xenorat | 6958e71ec05520b33c77de4fdfca9fb56c41699a0b47af066fca79e5df70eb73

Analysis

max time kernel
599s
max time network
428s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2024 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MinecraftModPackBedrock.exe
Size

447KB
MD5

7ffb057756968e3f079a8495fcdf3f29
SHA1

12f35b1e806a0246fb3d6bb7d43a86903f319a41
SHA256

6958e71ec05520b33c77de4fdfca9fb56c41699a0b47af066fca79e5df70eb73
SHA512

77c069eda9de18f967666e9ddc1daa5e3a8f14dfd01c2c5e4756b981ae879d87b8cf02fb7029f5d451ecffc951ab78e5474196d90a52c2057f2c733527ab821c
SSDEEP

1536:Rw+jjgnaoH9XqcnW85SbT+uIDMCLsYaZ69ImcWxoGhvvvjtTTTEKY55aaaaaaaaJ:Rw+jqa691UbT+BMrKImcWnTTT4v

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

127.0.0.1

Mutex

Minecrafr_Mod

Attributes

delay
5000
install_path
appdata
port
4782
startup_name
MinecraftIsCool

Signatures

Detect XenoRat Payload 2 IoCs

resource	yara_rule
behavioral1/memory/4612-1-0x0000000000A80000-0x0000000000AF6000-memory.dmp	family_xenorat
behavioral1/files/0x000700000002347d-6.dat	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	MinecraftModPackBedrock.exe

Executes dropped EXE 1 IoCs

pid	Process
4988	MinecraftModPackBedrock.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MinecraftModPackBedrock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MinecraftModPackBedrock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3092	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 4988	4612	MinecraftModPackBedrock.exe	82
PID 4612 wrote to memory of 4988	4612	MinecraftModPackBedrock.exe	82
PID 4612 wrote to memory of 4988	4612	MinecraftModPackBedrock.exe	82
PID 4988 wrote to memory of 3092	4988	MinecraftModPackBedrock.exe	83
PID 4988 wrote to memory of 3092	4988	MinecraftModPackBedrock.exe	83
PID 4988 wrote to memory of 3092	4988	MinecraftModPackBedrock.exe	83

C:\Users\Admin\AppData\Local\Temp\MinecraftModPackBedrock.exe
"C:\Users\Admin\AppData\Local\Temp\MinecraftModPackBedrock.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Users\Admin\AppData\Roaming\XenoManager\MinecraftModPackBedrock.exe
  "C:\Users\Admin\AppData\Roaming\XenoManager\MinecraftModPackBedrock.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "MinecraftIsCool" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9AE8.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9AE8.tmp

Filesize
1KB

MD5
f5f470e2965b765e7c01ea26fe92674e

SHA1
3eb9a3518ae95beb592ad893575de7dd50964e7c

SHA256
31f19df246c4b2abf6e11a2d3ea489b2838373a67b935c290995a196133e5f3b

SHA512
a1438093fcd68693532fc81a1be84002761aa85c6f0095cd7d9cf918008adca7ea4868fe4d47639fe0cddbda598b2db56539712e3417f7a3a48dd24d879e5891

Download Submit
C:\Users\Admin\AppData\Roaming\XenoManager\MinecraftModPackBedrock.exe

Filesize
447KB

MD5
7ffb057756968e3f079a8495fcdf3f29

SHA1
12f35b1e806a0246fb3d6bb7d43a86903f319a41

SHA256
6958e71ec05520b33c77de4fdfca9fb56c41699a0b47af066fca79e5df70eb73

SHA512
77c069eda9de18f967666e9ddc1daa5e3a8f14dfd01c2c5e4756b981ae879d87b8cf02fb7029f5d451ecffc951ab78e5474196d90a52c2057f2c733527ab821c

Download Submit
memory/4612-0-0x000000007457E000-0x000000007457F000-memory.dmp

Filesize
4KB

Download
memory/4612-1-0x0000000000A80000-0x0000000000AF6000-memory.dmp

Filesize
472KB

Download
memory/4988-14-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download
memory/4988-17-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download
memory/4988-18-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads