Analysis
Max time kernel: 20s
Max time network: 24s
Platform: windows10-ltsc 2021_x64
Resource: win10ltsc2021-20241023-en
Resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
Submitted: 21-11-2024 12:54
Static task: static1 (1 signature)

Behavioral task: behavioral1
  Sample: Xanax.exe
  Resource: win10ltsc2021-20241023-en
  5 signatures, 150 seconds

Behavioral task: behavioral2
  Sample: Xanax.exe
  Resource: win11-20241007-en
  5 signatures, 150 seconds
General
Target: Xanax.exe
Size: 33.2MB
MD5: 9f7d92ebb896f41a861c0da6a1dcfa35
SHA1: b7d53e7ca684eb77fe5e1c542ed7bc86b4469c03
SHA256: 301140e85d0887413ff368e5c9531194b9358b14cabe5b4b458dac2f012c026f
SHA512: 5f3d882fc585739ca03b7acdbbbace91076e483bd5775d28872a766fb2ed2ef7223a33f3487c3c8f93b305dba6a8aa2dd1d8d3be56e22e1782b10169f2b96b0f
SSDEEP: 786432:DpaO1UVRW/Qg97ujytT/GjkvDsQUj00EKDGCIyn8p7fs:DEO1nxyy5/gzQUNSFfs
Score: 5/10
Malware Config
Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  pid   Process
  2424  Xanax.exe   (3 entries, all for this process)

Kills process with taskkill (1 IoC)
  pid   Process
  4324  taskkill.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  2424  Xanax.exe   (64 entries, all for this process)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid   Process
  Token: SeDebugPrivilege   4324  taskkill.exe

Suspicious use of WriteProcessMemory (10 IoCs)
  description                       pid   Process    procid_target
  PID 2424 wrote to memory of 4496  2424  Xanax.exe  85
  PID 2424 wrote to memory of 4496  2424  Xanax.exe  85
  PID 4496 wrote to memory of 3868  4496  cmd.exe    86
  PID 4496 wrote to memory of 3868  4496  cmd.exe    86
  PID 2424 wrote to memory of 4852  2424  Xanax.exe  87
  PID 2424 wrote to memory of 4852  2424  Xanax.exe  87
  PID 2424 wrote to memory of 536   2424  Xanax.exe  88
  PID 2424 wrote to memory of 536   2424  Xanax.exe  88
  PID 536 wrote to memory of 4324   536   cmd.exe    89
  PID 536 wrote to memory of 4324   536   cmd.exe    89
Processes

C:\Users\Admin\AppData\Local\Temp\Xanax.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Xanax.exe"
  PID: 2424
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c mode 58,28
    PID: 4496
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\mode.com
      Command line: mode 58,28
      PID: 3868

  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c title Xanax - Hardware Virtualization
    PID: 4852

  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im KsDumperClient.exe >nul 2>&1
    PID: 536
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\taskkill.exe
      Command line: taskkill /f /im KsDumperClient.exe
      PID: 4324
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken