Overview

overview

10

Static

static

10

something.exe

windows11-21h2-x64

10

Resubmissions

15-10-2024 19:35

241015-yav4raxckm 10

15-10-2024 19:34

241015-x98nfsxbql 10

Analysis

  • max time kernel
    45s
  • max time network
    13s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    15-10-2024 19:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    something.exe

  • Size

    45KB

  • MD5

    2755eec715f4be9c61e964bf57d75c80

  • SHA1

    638afd519332a470e6a4a63abf9df3ca65787f9d

  • SHA256

    07c1bf391c3054918d6843413a6c8e5cd62d7479173565708db41c97a2a0212d

  • SHA512

    ea70723cb1ce760c8e24f067382cd6a6f64894a5de597f349913454a6c41c28516279c6e89dadaae1f748b39d72b821d5f77b3425f735a0f2cad7c26007527a7

  • SSDEEP

    768:FdhO/poiiUcjlJInwVH9Xqk5nWEZ5SbTDazuI7CPW5N:bw+jjgn4H9XqcnW85SbTuuIl

Score
10/10
xenoratdiscoveryrattrojan

Malware Config

Extracted

Family

xenorat

C2

127.0.0.1

Mutex

Xeno_rat_nd8912d

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    6932

  • startup_name

    SYSTEM

Signatures

  • Detect XenoRat Payload 2 IoCs
  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\something.exe
    "C:\Users\Admin\AppData\Local\Temp\something.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3712
    • C:\Users\Admin\AppData\Roaming\XenoManager\something.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\something.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3708
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "SYSTEM" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA6FE.tmp" /F
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:4368
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2404

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\something.exe.log
    Filesize

    226B

    MD5

    1294de804ea5400409324a82fdc7ec59

    SHA1

    9a39506bc6cadf99c1f2129265b610c69d1518f7

    SHA256

    494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0

    SHA512

    033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\~earchHoverUnifiedTileModelCache.tmp
    Filesize

    10KB

    MD5

    1e7dd00b69af4d51fb747a9f42c6cffa

    SHA1

    496cdb3187d75b73c0cd72c69cd8d42d3b97bca2

    SHA256

    bc7aec43a9afb0d07ef7e3b84b5d23a907b6baff367ecd4235a15432748f1771

    SHA512

    d5227d3df5513d7d0d7fb196eef014e54094c5ed8c5d31207b319e12480433f1424d49df759a7a2aefc6a69cef6bf2a0cc45d05660e618dc2ec9a2b082b7b5f7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpA6FE.tmp
    Filesize

    1KB

    MD5

    9b4081412ecbcdc23a84a35755d4c798

    SHA1

    2d2dd6f3187f4c1559add7da5965be481f6cf91d

    SHA256

    11513abcfce862a20d8e67ca88a3ae0d44d05d2a74faddb5e4b8b7012325a6e8

    SHA512

    494fb04f64966b4d18f13b3b4897d15192b91f015abc1c373ca59b25cc437eda53c9f5c8659c7698286c380c9cf900520ff93eb9b6b2afbae3b073f8303eeca1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\XenoManager\something.exe
    Filesize

    45KB

    MD5

    2755eec715f4be9c61e964bf57d75c80

    SHA1

    638afd519332a470e6a4a63abf9df3ca65787f9d

    SHA256

    07c1bf391c3054918d6843413a6c8e5cd62d7479173565708db41c97a2a0212d

    SHA512

    ea70723cb1ce760c8e24f067382cd6a6f64894a5de597f349913454a6c41c28516279c6e89dadaae1f748b39d72b821d5f77b3425f735a0f2cad7c26007527a7

    Download Submit

  • memory/3708-15-0x0000000074C00000-0x00000000753B1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3708-18-0x0000000074C00000-0x00000000753B1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3708-19-0x0000000074C00000-0x00000000753B1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3712-0-0x0000000074C0E000-0x0000000074C0F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3712-1-0x0000000000FE0000-0x0000000000FF2000-memory.dmp

    Filesize

    72KB

    Download