Analysis
max time kernel: 148s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-09-2024 20:52

Behavioral task: behavioral1
Sample: better.exe
Resource: win10v2004-20240802-en
General
Target: better.exe
Size: 45KB
MD5: e1ceac9336a96cb04cc3909ba406b535
SHA1: f511cbbd228c9685067bdc81d2411031285e1c75
SHA256: 36c3156427b6f44bbd149994ae17c422b99efc92a1dd846bf23c2e499a639232
SHA512: 85d889cad787945820bf2c37d8bf4072dfbb13e692258b6efc00ed6ab4ec1790b1b235d0e034edd1812376ba70d650e1eb3cb95cb3bd61d91b2fb3cbd65bf6ed
SSDEEP: 768:AdhO/poiiUcjlJIn89SH9Xqk5nWEZ5SbTDaxuI7CPW5G:yw+jjgn8oH9XqcnW85SbTkuI+
Malware Config
Extracted (family xenorat):
127.0.0.1
Xeno_rat_nd8912d
install_path: appdata
port: 4782
startup_name: Arkhavis.exe
Signatures

Detect XenoRat Payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/3460-1-0x0000000000FC0000-0x0000000000FD2000-memory.dmp | family_xenorat
  behavioral1/files/0x0008000000023460-6.dat | family_xenorat

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | better.exe

Executes dropped EXE (1 IoC)
  pid | Process
  2932 | better.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | better.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | better.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  1360 | schtasks.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 3460 wrote to memory of 2932 | 3460 | better.exe | 86
  PID 3460 wrote to memory of 2932 | 3460 | better.exe | 86
  PID 3460 wrote to memory of 2932 | 3460 | better.exe | 86
  PID 2932 wrote to memory of 1360 | 2932 | better.exe | 87
  PID 2932 wrote to memory of 1360 | 2932 | better.exe | 87
  PID 2932 wrote to memory of 1360 | 2932 | better.exe | 87
Processes
C:\Users\Admin\AppData\Local\Temp\better.exe  (PID 3460)
  command line: "C:\Users\Admin\AppData\Local\Temp\better.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  └ C:\Users\Admin\AppData\Roaming\XenoManager\better.exe  (PID 2932, child of 3460)
      command line: "C:\Users\Admin\AppData\Roaming\XenoManager\better.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      └ C:\Windows\SysWOW64\schtasks.exe  (PID 1360, child of 2932)
          command line: "schtasks.exe" /Create /TN "Arkhavis.exe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB19D.tmp" /F
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task
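The process tree is the whole persistence story in three steps: the sample runs from %TEMP%, copies itself to %AppData%\Roaming\XenoManager\ (the config's install_path of appdata), launches the copy, and the copy registers a scheduled task named Arkhavis.exe (the config's startup_name) from an XML staged in %TEMP%, forcing overwrite with /F. Because the extracted C2 is 127.0.0.1, the run produces no outbound indicator worth pivoting on, so a detection has to key on this host behaviour. The Python below is an added example, not part of the Triage report and not XenoRAT code. It runs two rules over Sysmon Event ID 1 style process-creation events constructed from the tree (the PIDs, images and command lines are the report's; the root process's parent PID and the benign control event at the end are assumed) and escalates when a schtasks hit is the child of a process the first rule already flagged.

```python
"""Flag the XenoRAT drop-and-persist chain from process-creation telemetry.

Added example for this report; it is not Triage output and not XenoRAT code.
Input events are shaped like Sysmon Event ID 1 (pid, ppid, image, cmdline).
The sample events are constructed from the report's process tree; the parent
PID of the first process and the benign control event are assumed.
"""
import re
from dataclasses import dataclass

# User-writable locations the chain in the report moves between.
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
ROAMING_RE = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report (PIDs 3460 -> 2932 -> 1360); ppid 4100 and the
# last event (a legitimate task import from ProgramData) are assumed controls.
SAMPLE_EVENTS = [
    ProcEvent(3460, 4100, r"C:\Users\Admin\AppData\Local\Temp\better.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\better.exe"'),
    ProcEvent(2932, 3460, r"C:\Users\Admin\AppData\Roaming\XenoManager\better.exe",
              r'"C:\Users\Admin\AppData\Roaming\XenoManager\better.exe"'),
    ProcEvent(1360, 2932, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"schtasks.exe" /Create /TN "Arkhavis.exe" /XML '
              r'"C:\Users\Admin\AppData\Local\Temp\tmpB19D.tmp" /F'),
    ProcEvent(5120, 900, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /TN "Backup" /XML "C:\ProgramData\Backup\task.xml"'),
]


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def _arg_after(tokens, switch):
    """Value following a case-insensitive switch such as /tn or /xml, else ''."""
    lowered = [t.lower() for t in tokens]
    if switch in lowered and lowered.index(switch) + 1 < len(tokens):
        return tokens[lowered.index(switch) + 1]
    return ""


def roaming_child_of_temp(ev, by_pid):
    """Rule 1: a binary under AppData\\Roaming started by a parent running from Temp.

    Matches the self-copy step: Temp\\better.exe launching Roaming\\XenoManager\\better.exe.
    """
    parent = by_pid.get(ev.ppid)
    if parent and ROAMING_RE.search(ev.image) and TEMP_RE.search(parent.image):
        return f"pid {ev.pid}: {ev.image} started by Temp-resident pid {parent.pid}"
    return None


def schtasks_from_temp_xml(ev, by_pid):
    """Rule 2: schtasks /Create importing its task definition from a Temp directory.

    Legitimate installers rarely stage the XML in %TEMP% and force-overwrite with /F.
    """
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return None
    tokens = tokenize(ev.cmdline)
    lowered = {t.lower() for t in tokens}
    xml_path = _arg_after(tokens, "/xml")
    if "/create" not in lowered or not TEMP_RE.search(xml_path):
        return None
    task_name = _arg_after(tokens, "/tn") or "<unnamed>"
    forced = " (/F overwrites an existing task of that name)" if "/f" in lowered else ""
    return f"pid {ev.pid}: schtasks /Create /TN {task_name} from Temp XML {xml_path}{forced}"


def detect(events):
    """Return (severity, pid, message) alerts; a rule-2 hit whose parent tripped
    rule 1 is the full drop -> run -> persist chain and is escalated to high."""
    by_pid = {ev.pid: ev for ev in events}
    alerts, dropped = [], set()
    for ev in events:
        msg = roaming_child_of_temp(ev, by_pid)
        if msg:
            dropped.add(ev.pid)
            alerts.append(("medium", ev.pid, msg))
    for ev in events:
        msg = schtasks_from_temp_xml(ev, by_pid)
        if msg:
            alerts.append(("high" if ev.ppid in dropped else "medium", ev.pid, msg))
    return alerts


if __name__ == "__main__":
    for severity, pid, message in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {message}")
```

Run against the constructed events it raises a medium alert for PID 2932 (the Roaming copy launched from Temp) and a high alert for PID 1360 (schtasks importing tmpB19D.tmp for task Arkhavis.exe, parented by the flagged copy); the ProgramData task import is left alone. Feed it real Sysmon Event ID 1 records by mapping ProcessId, ParentProcessId, Image and CommandLine onto ProcEvent.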
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 226B
  MD5: 916851e072fbabc4796d8916c5131092
  SHA1: d48a602229a690c512d5fdaf4c8d77547a88e7a2
  SHA256: 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
  SHA512: 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Filesize: 1KB
  MD5: 3bec394dfa473d398675ce8536a266b4
  SHA1: dd559b15536136d8874ab16180bb2ee192437e5c
  SHA256: d23fdbcb93728915ff405802af3af96a741b62ed973eb7ed0818f523db84232d
  SHA512: abb87d74dbe9da78f942ba5f714da4e9439dc3afb29d61932a1189e599684422aa8f68d9433cb3afa614636165307c413329d7e78a7b0c78b90950c53a769a7a

Filesize: 45KB (hashes identical to the submitted sample better.exe)
  MD5: e1ceac9336a96cb04cc3909ba406b535
  SHA1: f511cbbd228c9685067bdc81d2411031285e1c75
  SHA256: 36c3156427b6f44bbd149994ae17c422b99efc92a1dd846bf23c2e499a639232
  SHA512: 85d889cad787945820bf2c37d8bf4072dfbb13e692258b6efc00ed6ab4ec1790b1b235d0e034edd1812376ba70d650e1eb3cb95cb3bd61d91b2fb3cbd65bf6ed