d4494d6239ab355a31308234f5c4508c6b31cb2e89e0636101de41bd60d544fb

Analysis

max time kernel
115s
max time network
121s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
19/11/2024, 17:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xeno-v1.0.9-x64-New.zip
Size

7.1MB
MD5

b32e1b06f1a530bdfd3c43abde00df1e
SHA1

5f25d1ce95c71963b67708e13739b8e3ebd65d9b
SHA256

d4494d6239ab355a31308234f5c4508c6b31cb2e89e0636101de41bd60d544fb
SHA512

5f249c82222bcf8ce8b3e65720c2aa362c8ab6ff53c4aa5e1193a9f48ad628a7edf18f4756f3091f8b0ba0498dd0ef82fe0fe787c5e31a404679b8bea1171e93
SSDEEP

196608:gCoNYe5eqB3aM//Cwj0lY8MT0iSi1WhLObay4VhF0:1oNY8TB3//CwIlY8MIiSi1WpvvhF0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 8 IoCs

pid	Process
752	Xeno.exe
4944	Xeno.exe
3712	Xeno.exe
5632	Xeno.exe
456	Xeno.exe
2540	Xeno.exe
4516	Xeno.exe
4080	Xeno.exe

Loads dropped DLL 40 IoCs

pid	Process
5632	Xeno.exe
5632	Xeno.exe
5632	Xeno.exe
5632	Xeno.exe
5632	Xeno.exe
5632	Xeno.exe
5632	Xeno.exe
5632	Xeno.exe
456	Xeno.exe
456	Xeno.exe
456	Xeno.exe
456	Xeno.exe
456	Xeno.exe
456	Xeno.exe
456	Xeno.exe
456	Xeno.exe
2540	Xeno.exe
2540	Xeno.exe
2540	Xeno.exe
2540	Xeno.exe
2540	Xeno.exe
2540	Xeno.exe
2540	Xeno.exe
2540	Xeno.exe
4516	Xeno.exe
4516	Xeno.exe
4516	Xeno.exe
4516	Xeno.exe
4516	Xeno.exe
4516	Xeno.exe
4516	Xeno.exe
4516	Xeno.exe
4080	Xeno.exe
4080	Xeno.exe
4080	Xeno.exe
4080	Xeno.exe
4080	Xeno.exe
4080	Xeno.exe
4080	Xeno.exe
4080	Xeno.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
43	raw.githubusercontent.com
44	raw.githubusercontent.com
49	raw.githubusercontent.com
50	raw.githubusercontent.com
51	raw.githubusercontent.com
52	raw.githubusercontent.com

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral1/files/0x00280000000451b4-135.dat	embeds_openssl

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2520	7zFM.exe
2520	7zFM.exe
2520	7zFM.exe
2520	7zFM.exe
5632	Xeno.exe
5632	Xeno.exe
5632	Xeno.exe
5632	Xeno.exe
5632	Xeno.exe
5632	Xeno.exe
456	Xeno.exe
456	Xeno.exe
456	Xeno.exe
456	Xeno.exe
456	Xeno.exe
456	Xeno.exe
2540	Xeno.exe
2540	Xeno.exe
2540	Xeno.exe
2540	Xeno.exe
2540	Xeno.exe
2540	Xeno.exe
4516	Xeno.exe
4516	Xeno.exe
4516	Xeno.exe
4516	Xeno.exe
4516	Xeno.exe
4516	Xeno.exe
4080	Xeno.exe
4080	Xeno.exe
4080	Xeno.exe
4080	Xeno.exe
4080	Xeno.exe
4080	Xeno.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2520	7zFM.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2520	7zFM.exe
Token: 35	2520	7zFM.exe
Token: SeSecurityPrivilege	2520	7zFM.exe
Token: SeSecurityPrivilege	2520	7zFM.exe
Token: SeSecurityPrivilege	2520	7zFM.exe
Token: SeSecurityPrivilege	2520	7zFM.exe
Token: SeSecurityPrivilege	2520	7zFM.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2520	7zFM.exe
2520	7zFM.exe
2520	7zFM.exe
2520	7zFM.exe
2520	7zFM.exe
2520	7zFM.exe
2520	7zFM.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 752	2520	7zFM.exe	87
PID 2520 wrote to memory of 752	2520	7zFM.exe	87
PID 2520 wrote to memory of 3712	2520	7zFM.exe	98
PID 2520 wrote to memory of 3712	2520	7zFM.exe	98

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.9-x64-New.zip"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\AppData\Local\Temp\7zO8D9B01A7\Xeno.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO8D9B01A7\Xeno.exe"
  2⤵
  - Executes dropped EXE
  PID:752
- C:\Users\Admin\AppData\Local\Temp\7zO8D9925E8\Xeno.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO8D9925E8\Xeno.exe"
  2⤵
  - Executes dropped EXE
  PID:3712

