xenorat | 58eb8bb990ecf44f3906a6d1f26ad6d33fcb4ce46ffd3e45eeb5aff3711cbb75

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2024 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-29_b78b54b3cd92020748bfd9dbf6328b8b_ryuk.exe
Size

6.4MB
MD5

b78b54b3cd92020748bfd9dbf6328b8b
SHA1

0c5ac4a7dec5b6236c3b6c1c1bede3f31058e391
SHA256

58eb8bb990ecf44f3906a6d1f26ad6d33fcb4ce46ffd3e45eeb5aff3711cbb75
SHA512

6959f7818e851782eec5068967581d31379436dc6b23ee876b2486e5f053b9dfac44c227dad0817f0abc265445512557b488345a6287dcfa1264a51cc0c10d1b
SSDEEP

196608:/LbWorZnOETSo/g8xobLWtx+PNFWOgLfMgf:jbRqoo8U9F6Qg

Score

10^/10

xenorat defense_evasion discovery execution rat trojan

Malware Config

Signatures

Detect XenoRat Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3448-42-0x0000000002DF0000-0x0000000002E02000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4964	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
4848	avira_en_asu80_137606563-1549701162__ws.exe
3372	avira_en_asu80_137606563-1549701162__ws.exe

Loads dropped DLL 3 IoCs

pid	Process
1752	2024-09-29_b78b54b3cd92020748bfd9dbf6328b8b_ryuk.exe
3372	avira_en_asu80_137606563-1549701162__ws.exe
3372	avira_en_asu80_137606563-1549701162__ws.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
3792	cmd.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5036	3372	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avira_en_asu80_137606563-1549701162__ws.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avira_en_asu80_137606563-1549701162__ws.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\avira_en_asu80_137606563-1549701162__ws.exe = "11001"	avira_en_asu80_137606563-1549701162__ws.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4964	powershell.exe
4964	powershell.exe
4964	powershell.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3372	avira_en_asu80_137606563-1549701162__ws.exe
3372	avira_en_asu80_137606563-1549701162__ws.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3792 wrote to memory of 4964	3792	cmd.exe	87
PID 3792 wrote to memory of 4964	3792	cmd.exe	87
PID 4964 wrote to memory of 2396	4964	powershell.exe	89
PID 4964 wrote to memory of 2396	4964	powershell.exe	89
PID 2396 wrote to memory of 4396	2396	csc.exe	90
PID 2396 wrote to memory of 4396	2396	csc.exe	90
PID 4964 wrote to memory of 4848	4964	powershell.exe	91
PID 4964 wrote to memory of 4848	4964	powershell.exe	91
PID 4964 wrote to memory of 4848	4964	powershell.exe	91
PID 4964 wrote to memory of 3448	4964	powershell.exe	56
PID 4848 wrote to memory of 3372	4848	avira_en_asu80_137606563-1549701162__ws.exe	94
PID 4848 wrote to memory of 3372	4848	avira_en_asu80_137606563-1549701162__ws.exe	94
PID 4848 wrote to memory of 3372	4848	avira_en_asu80_137606563-1549701162__ws.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3448
- C:\Users\Admin\AppData\Local\Temp\2024-09-29_b78b54b3cd92020748bfd9dbf6328b8b_ryuk.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-09-29_b78b54b3cd92020748bfd9dbf6328b8b_ryuk.exe"
  2⤵
  - Loads dropped DLL
  PID:1752

C:\Windows\system32\cmd.exe
cmd.exe /c start "" /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\app.ps1"
1⤵
- Hide Artifacts: Hidden Window
- Suspicious use of WriteProcessMemory
PID:3792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\app.ps1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\scwmhhgw\scwmhhgw.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9BD2.tmp" "c:\Users\Admin\AppData\Local\Temp\scwmhhgw\CSCF4EE8F8FA61D4E2A98988460AF8AAC2.TMP"
      4⤵
      PID:4396
- - C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\avira_en_asu80_137606563-1549701162__ws.exe
    "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\avira_en_asu80_137606563-1549701162__ws.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4848
  - - C:\Windows\Temp\{A2C97B60-9C1A-4289-92A7-C71819C00242}\.cr\avira_en_asu80_137606563-1549701162__ws.exe
      "C:\Windows\Temp\{A2C97B60-9C1A-4289-92A7-C71819C00242}\.cr\avira_en_asu80_137606563-1549701162__ws.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\avira_en_asu80_137606563-1549701162__ws.exe" -burn.filehandle.attached=688 -burn.filehandle.self=540
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3372
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 2564
        5⤵
        Program crash
        
        PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3372 -ip 3372
1⤵
PID:636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\app.manifest

Filesize
47KB

MD5
cc33dd983987ebca596c79c9cdcb0ffa

SHA1
e982632bd4cf9d347e635ce9344a6ab2f9f02d1a

SHA256
a71890c3242997b8afd581a094cff19a7cb36df17e65aa9f6e5a3f7a991879f7

SHA512
bf1c9c6b6f3848dfcc47cae026943dad9b2bee5c707a2aa1a25d05a9b800a089159f34a6c53b150fe5d73af3dcaf551283d7d4b5ae2d0d5ecb7cf99206b4d270

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\app.ps1

Filesize
5KB

MD5
1727087f01416cbfe06f231842e220ba

SHA1
5e6522a3085aba2c98d2634381fcadf78190b52c

SHA256
3ee928b83e7580951ab0ea82eebec1ce1eb847498d585400824f004b6c6a1326

SHA512
e3593b978d9dff7d9749c41419e414f81b81db39011644b5d0c529c65370f61d6f197dea93f45edc1bf585b6e29aac2938dd9c599677d5c04b19126b9c26d8ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\avira_en_asu80_137606563-1549701162__ws.exe

Filesize
5.5MB

MD5
2e4a59f6b576a91bfd118b705ac66e04

SHA1
e182093b61d6d00fac739afdb318eff01d32be5a

SHA256
3cd7ee9260ec23c688605b65dfabf4f0f0c32d871fc5f650aa49dc09cb52ed18

SHA512
5a1c94e73560b65ef7022c4b9468c6ea1df53b706d09068cb0c1f38166d5feaed2d7995ca146c1441eaa59361f099e88b54172ff878c1025838a5356bc136ae6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\wAPI.dll

Filesize
6.1MB

MD5
8bb869839186d632609da94b6b9a8d89

SHA1
c5138bc03a64ed13e2ff0c3b829c6f573d034d62

SHA256
7e7d6d3b5b9f2da5cdecf3cfea7d415a9ec6819e98aff2fa84d5e0fa16bd2a97

SHA512
1180fd9842762d75fd7c3fb0640d865b80b1c604e4617845c9b3f121a39dec03d5a572c21aed4331e1916585785e3ae68ac248ee64c93cbcc0b2b957bff60703

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9BD2.tmp

Filesize
1KB

MD5
66d2e2952a4b61ebfa450cbf3939428f

SHA1
65bf029010f0e99d4527af680a261548aeb8abc6

SHA256
5d25c93dd53e94c3bd336f5b863bec00427772ddd3bdad62b5eb9c6b7154c2ee

SHA512
f929ee5f24831d3fc1157a2472566bb7660d59975053f9e5833c696840ff4dfe353c7bdf9c44876df7c5315f6864e761299c0ad9aa7d228c66771c34e6d7d4c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ix4srcl2.qfv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\scwmhhgw\scwmhhgw.dll

Filesize
4KB

MD5
032859c1de0acb8b442415201b36bedd

SHA1
9eb565cdca1a346a68f8df40133c3457598efc99

SHA256
a6db5f57da5a4e6036c538039b2594a6ace3ab0301d552f8d77b7be8211b0469

SHA512
e74972a4e23371f70954414334cda4bc97c69a7ba85fa3452d06540c1064c077acab0125aee92ed2b002504b4815a201d3eefc77f74dadd9d1bb3b9d928492ca

Download Submit
C:\Windows\Temp\{A2C97B60-9C1A-4289-92A7-C71819C00242}\.cr\avira_en_asu80_137606563-1549701162__ws.exe

