Analysis
max time kernel: 140s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-09-2024 08:40
General
Target: wahoo.exe
Size: 45KB
MD5: 783cb143f722d2b7950d83cd5056de12
SHA1: c93a49a4cb10dcc9a39b435d4da209596201edaf
SHA256: a3d838b5f60887240be29ec626a5cbcb4785066f0785a524e9f90dcf4cae3e76
SHA512: 727b00d454f15907ccbcabd5be819745d5f3876c28f09c7a94941c2b033591f1f4d1adb61f28bea5933b2395bdd37d9d23bc59d946a36d8dc6c3f3387744d1ed
SSDEEP: 768:SdhO/poiiUcjlJInWsWH9Xqk5nWEZ5SbTDavuI7CPW5h:0w+jjgnYH9XqcnW85SbTSuI5
Malware Config
Extracted
Family: xenorat
C2: 192.168.1.223
Mutex: Xeno_rat_nd8912d
delay: 5000
install_path: nothingset
port: 4444
startup_name: lika
Notes: the C2 address is a private (RFC 1918) address, so a beacon from the sandbox would only reach a host on the same local network, which matches the empty Network section below. The startup_name value "lika" is exactly the task name the sample registers with schtasks (see the process tree), and install_path being unset is consistent with the absence of any file copy or second executable in the tree.
Signatures
- Detect XenoRat Payload (1 IoC)
  resource: behavioral1/memory/3884-1-0x0000000000780000-0x0000000000792000-memory.dmp
  yara_rule: family_xenorat
  The hit is in a memory region of PID 3884, i.e. wahoo.exe itself (0x780000-0x792000, 0x12000 bytes), so the payload is detected in the sample's own process, not in an injected target.
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (wahoo.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (schtasks.exe)
  Both IoCs are reads of a key that many ordinary processes open at start-up (the schtasks.exe hit shows this); on its own this is weak evidence of deliberate locale checking.
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 (taskmgr.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
  All three IoCs come from taskmgr.exe (PID 3444), which the process tree shows as a top-level process rather than a child of wahoo.exe. Task Manager reading disk device properties is its normal behaviour; this is not sandbox evasion by the sample.
- Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings (taskmgr.exe)
  Again attributable to Task Manager (PID 3444), not to the sample.
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 1260: schtasks.exe
  This is the persistence mechanism of the run: wahoo.exe spawns schtasks.exe with /Create /TN "lika" /XML "C:\Users\Admin\AppData\Local\Temp\tmp78BA.tmp" /F. Because the task definition is supplied as an XML file in %TEMP% rather than via /TR, the action and trigger are not visible in the command line; they are only in that temporary file.
- Suspicious behavior: EnumeratesProcesses (27 IoCs)
  PID 3444: taskmgr.exe (27 hits)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token: SeDebugPrivilege (PID 3444, taskmgr.exe)
  Token: SeSystemProfilePrivilege (PID 3444, taskmgr.exe)
  Token: SeCreateGlobalPrivilege (PID 3444, taskmgr.exe)
  Token: 33 (numeric LUID, not named by the sandbox; PID 3444, taskmgr.exe)
  Token: SeIncBasePriorityPrivilege (PID 3444, taskmgr.exe)
- Suspicious use of FindShellTrayWindow (52 IoCs)
  PID 3444: taskmgr.exe (52 hits)
- Suspicious use of SendNotifyMessage (52 IoCs)
  PID 3444: taskmgr.exe (52 hits)
  The four signatures above are all Task Manager (PID 3444) and describe the analysis environment, not the sample.
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3884 (wahoo.exe) wrote to memory of PID 1260 (schtasks.exe), procid_target 83, 3 times
  The writes go into the schtasks.exe child immediately after wahoo.exe creates it. Nothing on this page indicates a payload was placed in that child: the family_xenorat YARA hit is in wahoo.exe's own memory region.
Processes
- C:\Users\Admin\AppData\Local\Temp\wahoo.exe (PID 3884)
  Command line: "C:\Users\Admin\AppData\Local\Temp\wahoo.exe"
  Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 1260, child of 3884)
    Command line: "schtasks.exe" /Create /TN "lika" /XML "C:\Users\Admin\AppData\Local\Temp\tmp78BA.tmp" /F
    Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
    The SysWOW64 path means the child was resolved through WOW64 file redirection, so wahoo.exe is running as a 32-bit process on this x64 image.
- C:\Windows\system32\taskmgr.exe (PID 3444, top-level process, not spawned by the sample)
  Command line: "C:\Windows\system32\taskmgr.exe" /0
  Signatures: Checks SCSI registry key(s); Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- C:\Windows\System32\rundll32.exe (PID 1240, top-level process, not spawned by the sample)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
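The persistence step above (a dropper in %TEMP% registering a scheduled task from an XML file in %TEMP%, with the task name equal to the RAT's startup_name) is the part of this run worth a detection rule. The following is an added example, not code from the sandbox report or from XenoRat: it parses schtasks command lines and scores /Create invocations by where the task definition and the parent process live. The events are constructed to mirror the process tree above; the field names pid/ppid/image/cmdline are an assumption about the log source (Sysmon event 1 and Windows 4688 both carry equivalents), and the benign vendor-installer events are invented controls.

```python
"""Flag schtasks-based persistence of the kind seen in the process tree above.

Added example; not part of the sandbox report or of XenoRat. Event records are
constructed to mirror the report (wahoo.exe PID 3884 spawning schtasks.exe PID
1260); the field names are an assumption about the log source.
"""
import re
from typing import Dict, List

# Constructed process-creation events modelled on the report's process tree.
SAMPLE_EVENTS = [
    {"pid": 3884, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\wahoo.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\wahoo.exe"'},
    {"pid": 1260, "ppid": 3884,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"schtasks.exe" /Create /TN "lika" /XML "C:\Users\Admin\AppData\Local\Temp\tmp78BA.tmp" /F'},
    # Invented benign control: a vendor installer registering a task from Program Files.
    {"pid": 1500, "ppid": 1000,
     "image": r"C:\Program Files\Vendor\setup.exe",
     "cmdline": r'"C:\Program Files\Vendor\setup.exe"'},
    {"pid": 2000, "ppid": 1500,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN "VendorUpdate" /XML "C:\Program Files\Vendor\update.xml"'},
    # Task Manager, a separate top-level process in the report; must not alert.
    {"pid": 3444, "ppid": 1000,
     "image": r"C:\Windows\system32\taskmgr.exe",
     "cmdline": r'"C:\Windows\system32\taskmgr.exe" /0'},
]

# Directories an unprivileged user can write to. A task whose definition or
# parent lives here is far more suspicious than one under Program Files.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|Windows\\Temp|Downloads|Public)\\", re.IGNORECASE
)


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks(cmdline: str) -> Dict[str, str]:
    """Return schtasks switches as a lower-cased dict, e.g. {'create': '', 'tn': 'lika'}.

    A switch followed by a non-switch token takes that token as its value
    (/TN, /XML, /TR, /SC ...); bare switches such as /Create and /F map to "".
    """
    tokens = tokenize(cmdline)[1:]  # drop the image name
    switches: Dict[str, str] = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            name = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                switches[name] = tokens[i + 1]
                i += 2
                continue
            switches[name] = ""
        i += 1
    return switches


def find_task_persistence(events: List[dict], known_names=()) -> List[dict]:
    """Flag schtasks /Create invocations that look like malware persistence."""
    by_pid = {e["pid"]: e for e in events}
    wanted = {n.lower() for n in known_names}
    findings = []
    for ev in events:
        if not ev["image"].lower().endswith("\\schtasks.exe"):
            continue
        sw = parse_schtasks(ev["cmdline"])
        if "create" not in sw:
            continue
        reasons = []
        # /XML hides the action in a file; /TR carries it inline. Check whichever is present.
        definition = sw.get("xml") or sw.get("tr") or ""
        if USER_WRITABLE.search(definition):
            reasons.append(f"task definition from user-writable path: {definition}")
        parent = by_pid.get(ev["ppid"])
        if parent and USER_WRITABLE.search(parent["image"]):
            reasons.append(f"parent {parent['image']} runs from a user-writable path")
        task = sw.get("tn", "")
        if task.lower() in wanted:
            reasons.append(f"task name {task!r} matches a known RAT startup_name")
        if reasons:
            findings.append({"pid": ev["pid"], "ppid": ev["ppid"], "task": task, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_task_persistence(SAMPLE_EVENTS, known_names=["lika"]):
        print(finding)
```

Run against the constructed events, only the schtasks.exe child of wahoo.exe is reported, with three reasons (definition in %TEMP%, parent in %TEMP%, task name "lika" from the extracted config); the Program Files installer and Task Manager produce nothing. The parent-path check is the one that generalises: it fires regardless of task name, which an operator changes trivially, while the /XML-in-%TEMP% check catches definitions whose action is never visible on the command line.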
Network
No network indicators are recorded on this page; see the note on the private C2 address under Malware Config.
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: cb6899a5498a2c5eb0ca3b7d805278f7
  SHA1: 22e68e845f5f1e128e5f97b2c7a82e1b51f2b265
  SHA256: 28a07ac8b6718b61d3414c781cb14658c0fa87d2b31294311ff9ac99f5bf12de
  SHA512: 13877626e67851066bde1e21c7f676a504ff021d8141edf8105ff3f6b4b472185f5ba0be9dd28ba0d0fe11ff604e77457b5bcfcb40a8a02a524e2c95a12c7bf9