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2016

C:\Users\Admin\Desktop\e\Xeno.exe
"C:\Users\Admin\Desktop\e\Xeno.exe"
1⤵
- Executes dropped EXE
PID:4944

C:\Users\Admin\Desktop\e\Xeno.exe
"C:\Users\Admin\Desktop\e\Xeno.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5632

C:\Users\Admin\Desktop\e\Xeno.exe
"C:\Users\Admin\Desktop\e\Xeno.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:456

C:\Users\Admin\Desktop\e\Xeno.exe
"C:\Users\Admin\Desktop\e\Xeno.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2540

C:\Users\Admin\Desktop\e\Xeno.exe
"C:\Users\Admin\Desktop\e\Xeno.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4516

C:\Users\Admin\Desktop\e\Xeno.exe
"C:\Users\Admin\Desktop\e\Xeno.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO8D9B01A7\Xeno.exe

Filesize
140KB

MD5
4a2e503ab9a31880995e60ece8784b13

SHA1
5248db95700f5e600c824e736d8d1223f620ddf8

SHA256
5a7eb83a45bfb81b23485131a2f80820f3889c69c89257188ec6eb093f375dc9

SHA512
908f03a9901aea84df72fa70318aacf773ecd76465f5c9495a89c26e48e7c83c0fadce4fe58e1f7567a3a76f125a9245a18a1b5d5b0d076e15baf3c843a093b5

Download Submit
C:\Users\Admin\Desktop\e\Microsoft.Web.WebView2.Core.dll

Filesize
557KB

MD5
b037ca44fd19b8eedb6d5b9de3e48469

SHA1
1f328389c62cf673b3de97e1869c139d2543494e

SHA256
11e88b2ca921e5c88f64567f11bd83cbc396c10365d40972f3359fcc7965d197

SHA512
fa89ab3347fd57486cf3064ad164574f70e2c2b77c382785479bfd5ab50caa0881de3c2763a0932feac2faaf09479ef699a04ba202866dc7e92640246ba9598b

Download Submit
C:\Users\Admin\Desktop\e\Microsoft.Web.WebView2.Wpf.dll

Filesize
50KB

MD5
4a292c5c2abf1aab91dee8eecafe0ab6

SHA1
369e788108e5fb0608a803fa2e5a06690b4464b5

SHA256
b628d6133bf57b7482a49aa158e45b078df73ee7d33137ac1336d24ac67ed1b4

SHA512
ca22adfff9789730e4c02343e320d80b8466cfc5a15f662cefe376b7ee29dea571004c1c26cd3f50c0d24e646f2b36b53fa86835678f46f335d65eec52431cde

Download Submit
C:\Users\Admin\Desktop\e\Newtonsoft.Json.dll

Filesize
695KB

MD5
adf3e3eecde20b7c9661e9c47106a14a

SHA1
f3130f7fd4b414b5aec04eb87ed800eb84dd2154

SHA256
22c649f75fce5be7c7ccda8880473b634ef69ecf33f5d1ab8ad892caf47d5a07

SHA512
6a644bfd4544950ed2d39190393b716c8314f551488380ec8bd35b5062aa143342dfd145e92e3b6b81e80285cac108d201b6bbd160cb768dc002c49f4c603c0b

Download Submit
C:\Users\Admin\Desktop\e\Xeno.dll

Filesize
939KB

MD5
29ab914d1bf45fa2b4d999623db6a44a

SHA1
2af8dd013f7f87cf33e9fe95915bebd6d35e73b3

SHA256
1db967c913802e648fc8c70da9a09f9ba3d5f3ffbf09caf41e4de4ca6f0f54b3

SHA512
001b2d3ad39c01fb181b30764892267f1d5b09c76baf27ecaabd8df70b276c22b0f96f0944b7239ccd1668e68b112090e766be468dfbd300311c4bec6d79c092

Download Submit
C:\Users\Admin\Desktop\e\XenoUI.deps.json

Filesize
2KB

MD5
5a6f595e20ec811e25737019810cac58

SHA1
5bb6c2e764bd86cd7cbb041a9bb5f7e198331a1d

SHA256
8469498480ead9fec50de420d705f820a0997ebf18579f2f5ada5b7b5d420300

SHA512
de0c0d9bb59589cfa676546a78fd0f93f3486cb420d7f8a973d5c770ecd64936f2f5f1506e70515b0b21ff7a0706283e4677ec73c5ece6cd7e8c4eb478a7aa83

Download Submit
C:\Users\Admin\Desktop\e\XenoUI.dll

Filesize
73KB

MD5
3afc560eeab3dd7c4d4d1efa121e7645

SHA1
da16e9d49d77ca9af5aad37ba638418253e27eef

SHA256
962b2f5dfc883b9dfdf0b996c797b7c67da75fbb8a5fdcb965c2ba0d684caa79

SHA512
7dc2a12412fbfdfe59eb3fd4d2b96bd90fb6bc2b3a3c27c989dd60c7e705f927bd959547c1e15c9ef1df21a388ac3ead189802e12e533a2260c32577c12f9874

Download Submit
C:\Users\Admin\Desktop\e\XenoUI.runtimeconfig.json

Filesize
458B

MD5
07b9a30265ca4e69c7016a1b6e3ffc27

SHA1
3a4af82a2695b1423aedd8b60a5c86793c011b02

SHA256
c71152bf25e40d647b2440c5b39be157a3d356106be9d5b678ab97bb87b4e782

SHA512
efd582f8edcdba5ef48d02eee5f73d83ff35071af99b49e08e0213928568d728d0856e3b903bfcccb9237f786846cf94da83139f99e9bee86287aff2071c3f1c

Download Submit
C:\Users\Admin\Desktop\e\bin\Tabs\config.json

Filesize
81B

MD5
4ca63e045869245351e9dffbca730f0c

SHA1
d9f87b04e4f80e96ee4ad31d00e5e4149fddd2a3

SHA256
d562284973aac173bab0fb16bf778c9baa1d222f087eb2f044feec7c754cd90a

SHA512
862f78623a747246e70302da2ca7a66ce9c1a4f624f2b908d092ae151e2a16eaea3a7de38a55475ced014d359864fdad25a4ed1d21149cdc5f0841aa37ded145

Download Submit
C:\Users\Admin\Desktop\e\libcrypto-3-x64.dll

Filesize
4.5MB

MD5
e3e4236c4483dbe1bc5954fd63c965b8

SHA1
ae8b364d2e43221466f2aa3f3c9412a713214c53

SHA256
923d7641e3655c627b80dfd63bd5e701a26e9b8b6186d56b901a60cb57494901

SHA512
7130ee5db3c7570f68b454df138926ac710e9095f1e4ff7d74ef0e329e793d20fe95eb6409730203cc706410c3efd2cf6b1c1eab26a655d29a1f74673cc8abc8

Download Submit
C:\Users\Admin\Desktop\e\libssl-3-x64.dll

Filesize
802KB

MD5
4e2a30eba5388b0fe1838137a61ac255

SHA1
b6563a03f357478632d38f0f5ed28feb2af2ccf8

SHA256
ce0c322e48b95a719cd51728471e04197448d9f2ae1d0be0c99a745833dfd3a2

SHA512
4480c658eb4e3563f2622ba2a7f1f80a73e1f5aa27753030e1a7a8ca3abf07656067604e8042ca943d9cefc2524c830250dacf08ea7fc45d3bd7fa963b579917

Download Submit
C:\Users\Admin\Desktop\e\runtimes\win-x64\native\WebView2Loader.dll

Filesize
161KB

MD5
c5f0c46e91f354c58ecec864614157d7

SHA1
cb6f85c0b716b4fc3810deb3eb9053beb07e803c

SHA256
465a7ddfb3a0da4c3965daf2ad6ac7548513f42329b58aebc337311c10ea0a6f

SHA512
287756078aa08130907bd8601b957e9e006cef9f5c6765df25cfaa64ddd0fff7d92ffa11f10a00a4028687f3220efda8c64008dbcf205bedae5da296e3896e91

Download Submit
C:\Users\Admin\Desktop\e\xxhash.dll

Filesize
46KB

MD5
0e9fecea29b2b3d5ef064e112436e9d1

SHA1
69423218652f7837766ce03fe9edeaf751266cc5

SHA256
73c84884a2ccde1d10bec0820a6661920e70e4b53fa99ad510acf5ed1b36af97

SHA512
bd57bc9b8298faffc091b928537794a50c81d985d60edba7863e2976846cb08fd469c6054ff7ec574df6f0a2aea1fb72ed9cff44fa219e834129876293cd2e93

Download Submit
C:\Users\Admin\Desktop\e\zstd.dll

Filesize
638KB

MD5
567198a0119e3e2ec94208f1cda7aa28

SHA1
350224b13d1cc2f944a4a2bdd951e9ef80be5784

SHA256
6c63d08182dede465c95e48a235894e598a61cc24e0ba4556637cc9c1a1e0951

SHA512
ed01636af37932dca7aa7709389dba184e16f93aa3be4fe622850df0f791c85111367a10434edf0c986079069a3574e0acdbbac4d9cae9c58fc01f9f034f40ec

Download Submit