Filesize
1.2MB

MD5
f07ba2c3c4f6e0a0af82876c124afebe

SHA1
2f6d631e760fd8746d16f38066cb409a2e7bc5cd

SHA256
de63c6c342896d1de61c5acc0886fb2fc77ce5625ceacae6919c1207a67c7fb3

SHA512
84d4511b6c8aafa7d03c26d57d8b8fdc2c57df34f95a67de9a786b8d8f0d742e90c0123cc999673f99c758ac5dab145203ae839fae17fabb988747254e7e5942

Download Submit
C:\Windows\Temp\{C844DBDA-B8CF-4A84-A7FD-8D15AC5FCAB6}\.ba\Avira.OE.Setup.InstallationCore.dll

Filesize
638KB

MD5
2818591ee0235bc4789b67df54304a0e

SHA1
fa8baa1c50e1ffab000b7fea2edabc67d6724ed6

SHA256
a860e326c3ca24d39b422509f0b119938bad8024bb7b3604a635e467226af8e7

SHA512
73cbefe464e9b3d17398625a48d983c363a78fa70b3731dd6d04fea6526f655361605d56829f4618e157079f34ac41b30c52a9eadf13192de547d3778e823d84

Download Submit
C:\Windows\Temp\{C844DBDA-B8CF-4A84-A7FD-8D15AC5FCAB6}\.ba\Ui\page.html

Filesize
6KB

MD5
8d12108df79297a8a3709dc913501ef2

SHA1
4f3b907d2a56b95a53e9c2b757cedfd3b083f295

SHA256
d2e1cdd3244338f219978c725be1375956cd06bcf65e1634453f33c4aff18221

SHA512
55a06dddc2cb3c03575634ccde742ef9f631385c5e22932110cf8554a7fb36b8b1ff4fde5c53a8877fc78732c2aeaeb13d63ae55034888e9c64c93086019b04c

Download Submit
C:\Windows\Temp\{C844DBDA-B8CF-4A84-A7FD-8D15AC5FCAB6}\.ba\Ui\scripts\jquery.min.js

Filesize
93KB

MD5
f03e5a3bf534f4a738bc350631fd05bd

SHA1
37b1db88b57438f1072a8ebc7559c909c9d3a682

SHA256
aec3d419d50f05781a96f223e18289aeb52598b5db39be82a7b71dc67d6a7947

SHA512
8eeeaefb86cf5f9d09426814f7b60e1805e644cac3f5ab382c4d393dd0b7ab272c1909a31a57e6d38d5acf207555f097a64a6dd62f60a97093e97bb184126d2a

Download Submit
C:\Windows\Temp\{C844DBDA-B8CF-4A84-A7FD-8D15AC5FCAB6}\.ba\Ui\scripts\main.js

Filesize
2KB

MD5
b6e79cc5559a7d4aa15e607e6c9a4435

SHA1
b029056d4228931c65c36b543b7750d645344eb3

SHA256
56eb30ad85dc6ac21258bf86dc38999b8ec181d6e695653605afee194c89a9e4

SHA512
d829aafb959a6e9d7b702f7ab30d226a9d54ecfb6bebb33193a1edf7fb778bbdda4089a95346f974ed7466abbee130c652effe3e368d1011a994d35bcf07b219

Download Submit
C:\Windows\Temp\{C844DBDA-B8CF-4A84-A7FD-8D15AC5FCAB6}\.ba\WixStdBA.dll

Filesize
271KB

MD5
3d884ae625cf751447d82a315becec34

SHA1
82f7f635f44f84975fc8858bc70626b9f52197da

SHA256
361b9b647b0918c251374f5cee0decaed935725a36db20de882f614223edca04

SHA512
fefd6a95073d865f7868c0f9acc6fa895bfb1af60a32f2ff52688c6f23139a617e6ca8cc89a5a81b884f7870d052d3d3bedbadb09fbf872212fd174cda513acc

Download Submit
C:\Windows\Temp\{C844DBDA-B8CF-4A84-A7FD-8D15AC5FCAB6}\.ba\logo.png

