesize
1KB

MD5
910a17be0535bf4f0762b625f39f3b02

SHA1
cfa9dbc1483a347be5c8edde95bc9ac2cc4f550a

SHA256
813f9c37136cb79ca30fb77eb1e1f0fbedb58c57b96217df20920b60050dbe19

SHA512
3e2a3f8b42abc569c85882bf7ee9fb7c99d07173c3ab1e04f18ce740af4839d5b2abaf76ab92a5a8bbeba1a5e2caf31c4e045ed2326ce1eab13af72c23480de9

Download Submit
\Users\Admin\AppData\Roaming\XenoManager\4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d.exe

Filesize
240KB

MD5
d04a2b57f1746ad614eb93ad1d20d405

SHA1
34c913adf2645f385cea7b25311adc53ddc6643e

SHA256
4d7d224f3e38ef811723161873e2aa008d21b35084a938b255feafbdd9eb985d

SHA512
f0bbbf60fdaf188d51a699ea877afb9164f75d491e28dd6b923285dba3e818cb8c76604345434075c92770e1f98b052fcfbdf8f1f79dc48df12d49f0de2e8f65

Download Submit
memory/1504-1-0x00000000002D0000-0x0000000000316000-memory.dmp

Filesize
280KB

Download
memory/1504-2-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/1504-3-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/1504-4-0x00000000005A0000-0x00000000005DC000-memory.dmp

Filesize
240KB

Download
memory/1504-5-0x00000000003D0000-0x00000000003D6000-memory.dmp

Filesize
24KB

Download
memory/1504-21-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/1504-0-0x000000007494E000-0x000000007494F000-memory.dmp

Filesize
4KB

Download
memory/2260-8-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2260-18-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2260-27-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2260-16-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2260-6-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2628-19-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2628-37-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2628-40-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2628-41-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2964-28-0x0000000000CA0000-0x0000000000CE6000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads