Overview

overview

10

Static

static

3

Transferencia.exe

windows7-x64

10

Transferencia.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    292s
  • max time network
    296s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-10-2024 00:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Transferencia.exe

  • Size

    712KB

  • MD5

    205f93678f0207a93801654d71ddb792

  • SHA1

    4f5aa1639d9c85d93060ebecd17fbe7f0fef313c

  • SHA256

    3138fbe3448390de473a313644fd2a205e7e08de043d5097b37db857c40bfad0

  • SHA512

    0784187f0c40f1d428c3b982797f95c29485c43b8197ecaff305f926994222bc7e1f7de4f98205376a86f81676485c232f8732c1e756d159a5bf74d13f1f5a20

  • SSDEEP

    12288:JcrNS33L10QdrX4FBojL8DPNYnyV1Rotvwd2CO078/iY7Qlz9Rq/CvrvU:0NA3R5drX4GcPNYyr2voO078/iQI9RqN

Score
10/10
xenoratdiscoveryrattrojan

Malware Config

Extracted

Family

xenorat

C2

87.120.116.115

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    50000

  • install_path

    appdata

  • port

    1391

  • startup_name

    nothingset

Signatures

  • Detect XenoRat Payload 1 IoCs
  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Transferencia.exe
    "C:\Users\Admin\AppData\Local\Temp\Transferencia.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4668
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\fyudhid.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1288
      • C:\Users\Admin\AppData\Roaming\fyudhid.sfx.exe
        fyudhid.sfx.exe -dC:\Users\Admin\AppData\Roaming -pbotadelifsujhmgtpswngjMitredfdtixgtoqxqegujhtfeswczafugybsbBbsdhdqbqeku
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1672
        • C:\Users\Admin\AppData\Roaming\fyudhid.exe
          "C:\Users\Admin\AppData\Roaming\fyudhid.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1484
          • C:\Users\Admin\AppData\Roaming\fyudhid.exe
            C:\Users\Admin\AppData\Roaming\fyudhid.exe
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:5036
            • C:\Users\Admin\AppData\Roaming\UpdateManager\fyudhid.exe
              "C:\Users\Admin\AppData\Roaming\UpdateManager\fyudhid.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2744
              • C:\Users\Admin\AppData\Roaming\UpdateManager\fyudhid.exe
                C:\Users\Admin\AppData\Roaming\UpdateManager\fyudhid.exe
                7⤵
                • Executes dropped EXE
                PID:3400
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 80
                  8⤵
                  • Program crash
                  PID:3008
              • C:\Users\Admin\AppData\Roaming\UpdateManager\fyudhid.exe
                C:\Users\Admin\AppData\Roaming\UpdateManager\fyudhid.exe
                7⤵
                • Executes dropped EXE
                PID:264
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 264 -s 80
                  8⤵
                  • Program crash
                  PID:2372
          • C:\Users\Admin\AppData\Roaming\fyudhid.exe
            C:\Users\Admin\AppData\Roaming\fyudhid.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1456
            • C:\Windows\SysWOW64\schtasks.exe
              "schtasks.exe" /Create /TN "UpdateManager" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7FF9.tmp" /F
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:312
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\paymt_dates.txt
      2⤵
      • System Location Discovery: System Language Discovery
      • Opens file in notepad (likely ransom note)
      PID:244
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3400 -ip 3400
    1⤵
      PID:2096
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 264 -ip 264
      1⤵
        PID:4564

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fyudhid.exe.log
        Filesize

        706B

        MD5

        d95c58e609838928f0f49837cab7dfd2

        SHA1

        55e7139a1e3899195b92ed8771d1ca2c7d53c916

        SHA256

        0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

        SHA512

        405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp7FF9.tmp
        Filesize

        1KB

        MD5

        b3936111cd0f3541ff0a5b1b98ab97b8

        SHA1

        93e7aac1d64cdbf0bd35b5b29e768a7be8f7a1c7

        SHA256

        e5589df5ada28fb330ce75e847e93b60ef4ba90003001c6cb7915fc1309a52d9

        SHA512

        bb88bb21cc7d335f9905f236e0b96ba8b0e9fed8427ef94d8d405b09b616836b169f23302a17ecda163bcb2a2383e9fcc91abcc2f9e0ad66b20a374b676b59bf

        Download Submit

      • C:\Users\Admin\AppData\Roaming\fyudhid.bat
        Filesize

        16KB

        MD5

        92d61c851d77c26075f502b5683659cf

        SHA1

        6aa42164e0aa6ab877471f9dc9e9989435bfe272

        SHA256

        40c853fbdadf9cbe18c8bdab9c82f8b08c74f6471e0ed3872e3638770cd1ad1d

        SHA512

        b5690ba5f1095a5f25bc3b4dff739736bafbbd4c91bf8d833aefb3293e8c3d31085383150d841e7645e95eb361959e1bf2b3d85698d2b565b83018e4e80763fc

        Download Submit

      • C:\Users\Admin\AppData\Roaming\fyudhid.exe
        Filesize

        248KB

        MD5

        fc52857470de4fba6092850903ac717b

        SHA1

        31a6cca56275235ede3c119e71179ade5f2e6920

        SHA256

        f7f878630e1d923f29845b0462d6449602457080a5b7ce7099db207598a3bec1

        SHA512

        c4c34e3e59fddc2305faa224f6d6349c66245e87e104f65885072aec780b8c18f62021cbb158c679bb0963d7b5c7c25a2194747f398df27b473b608012e2a2b3

        Download Submit

      • C:\Users\Admin\AppData\Roaming\fyudhid.sfx.exe
        Filesize

        477KB

        MD5

        be09bfaf5845333ecbacdd6af8d35e03

        SHA1

        a1a6e588c3e44304604c9277f91f3bb562933c0e

        SHA256

        a10a3a94a9c0ed8bb2772c93a57d243ff6be9911aeaaaf03909f443226f6a64d

        SHA512

        3d9aa17b6fd84bd8c7791249d2734b9ad7858c1adf5d7db795ceda2627db1dc15b71d65bea55373881c8796125c8f22902250f62b360e661fa3f966edfab2b3f

        Download Submit

      • C:\Users\Admin\AppData\Roaming\paymt_dates.txt
        Filesize

        24B

        MD5

        1f2dbffd7ff7d7d6dcbc424beda05107

        SHA1

        8d24f2aac5f1cb33b6c04d5a38257353f7f5bd86

        SHA256

        32497ecb378cdeb6844225e78c8b7297d9ae2553b3bd01483ce043177ccbad58

        SHA512

        018e645d4d46969a40e67342feba0b38c5af698d8ac25f2a38eb6af290f77f866cda1dad8d431a6eecc719dfe95af2b86a5db2eeab46593135a49b47902bf6a9

        Download Submit

      • memory/1484-28-0x0000000005370000-0x00000000053B0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1484-29-0x0000000008920000-0x00000000089BC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/1484-30-0x0000000008F70000-0x0000000009514000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1484-31-0x0000000008A60000-0x0000000008AF2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/1484-32-0x0000000006500000-0x0000000006506000-memory.dmp

        Filesize

        24KB

        Download

      • memory/1484-27-0x0000000001490000-0x0000000001496000-memory.dmp

        Filesize

        24KB

        Download

      • memory/1484-26-0x00000000009E0000-0x0000000000A26000-memory.dmp

        Filesize

        280KB

        Download

      • memory/5036-33-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download