xenorat | 8ea18eece31949fcbf403dcd372a686cb70cb41272c3fade7248a272d74a003a

Analysis

max time kernel
44s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2024 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Blue.cc Temp Woofer.exe
Size

282KB
MD5

bd58be40cf8514257afa679943e3d985
SHA1

6c1e0bfcdb791e4dc392983f750d41750ff03f0d
SHA256

8ea18eece31949fcbf403dcd372a686cb70cb41272c3fade7248a272d74a003a
SHA512

9b7ba96204c0a7987fba24a9fee589edc19737445fb007eb687c3b3f037a412d550f9315835b95f7cef74a37d2b6f85bd00d7e6086ef38b4154d4001febe8f3c
SSDEEP

1536:9w+jjgneH9XqcnW85SbTCWIa7tMuBtzGulxuJVZ2eY7WHpqiH:9w+jqA91UbTC2t7leZ2eWNo

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

192.168.244.72

Mutex

Blue.cc Temp Woofer

Attributes

delay
10
install_path
nothingset
port
4444
startup_name
nothingset

Signatures

Detect XenoRat Payload 1 IoCs

resource	yara_rule
behavioral1/memory/4328-1-0x0000000000C90000-0x0000000000CDC000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blue.cc Temp Woofer.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	taskmgr.exe
Token: SeSystemProfilePrivilege	2796	taskmgr.exe
Token: SeCreateGlobalPrivilege	2796	taskmgr.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe

Suspicious use of SendNotifyMessage 57 IoCs

pid	Process
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe

C:\Users\Admin\AppData\Local\Temp\Blue.cc Temp Woofer.exe
"C:\Users\Admin\AppData\Local\Temp\Blue.cc Temp Woofer.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4328

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2796

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2796-13-0x000001A1B11B0000-0x000001A1B11B1000-memory.dmp

Filesize
4KB

Download
memory/2796-11-0x000001A1B11B0000-0x000001A1B11B1000-memory.dmp

Filesize
4KB

Download
memory/2796-9-0x000001A1B11B0000-0x000001A1B11B1000-memory.dmp

Filesize
4KB

Download
memory/2796-3-0x000001A1B11B0000-0x000001A1B11B1000-memory.dmp

Filesize
4KB

Download
memory/2796-10-0x000001A1B11B0000-0x000001A1B11B1000-memory.dmp

Filesize
4KB

Download
memory/2796-5-0x000001A1B11B0000-0x000001A1B11B1000-memory.dmp

Filesize
4KB

Download
memory/2796-14-0x000001A1B11B0000-0x000001A1B11B1000-memory.dmp

Filesize
4KB

Download
memory/2796-15-0x000001A1B11B0000-0x000001A1B11B1000-memory.dmp

Filesize
4KB

Download
memory/2796-4-0x000001A1B11B0000-0x000001A1B11B1000-memory.dmp

Filesize
4KB

Download
memory/2796-12-0x000001A1B11B0000-0x000001A1B11B1000-memory.dmp

Filesize
4KB

Download
memory/4328-1-0x0000000000C90000-0x0000000000CDC000-memory.dmp

Filesize
304KB

Download
memory/4328-0-0x0000000074DFE000-0x0000000074DFF000-memory.dmp

Filesize
4KB

Download
memory/4328-2-0x0000000074DF0000-0x00000000755A0000-memory.dmp

Filesize
7.7MB

Download
memory/4328-16-0x0000000074DFE000-0x0000000074DFF000-memory.dmp

Filesize
4KB

Download
memory/4328-17-0x0000000074DF0000-0x00000000755A0000-memory.dmp

Filesize
7.7MB

Download
memory/4328-18-0x0000000074DF0000-0x00000000755A0000-memory.dmp

Filesize
7.7MB

Download