xenorat | abc242f7c5ef7c85c38a5101ceb9897032a2e24bbd9558810eb03b9121bf0fcb

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2024 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202409290ecc69497bfd0ed6477cd052abdc26c2ryuk.exe
Size

12.5MB
MD5

0ecc69497bfd0ed6477cd052abdc26c2
SHA1

026e312c3a6002cbfbcb2522f07b509eedd89c20
SHA256

abc242f7c5ef7c85c38a5101ceb9897032a2e24bbd9558810eb03b9121bf0fcb
SHA512

4beedc6b2afeb395bc34b9384478897c1e6749cb5e6e6403cdf5ec9f7ec4df310bbe56a677a1e82b2e4c17e1a7e91305a507b1c79c29369feab4b02dbb5639a5
SSDEEP

393216:0JLqi6PpxRBQ+7IqVZPoFka4GsHwSrewvEWOxXqOkSR2gvS:7isxR3h8kt1/iw8H2

Score

10^/10

xenorat defense_evasion discovery execution rat trojan

Malware Config

Signatures

Detect XenoRat Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3428-42-0x00000000032F0000-0x0000000003302000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4748	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2212	idman642build21.exe
968	IDM1.tmp

Loads dropped DLL 1 IoCs

pid	Process
3864	202409290ecc69497bfd0ed6477cd052abdc26c2ryuk.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
3452	cmd.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	idman642build21.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IDM1.tmp

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4748	powershell.exe
4748	powershell.exe
4748	powershell.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	4748	powershell.exe
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 4748	3452	cmd.exe	90
PID 3452 wrote to memory of 4748	3452	cmd.exe	90
PID 4748 wrote to memory of 4980	4748	powershell.exe	94
PID 4748 wrote to memory of 4980	4748	powershell.exe	94
PID 4980 wrote to memory of 4696	4980	csc.exe	95
PID 4980 wrote to memory of 4696	4980	csc.exe	95
PID 4748 wrote to memory of 2212	4748	powershell.exe	96
PID 4748 wrote to memory of 2212	4748	powershell.exe	96
PID 4748 wrote to memory of 2212	4748	powershell.exe	96
PID 4748 wrote to memory of 3428	4748	powershell.exe	56
PID 2212 wrote to memory of 968	2212	idman642build21.exe	97
PID 2212 wrote to memory of 968	2212	idman642build21.exe	97
PID 2212 wrote to memory of 968	2212	idman642build21.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3428
- C:\Users\Admin\AppData\Local\Temp\202409290ecc69497bfd0ed6477cd052abdc26c2ryuk.exe
  "C:\Users\Admin\AppData\Local\Temp\202409290ecc69497bfd0ed6477cd052abdc26c2ryuk.exe"
  2⤵
  - Loads dropped DLL
  PID:3864

C:\Windows\system32\cmd.exe
cmd.exe /c start "" /min powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\app.ps1"
1⤵
- Hide Artifacts: Hidden Window
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\app.ps1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uah4s52b\uah4s52b.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4980
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1112.tmp" "c:\Users\Admin\AppData\Local\Temp\uah4s52b\CSC898D865AD07C41148BE5CB47EDEBDA28.TMP"
      4⤵
      PID:4696
- - C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\idman642build21.exe
    "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\idman642build21.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
      "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\app.manifest

Filesize
47KB

MD5
6fec4faacf51e3f656421e6cf5217299

SHA1
b4963d03ae835f9b064491dce20108f9450e7507

SHA256
582524e8046a86b6729bd9c3032f0da3d2b99c9eb537cce4b827b1a55d65a638

SHA512
2b2951dfb9c856cfcee73f5dab6218118b98e98cfa7bc47f5d241215024863da5b0d08ebab43475ca97fd13ca2d3ddf5ecdb5a16bdb117fb5bb0a506b6a7fe26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\app.ps1

Filesize
5KB

MD5
3aca65418fc9e4d69d2a5e4245d1b4e9

SHA1
702f7cfe36511cd3fc1eede39220769ea9b10b4a

SHA256
48e0d380660392f5a346b7a936ddf463097beec8abb24978cb4a364baac5dbac

SHA512
80ec0ddeb72de4b81906eef0d96e1586de38957588692326c057a2426bb471ed8906aa8423e40a6075d39e8d5577b5f6cbe08d2de7466fcddc3bdb55ab04ba38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\idman642build21.exe

Filesize
11.7MB

MD5
44cd33e863e57dc39666dccf49d4de2a

SHA1
32b8afd118e6add60eaa852d0687718ddd3351e7

SHA256
b39cc874fda44ea0d38e0e28a8a7d257171a00f3153262c8dba853069b18a963

SHA512
dbb1f571af8e4429dbef7a9fd46458bec86bcbe85449b2da0a366f41a20f3b77f001e6f4e9bcbcf9463cb0ee9e616f2a2c78653ecf2915c367dfcd9c3ae41afd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\wAPI.dll