Filesize
4KB

MD5
199ad0ae37d27171ceb3f99666d037ff

SHA1
24dfd957229bcbce96d853252721d7a015361c8b

SHA256
df9b0c0eb348162383522a326e2bfc9e0ba0d9621478ab6efccf30e6c698f117

SHA512
e6e712d8feeb699be70078f22085fbd9e7300f5550a9088727768da9a46f80bcd1f263032b64b7891cfde657a8148b64d83417024176d547b135f966fe4ad8d4

Download Submit
C:\Windows\Temp\{C844DBDA-B8CF-4A84-A7FD-8D15AC5FCAB6}\.ba\progress.gif

Filesize
23KB

MD5
0a8845f9504c4308995cafef392c4bd6

SHA1
91016679643297ca68f508832eaff1ea10cd4602

SHA256
3c27dfe3da72200a4417ed13027736f87ea8166190b418162d1e883733fdbfc9

SHA512
71210d3ac26b28e6ff7942da09d88f95cd04e32067665d5a9096eeeca8a635521ed1748037e79b11ec7f16a24bc799d21ab01a3542dddbd0d72e77a88e15ddc4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\scwmhhgw\CSCF4EE8F8FA61D4E2A98988460AF8AAC2.TMP

Filesize
652B

MD5
da3ed3608ca3c8579916a9aea22f4dd1

SHA1
da97e9b9cb2720133e6149616dd0fa3117fb3dc0

SHA256
d0372b4ad3e42b08db9fbfa927d5ef82749f2992507c70854540289f561bac03

SHA512
7ac114849da218a8f63cb1f93a50b7688821a9c12db4276284f305f4aaf82a6b9d5e6dcd46a4121f8c44f11eb423888f8b9bcfb7ff32e12b3f2981b20ff2a3ec

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\scwmhhgw\scwmhhgw.0.cs

Filesize
1KB

MD5
3fa19360e09832c3d711d4fe71911eae

SHA1
55a86c45af0f33419db93c39aaae09a06f610c78

SHA256
92a6b697b5bc2e42c280074823e06c1f39efc36fd985feff938b4f071756d28b

SHA512
880abc257e440799cbc718b39d776127e2a683cb5ffe4ebe426240aa52d7fbf6a4982b66b536388a88b00ed810088dc80b47e94297d24db89c1e2a92c982ec84

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\scwmhhgw\scwmhhgw.cmdline

Filesize
369B

MD5
97b0f391876ff8ab537140a329320c32

SHA1
9c37c9365de8beffa1dc3d85e5af4997e2a6d5e7

SHA256
e6bc1c7c042d23d78e0feb1a35b1b3bf062cee64edbe28900ffdc44438f1fbde

SHA512
285fd78c4dd0e6eeacf618bae82f3633ef349dcddd75701495b30bbe86cafff688ccf8fee9cfe006c1e96bfc26f262ea42c609fd4d670487fb3d777dd62aad22

Download Submit
memory/3448-41-0x0000000000890000-0x000000000089C000-memory.dmp

Filesize
48KB

Download
memory/3448-42-0x0000000002DF0000-0x0000000002E02000-memory.dmp

Filesize
72KB

Download
memory/4964-35-0x000002129B600000-0x000002129B608000-memory.dmp

Filesize
32KB

Download
memory/4964-46-0x00007FFF53DD0000-0x00007FFF54891000-memory.dmp

Filesize
10.8MB

Download
memory/4964-40-0x00007FFF53DD0000-0x00007FFF54891000-memory.dmp

Filesize
10.8MB

Download
memory/4964-21-0x00007FFF53DD0000-0x00007FFF54891000-memory.dmp

Filesize
10.8MB

Download
memory/4964-20-0x00007FFF53DD0000-0x00007FFF54891000-memory.dmp

Filesize
10.8MB

Download
memory/4964-19-0x000002129B590000-0x000002129B5B2000-memory.dmp

Filesize
136KB

Download
memory/4964-9-0x00007FFF53DD3000-0x00007FFF53DD5000-memory.dmp

Filesize
8KB

Download