d1e7714f6debb08fe5590206aa394d3610f4dfa9a847ced426a967ed15889e99

Resubmissions

19/11/2024, 19:04

241119-xrchas1dpk 7

19/11/2024, 19:03

241119-xqbjlsvpfk 1

Analysis

max time kernel
106s
max time network
100s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
19/11/2024, 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ХеnоВ-v1.0.91-x64-Вооstrap.zip
Size

55.1MB
MD5

dca9822d6c24ad381110ed6397f2fc7a
SHA1

7e06df7efc6eda6e51c42f77e16badd4fba0ad6a
SHA256

d1e7714f6debb08fe5590206aa394d3610f4dfa9a847ced426a967ed15889e99
SHA512

f573e4dbf08a718a4c55ac03d885acd5133bf7ffbae08b53a5a85d5a411520130e2b31d77f287b61444d391260b86eeaedec391c6f469cbbdfd07c0053294633
SSDEEP

1572864:dEBlnAZ3zdHUpRRbtB7D1D2slkZk6xf15z01WcZQxCG+9:dwWpHUpb5dD5691VGQYB9

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
412	XenoВ.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XenoВ.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000_Classes\Local Settings	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4000	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5044	7zFM.exe
5044	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5044	7zFM.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	5044	7zFM.exe
Token: 35	5044	7zFM.exe
Token: SeSecurityPrivilege	5044	7zFM.exe
Token: SeSecurityPrivilege	5044	7zFM.exe
Token: SeSecurityPrivilege	5044	7zFM.exe
Token: SeSecurityPrivilege	5044	7zFM.exe
Token: SeSecurityPrivilege	5044	7zFM.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
5044	7zFM.exe
5044	7zFM.exe
4000	NOTEPAD.EXE
5044	7zFM.exe
5044	7zFM.exe
5044	7zFM.exe
5044	7zFM.exe
5044	7zFM.exe
5044	7zFM.exe
5044	7zFM.exe
5044	7zFM.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2648	OpenWith.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 4000	5044	7zFM.exe	90
PID 5044 wrote to memory of 4000	5044	7zFM.exe	90
PID 5044 wrote to memory of 412	5044	7zFM.exe	91
PID 5044 wrote to memory of 412	5044	7zFM.exe	91
PID 5044 wrote to memory of 412	5044	7zFM.exe	91

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\ХеnоВ-v1.0.91-x64-Вооstrap.zip"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO4B33D448\README.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  - Suspicious use of FindShellTrayWindow
  PID:4000
- C:\Users\Admin\AppData\Local\Temp\7zO4B324AC8\XenoВ.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4B324AC8\XenoВ.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:412

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO4B31E3B8\Dex.lua

Filesize
410KB

MD5
e37374a8aa47cf8ac6d56901436e199f

SHA1
5d62f5db07614f3b548702faa4f7a06e235c9b12

SHA256
47cc5f1102fda0eba76b9570a1b943326f2170f270d5280e1f8dd5723c43fc14

SHA512
efee19e8109a48d49f099dd1767c722935123c4ea4d6e0ab905703e16fcb7196d31c45826d4398a5b7249e686ca90db3f671416909ce3440d4709edf1bd55775

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4B324AC8\XenoВ.exe

Filesize
5.9MB

MD5
dfda0bccbf991a3c18c3b227bc368613

SHA1
f114fe091e2e3214d37ddd01deb5dac4efa5b114

SHA256
c8462645fc42ca3b607a5b2e9e71e5acef02a6d2b16eb3e7e239978e8694ffb0

SHA512
64ce275167351712ce552a68482841a0703b85a236a028632b20f9d62e00063541494919f191cb80de536172853d89c5d161b17dbd9a9e1ac0334c894930156c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4B33D448\README.txt

Filesize
116B

MD5
c4a4951af1fa873001f20d417b911300

SHA1
716446b4cb405a88d51b3ca5f682ef2b5dea5be7

SHA256
f5d5dcf0bf3cfe86d237d5b998112c3ac734dcfbd0ae3cf4b820bc9ce607ca43

SHA512
935999bc3ba6c10535fded350f9cd1cd9500f50e4f2707a0f91f7111aefca72fbc3e2de0bcba70763f84ca01c8cf885714175c4100a9f51564a18da2c048f53b

Download Submit
memory/412-29-0x0000000001510000-0x0000000001572000-memory.dmp

Filesize
392KB

Download
memory/412-21-0x0000000003380000-0x000000000354F000-memory.dmp

Filesize
1.8MB

Download
memory/412-22-0x0000000003380000-0x000000000354F000-memory.dmp

Filesize
1.8MB

Download
memory/412-25-0x0000000001510000-0x0000000001572000-memory.dmp

Filesize
392KB

Download
memory/412-27-0x0000000001510000-0x0000000001572000-memory.dmp

Filesize
392KB

Download
memory/412-20-0x0000000002E10000-0x0000000002F82000-memory.dmp

Filesize
1.4MB

Download
memory/412-28-0x0000000001510000-0x0000000001572000-memory.dmp

Filesize
392KB

Download
memory/412-26-0x0000000001510000-0x0000000001572000-memory.dmp

Filesize
392KB

Download
memory/412-30-0x0000000003380000-0x000000000354F000-memory.dmp

Filesize
1.8MB

Download
memory/412-24-0x0000000001510000-0x0000000001572000-memory.dmp

Filesize
392KB

Download
memory/412-23-0x0000000001510000-0x0000000001572000-memory.dmp

Filesize
392KB

Download
memory/412-31-0x0000000000180000-0x0000000000770000-memory.dmp

Filesize
5.9MB

Download
memory/412-19-0x0000000000180000-0x0000000000770000-memory.dmp

Filesize
5.9MB

Download