xenorat | abc242f7c5ef7c85c38a5101ceb9897032a2e24bbd9558810eb03b9121bf0fcb

Analysis

max time kernel
142s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2024 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-29_0ecc69497bfd0ed6477cd052abdc26c2_ryuk.exe
Size

12.5MB
MD5

0ecc69497bfd0ed6477cd052abdc26c2
SHA1

026e312c3a6002cbfbcb2522f07b509eedd89c20
SHA256

abc242f7c5ef7c85c38a5101ceb9897032a2e24bbd9558810eb03b9121bf0fcb
SHA512

4beedc6b2afeb395bc34b9384478897c1e6749cb5e6e6403cdf5ec9f7ec4df310bbe56a677a1e82b2e4c17e1a7e91305a507b1c79c29369feab4b02dbb5639a5
SSDEEP

393216:0JLqi6PpxRBQ+7IqVZPoFka4GsHwSrewvEWOxXqOkSR2gvS:7isxR3h8kt1/iw8H2

Score

10^/10

xenorat defense_evasion discovery execution rat trojan

Malware Config

Signatures

Detect XenoRat Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3436-42-0x0000000003270000-0x0000000003282000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4888	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2276	idman642build21.exe
2956	IDM1.tmp

Loads dropped DLL 1 IoCs

pid	Process
216	2024-09-29_0ecc69497bfd0ed6477cd052abdc26c2_ryuk.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
1240	cmd.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	idman642build21.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IDM1.tmp

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4888	powershell.exe
4888	powershell.exe
4888	powershell.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	4888	powershell.exe
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE
Token: SeShutdownPrivilege	3436	Explorer.EXE
Token: SeCreatePagefilePrivilege	3436	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 4888	1240	cmd.exe	87
PID 1240 wrote to memory of 4888	1240	cmd.exe	87
PID 4888 wrote to memory of 3608	4888	powershell.exe	89
PID 4888 wrote to memory of 3608	4888	powershell.exe	89
PID 3608 wrote to memory of 4452	3608	csc.exe	90
PID 3608 wrote to memory of 4452	3608	csc.exe	90
PID 4888 wrote to memory of 2276	4888	powershell.exe	91
PID 4888 wrote to memory of 2276	4888	powershell.exe	91
PID 4888 wrote to memory of 2276	4888	powershell.exe	91
PID 4888 wrote to memory of 3436	4888	powershell.exe	56
PID 2276 wrote to memory of 2956	2276	idman642build21.exe	92
PID 2276 wrote to memory of 2956	2276	idman642build21.exe	92
PID 2276 wrote to memory of 2956	2276	idman642build21.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3436
- C:\Users\Admin\AppData\Local\Temp\2024-09-29_0ecc69497bfd0ed6477cd052abdc26c2_ryuk.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-09-29_0ecc69497bfd0ed6477cd052abdc26c2_ryuk.exe"
  2⤵
  - Loads dropped DLL
  PID:216

C:\Windows\system32\cmd.exe
cmd.exe /c start "" /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\app.ps1"
1⤵
- Hide Artifacts: Hidden Window
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\app.ps1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0j5nv0x5\0j5nv0x5.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3608
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES805B.tmp" "c:\Users\Admin\AppData\Local\Temp\0j5nv0x5\CSCA08F35CC53CA4440AC12A252D3D9BAE7.TMP"
      4⤵
      PID:4452
- - C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\idman642build21.exe
    "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\idman642build21.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
      "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\app.manifest

Filesize
47KB

MD5
6fec4faacf51e3f656421e6cf5217299

SHA1
b4963d03ae835f9b064491dce20108f9450e7507

SHA256
582524e8046a86b6729bd9c3032f0da3d2b99c9eb537cce4b827b1a55d65a638

SHA512
2b2951dfb9c856cfcee73f5dab6218118b98e98cfa7bc47f5d241215024863da5b0d08ebab43475ca97fd13ca2d3ddf5ecdb5a16bdb117fb5bb0a506b6a7fe26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\app.ps1

Filesize
5KB

MD5
3aca65418fc9e4d69d2a5e4245d1b4e9

SHA1
702f7cfe36511cd3fc1eede39220769ea9b10b4a

SHA256
48e0d380660392f5a346b7a936ddf463097beec8abb24978cb4a364baac5dbac

SHA512
80ec0ddeb72de4b81906eef0d96e1586de38957588692326c057a2426bb471ed8906aa8423e40a6075d39e8d5577b5f6cbe08d2de7466fcddc3bdb55ab04ba38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\idman642build21.exe

Filesize
11.7MB

MD5
44cd33e863e57dc39666dccf49d4de2a

SHA1
32b8afd118e6add60eaa852d0687718ddd3351e7

SHA256
b39cc874fda44ea0d38e0e28a8a7d257171a00f3153262c8dba853069b18a963

SHA512
dbb1f571af8e4429dbef7a9fd46458bec86bcbe85449b2da0a366f41a20f3b77f001e6f4e9bcbcf9463cb0ee9e616f2a2c78653ecf2915c367dfcd9c3ae41afd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\wAPI.dll