Filesize
12.3MB

MD5
06044c2518fb6e8448496a7dbb408484

SHA1
b3670507fe37c3db352cda789ac48e21d0146009

SHA256
a0903fad6dff1bf677672efec4a1a2a11c1521d5066ba794ebfd76f60b41e4aa

SHA512
c1c12d73992933c007dfbf635fce46b3ead643bf89580c0879040859502ed7ff3af5cb99d4aed74b2f9c0a44f3f1a2aafb52024693e9e97471d32fb22246be23

Download Submit
C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp

Filesize
162KB

MD5
1c734d0ded634d8e17a87aba3d44f41d

SHA1
4974769d1b1442c48dd6b6fb8b3741df36f21425

SHA256
645ee6e64ed04825b25964d992d0205963498bb9d61f5a52be7e76ddb2074003

SHA512
20239782f4e30157fdfc02a3793ac7bde7ed74400de4cffa812805d680789ea7be5c2c765924d32f74807d80100cccc14b453d3d7e006dd4aeee60dec98af4c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1112.tmp

Filesize
1KB

MD5
69da8a75bfcbbba333a4716059da7a7e

SHA1
37cd34b4a4a063c19e3c6584c1a006c6f4501b63

SHA256
df12f4a78eaf04bdcec41cad789b77fdaa9e2038a6258eb0370812ce9f9f09bc

SHA512
61a146dc0e08b0290956154b03b8bb25a87c2ce2c444a6c037a2bbe3239b4e36eb6e540ff9bff0b83a48fa90518ffc91e382ec2747a4d0c8281f632436074d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cqbwbn2y.pcj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\uah4s52b\uah4s52b.dll

Filesize
4KB

MD5
b620ec0d0125c1d2473e7e241deb5da8

SHA1
cf60a6d9aa8b81ea8a0890c65b6584807c225bba

SHA256
8b437012dbd557e61994552deb4f2014a701404fdc40b7ca2cac794414cff42e

SHA512
64a1a4b3004b7a9bc25c50d405be0e604c96fbddf9173520f89c19f985447d008f85e6213f4c4b2c8704321e9c1d72c58388bb38eb158ad7442d0050c6efc27a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uah4s52b\CSC898D865AD07C41148BE5CB47EDEBDA28.TMP

Filesize
652B

MD5
9908806225f198b4995304842a902af4

SHA1
b8deb1df7c03cda064ff6ef42becfe48adb50990

SHA256
a083be1ca617ab86cf2623c658cdb6dd8c9292d5d1ac2f7b2e140674b5b51b17

SHA512
8df161ab44288b29c7e17a58b675b8baf22b93b0dd1d192c553dc8a35f47ce110f813fdcd87fab514a0a2f8cd12e6f999749c3c15b3cd87e22216f001e1b43d0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uah4s52b\uah4s52b.0.cs

Filesize
1KB

MD5
3fa19360e09832c3d711d4fe71911eae

SHA1
55a86c45af0f33419db93c39aaae09a06f610c78

SHA256
92a6b697b5bc2e42c280074823e06c1f39efc36fd985feff938b4f071756d28b

SHA512
880abc257e440799cbc718b39d776127e2a683cb5ffe4ebe426240aa52d7fbf6a4982b66b536388a88b00ed810088dc80b47e94297d24db89c1e2a92c982ec84

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uah4s52b\uah4s52b.cmdline

Filesize
369B

MD5
67e67b356e1e47fc3e285dbf6243be64

SHA1
30025c5a64720a35f08224af124cc77c3fae655c

SHA256
a869079d7920f3b829fba57d3d7bf5810de3799463588b68af365bd13f211b0a

SHA512
5c52e0b673a1155743a6d2c71b8828c1361c3710495172fc43aff71f607f2461406ce1e2893c50fa0e1aa5dcf7de49df1d3a81085484d9a326f22ee7991012b2

Download Submit
memory/968-47-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/968-48-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3428-41-0x0000000000F90000-0x0000000000F9C000-memory.dmp

Filesize
48KB

Download
memory/3428-42-0x00000000032F0000-0x0000000003302000-memory.dmp

Filesize
72KB

Download
memory/4748-21-0x00000165460D0000-0x00000165460F2000-memory.dmp

Filesize
136KB

Download
memory/4748-40-0x00007FFC09B00000-0x00007FFC0A5C1000-memory.dmp

Filesize
10.8MB

Download
memory/4748-35-0x0000016546100000-0x0000016546108000-memory.dmp

Filesize
32KB

Download
memory/4748-45-0x00007FFC09B00000-0x00007FFC0A5C1000-memory.dmp

Filesize
10.8MB

Download
memory/4748-20-0x00007FFC09B00000-0x00007FFC0A5C1000-memory.dmp

Filesize
10.8MB

Download
memory/4748-10-0x00007FFC09B00000-0x00007FFC0A5C1000-memory.dmp

Filesize
10.8MB

Download
memory/4748-9-0x00007FFC09B03000-0x00007FFC09B05000-memory.dmp

Filesize
8KB

Download