Filesize
12.3MB

MD5
06044c2518fb6e8448496a7dbb408484

SHA1
b3670507fe37c3db352cda789ac48e21d0146009

SHA256
a0903fad6dff1bf677672efec4a1a2a11c1521d5066ba794ebfd76f60b41e4aa

SHA512
c1c12d73992933c007dfbf635fce46b3ead643bf89580c0879040859502ed7ff3af5cb99d4aed74b2f9c0a44f3f1a2aafb52024693e9e97471d32fb22246be23

Download Submit
C:\Users\Admin\AppData\Local\Temp\0j5nv0x5\0j5nv0x5.dll

Filesize
4KB

MD5
bebeab503265fe7357e71cab3f8814d4

SHA1
dc68d62820077c3ed3114351cd3c3c3d5dd64354

SHA256
3aaeea5e954412beb992fb9a9d2146e7b0d3cc7d20a2c6da884a648db966830b

SHA512
147c9dd24cf372f14b01dc7140ba700dc02450c36749e2f50f9284abacb36ecdc3de9339bd3699ce2218b495990ab97ea5602795e5c47a2298e63f04289c6435

Download Submit
C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp

Filesize
162KB

MD5
1c734d0ded634d8e17a87aba3d44f41d

SHA1
4974769d1b1442c48dd6b6fb8b3741df36f21425

SHA256
645ee6e64ed04825b25964d992d0205963498bb9d61f5a52be7e76ddb2074003

SHA512
20239782f4e30157fdfc02a3793ac7bde7ed74400de4cffa812805d680789ea7be5c2c765924d32f74807d80100cccc14b453d3d7e006dd4aeee60dec98af4c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES805B.tmp

Filesize
1KB

MD5
16d4c639c6fe0a5726297a2049ce2d66

SHA1
9a34c391b722586ae8c391c9d03b6cb0ddd6761d

SHA256
0e28afe3a5566931f509ff38d6f3a2ce78548834f3c9b5e595917d417e3a31b4

SHA512
6da9016a722ee5427e64c4d92506b7605bfd8cee5b149fffa4247d884edffa63d1f5738bf931c95ab9e31ad20e9b52f653c2d9fcefe620a126c0598779c12c70

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_25wne2tz.yvo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0j5nv0x5\0j5nv0x5.0.cs

Filesize
1KB

MD5
3fa19360e09832c3d711d4fe71911eae

SHA1
55a86c45af0f33419db93c39aaae09a06f610c78

SHA256
92a6b697b5bc2e42c280074823e06c1f39efc36fd985feff938b4f071756d28b

SHA512
880abc257e440799cbc718b39d776127e2a683cb5ffe4ebe426240aa52d7fbf6a4982b66b536388a88b00ed810088dc80b47e94297d24db89c1e2a92c982ec84

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0j5nv0x5\0j5nv0x5.cmdline

Filesize
369B

MD5
ef8c771bf037bc7db679f62f34b9e232

SHA1
b74644f5664035b2e5dc1b510725d21e1d68f2a3

SHA256
640225e517b74fbb66e83dda559e427b69381552a4a7ea6e366893f6449dd7e5

SHA512
457952d718fafb0f87fcf26d27cb9877b80d79beff3a79519632437325fd3e275d5a7b5a371cf3857a5f8949e69e6e88f93bde2d764319928199a39503003282

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0j5nv0x5\CSCA08F35CC53CA4440AC12A252D3D9BAE7.TMP

Filesize
652B

MD5
25826a5faee8070e6a15751bd516229e

SHA1
5476c5eff095c56c44bb4ad69458ebf796e5a9be

SHA256
ac294121ea2bc20135d1d1910a0447718275941887076dfbf4d33b3a1e4f99fa

SHA512
16b5d8de921acb07ef3e0efd502d521d3efafd3b73f1580947c10f503df5108514c33e7a078c8bbb9fdf0b7298c0e35ff746d66ecf8d8dd97c0c3465ca7d92bd

Download Submit
memory/2956-48-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2956-47-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3436-41-0x0000000003010000-0x000000000301C000-memory.dmp

Filesize
48KB

Download
memory/3436-42-0x0000000003270000-0x0000000003282000-memory.dmp

Filesize
72KB

Download
memory/4888-12-0x0000017742F00000-0x0000017742F22000-memory.dmp

Filesize
136KB

Download
memory/4888-40-0x00007FFF286D0000-0x00007FFF29191000-memory.dmp

Filesize
10.8MB

Download
memory/4888-10-0x00007FFF286D0000-0x00007FFF29191000-memory.dmp

Filesize
10.8MB

Download
memory/4888-45-0x00007FFF286D0000-0x00007FFF29191000-memory.dmp

Filesize
10.8MB

Download
memory/4888-9-0x00007FFF286D3000-0x00007FFF286D5000-memory.dmp

Filesize
8KB

Download
memory/4888-11-0x00007FFF286D0000-0x00007FFF29191000-memory.dmp

Filesize
10.8MB

Download
memory/4888-35-0x0000017742A30000-0x0000017742A38000-memory.dmp

Filesize
32KB

Download